Report

NSA Hype Machine

Is Edward Snowden exposing the NSA -- or just buying its sales pitch?

Maybe Edward Snowden wasn't such a blowhard, after all. When the NSA leaker insisted that low-level employees like him could spy on just about anyone, administration officials and NSA supporters in Congress were quick to call him an embellisher, if not an outright liar. But a pair of classified disclosures on Wednesday -- one authorized by government officials, the other most certainly not -- lend some credence to Snowden's claims. They don't clearly demonstrate that Snowden was right, but they don't exactly rule out that an analyst could use the powerful tool to spy on Americans without proper authority.

A U.S. intelligence official offered a competing explanation of the documents, however: that America's electronic eavesdropping giant was itself the exaggerator. The documents that were released today? At least one of them looks like a NSA marketing brochure -- an attempt to make the agency look like a better spy than it actually was.

The biggest news of the day came courtesy of the Guardian and its most productive source, Snowden. The newspaper published a 32-slide presentation on an NSA data analysis tool called XKeyscore. The tool is analogous to an intake valve or filter. It makes a first pass of the phone records, emails, and other electronic data NSA collects and then directs information into more discretely organized databases for storage, analysis, and retrieval.

The presentation was apparently created in early 2008, and it may be out of date given the rapid evolution of technology. But it describes XKeyscore operating on a massive network of more than 700 servers, snatching up electronic data from approximately 150 NSA sites on six continents. XKeyscore is collecting so much information, the presentation shows, that it can only hold onto it for a few days before the tool's databases reach their storage capacity.

Snowden has claimed that as an NSA contractor, he had the ability to order surveillance and spy on anyone he chose. This was among his boldest claims and the one most hotly refuted by administration officials and NSA's supporters in Congress. The XKeyscore presentation doesn't clearly demonstrate that Snowden was right, but it doesn't rule out that the tool could be employed by a rogue analyst or someone operating beyond the constraints of the law.

Whether the system is being used to spy on U.S. citizens and residents depends on the legal safeguards that are in place, according to a former intelligence analyst who is experienced in using NSA tools. Technologically, there is nothing impeding an analyst from using XKeyscore, or other data mining programs, from looking at a U.S. citizen's email or phone records. What matters is whether there's a compliance and auditing process for ensuring that analysts aren't exceeding their authorities. And there is no indication what, if any, controls are in place for the analysts using XKeyscore.

Under current law, the content of a U.S. person's communications cannot be accessed, under any circumstances, without a warrant. But metadata such as phone logs and the "to" and "from" lines of an email, is not subject to the same standards. XKeyscore appears to collect and analyze metadata, and the presentation gives examples of finding this information in foreign countries.

Outside of the bulk collection of phone records authorized by the Patriot Act, relatively little is known about what metadata the NSA is collecting under other programs and with tools like XKeyscore and others that haven't been disclosed.

Intelligence and law enforcement officials were at pains today in a hearing before the Senate Judiciary Committee to emphasize that Americans' content was not being accessed under this specific bulk phone records program. They didn't mention whether such surveillance was accomplished by using other programs or tools.

The officials' comments were narrowly tailored, and lawmakers seemed mostly interested in ensuring that the NSA was not listening to Americans' phone calls without warrants. Sen. Patrick Leahy, the committee chairman, asked for a report on whether the NSA was searching the history of individuals' Web searches, as the Guardian reported today.

The XKeyscore presentation does offer some insights into how the NSA goes about finding suspected terrorists by their digital footprints. In a sort of "how to" guide, it advises analysts to "look for anomalous events" among the transactions and records that XKeyscore is scanning. "E.g. someone whose language is out of place for the region they are in," "Someone who is using encryption," and "Someone searching the Web for suspicious stuff."

Such broad and amorphous guidelines suggest that XKeyscore gives analysts broad access to information from around the world about many people who are certainly not terrorists or their associates. And the presentation's boastful tone, which reads more like a marketing document than a technical manual, appears designed to convince users that XKeyscore can solve their most vexing intelligence problems.

The document claims that XKeyscore could find "all the encrypted word documents from Iran," or all instances of the encryption technology PGP being used in that country. Encrypted message traffic might well be of interest to U.S. intelligence analysts tracking, for instance, the Iranian nuclear program. XKeyscore claims to "perform this kind of retrospective query, then simply pull content of interest from site as required."

