It has been almost three months since the first revelations about the activities of the National Security Agency appeared in The Washington Post and The Guardian. And while the initial scope and particulars of the programs revealed were major news, information about the NSA’s surveillance continues to come out.
Here’s a recap of what has been learned in recent weeks:1. XKeyscore Program Collects Mass Amounts Of Data
Source: “XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’,” The Guardian, July 31
Another program with a striking name revealed in documents leaked by former security contractor Edward Snowden, XKeyscore is the NSA’s “widest-reaching” system for developing intelligence from the internet, according to NSA training materials.
The Guardian, which published its first story about XKeyscore on July 31, described the program as allowing analysts to search — without prior authorization — through databases containing emails, online chats, and the browsing histories of millions of people.
From The Guardian:
The XKeyscore system is continuously collecting so much internet data that it can be stored only for short periods of time. Content remains on the system for only three to five days, while metadata is stored for 30 days. One document explains: “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours.”
To solve this problem, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named Pinwale which can store material for up to five years.
It is the databases of XKeyscore, one document shows, that now contain the greatest amount of communications data collected by the NSA.
2. NSA Collects ‘Most’ Cross-Border Emails
Source: “N.S.A. Said to Search Content of Messages to and From U.S.,” New York Times, Aug. 8
In early August, The New York Times reported that the NSA is temporarily copying and then searching through the content of “apparently most” emails and other text-based communications that cross the U.S. border.
Essentially, the story suggested that if you’ve recently sent an email to someone overseas, there’s a decent chance that the U.S. government sifted through it. Officials had previously acknowledged that communications between Americans and foreigners targeted for surveillance overseas were being intercepted. But this went further.
From the Times:
Computer scientists said that it would be difficult to systematically search the contents of the communications without first gathering nearly all cross-border text-based data; fiber-optic networks work by breaking messages into tiny packets that flow at the speed of light over different pathways to their shared destination, so they would need to be captured and reassembled.
[A senior intelligence] official said that a computer searches the data for the identifying keywords or other “selectors” and stores those that match so that human analysts could later examine them. The remaining communications, the official said, are deleted; the entire process takes “a small number of seconds,” and the system has no ability to perform “retrospective searching.”
3. NSA Broke The Rules Thousands Of Times
Source: “NSA broke privacy rules thousands of times per year, audit finds,” The Washington Post, Aug. 15
Last week, The Washington Post offered some numbers for use in the debate over the NSA revelations. According to an internal audit and other top-secret documents, the Post reported, the NSA had broken privacy rules or overstepped its legal authority thousands of times each year since 2008.
From the Post:
The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.
In a statement in response to questions for this article, the NSA said it attempts to identify problems “at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down.” The government was made aware of The Post’s intention to publish the documents that accompany this article online.
4. Court That Oversees NSA Is Constrained In What It Can Do
Source: “Court: Ability to police U.S. spying program limited,” The Washington Post, Aug. 15
In an article that accompanied the one described above, the Post managed to wrest comment out of the chief judge of the Foreign Intelligence Surveillance Court, the secret court which oversees some NSA operations. Words from a FISC judge are rare enough. But these were big words. In a written statement to the Post, U.S. District Judge Reggie Walton acknowledged that the FISC lacks tools to verify how often government surveillance breaks the court’s rules.
“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” Walton wrote. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”
5. NSA Surveillance Can Reach Most Of America
Source: “New Details Show Broader NSA Surveillance Reach,” Wall Street Journal, Aug. 20
On Tuesday, The Wall Street Journal reported that the NSA’s surveillance network has the capacity to reach around 75 percent of all U.S. internet traffic. Current and former officials, speaking anonymously, told the paper that the system in some cases retains the written content of emails sent between U.S. citizens, and in other cases filters domestic phone calls made with internet technology.
The Journal described a filtering system, whereby complex algorithms are used to identify information to be collected.
From the Journal:
The NSA’s U.S. programs have been described in narrower terms in the documents released by former NSA contractor Edward Snowden. One, for instance, acquires Americans’ phone records; another, called Prism, makes requests for stored data to Internet companies. By contrast, this set of programs shows the NSA has the capability to track almost anything that happens online, so long as it is covered by a broad court order.
The NSA programs are approved and overseen by the secret Foreign Intelligence Surveillance Court. NSA is required to destroy information on Americans that doesn’t fall under exceptions to the rule, including information that is relevant to foreign intelligence, encrypted, or evidence of a crime.
The NSA is focused on collecting foreign intelligence, but the streams of data it monitors include both foreign and domestic communications. Inevitably, officials say, some U.S. Internet communications are scanned and intercepted, including both “metadata” about communications, such as the “to” and “from” lines in an email, and the contents of the communications themselves.
6. Thousands Of Domestic Emails Were Collected In Violation Of Law
Source: “NSA illegally collected thousands of emails before Fisa court halted program,” The Guardian, Aug. 21
The latest NSA revelations didn’t come from Edward Snowden or anonymous sources, they came from the government itself. (Don’t clap just yet, the government made the move also partly in response to a Freedom of Information Act request by the Electronic Frontier Foundation.)
On Wednesday, the Office of the Director of National Intelligence made public portions of three secret FISC opinions detailing government violations of surveillance rules, in which tens of thousands of emails between Americans were swept up over a three-year period.
From The Guardian’s account of the court rulings:
“NSA has acquired, is acquiring, and if the certifications and procedures now before the Court is approved, will continue to acquire, tens of thousands of wholly domestic communications,” Bates wrote in his ruling.
The exact total remained a mystery to the court. “The actual number of wholly domestic communications acquired may still be higher,” Bates wrote.
The Court had more precise visibility into the NSA’s total internet acquisitions annually. NSA consumed 250 million internet communications each year, according to an assessment by Bates in 2011. Some 9% of that was collected as the communications transit across the internet, a process known as “upstream” collection. The remaining 91% comes to NSA from its internet service provider partners.
It was the NSA’s handling of data collected upstream that the Fisa court found to be constitutionally problematic.