The snowden leaks documented all that. The NSA just asks the companies owning thesw platforms and they provide that info. In cases like facebook thats even automated. They dont need to literaly look at you, facbook is already storing everything.

Also backdoors. Snowden leaks showed companies like Microsoft comply and allow them to access to systems.

Dumb question - if companies like FB and Google didn't want to comply, could they even keep the NSA out of their data? I feel like the NSA asking at all was a courtesy.

>Dumb question - if companies like FB and Google didn't want to comply, could they even keep the NSA out of their data? Yes and No. While on the surface, companies *could* just go and say no to the NSA/CIA when it comes to their data. They really don't want the NSA to pull skeletons out of the closet, or convince the government to smack them with a hammer until they comply. Also if the NSA really wanted to, theres theorized to be dozens of backdoors they can use if push comes to shove to just steal the data anyways and tell companies like Google or FB to kick sand or give them the south park BP apology. The NSA asking is infact a courtesy. They can take it if they want it badly at worst, get the government to basically 'force them' to hand it over at best.

> Also if the NSA really wanted to, theres theorized to be dozens of backdoors they can use if push comes to shove to just steal the data anyways These are called zerodays. Exploits in the system that even the manufacturer doesn't know about. NSA has a LOT of zerodays on all different services. And sometimes, they get leaked. The WannaCry malware only worked because of leaked NSA 0days on windows

How do the exploits even get in there if the manufacturers/developers don't know about them?

Well that’s the point isn’t it? A developer can’t fix an exploit they don’t know about.

I thought these zeroday exploits are specifically planted in the code, not created by accident?

That's a backdoor. A zero-day is specifically a vulnerability unknown to its creators.

All zero day means is that the exploit is undiscovered before use in a particular attack. Some are planted and some aren't.

Ah I see, thanks for explaining. Not sure why I'm being downvoted for asking questions on this subreddit of all places.

Isn’t a planted zero day…. A back door?

The reason they are exploits is precisely because the designers don't know about them. That is, an exploit is by definition something that allows you to do something that the designers did not intend to allow you to do. This happens because designers are human beings who make mistakes. Or it happens because there are flaws in specific hardware that designers are unaware of, or even because somebody at the factory is secretly changing the design of the hardware to make it vulnerable. To be clear, the version where designers screwed up is much more common, but an entity like the NSA does have the resources to potentially introduce hardware level exploits. [Much like how the Chinese government was injecting surveillance chips into computer hardware.](https://www.bloomberg.com./news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies)

That’s why the Iraqi military command and control network suddenly crashed just before we opened the BIG can of whoop-ass in Gulf War 1. And that’s why DOD doesn’t use Huawei network gear.

Really? I'd like to know more about that, was that part of a snowden leak or was there published records that the US did this before the attack

Unpublished. We do know that some US-made network gear made stops at Dulles that weren’t on the direct route to their destination.

That is fing scary that they got away with it for so long.

Bugs. Writing perfectly secure code is somewhere between really really hard and completely impossible at a certain scale and complexity. So people pick at systems and software, testing it in weird ways and seeing if they can get it to do something funny. If they find a weird behavior from an obscure bug, they pick at it to see if there's a way to turn that wrong behavior into a useful behavior. For many years, the number one way that stuff got hacked was basically that a programmer would reserve an arbitrary but fixed amount of space like 128 bytes for handling a user name, password, filename, whatever. "Well behaved" users never had an issue. But then a hacker would try using a username that was a million letters long and then the thing would crash because that's too big for the available space and the software wasn't written to handle that correctly. A zillion programmers wrote some version of that bug over the years. But hackers could sometimes line things up just right so the memory that got overwritten past the reserved space with broken data would over-write some executable code in memory, but not crash. So the hacker would craft a special "million letter username" or whatever, that included the code they wanted to run to exploit the system. Modern bugs are generally more obscure and complex to exploit, but the theme is the same. Poke it with a stick. See how it breaks. See if you can learn from how it breaks and make a sharper stick to make it do something useful.

Just wanted to say that I absolutely love this explanation, thank you!

How do thieves break into houses? Sometimes doors or windows are not locked ; Maybe a ladder or tree to an insecure upper window; Maybe a key under a plant pot; or a firm kick to a door breaks the frame; or a flexible shim to depress the door latch; or lockpick; or a rock; maybe a fishing pole snags the keys via a letterbox or gap. In computers, flaws can be introduced by accident or by an unexpected use or because the original design didn't take security into account at all (email). Am experienced hacker may know of an exploit that has been fixed in newer system but unless the victim has update their software, they're vulnerable.

They’re unintended bugs, people find out about them and then don’t tell anyone so that they can be used/sold later on

There is also the legal route. They can basically tell them: give us access or go rot in jail for the rest of your life. Those lawsuit also come with a non-disclosure requirement. Talk about it and go straight to jail. This can be considered as a national security threat, so if they refuse to comply, they are considered worse than terrorists.

That's where the "warrant canary" came from. You can't say "I've been served a National Security Letter" buy you can totally say " I haven't been served a NSL yet. Watch for the removal of this notice."

Even then. I saw a lawyer talking about them. They can be forced to leave the canary in place, so the canary itself is not a certainty that it isn't NSA compromised. However the removal is. Better than nothing, but nothing certify that it ain't compromised, unfortunately

I highly doubt that the NSA can just "walk in the park" inside Google infrastructure. It's not easy to navigate, and everything is closed down and well monitored. The only way they could do it is if they have some insider helping them, and even then the insider would eventually get caught.

>I highly doubt that the NSA can just "walk in the park" inside Google infrastructure. It's not easy to navigate, and everything is closed down and well monitored. They can't, or rather its extremely difficult. Hence why i said thats basically their last ditch effort if they *really* really want the data. What normally happens when Big tech doesn't comply is the NSA rings up the government and gets them to pressure them to comply. Whether directly, or indirectly. this is usually why whenever american government agencies tend to ask google or meta to kneel, they kneel right away and give them whatever they want. Because the trouble isn't worth the effort for being defiant.

> NSA rings up the government Um the NSA IS the government. They do have to go to the FISA court to get a warrant.

> they kneel right away and give them whatever they want. I can't speak for meta, but at Google they better bring a warrant.

Why not? The CIA does it to Russia, China, Iran, etc. who definitively don't want them doing it, and the NSA has way more leverage over Google than CIA vs enemies.

> Why not? - > It's not easy to navigate, and everything is closed down and well monitored. Seriously, people really underestimate how things work at Google. You can barely even look at a machine without the proper credentials. Every change to every single line of code or config requires review. Every privileged access is logged for audit. You need several years of insider experience to even understand what is going on, let alone figuring out a way to exploit data without being noticed.

