But it does indicate the level of attention they can provide.
As others have pointed out too - there may be piles of information stored away in various databases around the government, but unless you really bubble to the top of their kettle of fish, they will not have the time or energy to seriously examine your activities. (I imagine a humorous NSA-is-after-me movie where a dyslexic terrorist keeps dialing Joe Schmoe because his cell phone number is same as another terrorist, but with two of the numbers reversed)
Plus, how accessible are those databases? Let’s pick on Facebook. You and I can’t see details of someone’s life unless Facebook makes a programming error or the person fails to hide their details. So, exhibitionists and tech-illiterate are more at risk. For the private parts, the hidden details (like which IP did you post from?) presumably that data is accessible by the internal staff; so then we have to ask ourselves - what level of access would our favorite TLA (Three Letter Acronym) government agency have to this?
Options: Does the NSA or FBI have automatic entry to the database and all the details, their own private VPN into the database? Do the sysadmins respond to simple queries from them? Do the company brass make all requests go through the lawyers and only hand out things that pass the smell test or comply with the law?(Do you then need to put a gag order on such warrants?) Do they maybe have moles or “friends” who bypass formal channels?
The one thing I’m going to guess is that it’s not like Hollywood, where some guy sitting at home can login (somehow!) and read everything they want. Plus, serious formal databases have activity tracking logs and other access controls and logs up the wazoo, and people whose job it is to look at them.
And that’s just one database. What about the rest? Do you think the NSA has a hook into the Walmart online shopping database, or Uber, or AirBnB? Is there one central “Visa” database or does each bank handle its own? Do FICO databases list your credit card numbers, or is that a chain to be followed (and how accurate are credit reports?) I see it analogous to the Law & Order scenes, where after the crime, they go down the street looking for businesses that have security cameras to review - there’s no central repository of that information like 1984’s monitors.
So again - if you come to the attention of the authorities, there is probably a lot of data that they can dig up. But they have to be sufficiently motivated to dig, and likely only dig the areas that concern the situation under review.
Enough NSA employees used the vast intelligence apparatus to stalk their ex-lovers and spouses that NSA management coined a special term for this: LOVEINT, a play on spy lingo for signals intelligence (SIGINT) and human intelligence (HUMINT). This was documented in The Wall Street Journal Aug 23, 2013.
Through PRISM, the NSA had extensive access to Facebook databases: PRISM - Wikipedia
The article in The Wall Street Journal on August 23, 2013 says that there have been a handful of cases of so-called LOVEINT in the past decade. An article in Slate on August 27, 2013 says that there has been 12 cases since 2003. So it appears from these articles that there is around one case a year. The articles seemed to say that anyone who did this at least lost their clearance.
I recall reading (sorry no cite) that they started asking newbies to snoop on spouses/SO’s as training, almost like a medical student might use his spouse as a guinea pig for something, and, well they found out more than they bargained for.
So, subsidizing tech companies with black-ops money. This may work for the A-list databases, my point is that there are dozens if not hundreds of diverse databases, which may or may not require serious cooperation to access; and then perhaps serious programming to mine sufficiently.
For example, I recently ordered something from B&H Photo in New York. How accessible is their database unless the proper request comes through the right channels. To avoid customs clearing hassles, I have stuff shipped to an address just across the border, and pick it up when I drive across. Maybe they could access the Fed-Ex database, but it’s not my address; I might even use an assumed name. Maybe they can access the Visa database, but what if I were really a terrorist and chose to use pre-paid gift cards? (And I’m a legit NSA target, being Canadian…)
The question of course is what sort of credentials and request are needed to share that data? If it comes from the uniformed police, possibly with a warrant, it may actually be easier than some shady character approaching the VP or IT manager and asking for a major data dump. In fact, if such an informal breach is discovered and the manager can’t prove it was the NSA or FBI (“I don’t know, it was some guy with a cheap suit and bad shoes - I call the number on the card and get a busy signal”) then the company must divulge to anyone whose data may have been compromised…
Unless you are sending a paper letter to B&H, that order likely flowed over an internet backbone. The NSA has optical taps on all key internet backbones and intercept much of the data flowing across those. This was authorized under section 702 of the 2008 FISA Amendments Act. If that traffic uses end-to-end encryption (e.g, HTTPS) it can be difficult to decrypt.
The PATRIOT Act, subsequent FISC rulings and other minimization rule changes enable the FBI, the NSA, and the CIA to share unredacted information about Americans.
There are some limitations on use of intelligence gathered by NSA but these are procedural, not technical. According to the New York Times Aug 3, 2013, the DEA, Secret Service, and DHS are clamoring for access to this data for their own investigations of drug use, tax evasion, and copyright infringement. Nobody knows the exact state of the current access.
The Civil Liberties Protection Officer at the Office of the Director of National Intelligence, who is the congressionally-established watchdog charged with investigating these sorts of things, wrote an article on Lawfare today that has some interesting information on just this question.
So the “state of current access” of law enforcement to tap certain communication intercepts for criminal investigations, as far as 2016 goes, was one.