TOP SECRET//SI//NOFORN

Content Acquisition Optimization

Yahoo Webmessenger
o Update data sent to individuals logged into Yahoo's Instant Messenger service online
  - Online contact status, unread emails in Yahoo inbox
  - Usually small sessions (2-4kB)
o Sporadic collection (30,000 - 60,000 sessions per day)
o Intermittent bursts of collection against contacts of targets
  - Large numbers of sessions (20,000+) against a single targeted selector
  - Not collected against the target (online presence/unread email from target)
  - No owner attribution (metadata value limited to fact-of comms for emails, online presence events for buddies)
o Over a dozen selectors detasked in two weeks
  - Because a target's contact was using/idling on Yahoo Webmessenger
  - Several very timely selectors (Libyan transition, Greek financial related)

Address Books
o Email address books for most major webmail are collected as stand-alone sessions (no content present*)
o Address books are repetitive, large, and metadata-rich
o Data is stored multiple times (MARINA/MAINWAY, PINWALE, CLOUDs)
o Fewer and fewer address books attributable to users, targets
o Address books account for ~ 22% of SSO's major accesses (up from ~ 12% in August)

Access (10 Jan 12)     Total Sessions   Address Books
US-3171                1488453          237067 (16% of traffic)
DS-200B                938378           311113 (33% of traffic)
US-3261                94132            2477 (3% of traffic)
US-3145                177663           29336 (16% of traffic)
US-3180                269794           40409 (15% of traffic)
US-3180 (16 Dec 11)    289318           91964 (32% of traffic)
TOTAL                  3257738          712366 (22% of traffic)

Provider    Collected   Attributed   Attributed%
Yahoo       444743      11009        2.48%
Hotmail     105068      1115         1.06%
Gmail       33697       2350         6.97%
Facebook    82857       79437        95.87%
Other       22881       1175         5.14%
TOTAL       689246      95086        13.80%

Buddy Lists, Inboxes
o Unlike address books, frequently contain content data
  - Offline messages, buddy icon updates, other data included
  - Webmail inboxes increasingly include email content
  - Most collection is due to the presence of a target on a buddy list where the communication is not to, from, or about that target
o NSA collects, on a representative day, ~ 500,000 buddylists and inboxes
  - More than 90% collected because tasked selectors identified only as contacts (not communicant, content, or owner)
o Identifying buddylists and inboxes without content (or without useful content) an ongoing challenge

Scenario: @yahoo
o Sep 2011 @yahoo.com (tasked S2E, asw Iran Quds Force) has his/her Yahoo account hacked by an unknown actor, sends out spam email to his/her contact list:

Scenario: @yahoo
o @yahoo.com has a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members
o At DS-200B in particular, collection spiked as:
  - The initial spam messages were sent (and collected)
  - Inboxes of email recipients were viewed by contact list
  - Messages were sometimes viewed, but more often sent as precached views on Google and Yahoo (along with inboxes)
  - Inboxes where the recipient did not delete the spam message continued to be collected every time they were viewed
  - Some recipients added @yahoo.com to their address books (possibly as a spam defeat?) - address books were collected every time

Scenario: @yahoo
[Chart: DS-200B Collection By Day - 11 Sep - 24 Sep (in MB)]
[Chart: DS-200B Collection By Hour - 18 Sep - 23 Sep (in MB)]

Scenario: @yahoo
o @yahoo.com emergency detasked from DS-200B and US-3171 at 13:04Z on 20 Oct
o Numerous first-order address books and inboxes collected meant tasked selectors on address books or buddy lists of contacts of @yahoo.com also affected:
  - @yahoo.com and @gmail.com emergency detasked off US-3171 at 13:10Z on 20 Sep
o Memorializing to PINWALE only address books and inboxes owned by target selectors would have reduced PINWALE volumes 90%+
  - Site XKEYSCOREs would buffer data for SIGDEV purposes
  - Metadata from known owner address books and inboxes stored regardless

Mobile IMAP
o IMAP protocol used by email clients to fetch mail from server(s)
o Not designed for devices with intermittent connections (i.e. mobile phones)
o Android implementation in particular uses a lot of bandwidth