Getting XKeyscore Right

Thinking critically about what we know of NSA surveillance

On July 31, Guardian columnist Glenn Greenwald published a story about an NSA surveillance program called XKeyscore:

A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.

There are a few problems with this story. Not only is the program not top secret, but important details raise serious questions about the Guardian’s fact checking and portrayal. It’s worth asking: Do we know what we’re even reacting to anymore?

First, the program itself is not top secret. Jobs for XKeyscore technical support are posted openly to the web. Both SAIC and Raytheon — two of the largest Department of Defense contractors — put up job openings for XKeyscore technicians, though they seem to have been removed from each company’s website (the Washington Post screen captured one such listing for SAIC). The program is still openly listed elsewhere — General Dynamics has some job listings with XKeyscore listed as a key competency, as do smaller subcontractors.

Moreover, the reporter Marc Ambinder wrote about XKeyscore in his recent book on the intelligence community:

XKEYSCORE is not a thing that DOES collecting; it’s a series of user interfaces, backend databases, servers and software that selects certain types of metadata that the NSA has ALREADY collected using other methods. XKEYSCORE, as D.B. Grady and I reported in our book, is the worldwide base level database for such metadata. XKEYSCORE is useful because it gets the “front end full take feeds” from the various NSA collection points around the world and importantly, knows what to do with it to make it responsive to search queries. As the presentation says, the stuff itself is collected by some entity called F6 and something else called FORNSAT and then something with the acronym SSO.

In addition, the Guardian story does not meaningfully distinguish between a technical capability and a legal permission to perform collection — a huge distinction. People have the capability to do lots of things that they are legally prohibited from doing. Greenwald includes this important line in the middle of his story:

But XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant provided that some identifying information, such as their email or IP address, is known to the analyst.

To repeat: People have the technical capability to do all sorts of bad things. The reason we have laws is to protect ourselves from the technical capability of others, including that of our own government. The FBI has the capability to invade anyone’s home and shoot on sight. They don’t because laws prohibit it (I am not defending the shortcoming of the law, which is clearly inadequate — but that’s a problem of the law and not of the capability).

More saliently, the federal government can already technically do harmful things to us through our data. The IRS has all of our tax records and, thus, our employment data. Our medical records are only protected by laws, not by the technical means to share and disclose them. Our housing, movements, financial histories, and credit — almost everything that documents our lives — is already possessed by the federal government. It is laws, and not technical means, that prevent rampant, systemic oppression.

Greenwald does not substantiate any claim to systemic abuse of XKeyscore. He does not provide a single instance where it was used — illegally — to collect information on a U.S. citizen. In fact, the discussion about potential abuse of NSA programs remains theoretical. There are no credible allegations of widespread, illegal abuse of the programs in place to identify and track suspected terrorists. (Even Senator Ron Wyden, in noting that the intelligence community “misled Congress about the usefulness” of mass collection programs, is not identifying systemic abuses or failure of oversight audits within the system.) The potential for abuse is real and not to be discounted, but it is misleading to present it as actual abuse.

The Guardian also posted an entire deck of slides (warning to government-employed readers: the slides are highly classified) on its website, which purport to describe the XKeyscore system. This is where the question of journalistic overreach advances from quibbling about presentation and tabloid-style hype to outright misrepresentation.

Greenwald claims in his piece that Xkeyscore allows analysts to indiscriminately read emails, including those of American citizens. Yet the slides themselves only mention indexing and metadata. Nowhere do they mention reading the content of emails, either because it is illegal without a warrant (in the case of U.S. citizens) or XKeyscore is not the correct system to do so.

The date that these slides were created is critical. Greenwald and the Guardian posted them as relevant sourcing material for the XKeyscore program. Yet they are not current — in fact, the slides refer to a program that was almost certainly changed significantly due to updates in U.S. law. In the lower right-hand corner of the first slide is an important set of numbers.

They show that the Powerpoint was first created on January 8, 2007 and should be declassified on January 8, 2032 under the standard guidelines of Executive Order 13526. But if the slides were drafted in January of 2007, then they pre-date both the Protect America Act (passed in August of 2007), which modified large swaths of the NSA’s warrantless surveillance programs first started under President Bush, and the FISA Amendments Act (passed in July of 2008), which instituted strict limits on how the NSA can collect, and required a specific warrant to intentionally collect, any data on a U.S. citizen. The title slide is marked 2008, but it’s unclear how it was modified, since the classification date would have to be updated if it included new classified data. It is also unclear if the slides were published in the months before or after the passage of the FISA Amendments Act.

The Guardian appears to be using obsolete slides created for a program that was later modified significantly through changes to U.S. law.

In Greenwald’s story, he repeatedly references, and includes tightly cropped screen captures of, another presentation apparently dated December 2012. While the 2007/2008 presentation can be perused to substantiate some of the reporting, many of the strongest claims Greenwald makes in his article are backed up only by small, cropped screen captures of slides that are not posted to the Guardian’s website. There is no way to verify or confirm what he’s reporting.

I emailed the Guardian’s U.S. editor-in-chief, Janine Gibson, for clarification. Did the slides posted to the Guardian’s website represent XKeyscore from before or after the FISA Amendments Act? Were the full slides Greenwald used in his story available for publication?

She replied, “We’ve published all the material relating to XKeyscore that we intend to publish at this time, though of course we have used much more to inform the reporting.”

After a follow-up question, Ms. Gibson responded, “I don’t have anything else to add. The presentation is online and you can see it. As I said in the previous email, we used many materials to inform the reporting in our story.”

Matt Wells, a senior editor at the Guardian, also responded that they stand by their story and have no plans to publish anything further on XKeyscore.

Glenn Greenwald did not respond to a request for comment.

Their responses present unsettling questions about the Guardian’s editorial judgment in running this story. The Guardian published a misleading story conflating important issues and supported it by posting secret materials seemingly dated from before major changes to U.S. law that would have dramatically altered their content.

This is an oversight in editorial control, fact checking, and reportorial judgment. It’s difficult to escape the conclusion that not only is this story badly overhyped, but that it is misrepresenting what the program really is, and the danger it poses to our civil liberties and freedom from undue surveillance. The federal government writ large has the technical capacity to do a lot of terrible things; reporting that is hardly news. It is the laws that prevent those terrible things that matter — so when they are broken, we know whom to hold accountable.

In all the hype about XKeyscore, we’ve learned very little about any legal protections afforded to Americans under this program. We have not learned of any abuse of the system to do harm unnecessarily. What we have learned, essentially, is that the NSA — a spy agency whose attention is focused internationally—does exactly what it is supposed to do.

Having the technical capability to behave unethically is not the same as being shown to behave unethically. That is the crucial, missing piece in the outcry: There is no evidence that XKeyscore has ever been misused.

Is XKeyscore an unacceptable breach of American ethics anyway? It could be. Maybe we as Americans no longer want our spy agencies to engage in spying. If so, then we should be having that conversation — not freaking out over false reports that the NSA is reading your email or listening to your phone calls.