In the two months since Edward Snowden began to expose the National Security Agency’s surveillance programs, we’ve heard two different stories about them. Snowden and his collaborator, Glenn Greenwald of the Guardian, have claimed that the programs allow NSA analysts and contractors to spy indiscriminately on Americans. U.S. government officials have told us that the programs don’t allow this. Who’s telling the truth?
The answer, for the most part, is both. The two sides are using different definitions of allow. Snowden and Greenwald are telling us what’s technologically possible. The government is telling us what’s legally permitted. Our job is to put the two stories together. We must pressure the government to translate its legal restrictions into technological barriers, so that what’s impermissible becomes impossible.
Yesterday, the Obama administration told its side of the story to the Senate Judiciary Committee. At a hearing on the NSA’s phone metadata program, Deputy Attorney General James Cole testified that “the government can only search the data if it has reasonable, articulable suspicion that the phone number being researched is associated with certain terrorist organizations.” Cole said analysts “can only access” the data once this requirement “has been met and documented.” Until then, he asserted, the data “cannot be accessed … You cannot enter that database and make a query and access any of those data.”
That’s a lot of cannot and can only. But on closer inspection, it’s just rules. When Cole testified that “you can’t get into” the database “without that gate being checked through,” Sen. Mike Lee, R-Utah, forced him to concede that the “gate”—presenting reasonable suspicion—doesn’t even involve a warrant. It’s just “internal procedures.”
Meanwhile, in the Guardian, Greenwald was telling his side of the story. He reported that a previously undisclosed NSA tool, known as XKeyscore, “allows analysts to monitor a virtually unlimited array” of Internet activity and to search “vast databases containing emails, online chats and the browsing histories of millions of individuals.” To prove it, the Guardian published slides from an NSA training document—apparently, screenshots of the search forms in which an analyst would input an email address, Facebook user name, or other surveillance target.
But the Guardian, like the government, isn’t telling the whole story. The Guardian says its report vindicates Snowden’s claim that “I, sitting at my desk,” could “wiretap anyone, from you or your accountant, to a federal judge or even the president.” That’s not quite what Snowden said. His precise claim was that “I, sitting at my desk, certainly had the authorities” (emphasis added) to wiretap anyone. That’s a legal assertion unsubstantiated by the screenshots. The Guardian also reports that XKeyscore “allows analysts to search with no prior authorization” through NSA databases. The word prior hints that the agency does have procedures to monitor and punish abuse. More on that below.
In yesterday’s exchange, the government and the Guardian were talking about two different programs: one for domestic phone metadata, the other for foreign Internet content. But the overarching story lines—Snowden’s disclosures about what the NSA can do, and the government’s disclosures about what the NSA may do—are useful for checking and clarifying one another. Greenwald points out that Rep. Mike Rogers, the Republican chairman of the House Intelligence Committee, has scoffed that Snowden “was lying” when he claimed the ability to “read everybody’s emails.” Rogers said Snowden had misrepresented what “the technology of the programs would allow one to do. It’s impossible for him to do what he was saying he could do.” The screenshots leave Rogers with a lot to explain.
The government, in turn, has released documents indicating that the NSA is more constrained than Snowden originally implied. Yesterday it declassified the most explicit such document: an order issued in April by the Foreign Intelligence Surveillance Court. That’s to Snowden’s credit: Without his leaks, the government wouldn’t have shown us anything. We’ve learned a lot from the dialectic of unauthorized and authorized disclosures. Why stop now? Let’s find out how, and to what extent, the rules against indiscriminate spying are enforced. Here are some basic questions.
1. Storage. The court order for phone records says “NSA shall store and process the BR metadata in repositories within secure networks under NSA’s control. The BR metadata shall carry unique markings such that software and other controls (including user authentication services) can restrict access to it to authorized personnel.” That’s a rule with teeth. What about Internet data? According to the Guardian, “NSA has attempted to segregate exclusively domestic US communications in separate databases” so they’re not read along with foreign communications. That shows good faith, but the results are limited. As the Guardian explains,
“NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications. Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.”
2. Access. Several government officials, including FBI Director Robert Mueller and Sen. Dianne Feinstein, the chair of the Senate Intelligence Committee, claim that “only 22 people have access” to the phone records database. The court order specifies them: the chief of the Homeland Security Analysis Center, the deputy chief, and 20 “specially-authorized Homeland Mission Coordinators” at the Signals Intelligence Directorate. The order says all queries of the database “shall be approved by” one of these 22 people. But how is that rule enforced? If you’re not on the list, can you search first and explain yourself later? Do you have physical if not legal access? The order directs NSA to “ensure” compliance through “technical and management controls,” but it doesn’t specify what technical controls, if any, block unapproved access. It also says the data can be searched by “manual analyst query.” Who oversees that?
What about Internet data? The NSA claims that “access to XKeyscore … is limited to only those personnel who require access for their assigned tasks.” But according to the Guardian, Snowden “says he was authorized to use [XKeyscore] while working as a Booz Allen contractor.” Is that true? How many people have legal access to these tools? How many have physical access?
3. Justification. Government officials constantly tell us that the phone database can’t be searched without articulated justification. But how and when is the justification inspected? According to the Guardian, to search Internet data using XKeyscore, all you have to do is complete “a simple on-screen form giving only a broad justification for the search.” One training slide depicts a skeletal email search form in which two one-line blanks, marked “Justification” and “Additional Justification,” provide enough space for roughly 100 characters’ worth of reasons. That’s less than a tweet. “The request is not reviewed by a court or any NSA personnel before it is processed,” Greenwald reports. Is that true?
4. Audits. Cole says the “gate” that limits searches of phone records is “controlled by compliance audits” of the “documentation of the analyst’s justification.” It’s not really a gate. It’s surveillance of the surveillers. The first part of the surveillance—documentation of each query—is built into the system. “Whenever the [phone] metadata is accessed,” says the court order, “an auditable record of the activity shall be generated.” NSA “shall monitor the implementation and use of the software and other controls (including user authentication services) and the logging of auditable information.” That’s great. But the second part of the surveillance—auditing the logs—is human and sketchy. Only once every three months does the court order require NSA’s general counsel to “review a sample of the justifications” for executed searches.
The auditing of Internet spying doesn’t look much better. The NSA boasts that in XKeyscore, “Every search by an NSA analyst is fully auditable, to ensure that they are proper and within the law.” But the paltry space provided for “justification” in the user interface suggests there isn’t much to audit, beyond the fact that a particular analyst applied a particular search term. And the auditors don’t exactly inspire fear. “It’s very rare to be questioned on our searches,” Snowden told the Guardian, “and even when we are, it’s usually along the lines of: ‘let’s bulk up the justification’.”
Is there more to the story? Does the NSA apply other barriers to abuse? The agency hints that it does. Responding to the report on XKeyscore, the NSA assures us that “there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse.” That’s nice, but hints won’t do. None of the topics we’re asking about—storage, access, justification, audits—poses any threat to national security. Tell us exactly how you’re protecting us. We’ll be the ones who decide what’s enough.