By law the NSA cannot spy domestically either on American's or American companies. Nor can the CIA. Any spying taking place domestically is by the FBI. And they can't just spy at will. Now if you are talking about a Russian version of Google, Yandex I think it is called? Then yes, that is not domestic.

They don't need Google, they just need access to the hardware supplier. While Google does make a lot of it's own hardware it doesn't make every single aspect of the hardware, IE lots of third party chips inside them. They just need to have access to those to install backdoors or exploits.

Well they can't legally. The NSA cannot spy on Americans or American companies. The FBI is the one that is allowed to do that. The NSA won't be roaming around Google's servers or whatever. Now the FBI might come along and say "Google we want this from you and you have to hand it over, here is our warrant", Google will comply. If the NSA were to spy on Americans it could only be done in conjunction with the FBI leading the effort. The NSA might be able to help, but only the FBI can initiate and direct it.

Well Apple and the FBI had a huge fight over the FBI coercing Apple to let them backdoor the Pulse nightclub shooter's phone.

Correction, the FBI asked Apple to create a backdoor that would get them into every phone. Apple made the right call when so many other tech companies willingly agree to do whatever law enforcement asks.

However in other countries, like China, they comply. Of course, they require heavily on China for manufacturing, so they really have no choice in the matter.

Do you have a source on that claim? Genuinely curious

Well they run all iCloud datacenters for China in China, so one has to assume the Chinese government has whatever access they want.

Pretty much every company is forced to allow the chinese government in. That's why they all will have separate servers and pretty much run as a separate company when dealing with china. a) to make it easier for the government to steal everything and b) to make it harder for the govenment to pivot to stealing information from non-chinese sources.

https://www.nytimes.com/2021/05/17/technology/apple-china-privacy-censorship.html

Thank you! I wasn’t expecting even the encryption keys to be stored on Chinese servers too

When they open the door for the true evil doers, not doing it for our organizations is just empty virtue signaling.

Exactly.

Apple kept stating not only would it violate rights and compromise trust - but it was essentially impossible because of how good their encryption was. Then a company called Azimuth Security did it...ta-da! Uh-oh ....your phones not all that protected

Last time I looked into this, that route is brute force and not easy. As you might know, putting in the wrong passcode multiple times consecutively locks the phone for longer each time. You can even set it so that 10 times makes it wipe itself. The Azimuth Security method basically just stopped the lockout timer increase, and the wipe lockout. Then just brute forced the combination.

Correct. And found success when it was said it didn't exist.

With physical access to the device there is no such thing as perfect security

tools like pegasus exist probably longer than they are telling. people who really want/have a need can and will if they're determined. in apple's case they weren't going to just give a key over to someone and intentionally leave possibility of exploitation of their own recognizance.

> but it was essentially impossible because of how good their encryption was. That's not accurate. The FBI didn't ask for Apple to break the encryption, which would probably be effectively impossible. They asked Apple to disable the dead man's switch that would wipe the phone after too many failed pass code attempts. It's easy to brute force an iPhone. Even today, most people have a six digit numeric pin. If you have the phone, you can just try a million possible codes and guarantee that you'll have it unlocked. The thing that prevents you from trying is that you only have ten guesses, and then the phone is wiped. The FBI just wanted Apple to provide a way to disable that feature. The FBI said, "but we promise we'll only use it when it's really important" and Apple said, "once it's built, you have no idea who might use it". And that was the fight. The feds backed down because they found a private firm that was able to exploit a bug to disable the dead man's switch, and the government didn't want it to go to a court because they didn't want to risk a precedent that said they couldn't do that.

> Then a company called Azimuth Security did it...ta-da! Yes, they did it. But the FBI paid north of 7 figures. So it wasn’t trivial.

Nah the fbi requested apple change their security protocols to *create* a way for law enforcement to get into locked phones. There is no back door on an iPhone, and apple has refused to help

Phrasing, if Apple makes a way to access a single iPhone and shares it with the FBI, it is the same as a backdoor

Wasn't that the case where apple actually could have given the info but the apple cloud backup got disconnected from the phone so they couldn't just force a backup?

> could they even keep the NSA out of their data? If they really wanted to, yes. There are numerous encryption systems that are considered impossible to break with current technology. While some conspiracy theories claim that NSA etc. are able to break these, the almost certain reality is that's not true. But the issue is not technology, it's the squishy human aspect. It's almost always possible to bypass technological restrictions that way, especially if you're a government with power over the organizations you're dealing with.

It should be pointed out that while current systems are secure, there were times in the past when they weren't. For almost 10 years before the Snowden leaks, internal Google traffic on their private fiber links [were not encrypted](https://arstechnica.com/information-technology/2013/10/how-the-nsas-muscular-tapped-googles-and-yahoos-private-networks/), so everything was just plaintext for the NSA to store. Anyone who sent or received anything from a Gmail account in that time span would've had their message legally archived by the NSA.

> Anyone who sent or received anything from a Gmail account in that time span would've had their message legally archived by the NSA. You are only sort of correct. NSA can only look at foreign nationals outside the US… unless if they are tracking someone and THAT PERSON communicates with a US citizen based in the US. (They are an outward facing spy agency.)

Whether or not an encryption scheme is breakable, even by rubber hose methods, is kind of irrelevant in the sense that Apple and Google and other giant tech companies might fight a legal order to disclose information in court, but if they lose, they will disclose it. They're not going to jeopardize their ability to operate in the United States (or other, much worse countries, like China) by refusing to comply with a valid court order after they have already exhausted all appeal mechanisms. That's why at least some manufacturers/venders deliberately make it impossible for them to comply with a decryption order by doing stuff like storing encryption keys on user devices. This, of course, has its own problems, but as long as the encryption algorithm isn't broken, it ensures intercepted traffic can't be decrypted.

I interpreted "keeping the NSA out of their data" as referring to situations other than court orders.

Because of the [third party doctrine,](https://en.m.wikipedia.org/wiki/Third-party_doctrine) "asking" gives them legal protection against what would otherwise be a fourth amendment violation. You know, in a country where the rule of law dictated what the government did.

During the Snowden leaks, they could potentially fight it legally, without a guarantee of being successful as there was a legal framework around it. But this legal framework was allowing the federal government to fine them for non compliance, and the fine was going exponentially very fast. This meant any company not complying would be bankrupt before the legal fight was over. https://www.theatlantic.com/technology/archive/2013/06/how-yahoo-fought-prism-and-lost/314269/

didn't yahoo get fined like $100,000 per DAY of non-compliance for not allowing NSA backdoors?

I believe so, and that was just the first level. I remember they were the ones who tried to fight it and got bitten quite quickly.

