XKeyscore is what the NSA uses to search through troves of collected data. An NSA analyst inputs a range of criteria – such as a name, IP address, browser type or keywords – and then reviews the relevant metadata returned from 700 servers in 150 locations around the world. Using XKeyscore, an NSA analyst can get a clear picture of the target’s online activities, such as who they’re speaking to, the websites they’re reading, and the time they are most often online. If the intelligence is compelling enough, the analyst may take the next step and review the contents of e-mails, video calls and other communications (which are stored on separate databases). The reason NSA analysts review metadata before content is the same reason the Stasi never got around to using all their intelligence. It is not possible to read and assess huge volumes of content. Metadata, however, is easier to analyze and manipulate, helping analysts figure out which content should be explored.
Before weighing the impact this kind of capability has on privacy and liberty, the brilliance and sophistication of such a program needs to be acknowledged. If a bad guy in a foreign country is using the Internet to plan an attack, coach others or supply funding, the NSA can look over their shoulder in a way more traditional intelligence gathering never could. Facing an adaptive and creative terrorist threat, XKeyscore is an ingenious method of synthesizing vast amounts of information to arrive at actionable intelligence. That said, this kind of intelligence gathering has great potential to cross the line from effective counterterrorism to violations of the Fourth Amendment.
Bending the Fourth Amendment
Without a warrant, the NSA is forbidden from collecting Internet data that relates only to American citizens. That has been the standard at the Foreign Intelligence Surveillance Court, and it has guided the kind of information handed over to the NSA by the Internet and telecom companies. There are three types of data that can be legally collected by the NSA without a warrant:
- Online activities of foreigners (i.e., non-Americans)
- Communications where at least one of the parties is a foreigner
- Digital information that passes through U.S. servers but does not originate in the United States
It is important to understand that the NSA is not specifically engaged in spying on Americans (unless they have a warrant because the secret court agrees there is a reason to do so). Yet, when collecting so much information, there is the potential for metadata and content from innocent, law-abiding American citizens to get caught in the net and then show up before some XKeyscore-using analyst. How might this happen?
A declassified FISA court ruling showed that over a 3-year period, the NSA collected about 56,000 e-mails from Americans not tied to terrorism.
Consider a hypothetical foreign terrorist’s e-mail account. When this terrorist is targeted, the NSA collects everything from everyone in the target’s contact list. The agency then collects data from all the contacts of the terrorist’s contacts. Sometimes, they may also collect data from the contacts of the contacts of the contacts. Among all those Internet users, some contacts might be bad guys, some of them might not be. Some of them might even be American citizens. If an NSA analyst then reviews metadata from the American, but the data collected is not related to the hypothetical terrorist, it is technically a breach of the Fourth Amendment.
Whoops.
How often does this happen? A declassified FISA court ruling showed that over a 3-year period, the NSA collected about 56,000 e-mails from Americans not tied to terrorism. More than 50,000 inadvertent violations of the Fourth Amendment is significant. Yet, relative to the voluminous amount of data collected, the violations are a minuscule portion of the number of legally acquired e-mails. That is not a valid excuse for illegally breaching the expectation of privacy, but it does put the matter in perspective.
Beyond the accidental violations of the Fourth Amendment, this kind of data gathering capacity holds the potential for abuse. There have been willful violations of clear-cut laws, some of which is patently immature. For example, it has been reported that some analysts used the NSA’s capabilities to spy on love interests – in NSA parlance, LOVEINT. This kind of abuse has amounted to “a handful of cases in the last decade.”
Weighing Security and Privacy
NSA documents claim that by 2008, 300 terrorists were captured via XKeyscore. While that may be the case, the interested public has no real way of knowing whether it is true or whether the definition of “terrorist” and “captured” held broader definitions for NSA personnel making a case for why the data gathering programs are critical. However, for the sake of argument, let’s assume that number is accurate.
Does the benefit of removing 300 individuals seeking to harm U.S. citizens and interests outweigh the costs to privacy stemming from more than 50,000 illegally reviewed e-mails? Are there instances where violating the Bill of Rights is justified in the face of a viable threat to life and liberty? The argument could be made that the Bill of Rights is irrelevant if you are dead from a terrorist attack. Outgoing FBI Director Robert Mueller would tend to agree. He told The Hill:
“I would query about what you mean in terms of civil liberties and what we’ve given up…You could say that, to the extent that you exchange information between the CIA and FBI, NSA and the like, you could characterize that as somehow giving up civil liberties, but the fact of the matter is, it’s understandable and absolutely necessary if you want to protect the security of the United States.”
Will this kind of capability always be used for such noble purposes or does it set a tradition of domestic spying that could pose severe challenges to a free nation at some point in the future? What if decades from now an ill-meaning individual captures a position of power and aims to build a “Big Brother” government more akin to Orwell’s 1984?
At the same time, constitutional protections and the Bill of Rights do not exist only when it is convenient. In their wisdom, the Founding Fathers outlined hard and fast parameters for the republic, inflexible guarantees meant to uphold a free society. Compromising any of these for any reason begins to tread on the sacred liberties that make America what it is. If we sacrifice a measure of freedom (in this case, expectation of privacy) for a measure of security, are we not walking down a slippery slope?
Violating the Fourth Amendment sets a precedent. While the NSA’s occasionally intrusive surveillance program may be important for today’s terrorist threat, what about tomorrow, or 10 years from now, or 100 years from now? Will this kind of capability always be used for such noble purposes or does it set a tradition of domestic spying that could pose severe challenges to a free nation at some point in the future? What if decades from now an ill-meaning individual captures a position of power and aims to build a “Big Brother” government more akin to Orwell’s 1984? Do we not have an obligation to nip these infringements on basic rights in the bud so as to perpetuate a free democracy?
These are difficult questions, and they are at the heart of the national dialogue on the conflict between security and privacy. A more robust public debate on these very issues is coming, and it will challenge all Americans to define precisely what safety and liberty mean in a 21st century context. The way we as a nation answer these questions will shape what America looks like and how it secures its population in the decades to come.
In the next installment, we look at where this digital intelligence gathering started, how it has changed over the years, and the challenges it faces not just from a concerned public but from disgruntled employees.