Last modified: Wednesday, July 31, 2013
IU's Fred Cate: XKeyscore shows how out of touch NSA is with law, public sentiment
FOR IMMEDIATE RELEASE
July 31, 2013
BLOOMINGTON, Ind. -- The disclosure today by the Guardian newspaper of another NSA surveillance program is only the most recent in a series of revelations suggesting how out of touch the National Security Agency is with U.S. law and with public sentiment about privacy and its protection, according to an Indiana University cybersecurity and privacy expert.
According to the Guardian story, which relies primarily on internal NSA promotional and training material leaked by Edward Snowden, XKeyscore is an NSA program that allows analysts to search vast databases of stored emails, online chats, Facebook postings and browsing history of people in the U.S. and around the globe.
Fred H. Cate, director of the Center for Applied Cybersecurity Research, said the scope of a project like XKeyscore shows that the government is arguing it can collect everything and then impose its own limits internally to comply with the law.
Cate said the leaked documents don't reveal much about how the data were collected, but they do add to what's known about:
- Its volume: One document explains that "the amount of data we receive per day (20 terabytes) can only be stored for as little as 24 hours."
- Its variety, including the contents of "emails, webpages and documents," not to mention chats, browsing history, and even the IP addresses of every person who visits any specified website.
- The ease with which analysts obtain access: without authorization from a court or even a senior NSA official.
"What the documents show, more than anything, is how out of touch the NSA is with U.S. law and with public and congressional sentiment about privacy and its protection," Cate said. "And if the government failed to prevent the terrorist attacks of 9/11 because of its inability to 'connect the dots,' just continuing to add more dots isn't going to help further secure our nation."
At least where U.S. citizens and permanent residents are involved, Section 215 of the USA PATRIOT Act limits NSA surveillance to collecting data that the government can demonstrate to a court it believes are "relevant to an authorized investigation."
But the Verizon order, which the Guardian published in June, outlines a program in which the NSA is collecting more than a billion records a day about calls placed to and from Verizon customers -- records that provide readily identifiable information about the sender and receiver of each call, their locations, the time and duration of each call, and other data.
"Despite collecting hundreds of billions of records every year, the director of national intelligence has reported to Congress that the government actually used fewer than 300 in 2012," Cate said. "Either there is a misrepresentation of the true volume of records being utilized, or the government is using a small handful of valuable records to justify the surveillance of us all. Moreover, there is a huge difference between oversight by a court and oversight by the very agency that is engaged in the surveillance. Congress has repeatedly recognized this distinction, but today's revelations suggest that the NSA does not."
XKeyscore underscores the importance of the issue, involving as it does not just information about calls, but rather communications content itself, Cate said; and it highlights how desperately we need new surveillance laws not only to protect our privacy, but to ensure that classified security efforts are effective and focused on real threats, rather than a "collect everything" mentality.
Fred H. Cate is the C. Ben Dutton Professor of Law at the IU Maurer School of Law and director of the university's Center for Applied Cybersecurity Research. He is a member of the inaugural U.S. Department of Homeland Security Data Privacy and Integrity Committee Cybersecurity Subcommittee and one of the founding editors of the Oxford University Press journal International Data Privacy Law. He can be reached at 812-855-1161 or firstname.lastname@example.org.