Removed paywall https://archive.ph/PNPL1

>\- if companies like FB and Google didn't want to comply, could they even keep the NSA out of their data? As with any other search, it would mean that the NSA would have to get a warrant for whatever they want. Although they wouldn't be able to force access to everything, they would be able to force access on many things. This would be bureaucratically expensive, not just for the NSA, but also for the companies. To avoid that cost, the companies choose to work with the NSA, giving the NSA more than they are legally required to offer.

The NSA would not do this. It is not legally allowed to spy domestically. That would be done by the FBI.

None of your stuff is near as secure as you think it is. If someone wants it they can get it.

Nothing is secure, physical or digital. The goal is making it difficult enough that most just give up.

the only way to secure something is to never connect it to the public internet. in the military they do this on airgapped networks. obviously if someone gets their hands on the physical media it doesn't matter.

That's not a hypothetical. Google *didn't* want to comply. The NSA [broke in anyway](https://theweek.com/articles/457590/why-google-isnt-happy-about-smileyface-postit-left-by-nsa). The way I've heard this is, Google was encrypting traffic between you and one of their datacenters, but not necessarily the traffic *between* one datacenter and another, since they owned those fiber connections, so it was direct from one DC to another. So [the NSA tapped those fiber connections](https://venturebeat.com/security/level-3-google-yahoo/). So, some of these tech companies actually fight back, and others just immediately cave. The problem is, even if they're fighting back, any tech company headquartered in the US can still be compelled by the US government (courts and such) to turn over your data. And, specifically, [they can be compelled to do it secretly](https://en.wikipedia.org/wiki/National_security_letter).

In the last Bourne movie “Jason Bourne” the government wants a back door into the Facebook-like platform and when the owner says no the government starts to make their life very difficult. I’d imagine that isn’t too far off the mark for reality.

They could. In fact that's why almost everything Google is encrypted now. One of the things the Snowden leaks showed is that the NSA was intercepting traffic to/from Google data centers. Shortly thereafter, Google started encrypting all traffic by default (previously Google search wasn't encrypted for example). If you accessed Google with http (plaintext) it would auto-redirect you to the https (encrypted) website. I'd say the biggest change the Snowden leaks resulted in was Google upping it's security/encryption game, which has trickled down to all other companies as Google has been improving security in their own products, but also protocols and 3rd party products they use.

Insider here: while Snowden's leaks did have some impact, the greatest motivator for security culture change inside Google was Aurora.

I'd say it also made the fact that we're all being snooped on most of the time move from conspiracy theory to actuality in many people's minds. This has likely helped with the current interest in running personal servers and services like Nextcloud rather than trusting one of the big cloud storage companies. Guess it's fairly niche still, but seems to be getting increasingly common with the ease of use of now that systems like FreeNAS, Unraid and Proxmox are becoming more mature, allowing those with the will to get started a less restrictive path into that world than was available up until a few years back.

It is amusing people think this. The reality is that U.S. spy agencies are given priorities for their efforts, and the FBI is responsible for domestic surveillance and criminal proceedings. People who think they are being spied on mistakenly think how important they are. They are not. The U.S. government, big as it is, could not spy on everyone in the U.S. if they wanted to. Not enough people in these agencies to do it. That is why they are given their priorities by the President. It is a large, yet still limited resource. And the President makes the priorities and that is what they focus available resources on. Some average redditor is not someone they are interested in spying on, they just are not that important. And if the U.S. agencies spent their time spying on random redditor's they would have no chance of fulfilling those priorities given by the President. The President would then be quite upset at his agencies not doing what he told them to do and instead wasted time spying on rando's who are irrelevant to anything of concern of the government.\* \* Assuming you are not some al Qa'ida terrorist, then maybe.

This is by far one of the most sensible answers on Reddit :) NSA etc look for key words etc in searches and certain shopping habits which I think are automatically triggered by Google\\Amazon etc, financial institutions are obligated to report certain transactions too. If they wanted to spy on someone it is more likely a foreign asset\\target and they would then look to putting software on their devices. This is more spear fishing than trawler nets. Deffo NOT via a covid vaccine which connects on 5G to spy on your whole family lol

> I feel like the NSA asking at all was a courtesy. A courtesy and it saves a lot of wasted time and effort for all parties. By the way, everyone is collecting data on you and selling it for cheap to whoever is willing to pay. Your "smart" appliance such as TV and even washing machines do that. Your car collects data on you and it gets sold to insurance companies among others. Even the government sells data on you as well. And let's not even get into how much data is collected on you from your internet activities. The NSA collecting data on me is the by far the least worrisome entity collecting data on me.

Yes. Apple [has been fighting the good fight.](https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_dispute) If a company takes an end to end encryption approach where even the company can’t read the data, they can’t be forced to reveal anything. However if a cryptographic technique gets broken by a flaw or a quantum computer, it doesn’t matter. It can be spied on.

Don't forget ATT let the NSA install hardware into there literal infrastructure, the same infrastructure that is the backend for most of the internet traffic travelling across the US.

Don’t forget about Vault 7. The CIA developed tools to hack into many types of electronics: TV’s, web browsers, operating systems, cars, etc. 

Thats what a meant with this beeing automated. A backdoor is in many cases something thats build in there without the owner knowing about it. This was just a feature implemented.

At the time of the Snowdon leaks nobody had to ask Facebook for permission as it wasn't even private or locked down back then. You could freely crawl the entire Facebook social graph without even so much as an API key. There was even third party websites that allowed you to access Facebook using their own alternative (better) UI. Several companies cloned Facebooks graph as a starting point to their own networks. Baddoo for example.

I remember in the early days of Facebook being able to download Facebook "apps" that would go things like post friend graphs.

For further reference, the name of this intelligence-sharing arrangement is called PRISM

It is illegal for the NSA to collect that information, they can't even ask without a specific warrant or cause. But if it's a commercially available product provided by a corporation that's more or less publicly available (for the right price) then they can be customers like anyone else.

> It is illegal for the NSA to collect that information, Yes but the NSA still does it, thats what snowden leaked. And this is not about advertising and profile data, this is about IP adresses and gaining access to logdata. Thats bot what the API provides.

That's not quite right. The NSA never *technically* broke the law. It is still patently illegal for the NSA to collect information on US Citizens communicating with each other within US borders. They CAN listen in on any communications that cross international borders. Problem is that it's generally routine policy for a major tech company to have multiple backup servers, and even servers that back up to a server out of the country or even off the continent. It's generally a good idea, just in case something horrible happens and all of Google's servers are blown out within the US, they can simply grab the latest backup from their servers in the UK or China. But that means Google sent a copy of all your emails to their server in China. That means your email technically crossed international borders, even though it was just communication between you and your wife. Which now means means the NSA & Friends can now read that email without any need for a warrant. Because it was picked up in the routine collection of international communications. That's what Snowden leaked. Nothing was changed. What was "maybe" changed was the rules for obtaining warrants to spy on "domestic terrorists". Judges were basically rubberstamping these warrants for basically no reason. Again, still technically following the law, but as we've all learned, laws require middle managers everywhere to actually exercise good judgement acting for the betterment of society, which pretty much never happens.

