Hello, friends,
In 2013, speaking on video from his hotel room in Hong Kong, whistleblower Edward Snowden shocked the world by revealing that the U.S. National Security Agency was conducting widespread surveillance of Americans—despite its mandate as a foreign intelligence agency with strict limitations on domestic spying.
One of Snowden’s most alarming revelations was a dragnet surveillance program, authorized by Section 215 of the Patriot Act and put in place after the 9/11 terrorist attacks, that scooped up the phone records of nearly every American. Congress ended the bulk record collection program in 2015, and the legal authority expired last year.
But another of Snowden’s jaw-dropping revelations remains unaddressed. Speaking to the camera, Snowden explained that as a then-29-year-old contractor at the NSA, he could pull up the personal communications of anyone. “I, sitting at my desk,” said Snowden, “certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge, to even the president, if I had a personal email.”
At the time, Snowden didn’t elaborate on how he had such powerful access. But later reporting revealed that he was likely referring to XKeyscore, a program whose training documents described a system that allowed analysts to conduct Google-like searches by entering an address, telephone number, name, or other identifying information. The system is global and decentralized, allowing analysts to pull up data from the NSA’s massive repositories around the world.
A year after the Snowden video, a new whistleblower emerged, raising a similar alarm. Former State Department official John Napier Tye wrote an op-ed in the Washington Post stating that the NSA was exploiting a legal loophole—embedded in Executive Order 12333, issued by Ronald Reagan in 1981—allowing it to collect American communications as part of its data collection outside of the U.S. (Domestic surveillance must otherwise be overseen by the Foreign Intelligence Surveillance Court.)
In today’s world, where internet communications hop and skip all over the place before reaching their destination, this rule allows the NSA to inadvertently or incidentally scoop up the contents of American communications when it scoops up large-scale data abroad or monitors the communications of foreigners.
“Based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215,” Tye wrote.
In 2014, a White House–appointed national security watchdog group, the U.S. Privacy and Civil Liberties Oversight Board, announced it would conduct a study of activities conducted under Executive Order 12333, including the NSA’s XKeyscore system.
Six years later, after a long period of dormancy during the Trump Administration when the board did not have enough members for a quorum, the oversight board finally issued its public report earlier this year … and it basically says nothing about XKeyscore.
The public report contains three paragraphs declaring that the board conducted a “deep dive” into XKeyscore and stating that a classified report and recommendations were delivered to the NSA, Congress, and relevant agencies. But there’s no evidence of this “deep dive” in the unclassified public report.
And then just last week, a tantalizing clue emerged that something remains amiss with NSA domestic surveillance when oversight board member Travis LeBlanc issued a declassified public statement criticizing the board’s analysis of XKeyscore. Many of his objections were classified, he said, but the board had failed to adequately scrutinize the program and the legal authorities underpinning it.
In his 10-page statement, LeBlanc criticized the NSA for conducting belated and unsatisfactory legal analysis, using outdated legal reasoning to justify its actions, evading board oversight, and failing to conduct privacy and civil liberties training for analysts who use XKeyscore. He also faulted the board for failing to investigate NSA incidents where the program might have been used unlawfully and conducting a shallow analysis of the program—which he described as a “book report.”
LeBlanc also raised one of my favorite issues—the inscrutability of the algorithms that the NSA uses to sift through its mountains of data.
“Competent overseers must begin to grapple with critical questions about modern electronic surveillance like the appropriate role of algorithmic decision making, how data is categorized or tagged, the weight ascribed to certain data, how classes of communications are prioritized and the all too familiar concept of AI/ML ‘black boxes,’ ” LeBlanc wrote. “It is disappointing that the board failed to address these topics—especially when so many external stakeholders have sought the Board’s considered insight on these issues.”
LeBlanc noted that he and another board member, Ed Felten, had provided additional recommendations to the board that were not adopted, including one that would protect against “incidental” domestic surveillance.
Their proposed solution is intriguing: the creation of a U.S. person “tag” that could be used to identify information in NSA databases that was collected about domestic residents. This would allow the NSA to better identify and suppress the collection and retention of domestic communications as required by its own rules, LeBlanc wrote.
But the board did not adopt the proposal. And so now, eight years after Snowden’s bombshell revelations, we, the public, remain in the dark about how many of our emails are stored in the NSA’s massive server farms and whether energetic young analysts at the NSA can peek at them from their desktops.
As always, thanks for reading.
Best,
Julia Angwin
Editor-in-Chief
The Markup