I agree - securing one's privacy is an incredibly important problem. That said, none of the leaks show any technology that wasn't publicly known beforehand (e.g.: packet sniffing, man-in-the-middle attacks, stored personal records obtained from internet/telecommunications companies, etc.). The fact that these are used on a much larger scale might be surprising to some, but not novel. We've known for a long time that large, well-funded intelligence organizations operate on a much larger scale than any lone or small group of hackers could. If you worry about your privacy on the internet, the solutions to these problems were known beforehand (e.g.: encrypt your traffic, authenticate those you communicate with, limit personal data stored in the cloud, etc.).

Claiming that the NSA is an active threat to the privacy of Americans without the evidence to back it up is counter-productive. Schneier himself has written quite a bit about the importance of properly identifying your threats in the process of establishing good security. I guarantee that spokeo.com and similar sites have more dossiers on Americans that the NSA does, and I'd be willing to bet that information from those sites have been used more frequently for nefarious purposes against ordinary citizens. The NSA has the capability to target you - this leads to overblown articles making the leap from "the NSA collects massive amounts of metadata" to "the NSA collects massive amounts of American's metadata", incendiary discussion forums calling for the immediate shutdown of the NSA, imprisonment of top NSA officials, fear mongering about the NSA brought up in situations that have nothing to do surveillance, etc. What they don't have is the motive (seeing as how they're an agency charged with the gathering of foreign intelligence) or legal authority to spy on Americans. The evidence stating that they are actively spying on Americans just isn't there. Until credible evidence shows that NSA is invading the privacy of ordinary people, I'm going to worry about the credible threats.

It creeps me out that I can Google my name and find 6 different websites willing to sell me my current and previous addresses, e-mail address, phone numbers, names of family members, etc. that they harvested from public records; it bothers me that anyone with a Pineapple device can trick my cell phone into connecting to actively hostile network if I forget to turn off the Wifi; it bothers me that I can turn on Collusion in Firefox and see that my browsing activity is reported to 40 different companies across every web page I surf to unless I turn off Javascript and frequently delete all of my cookies; it scares me that I get spam e-mail sent from the compromised accounts of people I know personally that tries to redirect me to malicious web sites; two years ago someone got my debit card number and pulled a little over $2000 out of a bank in Shenzhen - I worry about the security of sites I purchase from over the internet, which ATMs I draw from, what that waiter is doing when he disappears after I hand him my card. I consider myself a pretty paranoid person. At this point I don't feel threatened by the NSA (if I worked for a foreign government I would probably have a different opinion).

I'm going to continue using every reasonable means to protect the privacy and integrity of data. I'm not going to do it because of the NSA - I'm going to do it because the internet is a security nightmare, and there are lots of people out there who would do lots of things to my data without any regard to my well being.

Out of all the threats you mentioned, the NSA is the only one that can imprison me if it decides I've done something it doesn't like. The worst part is that the data they're collecting can be used retroactively X years down the line if the government so chooses to. And this herein lies the danger. You may trust your government now to use the information they gather legitimately, but do you trust it indefinitely? You shouldn't in principle, even ignoring all the practical reasons that the government has shown itself incapable of using such power only for good.

BTW, it has been revealed that the government stores information indiscriminately; but only through a court order or some other "probably cause" will they actively search the records of an American communicating with another American. This information is also stored for X amount of years (i've heard various years cited, from 2 to 10). Using encryption also flags your communication as "potentially foreign" and thus open to analysis. It was also unclear from the articles I've read whether internet metadata is covered under privacy laws. Massive amounts of information regarding individuals can be mined from just web addresses. So yes, Americans are targeted in the laymen sense of the word. Sure, the NSA has legalese that they use to justify how their actions don't target Americans, but its pretty transparent.

So yeah, go ahead and worry about the threat of someone finding an old address of yours. I'll continue to worry about the orwellian surveillance state that is being constructed right before our eyes.