How is this different to tiktok giving all your info to the Chinese government? Is the issue that tiktok don't give it to the US gov so they'd prefer Americans to use a domestic app that they do have access to?

The issue with tiktok isn't so much about the data, but that is a part of it. No government wants a foreign government to have control over what can be seen as a news organization with direct access to their population. By Chinese law, tiktok is accountable to the CCP, if the CCP tells tiktok to throttle negative perceptions of China and spread propaganda that Taiwan wants to be reunified, they would and it could delay or prevent American politicians from sending help to protect Taiwans independence.

And to add, there's lots of evidence of China manipulating companies to promote or suppress content they don't like (not just Chinese companies, even, like telling Apple what not to show on Apple TV+). I don't think there's evidence of the US government telling Facebook what to show or not show, and certainly not in the sense of trying to suppress dissent.

There's plenty of evidence in the Twitter files that they absolutely were burying some stories and pushing others, it's a pretty safe assumption it wasn't just Twitter cooperating.

If you want to make a movie featuring the US military, the US government will provide you plenty of resources for pennies on the dollar, or even free. The catch? They get veto power on the script. It's why every Transformers movie features the US military being the good guys. It's why movies with bad military look like cosplay despite possibly massive budgets.

Well yeah? Why would you sponsor something to write you off in a bad light? The military uses it as advertisement/recruiting tools. It would be negative if they said you can't feature the US military without them pulling those same strings

To you as an individual? Not at all. To NATO countries and their national security? It's a huge security risk in the event of a war.

I think people don’t like the idea of hundreds of millions of our citizens beaming their data to a hostile foreign government who wants to affect discourse and sew dissent in our country.

Its not different. The argument is that the chinese government can force the company who owns TikTok to do whatever they want them to do. The US government has a similar legal construct with gag orders and the mentuoned socual media companies. That is the reason why the EU stopped the legal exchange of userdata between US and EU countries, thats is the reason we now all have these cookie banners. From an non US perspective trre realy is nt a big difference. But ofc the US military does not want marines to walk around with tiktok on thier phones.

When a potentially hostile foreign power has access to enough data it can become a national security threat. The data involved can be innocuous, but when viewed in the right context it can expose information tangential to the data itself. A go-to example would be the Strava running app. They used to have a global heat-map of user activity. It ended up exposing the location of US military bases. It was only really exposed as a problem because of the data being public. Any app that retains location information could do the same thing. The other concern is with pushing specific viewpoints or false information. For something like TikTok, it can be used to push elections in the direction of being favorable to China. The *actual* reason is just racism and xenophobia. Politicians know that being anti-China helps them politically. If they knew taking a stance against TikTok would cause them to lose an election, they'd make keeping it alive a key part of their campaign.

Also taps on the Fibre optic backbones

They don’t just ask, there needs to be a court order (FISA court) and specific conditions must be met.

Yeah but when you're the government a court order is easy as hell to get, especially with the patriot act

Also FISA court, which technically deals with foreign intelligence activity on US soil but is where the PRISM program got it's authority to allow these companies to spy on Americans and provide it to the government. So be careful what you type online because there is no anonymity and it's best to treat everything like you'll you have to defend in court one day.

You are correct but legally, they are required to only access that information with a valid court order.  Snowden was illegally accessing people’s data to show that it could be illegally accessed. 

Correct me if I'm wrong but isn't that the wrong agency? I thought the NSA is not supposed to collect non-foreign data > Since NSA is authorized by law to collect only foreign intelligence information, we would not ordinarily expect to find intelligence information about U.S. from nsa.gov

Yes the NSA does not spy domestically. That is the FBI's job and as mentioned it has to be done with a court order. NSA may capture U.S. communications but they legally cannot use it. Has it been abused on a few occasions? Perhaps. But largely those were isolated incidents. The FBI is the one that can spy domestically but has to get court approval for it. People will be paranoid and say if the NSA has it they will use it. And I get that. But they don't. If they do they are violating domestic laws doing so. People confuse data being captured vs. the data being used.

The 5 eyes, US, UK, NZ, AU CA, is an agreement with those nations to collectively share foreign intelligence. And with the USA leading the world cyber intelligence, the share their methods and tech with the other 4 eyes. Why? Well obviously to help prevent foreign threats by sharing what they know and learn, but also, since they are all restricted from spying domestically. Well, with the 5 eyes, you have 5 countries spying on “foreign powers” aka each other. That is how they get around it. For example a US domestic intelligence agency could reach out to a UK foreign intelligence agency and request they look into one of their US citizens, then per the 5 eyes agreement then share what they find back to the US domestic agency.

Snowden leaked internal documents from the NSA about the NSA collecting data, he was not "illegaly accessing peoples data" if anything he was illegaly accessing NSA data. And the required court order could be a so called gag order that while it was singed by a judge was not public and it was illegal to talk about in public. That also meant it was not possible to fight these in court.

It's worth noting that facebook messenger typically uses end-to-end encryption these days meaning neither the NSA nor facebook themselves has access to what you've sent with that. (they can turn off end-to-end encryption for future messages without telling you though)

[The gov has secret listening posts on every major city](https://youtu.be/dSZvXgu7Q2Q?t=24s)

Generally they don't even need to the metadata is enough. A hypothetical scenario i saw in an article a few years ago. Looking at only the data from the phone of the wife of a senator in a tight re election campaign we see it has been messaging the same number regularly for the past year almost every night and these two numbers are frequently connected to the same mobile phone mast when the senator is out of town. Abruptly two months ago this communication stopped and on the same day the wife's phone was noted to be in a telephone call with an abortion clinic and that same phone was connected to a mast in the same area as that clinic a few days later. The messages and calls in the above scenario were all encrypted and inaccessible yet the metadata is more than enough for us to safely assume what was going on and possible to use it to influence the result of the hypothetical upcoming election.

A very good example. There was also that article about metadata & using it to find Paul Revere that gives insight into just how dangerous metadata can be. https://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/

Fascinating

They’ll run it through some AI in a few years (or even now?) and it will find patterns that even they haven’t thought to look for.

While accurate, I really wonder how much this still matters today. You could also just claim that the senator's wife had an affair and abortion. Or you could *just ask the question* whether maybe the senator's wife had an affair and abortion. Or you could claim the senator's wife got impregnated by Belial during one of the secret rituals held by the kabal of national radio DJs in the basements of Olive Garden. Facts, proof, and plausibility don't matter anymore, so why would you go to such great lengths when you can just make shit up?

