
I'm curious, how much of this did the NSA learn from Facebook et al? There has to be some overlap between the analytics Facebook uses and what the NSA is doing. Did they learn anything from articles Facebook employees have written? Has Facebook assisted them with any of this? Or has the NSA basically had to reinvent the wheel?



Leaving the exact meaning of the 'social network' terminology aside, the NSA could accumulate tons of useful data without any help from Facebook et al by simply looking at what's already public.

You can track down a lot of people by simply lifting some statistically improbable phrases from what they write on comment boards or forums and then searching for those strings on services like Facebook. It's quite easy to find most people based on what they choose to share publicly.


The NYT is using "social network" in the term's pre-Internet era sense, meaning, as the headline and story say, "social connections" and "large-scale graph analysis."

Nowhere in their story do the reporters allege that the NSA has been bulk-downloading private Twitter, Facebook, Google+, etc. information with the cooperation of those companies. (In fact, I would be very surprised if that were the case, as it goes against what my own reporting has established.)

Instead, as the story says in the second paragraph, the NSA is building social graphs based on its "analysis of phone call and e-mail logs." We know they get phone call metadata via Section 215 of the Patriot Act from telcoms like AT&T, VZ, Sprint, etc., which have long been in bed with FedGov. My guess is that the email metadata comes from two sources: AT&T, VZ, Sprint, etc., and bulk fiber taps (remember, "UPSTREAM" from the earlier Snowden slides) aimed at email providers that do not fully support SMTP-TLS.

When I wrote about this in June (http://news.cnet.com/8301-13578_3-57590389-38/), only Google among the top mail providers was fully supporting SMTP-TLS, while Yahoo Mail, Hotmail.com/Outlook.com, AOL, etc. were not. And for SMTP-TLS, it takes two to tango.

A possible third source, also via UPSTREAM, is monitoring HTTPS connections to Facebook itself, which was using 1024-bit RSA keys until recently, as I wrote about here: http://news.cnet.com/8301-13578_3-57591560-38/

Finally, the NSA is supplementing its email-and-phone metadata database with whatever it can vacuum up through public records (the article refers to voter registration rolls, property records, and Facebook profiles) and non-public data held by regulated industries that, unlike large Silicon Valley companies, have little interest in litigating against FedGov on privacy. The article refers to bank codes, insurance information, passenger manifests, billing records, and "location-based services like GPS and TomTom" -- odd wording, that, and a hint that the reporters may not have understood all of their material. Cell phone location metadata from carriers is probably included as well.

In other words, Facebook can be reasonably criticized for moving slowly away from 1024-bit RSA keys and not supporting SMTP-TLS, which have made it easier for not only the NSA but other intelligence agencies to conduct surveillance too. But this story is not about the NSA having direct access to Facebook's servers or getting bulk dumps of direct messages from Twitter, and in fact there's zero evidence that's the case.


Oh no, I agree. Companies like Facebook probably aren't providing direct access to their servers. However, it does make me wonder if Facebook is cooperating with them in other ways. Perhaps maybe they've been sharing knowledge or tools.

Also, we now know that the NSA has been influencing companies' product strategies. For all we know, the NSA co-opted them into using outdated RSA keys and not using SMTP-TLS. It would hardly be surprising.


In fact, I would be very surprised if that were the case, as it goes against what my own reporting has established.

Which makes me wonder why they aren't.

At the least, I don't see anything illegal about their scraping public Facebook info, and they can easily gain access to the private stuff as we've learned.

So why wouldn't they populate their old-school social graphs with new-school social graph information?


They absolutely would. As I said above, "the NSA is supplementing its email-and-phone metadata database with... Facebook profiles."

The point I was making (perhaps poorly) is that the NSA is surely bulk vacuuming up public Facebook profiles and using its relationship with AT&T/VZ/Sprint/etc. to do fiber taps of poorly encrypted or unencrypted data in transit. But there's no evidence of direct access to Facebook/Twitter/G+ servers or bulk downloads of private data from social networks.


http://nakedsecurity.sophos.com/2012/11/19/facebook-https-t-...

Worth pointing out that Facebook only had opt-in HTTPS as of 2011 and default HTTPS came a long time after that.


Ah! Thank you for the clarification. I plead caffeine deficiency.


So the primary form of collection that should concern us most is media that spy on us while we use them. Books that watch us read them, music that listens to us listen to it. Search boxes that report what we are searching for to whoever is searching for us and doesn’t know us yet.

There is a lot of talk about data coming out of Facebook: is it coming to me? Is it coming to him? Is it coming to them? They want you to think that the threat is data coming out. You should know that the threat is code going in.

For the last 50 years, what has been happening in enterprise computing is the addition of that layer of analytics on top of the data warehouse that mostly goes in enterprise computing by the name of "business intelligence". What it means is you’ve been building these vast data warehouses in your company for a decade or 2 now; you have only information about your own operations, your suppliers, your competitors, your customers; now you want to make that data start to do tricks, by adding it to all the open source data out there in the world, and using it to tell you the answers to questions you didn’t know you had. That’s business intelligence.

The real threat of Facebook is the BI layer on top of the Facebook warehouse. The Facebook data warehouse contains the behavior, not just the thinking but also the behavior, of somewhere nearing a billion people. The business intelligence layer on top of it, which is just all that code they get to run covered by the terms of service that say "they can run any code they want for improvement of the experience". The business intelligence on top of Facebook is where every intelligence service of the world wants to go.

Imagine that you are a tiny little secret police organisation in some not very important country. Let’s put ourselves in their position. Let’s call them, I don’t know what, you know ... "kirghista".

You are a secret police, you are in the "people business"; secret policing is "people business". You have classes of people that you want: you want agents, you want sources, you have adversaries, and you have influenceables, that is, people you torture who are related to adversaries: wives, husbands, fathers, daughters, you know, those people.

So you are looking for classes of people. You don’t know their names, but you know what they are like: you know who is recruitable for you as an agent, you know who are likely sources, you can give the social characteristics of your adversaries, and once you know your adversaries, you can find the influenceables.

So what you want to do is run code inside Facebook. It will help you find the people that you want; it will show you the people whose behavior and whose social circles tell you that they are what you want by way of agents, sources, what their adversaries are and who you can torture to get to them.

So you don’t want data out of Facebook; the day you have data out of Facebook it is dead. You want to put code into Facebook and run it there and get the results; you want to cooperate.

http://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-t...



