NSA Hype Machine

Is Edward Snowden exposing the NSA -- or just buying its sales pitch?


Maybe Edward Snowden wasn’t such a blowhard, after all. When the NSA leaker insisted that low-level employees like him could spy on just about anyone, administration officials and NSA supporters in Congress were quick to call him an embellisher, if not an outright liar. But a pair of classified disclosures on Wednesday — one authorized by government officials, the other most certainly not — lend some credence to Snowden’s claims. They don’t clearly demonstrate that Snowden was right, but they don’t exactly rule out that an analyst could use the powerful tool to spy on Americans without proper authority.

A U.S. intelligence official offered a competing explanation of the documents, however: that America’s electronic eavesdropping giant was itself the exaggerator. The documents that were released today? At least one of them looks like a NSA marketing brochure — an attempt to make the agency look like a better spy than it actually was.

The biggest news of the day came courtesy of the Guardian and its most productive source, Snowden. The newspaper published a 32-slide presentation on an NSA data analysis tool called XKeyscore. The tool is analogous to an intake valve or filter. It makes a first pass of the phone records, emails, and other electronic data NSA collects and then directs information into more discretely organized databases for storage, analysis, and retrieval.

The presentation was apparently created in early 2008, and it may be out of date given the rapid evolution of technology. But it describes XKeyscore operating on a massive network of more than 700 servers, snatching up electronic data from approximately 150 NSA sites on six continents. XKeyscore is collecting so much information, the presentation shows, that it can only hold onto it for a few days before the tool’s databases reach their storage capacity.

Snowden has claimed that as an NSA contractor, he had the ability to order surveillance and spy on anyone he chose. This was among his boldest claims and the one most hotly refuted by administration officials and NSA’s supporters in Congress. The XKeyscore presentation doesn’t clearly demonstrate that Snowden was right, but it doesn’t rule out that the tool could be employed by a rogue analyst or someone operating beyond the constraints of the law.

Whether the system is being used to spy on U.S. citizens and residents depends on the legal safeguards that are in place, according to a former intelligence analyst who is experienced in using NSA tools. Technologically, there is nothing impeding an analyst from using XKeyscore, or other data mining programs, from looking at a U.S. citizen’s email or phone records. What matters is whether there’s a compliance and auditing process for ensuring that analysts aren’t exceeding their authorities. And there is no indication what, if any, controls are in place for the analysts using XKeyscore.

Under current law, the content of a U.S. person’s communications cannot be accessed, under any circumstances, without a warrant. But metadata such as phone logs and the "to" and "from" lines of an email, is not subject to the same standards. XKeyscore appears to collect and analyze metadata, and the presentation gives examples of finding this information in foreign countries.

Outside of the bulk collection of phone records authorized by the Patriot Act, relatively little is known about what metadata the NSA is collecting under other programs and with tools like XKeyscore and others that haven’t been disclosed.

Intelligence and law enforcement officials were at pains today in a hearing before the Senate Judiciary Committee to emphasize that Americans’ content was not being accessed under this specific bulk phone records program. They didn’t mention whether such surveillance was accomplished by using other programs or tools.

The officials’ comments were narrowly tailored, and lawmakers seemed mostly interested in ensuring that the NSA was not listening to Americans’ phone calls without warrants. Sen. Patrick Leahy, the committee chairman, asked for a report on whether the NSA was searching the history of individuals’ Web searches, as the Guardian reported today.

The XKeyscore presentation does offer some insights into how the NSA goes about finding suspected terrorists by their digital footprints. In a sort of "how to" guide, it advises analysts to "look for anomalous events" among the transactions and records that XKeyscore is scanning. "E.g. someone whose language is out of place for the region they are in," "Someone who is using encryption," and "Someone searching the Web for suspicious stuff."

Such broad and amorphous guidelines suggest that XKeyscore gives analysts broad access to information from around the world about many people who are certainly not terrorists or their associates. And the presentation’s boastful tone, which reads more like a marketing document than a technical manual, appears designed to convince users that XKeyscore can solve their most vexing intelligence problems.

The document claims that XKeyscore could find "all the encrypted word documents from Iran," or all instances of the encryption technology PGP being used in that country. Encrypted message traffic might well be of interest to U.S. intelligence analysts tracking, for instance, the Iranian nuclear program. XKeyscore claims to "perform this kind of retrospective query, then simply pull content of interest from site as required."

How well the tool does this filtering and querying, however, seems debatable. The presentation itself acknowledges that queries of a global nature, for something as broad as all encrypted documents in a specific country, produces a huge amount of information. And in the context of a different program, officials at today’s hearing had trouble persuading lawmakers that sucking up all Americans’ phone records was all that useful for stopping terrorist plots.

According to a U.S. intelligence official, however, there’s less to the document than meets the eye. The proponents of a particular tool or program frequently create promotional materials like the XKeyscore presentation to encourage analysts to use their technology, and to promote interest among lawmakers who control the NSA’s budget. This was true of a slide presentation describing the PRISM system revealed earlier by the Guardian and the Washington Post, the official told Foreign Policy. It had "made the rounds" of intelligence agencies and offered exaggerated claims about PRISM’s capabilities, such that it was the biggest contributor of information to the president’s daily intelligence briefing. This official strongly disputed that PRISM was so extraordinary.