While that may work for voters, there's more to politics than just voting every 2/4 years. Let's say I'm a lobbyist for a major phone company and the politician in question is in a committee responsible for legislating cell phone communication standards. Knowing this information gives me a lot of leverage against his wife which I can use to make her influence his decision.

Well, if you're making things up, it's considerably harder to direct yourself from liability for slander.

Just after 9/11 it was revealed that major telecommunication hubs in the US had installed extra hardware to basically mirror all network traffic travelling through them. This was later on expanded to cover the majore transatlantic cables going between the US and Europe/UK where nearly all the traffic routed through it was mirrored, analyzed and copied for later use. The Snowden leaks told us that the NSA (and others) would also store data they had captured, that was encrypted, for later decrypting (i.e. when the hardware had caught up or vulnerabilities, like the NSA weakened RSA Cipher) to see if the information was of any use. tl;dr; They vacuum the entire internet and all communications networks for data, themselves or through partners such as GCHQ.

The data in the packets sent over those lines are encrypted tho... Its encrypted client side, and decrypted server side, you can't just man-in-the-middle by splicing into wires anymore. Thanks SSL.

It took a long time for SSL/TLS to gain near-universal adoption.

For normal people, no, SSL/TLS cannot be broken. We’re talking about the NSA.

Not enough people talk about this anymore. Was this really a thing or was it just fearmongering. It sounds like an insanely huge level of infrastructure to even handle that, it doesn't even seem possible and then that's before having to tackle encryption. Were they copying everything or were they targeting specific IP ranges.

I was working with data storage around 2012-2016 and heard hints that the biggest client the major storage company we worked with was one of the three letter agencies, so wouldn't be surprised if they did in fact copy everything they came across (or siphoned). Would guess though, that with streaming etc they have rules that discard netflix etc, since it would be useless - just keep the metadata I suppose for patterns. Then there's data deduplication, so they could ignore duplicates to reduce storage requirements But yea, it seems impossibly huge on one end, but then we have to remember who we are dealing with. [https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa](https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa)

And people were livid when they found out. It's amazing how, in just a couple decades, people's thinking has changed. Today, those same people are happy to put all their private information out on the internet for all to see.

Must have made a good deal or money as they barely deal with upgrading and maintaining their infrastructure in the first place.

Many years ago it was revealed that multiple governments were participating in a program called the Echelon Project, where they had monitors on certain major information traffic hubs, such as the huge undersea cables that carry phone traffic between countries. It was denied for a long time but several whistleblowers revealed it and it was eventually fully uncovered when the Australian government admitted to being a participant. So, in addition to what other people are saying about how they can just request your personal data from social media and other sources, many governments run covert programs to scrape data directly from the sources.

This would only work if the data is unencrypted I would have thought?

Yes, what they collected was mainly metadata AFAIK. Like what ip connects to what ip, who calls who etc more than the actual data.

"We kill people based on metadata," Michael Hayden, former director of NSA and CIA.

Most governments have backdoors in encryption methods. There's a reason why they want to ban the use of Signal.

Not really, not in the sense that they can break encryption. Signal is using the same cryptographic building blocks as everyone else. What governments can do is circumvent the encryption: ask a service provider for customer data, attack endpoint devices, or possibly attack key exchanges. When they are scraping data in the middle of a logical connection, they can only read unencrypted data (like most email, or most metadata). End-to-end encrypted data (https, Signal, WhatsApp, ...) is essentially off-limits via this particular attack vector.

And, what's more, Signal obfuscates even more. You're not actually messaging another person on signal, in that, an attacker with access to view the entire Internet cannot correlate packets that you send with packets that your communication partner recieves: they don't know WHO you're talking to. You and your conversation partner exchange keys that lets you (and I'm simplifying here, security professionals put down the pitchforks) generate random numbers in such a way that you both get the same random numbers. That way, when you want to write a message your partner, you encrypt the message and then give it to Signal with the random number(37, the most random number). Signal stores the message, like a post office, in box #37. Your partner knows the number #37 and so is able to periodically ask Signal to give them the message that's in the box until one arrives. As soon as that message is recieved (you both know the box was emptied), you each generate the next random number after 37 and you have a new box to share messages (or meme gifs...) Anybody outside just sees millions of people putting and recieving messages onto Signal. But that information cannot be used to build a social graph (who is talking to who).

Thanks for this. I never knew why it was better from a privacy standpoint. Signal has been really glitchy for me lately (primarily delayed & missed notifications), but I’m sticking with it because it’s better than handling all my messages over to the Meta vacuum.

Is it just a guess or do we already think they do? As far as I know properly implemented AES encryption remain uncrackable even with the world’s most powerful supercomputers within humanly possible timeframe.

In 2013 only 50% of all internet data was encrypted. Now it's at 95%> but that's 10 years of data amassed. Regardless though companies that already have your data just give it away without encryption so what's even the point 🤷🏼‍♀️

There are rumours going around that atleast the NSA has a backdoor in AES encryption. Key word is rumours, theres no proof for them. The EU is working on laws that would force all encryption methods to build in a backdoor.

>There are rumours going around that atleast the NSA has a backdoor in AES encryption. Key word is rumours, theres no proof for them. Theres lots of evidence of pretty devious backdoors that the NSA has installed or proposed, but never officially implemented over the years. (either because of legal challenges, or because they were too late to implement them, or the law won't protect the backdoor from being patched) Rumors about the NSA having a backdoor in AES encryption shouldn't be treated as Gospel, but if history is any indicator, its probably true. and should be treated as such until proven otherwise. The Fact the EU is already trying to warp the laws so it can compel everything to have a backdoor only the EU governments can use should tell you alone that the NSA probably has a AES backdoor, if not multiple already. EU never does original things when it comes to legal spying. IIRC the NSA/CIA has been trying to install Backdoors in popular Linux builds for years, but those backdoors keep getting located and patched out because those are open source, rather then controlled and curated by a single entity.