How well the tool does this filtering and querying, however, seems debatable. The presentation itself acknowledges that queries of a global nature, for something as broad as all encrypted documents in a specific country, produces a huge amount of information. And in the context of a different program, officials at today's hearing had trouble persuading lawmakers that sucking up all Americans' phone records was all that useful for stopping terrorist plots.

According to a U.S. intelligence official, however, there's less to the document than meets the eye. The proponents of a particular tool or program frequently create promotional materials like the XKeyscore presentation to encourage analysts to use their technology, and to promote interest among lawmakers who control the NSA's budget. This was true of a slide presentation describing the PRISM system revealed earlier by the Guardian and the Washington Post, the official told Foreign Policy. It had "made the rounds" of intelligence agencies and offered exaggerated claims about PRISM's capabilities, such that it was the biggest contributor of information to the president's daily intelligence briefing. This official strongly disputed that PRISM was so extraordinary.

The XKeyscore presentation claims that "over 300 terrorists [were] captured using intelligence generated from" the tool. It also claims to be able to search more deeply in different data sets than other NSA data miners. But if there is more to be said about how precisely XKeyscore can do this, it's either not in the document or is contained on the handful of slides that have been blacked out.

But there's no doubt that NSA is collecting huge amounts of information on a broad scale, and that the agency's leaders want to continue doing so.

The administration today declassified three documents about surveillance activities, including a 2009 letter from the Department of Justice to the then chairman of the House Intelligence Committee, which states that the NSA's collection of bulk phone records, as well as another program to collect bulk email metadata, "operate on a very large scale." Indeed, the NSA has collected so much metadata that "the vast majority" of it is never reviewed by a human analysts, according to the letter.

Managing big data has caused the NSA some big headaches, the declassified documents show. According to the 2009 letter, the agency ran into unspecified "compliance problems" while implementing automated technologies to scan for potential terrorist targets. Before analysts can examine records in the bulk phone databases, they must first specify a "reasonable articulable suspicion," referred to inside the agency as RAS, that someone is connected to or involved in terrorism. But another document from the Foreign Intelligence Surveillance Court, which authorizes NSA's surveillance, shows that some automated scanning of information precedes an analyst actually looking at it.

The automated tools worked "in a manner that was not completely consistent" with the court's specific orders in one instance, according to the 2009 letter and another sent to the Senate's oversight committee in 2011.

"The problems generally involved the implementation of highly sophisticated technology in a complex and ever-changing communications environment," the letter says. The incidents of non-compliance were reported to the committee "in great detail." And in response, the NSA implemented an "end-to-end" review of its procedures and put in place "several restrictions," which are not described. The agency's director, Keith Alexander, also made a presentation about the changes to the court in September 2009. The Court, the NSA's congressional oversight committees, and the executive branch "responded actively" to the problems, the letter states.

Collecting huge amounts of personal data has caused the agency problems, but the documents seek to justify NSA's work as essential to stopping terrorism. The phone and email records provided the core of an "early warning system" for terrorist plots, the 2009 letter says. "The more metadata NSA has access to, the more likely it is that NSA can identify or discover the network of contacts linked to targeted [phone] numbers or [email] addresses."

Sen. Ron Wyden, among the NSA's most vocal critics, questioned whether the NSA programs have been working as advertised. Calling the documents released today "misleading," Wyden said in a statement that he and Sen. Mark Udall had two years ago pressed officials to demonstrate that the bulk collection of email metadata was providing a useful capability to the intelligence agency that it would not otherwise have.  "They were unable to do so and the program was shut down due to a lack of operational value, as senior intelligence officials have now publicly confiremd," Wyden said, adding that he has not seen any evidence that the bulk collection of phone records provides any "unique" intelligence value, either. 

Several senators in today's hearing also questioned why the agency needed to gather up all phone records and store them up to five years in order to find leads or useful information in a handful of cases. (By NSA's own count, the bulk phone records program "made a contribution" in a dozen terrorism cases with a "homeland nexus," said NSA Deputy Director Chris Inglis.)

