The NSA's Evil Google: XKeyscore Tool Enables Vast Warrantless Search of Online Communication and Activity

One of the contentious issues that's swirled around the NSA since whistleblower Edward Snowden began leaking information on the organization's capabilities is exactly what it can -- or can't -- do. Snowden has stated that as a contractor with Booz Allen Hamilton, "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email."

The NSA has strongly denied these claims,  arguing that it had neither the technological capability to engage in such monitoring nor the authority to do so. The authority question may be up for discussion, but new leaks from The Guardian today have blown gaping craters (again) into the NSA's allegations that the sort of spying Snowden alleges was beyond its capabilities. The newly revealed program, XKeyscore, is designed to analyze and search data in ways that would make Google jealous.  According to the documents, XKeyscore can be configured to watch for email traffic, Facebook chats, or set to log all visitors to a given domain.     

What do you need to provide to use it? A brief internal justification. You don't even need permission from the secret FISA court.

As for what it can do? It can do things like this:  

Claims like this demolish any idea that the NSA is dedicated to protecting anyone's data.  "Show me all the VPN customers." There's another slide, later, that boasts about how the system can be used to detect a German traveling in Pakistan by detecting his use of the German language and tracking German servers. Another describes how Google Maps can be used to determine web searches and find targets doing "suspicious stuff."

Of course, it's possible that the NSA was engaging in a bit of self-promoting dialog, promising internal capabilities that weren't as straightforward as they might sound. Based on Snowden's previous claims, however, it doesn't sound that way.

The NSA Responds:

The NSA's response to these leaks has been as follows:
"NSA's activities are focused and specifically deployed against – and only against – legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests,” the statement said. “XKeyscore is used as a part of NSA's lawful foreign signals intelligence collection system. Allegations of widespread, unchecked analyst access to NSA collection data are simply not true. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks … In addition, there are multiple technical, manual and supervisory checks and balances within the system to prevent deliberate misuse from occurring."
I've added emphasis because it's important to point out the dodge. First, the question of legitimacy. This is a tautology. The NSA only deploys these tools against legitimate targets as determined by the NSA. The current rules prohibit the disclosure of information that would allow anyone to actually challenge legitimacy.

Next, "lawfulness." Yes, what the NSA is doing is lawful. No one is arguing it isn't. What's being argued is whether or not these programs are constitutional, necessary, or if this is what Congress and the American people intended when they authorized the Patriot Act. The question of whether or not the NSA is doing something illegal hasn't really come up. Yes, only certain people have access. Who? People the NSA decides need access. This is a reassurance that isn't actually reassuring anyone of anything.

Finally, note that the organization has dropped the pretense of being unable to gather massive amounts of critical data on people. They still claim Snowden is blowing this out of proportion, but that argument only holds water if you believe a government organization with direct access to a non-adversarial court that rubber stamps 99% of its warrant requests should be running the show.

Don't forget -- this is the same organization that can't run an internal email search due to antiquated technology.