they are mostly interested in the header also they only need to log unique payload data, and they can ignore encrypted stuff unless they think they will ever be able to break it. Most traffic is non-unique. It would be a total waste to keep a copy of the traffic flow of a thousand different people downloading a movie when they could just keep one copy of the movie the first (unique) time they see it, and then use a reference to it all other times. almost every security pro I have heard talk on this matter fall into one of two camps in their opinion on this. Camp A thinks that NSA logs all traffic into and out of the country but not all the traffic that stays within the country. I have found some evidence to corroborate this but it was nothing solid, some legal analysis of anonymity on the internet that referenced the NSA as monitoring all traffic into and out of the USA but it was written by lawyers not security people. Camp B thinks NSA logs roughly one out of every ten thousand packets through IXs, which would include a substantial number of international packets (but not entire flows) and substantially less intranational traffic since a lot of that doesn't go through IXes but stays within the AS. This would be called sampling, and it is still enough to do a lot of signals intelligence analysis with. I can't find anything solid on this, but there are several papers in anonymity literature that describe attackers with such capability, and many of them probably think NSA is such an attacker. also of interest: https://www.eff.org/issues/nsa-spying this paper also has interesting information in it, at least some of which is true, despite having at least one less than reputable author (I hear he had little to do with it actually) http://www.blackhat.com/presentations/bh-usa-09/TOPLETZ/BHUSA09-Topletz-GlobalSpying-PAPER.pdf this paper talks about sampling traffic and has very credible authors : http://freehaven.net/anonbib/cache/murdoch-pet2007.pdf Every security person whose opinion I respect thinks that NSA logs more traffic that enters or leaves USA than they log traffic that stays withing the USA, they just differ on if they log all international traffic from/to USA or only sample it (which would still be enough to do a lot with)