NSA, ASD rifle through users' address books: Report

US and Australian intelligence agencies are collecting users' address books and contact lists for intelligence, but they are also being defeated by spammers.

The Australian Signals Directorate (ASD) has been assisting the US National Security Agency (NSA) in the collection of millions of online address books.

In another document leaked by whistleblower Edward Snowden, and reported by The Washington Post, the NSA and ASD are collecting more specific information on how users interact with each other over the internet for intelligence purposes.

The NSA has already been reported to store metadata on millions of web users without their consent, but the latest document shows how US and Australian intelligence agencies have been targeting email address books and instant messenger contact lists.

The document shows that the agencies have targeted the address books belonging to users of Yahoo, Hotmail, Gmail, and Facebook, and that this data is stored across multiple databases.

A representative day of how many address books are collected is shown in the document, with The Washington Post claiming that the figures are from the top six overseas access points. One of these belongs to "NSA's Australian counterpart" — the ASD.

The figures show than on that particular day, the two intelligence agencies collected 712,366 address books. The ASD's collection point was responsible for 311,113 of them.

Address books are not the only source of information listed in the document. The two intelligence agencies also appear to be targeting contact lists, with Yahoo Messenger being a particular focus.

Information that can be collected from Yahoo Messenger includes users' online contact status and unread emails in Yahoo inboxes. The document notes that webmail inboxes increasingly include content, as opposed to pure metadata that is gleaned from address books, and that "buddy lists" provide information in an indirect way.

"Most collection is due to the presence of a target on a buddy list where communication is not to, from, or about that target."

The document indicates that the NSA collects information from 500,000 lists and inboxes each day.

However, the NSA and ASD are having increasing difficulty with managing the amount of data it can analyse, stating that "identifying buddy lists and inboxes without content (or without useful content)" is an ongoing challenge.

An example case is provided where a targeted Yahoo email account in 2011 was hacked and used to send spam. The ASD's collection of information spiked dramatically as it collected all of the spam, and then subsequently began looking at and collecting information from recipients.

The problem became so bad that in the subsequent month, the target email address was "emergency detasked" from the Australian collection point and one other US collection point.

The number of these incidents is decreasing, however, with another document showing that emergency detasks are trending downward, from a little under 120 per month in November 2011 to about 10 in May 2012.

The improvements in how it collects and analyses information also apply specifically to Yahoo Messenger. Another document states that Yahoo's web-based Messenger client makes a lot of network chatter that has very little foreign intelligence value.

Lastly, the documents identify a bandwidth problem whenever the IMAP protocol is used to fetch mail from servers.

When email accounts are secured using two-factor authentication, the second factor is typically not time based when connecting via IMAP, making it potentially easier to break into an account and likely to be of significant interest to the intelligence agencies. In Yahoo's case, it has been demonstrated that no two-factor challenge is even made when checking mail in this way, even if the account has the security measure enabled.