XKEYSCORE Spy Program Revealed by Snowden Still a Problem

There are still significant privacy issues with an NSA spying program years after Snowden revealed its existence.
A government watchdog committee is facing criticism for failing to provide sufficient oversight over XKEYSCORE, an NSA surveillance program revealed by Edward Snowden in 2013.

The U.S. Privacy and Civil Liberties Oversight Board (PCLOB) conducted a classified investigation into XKEYSCORE, a highly classified program that the NSA uses to analyze enormous global troves of internet data and communications. The resulting report was delivered late last year to the NSA, Congress, and other executive branch agencies, along with recommendations from individual board members. This week, one member of the board that conducted the investigation publicly blasted both the nature of the investigation and the report itself, revealing the report's existence in the process.

“I had hoped that the former majority of the Board would have conducted a more thorough investigation of this highly-classified surveillance program that is unlikely to be scrutinized by another independent oversight authority in the near future,” Travis LeBlanc, a member of the PCLOB, wrote, adding that he had "serious reservations" about the classified report.

According to a 2008 presentation acquired by The Guardian, XKEYSCORE can collect data from all of its global servers, which at the time spanned 150 locations, using a single query. It can collect metadata from users and also use data from their internet usage to locate them. 

LeBlanc writes that, among other things, the report failed to address any algorithmic biases that XKEYSCORE may have or whether it had the correct compliance procedures in place.

According to LeBlanc, the board “refused” to follow up on any compliance reports that were deemed Questionable Intelligence Activities (QIA), which the Department of Defense defines as an action that resulted in the illegal surveillance or improper review of an individual’s communications. The total number of QIAs reported was redacted from the statement.

He also noted that he found it “concerning” that the NSA appeared not to have a written legal analysis until the board requested one in 2015, since these analyses are used to create compliance policies and procedures. The legal analysis that was provided also used decades-old cases to assert that XKEYSCORE was being used in compliance with the Fourth Amendment.

According to LeBlanc, the board did not do much to investigate the system’s compliance program, which already does not require that analysts receive training on privacy, civil liberties, and compliance.

The board also failed to investigate the efficacy or cost of the program, which LeBlanc notes is one of the most “basic” parts of an oversight investigation. The 2008 presentation shows that XKEYSCORE already had 700 servers across the world but could be scaled even further just by adding more servers. If the NSA has continued to use XKEYSCORE since then, there’s no telling how much the system has grown or how many people have been affected by its data collection.

“On these points and others, the former Board’s report unfortunately reads more like a book report summary of the XKEYSCORE program than an independent oversight analysis grappling with key concerns in this evolving technological legal landscape,” LeBlanc said in his statement. 

LeBlanc urged them to declassify the statement for the sake of transparency, saying that “the public is rightfully worried about secret surveillance programs.”

According to LeBlanc, the board has made no effort to declassify the report.