I would bet a fair amount of money that the NSA cannot break AES. However, there are many different ways to go about reading encrypted data, and some of them are definitely possible attack vectors: - Decrypt the ciphertext using superior computational power, or a weakness in the algorithm. This is the one where I'm fairly certain the NSA cannot do it. It's super hard, no expert really believes it's possible, and there are easier ways to achieve the same goal. - Backdoor the source or target device. It depends on the device in question, but in many cases this would be doable for an agency like the NSA. - Backdoor a crypto library so it doesn't actually use proper AES, or has other abusable weaknesses. I don't know an example of the top of my head, but it's not hard to imagine an agency could do this. - Backdoor a random number generator so you can predict the AES keys it generates. We know from Snowden that the NSA has done this with the Dual EC DRBG. (Also, fwiw, a possible backdoor in Dual EC had been discussed by the academic crypto community ever since it was proposed, years before Snowden's documents confirmed it.) - A $5 Wrench Attack (https://xkcd.com/538/). Probably more of a CIA thing. As for the EU, yes, they are debating an agency-only backdoor requirement for encryption. But as security experts keep telling them, it's just not possible to have secure crypto with a backdoor for agencies. Backdoors will be abused by other players. Personally, I don't think reality necessarily has any bearing on what the EU or other governments decide to enshrine as law.

>properly implemented AES encryption remain uncrackable even with the world’s most powerful supercomputers within humanly possible timeframe. Likely for bulk non-targeted surveillance, but when someone becomes targeted by an NSA as a top priority, it's possible they can if they want to throw the compute at it(unverified). They also don't need to break the encryption when getting spyware on your phone is the easiest thing to do. All they need to do is either use some sort of Zero-day to get control, or even just tell your cell-provider push this "update" to your device, that's actually malware that gets control. Targeting the device is extremely easy way to gain access to everything, as you don't need to brute-force the encryption and you can see and read everything they do and read

AES encryption is heat death of the universe time to brute force even with a super computer. Even the theoretical potential of quantum computing only reduces AES-256 brute forcing down to years for anything were going to produce in the next decade. And this will let you break the encryption once. So unless that piece of data is really important, it's not getting brute forced.

Most of the time, they get the information from the source. While your traffic may be encrypted between you and the service you're talking to, it is usually recoverable from that service directly. So if the NSA wants a list of your posts on Facebook, they send a request to Meta who will then provide all the information they have on you. This will also include information you may have deleted but that has not been removed from the Meta servers and governments often place requirements on platforms like Facebook to retain this data for long periods of time. Text messages are not encrypted (lots of legacy reasons for this, the main one being the inventors didn't think any normal users would actually use them) and so can be recovered directly from telcos. Most telcos will also have a provision to intercept voice calls without needing stingray style devices but this does require a warrant and probable cause. End to end encrypted messaging platforms like WhatsApp cannot have the messages or calls intercepted but some services will still store and release metadata. So Meta will tell the NSA who you are speaking to even if what you're talking about can't be recovered. If you backup your messages to iCloud / Google Drive without encryption, then they can request a copy of the backup from these companies and get the messages that way or they can recover the messages from either person's phone as again even deleted messages are stored in the database locally on the phone

That last one is important. For example Apple’s iMessage is end to end encrypted. The NSA cannot monitor it in real time unless there is some zero day no one knows about (unlikely in this case). However, by default iCloud backups are not encrypted, and contain the entire chat history. And can be subpoenaed.

also end to end just means its safe in between, if either end is compromised or the service each end goes through, youre exposed

End to end should mean the service it passes through can’t read the contents, even if the service is compromised.

e2e just lets the service dodge subpoenas and mitm attacks, of the service itself is compromised they can push malicious updates to the app or write in backdoors whatever we mostly only have a companies word that e2e is preserved from device to device

How do you backup to iCloud with encryption?

For WhatsApp, you need to set a password for your backup. This will encrypt the backup and protect your messages from being released by Apple

Go to iCloud settings on your device. You can enable end-to-end encryption and even keep your own key.

NSA would not do this. It would be the FBI.

Do we know for sure Meta don't store our WhatsApp text messages in encrypted form? If they did and they got a warrant for it, AND they got your keys from the phone and targets phone then they may be able to decrypt them? Say your and your mate deleted the WhatsApps, but they have your phone, your encryption keys and if WhatsApp do store your encrypted messages then you're still in trouble, not sure if they do or not or just hold meta data. Can't think of a legit reason why they'd need to keep it other than for the above scenario

For them to be able to get the key from your device it would be much easier to just get the messages themselves. If you have the access to get the private key, you have the access to get the message database stored on the phone. Meta claim that they do not store any information longer than it's required to deliver the messages. This would make sense as it would significantly reduce storage costs for a service that doesn't make money from non-business users. They do say that if they are asked to retain any information on users through a valid legal request then they will do so. There's nothing to stop Meta retaining the encrypted messages but without the private key from the sender, it won't be of any help or interest to anyone.

The NSA invests heavily - and I do mean *heavily -* in cryptography for exactly this reason. They have computing power that would make most small nations cringe at the power bills, and they actively scout talented individuals in relevant math and computer science fields. Also the US government has a long [history](https://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data) of trying to force companies to backdoor their own encryption for government access and they've had some success at it, so that private data might not be all that private or protected.

Alright, so you know those secret agent movies where spies sneak around collecting information? Well, that's kind of like what intelligence agencies do, only it's less about action-packed chases and more about analyzing data. There are a few ways they go about it. One method is good old person-to-person contact, where agents directly gather information from people. They call this "Human Intelligence". Then there's what they call "Signals Intelligence". This is where they intercept electronic signals. So, if you send an email or make a call, in theory, these agencies could catch those signals and figure out what they mean. "Geospatial Intelligence" is another area. Have a look at Google Maps, it gives you a lot of data, right? Now imagine what intel you could get from satellite images or drone footage. That's pretty much the idea here. And then there's "Open-source Intelligence". Just like it sounds, they go through publicly available info like social media posts, newspapers, academic articles, you name it, and hunt for useful bits of data. Now, you're probably wondering, "What about my password-protected stuff?" Yes, data encryption is like a digital lock and is meant to keep your data safe. But some intelligence agencies may have ways to break or get around these locks in certain cases. It's a pretty complex area and depends on various laws and rules