"NSA needs access to telephony and email transactional information in bulk so that it can quickly identify and access the network of contacts that a targeted number or address is connected to," says the 2009 letter, a view that Inglis and other of his senior colleagues from the FBI, the Justice Department, and the Office of the Director of National Intelligence echoed in the hearing. The NSA's fundamental position, which has been unchanged for years, is that it needs access to all information because until it has a suspect in its sights, the agency doesn't know what it doesn't know. In order to find a needle, it needs the entire haystack.

But Inglis and others indicated the government may be open to modifying the phone records program, which narrowly survived an attempt by House members last week to dramatically scale it back. Intelligence officials have said they'd consider housing phone records at the companies themselves, rather than transferring them on a continuing basis to NSA repositories. Inglis voiced some support for that approach, and said there are "technical architectures" that could ensure NSA gets access to all the data it needs, and quickly, sometimes within seconds.

But according to telecom industry sources, this arrangement would only add significant checks against the NSA's authority if the phone companies had a chance to review every request for information, the way they do when served with a criminal wiretap order, for instance. If NSA has unfettered access to phone records, it matters little whether they're stored in an NSA server or a phone company's.

But NSA has a long history of hoarding information, and jealously guarding access to it. If today's hearing, coupled with last week's House action, are any indication, NSA leaders may feel they have to make some concessions--even cosmetic ones--if they want to continue hoovering up the world's data.

Inglis wasn't the only senior intelligence official defending the agency today. In Las Vegas, at the annual Black Hat security conference, NSA Director Gen. Keith Alexander told an assembly of computer hackers and other cyber security experts that the spying operations were working within the law, but that they could still be improved. "The whole reason I came here was to ask you to help make it better," Alexander reportedly said, imploring the attendees to join forces with the NSA. "If you disagree with what we're doing, you should help make it better." 

Alexander told the audience that at the NSA, "We stand for freedom." 

"Bullshit!" a heckler yelled. 

Another yelled, "Read the Constitution!" 

"I have," Alexander replied. "You should too." His reply reportedly drew some applause. 

KENZO TRIBOUILLARD

National Security

The Surveillance State Strikes Back

Why Edward Snowden just might turn out to be Big Brother's best friend.

When former National Security Agency contractor Ed Snowden exposed the inner workings of the country's biggest intelligence organization, he said he did so to roll back a spying apparatus that put the United States on the path to "turnkey tyranny."

But his revelations could end up having the opposite effect. Instead of declawing a single surveillance state, Snowden's leaks could ironically wind up enhancing government spying around the globe.

According to experts who are advising U.S. email, cloud data storage, and social media companies, executives are concerned that foreign governments -- particularly ones with fewer protections for personal privacy and free speech -- are already beginning to demand that U.S. tech companies relocate their servers and databases within their borders. Under normal circumstances, companies would rarely comply with those migration demands, especially if those countries have reputations for heavy-handed internal policing. But now that the United States is being seen as a global spying power, they may have little choice.

Other governments can make their relocation demands in the name of protecting citizens from the intrusive powers of the NSA. Then those regimes can use U.S. tech to make their own law enforcement and intelligence agencies more NSA-like.

"Despite Snowden's sensational revelations, data will not be better protected outside the U.S. in countries where privacy is aspirational at best," said Al Gidari, a lawyer with the firm Perkins Coie who represents companies on surveillance and communications law. "Data stored locally will be the fuel for corruption, abuse and repression in most of those countries, especially in those countries that are complaining the loudest about U.S. surveillance activities."

This week, Brazil's communications minister said that Internet service providers may now be required to store information locally following reports that NSA has spied on communications in Brazil and across Latin America.

"The ideal thing would be for these companies to keep their data in the country so it can be available should Brazil's justice system request it," Paulo Bernardo Silva said in an interview with a Brazilian newspaper. Silva described local control of data as a matter of national sovereignty.

Companies that provide cloud computing services are facing particular scrutiny abroad. Their business is to store large amounts of sensitive information about foreign individuals and companies on servers that are located in United States. And there is a growing perception that this infrastructure is firmly within the grip of the U.S. intelligence agencies, several experts said. That impression is not diminished when U.S. officials, attempting to mollify domestic critics, argue that the NSA is only interested in monitoring foreigners.

Over the past few years, overseas governments have increased pressure on marquee technology companies to hand over more data about their customers and to comply with official orders that would be deemed unconstitutional in the United States.

