The World

The NSA Is Being Overwhelmed By Spam

The National Security Agency headquarters at Fort Meade, Md., as seen from the air.

Photo by Saul Loeb/AFP/Getty Images

In the latest article based on the Edward Snowden documents, the Washington Post’s Barton Gellman and Ashkan Soltani report that the NSA is “harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans… in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts.” These amount to hundreds of thousands of email address books and chat contact lists per day.


NSA Director Keith Alexander has defended the practice of bulk data collection in the past, saying, “You need the haystack to find the needle.” But this latest program may revive the question of whether, privacy issues aside, the NSA is pouring way too much hay on the stack.  


Last June, one biologist who specializes in statistical analysis calculated that even using the most conservative estimates, there’s only a 1-in-10,102 chance that someone identified by the NSA’s PRISM program is an actual terrorist, a calculation endorsed by a former NSA analyst.

I understand that much of the bulk data the NSA collects is for broadly mapping social connections rather than pinpointing individual users, but there’s still an upper range to how much of this data can be processed. As Gellman and Soltani note late in their article, the biggest threat to this program was from hackers or cyberattacks but from the sheer amount of spam they wound up collecting:


Spam has proven to be a significant problem for the NSA — clogging databases with information that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake’ addresses and never ‘delivered’ to targets.”

In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”


The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.

After nine days of data-
bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”

If we do see a move away from bulk data gathering by intelligence agencies in coming years, I suspect it might have less to do with privacy concerns raised after the Snowden revelations than questions of whether this is really that efficient a way to gather information.