Among the revelations made last week by NSA leaker Edward Snowden, few were more jarring than the suggestion that private security contractors have the capability to monitor your every online communication seemingly on a whim, in real-time. As he told the Washington Post, “They quite literally can watch your ideas form as you type.”
Like most everything else Snowden disclosed, it seemed like something out of a spy movie. But with the caveat that no one outside the NSA truly knows the extent of the agency’s reach, cybersecurity experts say that Snowden’s charge rings true, at least in part. According to PowerPoint slides Snowden provided to the Post and the Guardian, PRISM collected stored communications information from sites such as Facebook, Skype, Google, and Yahoo, boasting of access to online social networking details, email, file transfers, photos and video and voice chats.
Barring direct access (physically installing some sort of keystroke capture, for example) analysts probably don’t have the capability to jump into a random Skype conversation and see what’s being typed—nor would they want to. “Are they probably actually doing that for like arbitrary people?” asked Julian Sanchez, a research fellow at the Cato Institute who specializes in tech privacy. “Probably not because that would take a lot of time and not be very useful.”
In that context, Snowden’s “quite literally” assertion shouldn’t be taken literally. It’s more of a broader statement about how much the agency can learn about you. “Given search queries, given other kinds of information they could get from this whole nexus of information he’s been leaking, it’s more sort of like you’re exposed in all aspects of your life,” said Joe Hall, a technologist at the Center for Democracy and Technology. “It’s more a statement of inference than it is a statement about peering into your brain and watching you type.”
But Sanchez points to a program like Google Search, which transmits data to a server with every keystroke, as an example of what the NSA might be capable of, if they had access to a specific target. “If they have back-end access to a device there then there is no reason that that would not in principle be possible,” said Sanchez. “I don’t know whether it is literally something that is done on a regular basis. It sounds like for the most part what they’re doing is querying a database for stored record.”
“It’s sort of a combination of him using flowery language and the one pull quote from that session with him that’s a really good shocking tidbit, but this is more about inference,” said Hall.
“But then,” he added, “I’ve been surprised quite a bit lately.”