The NSA is not a law-enforcement agency. Unless we find credible evidence otherwise, I'm going to continue operating under the assumption that there is no click-here-to-send-this-person-to-jail button at the NSA. To be handed a jail sentence as a result of NSA spying, the process looks more like this: - NSA analyst stumbles across you, most likely in the course of pursuing a foreign intelligence target, but maybe as part of a vast domestic spying program as some believe (I haven't seen enough credible evidence to believe this)

- NSA analyst finds credible evidence within that collection to suggest that you were engaged in criminal activity

- NSA is able to convince the FBI (or other legitimate law enforcement agency) that you were engaged in criminal activty

- The FBI opens an investigation into you; if preliminary investigation yields suspicion, they request a warrant from a judge to gather more information

- If the FBI finds sufficient evidence of a crime, they obtain a warrant for your arrest and detain you for trial

- Evidence independently obtained by the FBI is presented to a jury of your peers. As of yet, there's no precedent for admitting evidence by the NSA. To the court it's the equivalent of an anonymous tip, and the NSA has a history of not wanting to reveal its sources and methods anyways.

- A jury of your peers decides whether or not you are guilty of a crime. A judge sentences you.

So yes, you can get sent to prison based on NSA spying. It's a long process with independent review by multiple parties. I'll be very concerned regarding this process if the first step is broken, which is what everyone is up in arms over. I don't see the evidence yet that this step is broken, or even applicable in most cases [1].

Why am I afraid of people getting my addresses, phone numbers, etc.? My wife testified to put a violent man in prison some years ago. As a result, I have more concern than most that there are people who would want to do my family harm. I don't like that $15 will tell you where my wife, kids and I sleep at night or give contact information to harass us. Old information would allow someone to take out a line of credit in my name, leaving me to sort out the financial mess. Other people I know in legal and law enforcement positions are accutely aware of the threat of being retaliated against outside the courts for perceived wrongs.

[1] I have to run to work, and I'd be insulting your argument if I just left it at that - I'll write up an explanation of my views on the Section 215 collect when I get home. I appreciate the discussion - thank you for actually giving thoughtful answer rather than just a snide remark dismissing me.

My apologies for not getting back to you two days ago when I originally said I would - a close family member was in car accident and that took precedence over commenting on HN. That said, here's the response I promised:

You bring up a good point with regards to data retention. There's no way for me to know that 10 years down the line, the government won't devolve into some totalitarian nightmare and use that data they collected indiscriminately against me for nefarious purposes. I'd like to point out that this issue exists regardless of who controls the data. Data that, for example, Google collects on me now could be used against me 10 years down the line - maybe they start selling the data to credit bureaus or insurance agencies; maybe they get hacked and I end up getting my identity stolen or blackmailed or just plain robbed; maybe someone working for Google just decides that they don't like me and wants to make my life a living hell. The issue of having your confidence betrayed and privacy lost apply to every company you deal with, every company those companies deal with, etc., not just the NSA. I've never seen a website that posted its data retention policy, and even if it did I have no way of verifying that they follow it.

Based on Snowden's leaks, declassified court documents and public statements, we know that the NSA has some sort of internal compliance department to catalogue every time they screw up and collect against legally protected communication, they receive some degree of oversight from the DoJ and FISC, and they're at least supposed to be sending semi-annual compliance reports to the intelligence committees in Congress. The same can't be said for the millions of internet sites that collect our data. Maybe that's not enough oversight for the NSA - I won't argue with that. The NSA derives its legal authority to collect from the laws passed by elected representatives in Congress. If you don't like the fact that the NSA collects this data, write to your representatives and ask for them to revise or repeals the laws. If you think the collection may be vital to national security but are concerned about its misuse, call for more independent oversight with more transparency. I have absolutely no problem with you doing that, so long as you do so using informed opinions based on concrete evidence.

This gets back to the original argument that jonnybgood was making and I was defending: most of the articles that appear regarding the NSA are overhyped with a healthy dose of fear mongering. Articles that would be more accurately titled something like "The NSA collects vast amounts of data using X" instead are presented as "The NSA collects vast amounts of Americans' data using X". They conflate collection authorities and present it as fact to the audience. For example, the NSA is permitted by law (under certain interpretations - the EFF is looking to challenge this in court) to collect American cell phone metadata under Section 215, but is expressly forbidden from collecting American data under FAA 702 authorities. Leaked slides show that the PRISM program is their mechanism for collecting FAA 702 data. Any article claiming that the NSA is collecting such-and-such data against Americans but then goes on to cite PRISM as evidence is conflating the evidence. By presenting flawed or hyped up analysis to the public, all they do is stir up hype, anger, fear and distrust in the government.