The XKeyscore presentation claims that "over 300 terrorists [were] captured using intelligence generated from" the tool. It also claims to be able to search more deeply in different data sets than other NSA data miners. But if there is more to be said about how precisely XKeyscore can do this, it’s either not in the document or is contained on the handful of slides that have been blacked out.

But there’s no doubt that NSA is collecting huge amounts of information on a broad scale, and that the agency’s leaders want to continue doing so.

The administration today declassified three documents about surveillance activities, including a 2009 letter from the Department of Justice to the then chairman of the House Intelligence Committee, which states that the NSA’s collection of bulk phone records, as well as another program to collect bulk email metadata, "operate on a very large scale." Indeed, the NSA has collected so much metadata that "the vast majority" of it is never reviewed by a human analysts, according to the letter.

Managing big data has caused the NSA some big headaches, the declassified documents show. According to the 2009 letter, the agency ran into unspecified "compliance problems" while implementing automated technologies to scan for potential terrorist targets. Before analysts can examine records in the bulk phone databases, they must first specify a "reasonable articulable suspicion," referred to inside the agency as RAS, that someone is connected to or involved in terrorism. But another document from the Foreign Intelligence Surveillance Court, which authorizes NSA’s surveillance, shows that some automated scanning of information precedes an analyst actually looking at it.

The automated tools worked "in a manner that was not completely consistent" with the court’s specific orders in one instance, according to the 2009 letter and another sent to the Senate’s oversight committee in 2011.

"The problems generally involved the implementation of highly sophisticated technology in a complex and ever-changing communications environment," the letter says. The incidents of non-compliance were reported to the committee "in great detail." And in response, the NSA implemented an "end-to-end" review of its procedures and put in place "several restrictions," which are not described. The agency’s director, Keith Alexander, also made a presentation about the changes to the court in September 2009. The Court, the NSA’s congressional oversight committees, and the executive branch "responded actively" to the problems, the letter states.

Collecting huge amounts of personal data has caused the agency problems, but the documents seek to justify NSA’s work as essential to stopping terrorism. The phone and email records provided the core of an "early warning system" for terrorist plots, the 2009 letter says. "The more metadata NSA has access to, the more likely it is that NSA can identify or discover the network of contacts linked to targeted [phone] numbers or [email] addresses."

Sen. Ron Wyden, among the NSA’s most vocal critics, questioned whether the NSA programs have been working as advertised. Calling the documents released today "misleading," Wyden said in a statement that he and Sen. Mark Udall had two years ago pressed officials to demonstrate that the bulk collection of email metadata was providing a useful capability to the intelligence agency that it would not otherwise have.  "They were unable to do so and the program was shut down due to a lack of operational value, as senior intelligence officials have now publicly confiremd," Wyden said, adding that he has not seen any evidence that the bulk collection of phone records provides any "unique" intelligence value, either. 

Several senators in today’s hearing also questioned why the agency needed to gather up all phone records and store them up to five years in order to find leads or useful information in a handful of cases. (By NSA’s own count, the bulk phone records program "made a contribution" in a dozen terrorism cases with a "homeland nexus," said NSA Deputy Director Chris Inglis.)

"NSA needs access to telephony and email transactional information in bulk so that it can quickly identify and access the network of contacts that a targeted number or address is connected to," says the 2009 letter, a view that Inglis and other of his senior colleagues from the FBI, the Justice Department, and the Office of the Director of National Intelligence echoed in the hearing. The NSA’s fundamental position, which has been unchanged for years, is that it needs access to all information because until it has a suspect in its sights, the agency doesn’t know what it doesn’t know. In order to find a needle, it needs the entire haystack.

But Inglis and others indicated the government may be open to modifying the phone records program, which narrowly survived an attempt by House members last week to dramatically scale it back. Intelligence officials have said they’d consider housing phone records at the companies themselves, rather than transferring them on a continuing basis to NSA repositories. Inglis voiced some support for that approach, and said there are "technical architectures" that could ensure NSA gets access to all the data it needs, and quickly, sometimes within seconds.

But according to telecom industry sources, this arrangement would only add significant checks against the NSA’s authority if the phone companies had a chance to review every request for information, the way they do when served with a criminal wiretap order, for instance. If NSA has unfettered access to phone records, it matters little whether they’re stored in an NSA server or a phone company’s.

But NSA has a long history of hoarding information, and jealously guarding access to it. If today’s hearing, coupled with last week’s House action, are any indication, NSA leaders may feel they have to make some concessions–even cosmetic ones–if they want to continue hoovering up the world’s data.

Inglis wasn’t the only senior intelligence official defending the agency today. In Las Vegas, at the annual Black Hat security conference, NSA Director Gen. Keith Alexander told an assembly of computer hackers and other cyber security experts that the spying operations were working within the law, but that they could still be improved. "The whole reason I came here was to ask you to help make it better," Alexander reportedly said, imploring the attendees to join forces with the NSA. "If you disagree with what we’re doing, you should help make it better." 

Alexander told the audience that at the NSA, "We stand for freedom." 

"Bullshit!" a heckler yelled. 

Another yelled, "Read the Constitution!" 

"I have," Alexander replied. "You should too." His reply reportedly drew some applause. 

 Twitter: @shaneharris