In 2011, Research In Motion, maker of the BlackBerry, gave the government of India access to its consumer and messaging services, in response to authorities' concerns that they would not be able to monitor criminals and other threats communicating over the company's networks. Officials had threatened to cut off access to the company's services inside their country if RIM didn't comply. The company ultimately agreed to allow India's security agencies to intercept emails and other messages.

Last year, the Google executive in charge of the company's business operations in Brazil was arrested after the company failed to comply with a government order to remove YouTube videos critical of a local mayoral candidate. Google, which owns YouTube, said it wasn't responsible for the content that users post to the video sharing network.

It wasn't the first time the company had run up against aggressive policing of information that would be protected under the First Amendment in the United States. In 2011, Google removed profiles from its Orkut social-networking system after a court order deemed them politically offensive. And another order told the company to take down thousands of photos from one of its sharing sites.

U.S. companies are required to abide by the surveillance laws in whatever country they operate. But under legal assistance treaties, foreign governments usually funnel their requests through official channels, and U.S. authorities deliver the requests to the American companies. That slows down the surveillance machine in those countries, and they've been looking for ways to speed up that process.  

Brazil may prove an early test case for the Snowden blowback effect. According to a report in the Brazilian newspaper Folha, the government will present a "formal condemnation of U.S. data collection techniques" to the United Nations Human Rights Council at its next meeting on September 9, in Geneva. Brazil has apparently had little luck attracting supporters to its attempt to politically embarrass the U.S. government -- only seven other countries on the 47-member commission have signed on.

But new information about NSA spying, disclosed by the director of the agency himself, may add some momentum to Brazil's efforts. At the Aspen Security Conference, Gen. Keith Alexander tipped his hand and revealed that the NSA is obtaining a huge amount of communications traffic from cables that come ashore in Brazil.

Brazil is in the espionage business, too, of course, as are most countries. But the NSA revelations have tended to obscure the obvious hypocrisy in one nation feigning outrage that another country is spying on it. In an interview with Folha, Brazilian Defense Minister Celso Amorim acknowledged that his fellow countrymen could be spied on via their connections to foreign social networks. (The implication was those in the United States.) But he said there was no evidence that the Brazilian government was using such a scheme to monitor its own citizens.

"What is known is more about the U.S. agencies," Celso said. "To my knowledge, nothing has come out about the Brazilian agencies. But Brazilians can be [monitored], yes. It is speculation."

Celso added that on two occasions, he believed his communications had been monitored by the United States, including while he lived in the country as Brazil's ambassador to the United Nations. "I was responsible for three committees on the issue of Iraq. My phone started making a very strange noise, and when the commission on Iraq ended, the noise did too. There was an obvious focus then."

U.S. technology companies' reputations are also taking hits in Europe. Vivane Reding, the European Union's Justice Minister, is reviewing the Safe Harbor Framework, which is intended to support transatlantic trade while also protecting European citizens' privacy. Redding has said the agreement could be used as a "loophole" to allow the transfer of personal data to the United States from European countries where privacy rules are stronger.

Companies based in Europe also believe that the NSA scandal could be a financial boon for them. Customers may start moving their data to facilities located in countries with stricter privacy regulations -- and away from American-based firms. "There's a perception, even if unfounded, that U.S. privacy protections are insufficient to protect the data which is stored either on U.S. soil or with U.S. companies," Justin Freeman, the corporate counsel for cloud computing provider Rackspace, told a House committee last year.

Snowden's revelations have cracked whatever veneer of deniability U.S. companies had that they weren't providing foreigners' personal data to American intelligence agencies. And considering that Congress this week put its stamp of approval on a key element of the NSA's surveillance architecture, companies may find it harder to persuade their foreign customers that the U.S. is still a safe place to keep their information.

But there may be a way, however unlikely, for U.S. companies to repair their international standing and keep their customers' information away from the NSA: They could move their own infrastructure overseas or become acquired by majority foreign owners.

According to a report in the Wall Street Journal, the wireless division of Verizon and T-Mobile have not been part of the spy agency's data collection regime because they're tied to foreign owners. Deutsche Telekom, of Germany, owns 74 percent of T-Mobile, and Vodafone Group, of the United Kingdom, owns 45 percent of Verizon Wireless in a joint-venture with its parent company.

Germany and England may seem a long way to go to relocate a business. But it could keep companies further from the long arm of the NSA.

Google