The Guardian has splashed a new story about XKEYSCORE, which is the NSA's global internet data-mining system. Meanwhile, the Director of National Intelligence has partially declassified talking points that were provided to all members of Congress about the bulk collection programs confirmed by Edward Snowden's leaks, as well as two court orders authorizing the collection. There's a lot to digest here, so I suggest taking it in bits and pieces.
What's new? New is news, so:
As we've suspected, the business records provision of the Patriot Act is used to collect a whole lot of different types of stuff, and NOT just telephone and email data. Be clear about this: The court order leaked by Edward Snowden and the one declassified by the DNI today relate to TWO sources of information used for what the NSA describes as TWO different programs. The programs themselves involve the regular use of the largest subsets of data — email metadata and telephonic metadata. The word "program" is problematic, because it connotes separateness. They're actually two activities that are sucked in to the mothership using different means. Activity One collects bulk telephony metadata from U.S. service providers; Activity Two collects email metadata. The Obama administration now says that Activity Two was discontinued in 2011.
The National Security Agency can use the telephony metadata it collects and stores to probe the potential accomplices of foreign intelligence targets. You will read the word "terrorist" targets, but the NSA uses the database for counter-narcotics, counter-weapons-of-message-destruction, and counter-espionage investigations, too. The court order allows the database to be used to search for information about U.S. persons relating to terrorism — it says nothing about how it might be used for other purposes that don't involve U.S. persons. Keep that in mind.
If there is reasonable articulatable suspicion — the NSA actually has acronym for this phrase, RAS — to believe that a U.S. person is part of a plot or conspiracy, the NSA can trace this person's communications — whom they called, who called them — using three hops. If I were the target and called my mother, that's one hop. If my mother called my brother, that's two hops. If my brother called his girlfriend, that's three hops.
To put in this in the NSA's perspective, if a terrorist outside the U.S. calls a confederate or facilitator inside the U.S., the NSA, assuming the target meets the RAS criteria, can collect metadata on hundreds of Americans.
If I call six people a month, and each of those six people averages six calls per month to six people, and each of those six people averages six calls, then (if I'm doing the math correctly), more than 700 people are included in the hopper from that one point of contact. The NSA then gives this data to the FBI, which figures out what to do with it. Human eyes do not examine the 700-plus sets of phone records unless the target's circumstances require it.
The main way telephonic database automatically flags interesting numbers — numbers, that, as I've written, acquire a history of both queries and added data — will, or should, significantly reduce the amount of work an FBI agent has to do in order to figure out which if these 700 people actually requires further investigation or a warrant or order to access the content of your communications. The U.S. telephonic records are segregated from the rest of the population, but in practice it is fairly easy for an analyst to query it. That would make sense so long as that analyst had to justify the query and was affirmatively evaluated on whether the query met the standards.
Figuring out how to police individual analysts while letting them do their jobs is going to be one of the bigger challenges of the new surveillance regime.