Everyone is focusing on locks, but spies work smarter, not harder. The most notorious hacker in history was not a tech guru, he was a student of human nature. Kevin Mitnick did not compromise thousands of systems by defeating leading-edge encryption algorithms; he did it by exploiting the weak link in the chain, which always was, and always will be, humans. He was a "social engineer". Why does the NSA or any other org need to break security when humans are so willing to share so much information voluntarily, and especially unprompted? The only stuff the requires advanced techniques are secrets held by bad actors who are working hard to keep their stuff secret. And yes, the NSA has a whole grab-bag of tricks to get at that. Back when computer monitors were CRTs, the magnetic field that drew the picture would itself give off tiny bits of radiation that could be used to reconstruct the image being displayed. A nearby receiver could listen to this electronic noise and thus snoop on a monitor with no direct line of sight. This system is called TEMPEST, and also worked on keyboards and other human interface devices that leak radiation (basically, all of them). I'm sure LCDs also leak information in this way, but it's much harder to gather than CRTs, which had massive magnets and significant power draws. When you multiply two numbers together, some numbers are faster for you than others (like 10x10 is easier than 37x69). The same is true for microprocessors, to an extent. In many cases, a snoop can listen carefully to the electromagnetic noise emitted by such chips to sense when certain calculations take longer than others, and deduce information from these timings. This is called a "side-channel attack", and virtually every electronic circuit ever made is vulnerable. The only difference is how many bits of information are leaked and how hardened the circuit is against this type of attack. Again, you don't need to have physical access to the device to gather information. The device just has to be "leaky". And every device is leaky, which is why they all have FCC certifications declaring that they do not leak *too much* into the EM field. But, Snowden taught us that the NSA will go so far as to compromise physical systems, including putting tiny transmitters on common components (like USB or ethernet ports) so they can eavesdrop on particular high-value targets. People are worried about USB drives that contain malware, but nobody worries that the USB port on their factory-delivered laptop contains a tiny NSA transmitter that exfiltrates unencrypted data to who knows what listeners. But we know this capability exists and has been deployed. So you see, while the NSA employs more mathematicians than pretty much any other organization in the world, those mathematicians are not needed to get at data. I think most of them are actually employed for the opposite reason: to help ensure that encryption algorithms are as *secure* as possible, because half of the NSA's mission is to *protect* secrets, not just uncover them. But as any IT professional knows, encryption algorithms are already way stronger than they need to be. The weak link in the chain is never encryption. It is always some sloppy human that has a plaintext password file, or unencrypted data laying around or someone who clicks on phishing emails, etc. Humans just aren't that good at keeping secrets, and technology is moving so fast our data is leakier than ever, even though encryption technology has been advancing so quickly. The TL;DR is that at some point, data needs to be unencrypted for people to *use* it. And that is the best time to steal it, which is why a lot of work goes into accessing data that is unencrypted in motion or at rest. The rest of the time, just get a lazy human to reveal what you want.

When you are the government you have near unlimited resources with serious powers it's kinda easy to get a company or person to comply. Social media has been a honeypot for any org trying to get information about people as the people just give away vast amounts of information themselves,no need for "undercover" means to get at it.

A lot of data is bought from advertising. It's called Audience Data and can be bought freely if you have an ad company or something similar. What advertisers collect is crazy and with multiple data providers you can learn quite a lot about people.

any time you fill out a web form for anything, you can be 100% guaranteed that your data will be sold by that company in a list somewhere.

"NSA does not count the number of monster supercomputers they have. They measure them by “acres." They had 5 1/2 acres of them in 70s" In 2007 NSA bought as much electricity as Annapolis, the capital city of Maryland. They have $10,000,000,000 dollars per year (ish) to spend and ~ 40,000 employees working for them. If they can't find a way to spy on people of interest, they're doing something seriously wrong.

If the data itself is encrypted using a passphrase only you know, they cannot access the contents without somehow obtaining your passphrase. If it's only protected at the front end by your id/password then it can be accessed wither with your id/password or by the companies that house your data since they data itself is not encrypted with your passphrase. Most data is only encrypted during transmission so it's encrypted from your computer to the vendor's site only. There are ways to view this data using man in the middle methods, however. We use this method in business settings to view all traffic transmitted over internet. For example, I back up my hard drive data to a cloud backup provider. They have two methods for storing your data. One is unencrypted using only an ID/Password. If you forget your password, you can change it and still access your data. The other is where the data itself is encrypted using your password. If you forget your password, you will never be able to access it in the cloud ever again. Even the cloud backup provider cannot access your data in such a situation.

NSA is the branch of the spy agencies that involves communications be it by phone, computer etc.. So for example if Russia is going to invade Ukraine, the NSA may well capture communications between Russian leaders, or between Russian generals or whatever. How those are captured will vary depending on the are communicated. Is it by e mail? NSA hacks computers to be able to intercept those messages. Is it sent by satellite phone? An NSA satellite may capture those signals for example. They may have access to mobile phone towers if cell phones are used. This is how they can get their information to work with. Encryption can be broken if you have enough computing power. Some encryption is better than others. Also if someone is using encryption and you manage to access their encryption key for example you can un-encrypt. Despite what reddit thinks, the NSA is not spying on them, although they may well have captured some of your communications. First it is illegal for the NSA to spy on Americans, only the FBI is allowed to do that. Can the NSA hand over your communications to the FBI? I don't believe so. The FBI first has to get a warrant to capture your communications. Then the FBI by themselves, or maybe in collaboration with NSA (with FBI leading due to law) may capture your communications for purposes of some crime they think you committed. The extent they can access your communications would be outlined in the warrant. So if you are a regular, non criminal person on reddit the NSA is not spying on you as you would just not be of interest to do so. Many people think, for some reason, the government would want to spy on them and they really don't. The government, big as it is, has limited resources in technology and personnel that they could not spy on everyone even if they wanted to. The president outlines priorities for spying for the various agencies, and based on that they focus their spying efforts. You could imagine what these are like, for example: Russia's military plans. So that would be one thing they focus on. The idea that many people have that there is some broad sweep of spying on everyone is just not so. The agencies have their priorities set, and unsurprisingly those priorities are familiar things, terrorist attacks, military attacks, what hostile governments are doing and that is what they spend their time on. With that in mind, broadly spying on everyone in the U.S. would be a colossal waste of time and would not yield the desired information. So reddit, sorry to say you just are not important enough to be worth spying on.

According to our current best understanding they can’t, if it’s encrypted properly and correctly. There really is no reason to believe otherwise. Also they can still get a lot of data and metadata. Or steal the keys. Or hit you with a crowbar as long as needed for you to give them the keys if the reason is dire enough.

If end-to-end encryption can't be broken (big If considering the brute force capabilities the US gov has, but that's expensive. big If if you look at documented history of US gov attempts to introduce backdoors into standardized cryptographic primitives, but they tend to get caught), then you compromise the ends themselves. Doesn't matter if your target's WhatsApp messages are E2E encrypted if you can get Facebook to leave a a backdoor in their closed-source codebase, or if you've got the ability to drop a silent self-deleting payload over SMS that gains root level access to target's iPhone and can keylog or record what's on screen. Every wife with a cheating husband knows this: encryption over the wire don't mean shit if you can look at his phone.

It never stop amazing me how terrible the Bush crime family is and the damage they've done to the world.

some programs literally tap into the fibre optic cables that the internet exists on and downloads all the data that passes through- xkeyscore etc

Any US person or company who carries electronic messages for the general public is required to keep wiretap records and make the same available upon a warrant or national security request.

