What's XKEYSCORE?

The NSA's global metadata search engine

Activists demonstrate against the electronic surveillance tactics of the NSA on July 27 in Berlin.
(Image credit: Sean Gallup/Getty Images)

If you regularly search LinkedIn profiles for national security information, you'll find hundreds of highly compensated individuals who worked for NSA and who list, as one of their skills, fluency in XKEYSCORE. Glenn Greenwald's publication today of one of the training presentation PowerPoints is sufficient to give us all that skill. (Marc Ambinder: now proficient in advanced web and document production, French, and XKEYSCORE.)

I quibble with the Guardian's description of the program as "TOP SECRET." The word is not secret; its association with the NSA is not secret; that the NSA collects bulk data on foreign targets is, well, probably classified, but at the SECRET level. Certainly, work product associated with XKEYSCORE is Top Secret with several added caveats. Just as the Guardian might be accused of over-hyping the clear and present danger associated with this particular program, critics will reflexively overstate the harm that its disclosure would reasonably produce.

XKEYSCORE is not a thing that DOES collecting; it's a series of user interfaces, backend databases, servers and software that selects certain types of metadata that the NSA has ALREADY collected using other methods. XKEYSCORE, as D.B. Grady and I reported in our book, is the worldwide base level database for such metadata. XKEYSCORE is useful because it gets the "front end full take feeds" from the various NSA collection points around the world and, importantly, knows what to do with them to make them responsive to search queries. As the presentation says, the stuff itself is collected by some entity called F6 and something else called FORNSAT and then something with the acronym SSO.

Deciphered, F6 means a Special Collection Service site located in a U.S. embassy or consulate overseas. The stuff is shunted by these sites to the SCS's headquarters in Beltsville, Maryland, because the F6 sites are located in countries where it would be impossible to use regular telephonic or fiber optic cables to send it back to HQ. I should probably refrain from being more specific. FORNSAT simply means "foreign satellite collection," which refers to NSA tapping into satellites that process data used by other countries. And SSO — Special Source Operations — refers to the branch of NSA's Signals Intelligence Division that taps cables, finds microwave paths, and otherwise collects data not generated by F6 or foreign satellites. Basically, everything else. The presentation suggests that the NSA collects internet traffic from 150 sites — specific facilities — worldwide.

Much of the presentation instructs analysts to query their targets carefully because there's so much stuff that the NSA can't even retain it all. I should amend that sentence to add that there are so many different types of data, too, that asking for "all the Internet traffic associated with Pakistan" is going to blow some circuits. Fortunately, the program is set up to allow analysts to look at slices of data that XKEYSCORE has structured. If the NSA needs to figure out the new virtual private networks that the Haqqani network is using in Pakistan, an analyst can task XKEYSCORE to provide it with a list of VPNs that the collection systems have picked up within a particular timeframe. The analyst will then use other databases and tools to figure out where and when the VPN came online, who might be using it, and what subset of other internet data he or she needs to see.

Before the FISA Amendments Act was passed, an analyst presumably would not have to justify, in advance, the foreignness of a particular target or search query. After, every time he or she begins a new query, he or she has to convince the system that the target is foreign. Maybe the phone number associated with the internet data has an overseas prefix. The person stores media outside the U.S. A Google search indicates that the person lives in Geneva. Enough of these boxes have to be checked to provide a 51 percent foreignness threshold, after which the analyst can continue his or her work without any other paperwork. If that threshold isn't met, another NSA group would take over; the NSA has suggested that analysts who are allowed to do queries on U.S. persons have entirely different reporting and supervisory architectures than most other NSA analysts. XKEYSCORE is used by everybody, however. Garbage in, garbage out. User activity metadata (including bulk data collected on U.S. persons) is stored in the MARINA database; content read or tasked is retained in the PINWALE database; and for specific and regular targets — maybe the SVR Resident in Washington — the TRAFFICTHIEF database allows an analyst to quite richly paint a portrait of that person's internet activities in real or near-real time, IF NSA has the data.

A guess about the content part of this: if the NSA analyst is up on a foreign target (one that's met the threshold), he or she will need to shave down the amount of non-user activity data — realtime web sessions, sites cached — that the person has visited. Keyword searches are used to send this slice of data to the analyst. The PINWALE database incorporates and houses this content.

Marc Ambinder

Marc Ambinder is TheWeek.com's editor-at-large. He is the author, with D.B. Grady, of The Command and Deep State: Inside the Government Secrecy Industry. Marc is also a contributing editor for The Atlantic and GQ. Formerly, he served as White House correspondent for National Journal, chief political consultant for CBS News, and politics editor at The Atlantic. Marc is a 2001 graduate of Harvard. He is married to Michael Park, a corporate strategy consultant, and lives in Los Angeles.