In the two months since Edward Snowden began to expose the National Security Agency’s surveillance programs, we’ve heard two different stories about them. Snowden and his collaborator, Glenn Greenwald of the Guardian, have claimed that the programs allow NSA analysts and contractors to spy indiscriminately on Americans. U.S. government officials have told us that the programs don’t allow this. Who’s telling the truth?
The answer, for the most part, is both. The two sides are using different definitions of allow. Snowden and Greenwald are telling us what’s technologically possible. The government is telling us what’s legally permitted. Our job is to put the two stories together. We must pressure the government to translate its legal restrictions into technological barriers, so that what’s impermissible becomes impossible.
Yesterday, the Obama administration told its side of the story to the Senate Judiciary Committee. At a hearing on the NSA’s phone metadata program, Deputy Attorney General James Cole testified that “the government can only search the data if it has reasonable, articulable suspicion that the phone number being researched is associated with certain terrorist organizations.” Cole said analysts “can only access” the data once this requirement “has been met and documented.” Until then, he asserted, the data “cannot be accessed … You cannot enter that database and make a query and access any of those data.”
That’s a lot of cannot and can only. But on closer inspection, it’s just rules. When Cole testified that “you can’t get into” the database “without that gate being checked through,” Sen. Mike Lee, R-Utah, forced him to concede that the “gate”—presenting reasonable suspicion—doesn’t even involve a warrant. It’s just “internal procedures.”
Meanwhile, in the Guardian, Greenwald was telling his side of the story. He reported that a previously undisclosed NSA tool, known as XKeyscore, “allows analysts to monitor a virtually unlimited array” of Internet activity and to search “vast databases containing emails, online chats and the browsing histories of millions of individuals.” To prove it, the Guardian published slides from an NSA training document—apparently, screenshots of the search forms in which an analyst would input an email address, Facebook user name, or other surveillance target.
But the Guardian, like the government, isn’t telling the whole story. The Guardian says its report vindicates Snowden’s claim that “I, sitting at my desk,” could “wiretap anyone, from you or your accountant, to a federal judge or even the president.” That’s not quite what Snowden said. His precise claim was that “I, sitting at my desk, certainly had the authorities” (emphasis added) to wiretap anyone. That’s a legal assertion unsubstantiated by the screenshots. The Guardian also reports that XKeyscore “allows analysts to search with no prior authorization” through NSA databases. The word prior hints that the agency does have procedures to monitor and punish abuse. More on that below.
In yesterday’s exchange, the government and the Guardian were talking about two different programs: one for domestic phone metadata, the other for foreign Internet content. But the overarching story lines—Snowden’s disclosures about what the NSA can do, and the government’s disclosures about what the NSA may do—are useful for checking and clarifying one another. Greenwald points out that Rep. Mike Rogers, the Republican chairman of the House Intelligence Committee, has scoffed that Snowden “was lying” when he claimed the ability to “read everybody’s emails.” Rogers said Snowden had misrepresented what “the technology of the programs would allow one to do. It's impossible for him to do what he was saying he could do.” The screenshots leave Rogers with a lot to explain.
The government, in turn, has released documents indicating that the NSA is more constrained than Snowden originally implied. Yesterday it declassified the most explicit such document: an order issued in April by the Foreign Intelligence Surveillance Court. That’s to Snowden’s credit: Without his leaks, the government wouldn’t have shown us anything. We’ve learned a lot from the dialectic of unauthorized and authorized disclosures. Why stop now? Let’s find out how, and to what extent, the rules against indiscriminate spying are enforced. Here are some basic questions.
1. Storage. The court order for phone records says “NSA shall store and process the BR metadata in repositories within secure networks under NSA’s control. The BR metadata shall carry unique markings such that software and other controls (including user authentication services) can restrict access to it to authorized personnel.” That’s a rule with teeth. What about Internet data? According to the Guardian, “NSA has attempted to segregate exclusively domestic US communications in separate databases” so they’re not read along with foreign communications. That shows good faith, but the results are limited. As the Guardian explains,
“NSA documents acknowledge that such efforts are imperfect, as even purely domestic communications can travel on foreign systems, and NSA tools are sometimes unable to identify the national origins of communications. Moreover, all communications between Americans and someone on foreign soil are included in the same databases as foreign-to-foreign communications, making them readily searchable without warrants.”