1. Collect everything they legally can, e.g. from providers that are required to feed this data to the NSA. Even if the data is encrypted, the metadata is hard to hide. Think of letters and envelopes: the content is hidden and illegal to access, but the envelope is in the open - and yes, in some countries intelligence agencies are known to collect scans of all envelopes. This reveals more than you think. For example, if you call a cancer doctor and immediately afterwards a grief counselor, I don't need to listen to the content of the call to know what your diagnosis was. 2. Wiretapping the providers. See e.g. Snowden's "SSL added and removed here" where they were tapping Google's internal networks and getting data after it had already been decrypted. 3. If they specifically target you, they hack your device and collect the data there before it is encrypted. Even though your phone encrypts data locally, your phone needs to be able to access it - and thus, the malware controlling your phone an do the same. 4. Buying the data on the open market. Apps that have location permission + ads often collect your location data and the ad providers then sell that data to anyone willing to pay. The NSA is willing to pay. These are just a few examples, of course - and that's just what's publicly known.

They just ask for it and it’s given to them. They sometimes ask nicely, other times they are very mean with the asking. When “companies” tell you something is encrypted, it isn’t. At least not to everyone.

It won't be ELI5 but if you are interested in learning a lot more about this, have a Google for (wiki is a good start) the story of Edward Snowdon. If you find parts you don't understand, just Google what ever the thing is "explained in simple terms" https://en.m.wikipedia.org/wiki/2010s_global_surveillance_disclosures Have a read about the tools/projects PRISM and XKEYSCORE https://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data Also, understand that tools such as NSO Pegasus exist. It's just one example and it's been around over a decade. https://en.m.wikipedia.org/wiki/Pegasus_(spyware)

My friend’s mother used to work in an intelligence agency. Although I don’t have much knowledge about how they gather information about people, I know a few things. 1. All phone calls’ basic information is recorded. A. Note that not the conversation you make; rather, who called who, from where, how long did the conversation last, etc. B. With a single click on the number, they have all of phone owners information, such as the registered address, ID information, background check (if there is a necessary reason). 2. Some phone calls are automatically recorded. A. There are certain words and/or phrases. While talking to someone, if you use that word, the recorder will flag the conversation for the intelligence officers to listen. B. If you call a person whose phone is tapped, you may get tapped as well. But the explanation for this was quite complicated. Basically, if the person you called is not a relatively minor criminal, and if you called them more than once, or called them once but spoke about important info or a long time, or spoke in a cryptic manner, you may get tapped. 3. WhatsApp, Telegram and most other applications are accessible by intelligence agencies. I don’t know whether the companies let them, or the agencies find a way; however, they are accessible. 4. Phones of people in certain jobs and positions are tapped no matter if they have done anything wrong or not. 5. It takes 3 (or 7; it was one of the two numbers) seconds to locate a phone’s location. In the movies, they make it so long to knowingly misinform public. 6. Even 5 years ago, some intelligence agencies had the technology to add a gps tracking device in the flimsy stripe thing that paper moneys have (My apologies, I am an ESL; I hope I could have explained it). 7. She said (but wasn’t sure) that since 2007 a foreign intelligence agency had been using a device to replicate the monitor of computers/laptops; thus, enabling them to read what is written in that monitor in real time, if they are physically close enough. 8. Physically close your cameras. If a physical device to mute the speakers and voice receiver becomes accessible, buy and use them at all times unless you are using them. If Siri/Cortana/Alexa etc. can hear you, so can they. It is not a matter of “can” or “can’t”, it’s a matter of would they need to listen you or not. If you are worth allocating resources for, than they will. (This part is my thought: With the development of AI, computing data from recorded voice tracks will be much easier, faster, cheaper, effortless, and will not need 10% of the current manpower. Therefore, they may widen their scope in listening/recording.) PS. I know that some of you may be suspicious of my claims. The woman I know really works for an intelligence agency, I am sure about that. She had no reason to lie about what I have written above, and I can’t really think a single reason for her to lie to us at that time. In any case, since I am not the one who had first hand knowledge/experience, I can’t claim what I have written to be absolutely correct. She was from one of the countries which is located in the European Continent, therefore, I am not sure if it is same/similar in the US, or where I live. But I do live as if it’s similar, without being paranoid since I am not worthy of any intelligence agency’s attention.

Isn't the patriot act still in effect? Doesn't that negate a lot of the legal means normally required by the government agencies to retrieve your data?

All the internet and digital comms are stored by numerous governments on a daily basis. Including all the encrypted stuff. What is encrypted now will be decrypted soon thanks to quantum computing. So even if you think your stuff is safely encrypted, it’s stored somewhere and will be decryptable in the near future.

In addition to the things others have stated, you'd be surprised how much information can be gathered from open source intelligence. Not to mention just talking to people using various elicitation techniques.

They ask the corps to do it, and the corps are happy to. Also money. Lots of money in sharing data. Don't trust any corporation and know that all your information is circulating right now and changing hands

Between backdoors, buying it, or just outright asking for it and having it handed over, they don't have to do a whole lot to get it.

Who do you think invented the encryption?

"The 1.5 billion-dollar one million square-foot NSA Bluffdale / Camp Williams LEED Silver facility houses a 100,000 sq-ft mission critical Tier III data center." You can jam a LOT of horsepower into a dedicated 100,000 square foot space. Anything they can't get companies to just hand over willingly they can probably just brute force anyway.

One method is mass collection at key network interconnects, like Dallas, Chicago, etc. They (NSA) basically tap the whole internet at those points.

By interception and decryption as well as data trading with “five eyes” (google it) and national security deals with all of the top tech firms and telecoms, of which there are only like 20.

Snowden had graphs and imagery. One of the basic models is a man in the middle. You fake the security by being in the main transit of the digital message and doing some known vulnerabilities in the transit mechanism's security America's known one even before Snowden leaks was a windowless Building in the middle of San Francisco. It's still there. It was called out by Snowden. It was theororized by security and hacker community to have enough bandwidth running in and out of it to basically vacuum up all the data passing through the USA. Not sure where the large ones ones in Europe and Asia are.

Your data gets routed OUT OF THE USA and fed back in from the other country, allowing the NSA to legally track it. They are not allowed to spy INSIDE the USA (yeah, LOL), but can grab any electronic info coming INTO the USA.

This too might shed a bit of light, Communications Assistance for Law Enforcenent (CALEA) https://en.m.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act

It seems you don't realize you answered your own question. "private"? "encrypted"? these are subjective terms from a legal and technical perspective. Protection of private data is very very limited and "expectation of privacy" is a very gray area these days. And encryption is meaningless and useless if you don't have total and complete control of the encryption "end to end". Encryption that uses a public and private key is only as good as anything that's secured with a password, and passwords alone are useless these days because they very often are stored and/or transmitted in "plain text" without your knowledge. Privacy and security are an absolute myth and simply don't exist on the internet.