Still no evidence of mass surveillance in latest XKEYSCORE leaks
(originally posted 06.07.2015 on Google+)


The way this article is written, The Intercept leaves the reader with the impression that basically any average internet user will be targeted with the XKEYSCORE tool. For example, it says:

"Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe."


Which data is in the XKEYSCORE database?

But The Intercept fails to prove these scandalizing claims with facts. It provides a lot of documents, but the first "problem" with these documents is that they show us a lot what NSA analysts can do with data, but very little about which data. Which data is in the XKEYSCORE database? Is it a vast amount (or even nearly all) of the daily worldwide internet traffic (like The Intercept tries to make us believe), is it relatively very little, pre-selected traffic or something in between?

The Intercept tries to impress us with some numbers:

"According to a 2009 document, some field sites receive over 20 terrabytes of data per day."

20 terabytes per day, this sounds impressing. But we should keep in mind that if it was NSA's goal to collect as much as possible internet data, they had to go to the big internet exchange points. Let's take for example the German DECIX. Back in 2009, it had an average throughput of 400 GBit/s[1]. This equals to more than 4 petabytes per day. So while 20 terabytes of data may sound quite impressive for some, a number of much less than 1% certainly doesn't.

But we should further discuss this question: Which data is actually collected? While it may be interesting to know about the capabilities of tools like XKEYSCORE, it is even more interesting to have an idea about the underlying database. The Intercept's broad and scandalizing interpretation could only be valid if it contains significant parts or even all of the actual data (which The Intercept silently assumes), but this is not only contradicted with the above DECIX example.

There is a lot of information available on how internet taps of intelligence agencies actually work. There is the American PCLOB 702 report[2], the British ISC report[3], and the German "NSA-Untersuchungsausschuss" (Wikileaks leaked transcripts from public sessions[4]). They all suggest that all intelligence agencies basically proceed the same way:

It starts with an order from their government. The government wants foreign intelligence on some specific topics. Then they look what they could gain from internet taps to carry out their task. Then they look which internet cables are accessible (either because carriers can be compelled or there is cooperation). Then they look which from this cables seem to fit best for their mission. These are the cables that are actually tapped (in one of the published documents you can clearly see that the cable selection is an important analyzing task[5]). And not everything from these cables is collected, only data that fits to specific selectors, and filters are applied to filter out citizens of participating countries.

So the reality is: The internet consists of hundreds of thousands of cables. Only a fraction of these cables are accessible to the NSA. Out of the accessible cables, only a fraction is chosen to be actually tapped. And the data of the selected cables are further filtered with selectors and filters. Only the remaining rest is stored and analyzed. It is simply not true that there is a decent chance that data from average westerners is collected and analyzed with XKEYSCORE -- at least there is no evidence for this claim so far.

What further should make you skeptical about the broad claims from The Intercept is that there are very little documents about the acquisition and collecting process published yet. Don’t these documents exist, or aren’t they published because they would bother the scandalizing reporting?


The documents say “target, target, target …”

So far for the collected data, which is one “problem” (I set it in brackets because it’s The Intercept’s problem, not mine). The other “problem” are the published documents itself. Every single document makes it very clear that it is about targeted surveillance, not mass surveillance. “Target” seems to be one of the most used words in these documents. It is like it was so often before with Snowden-based “revelations”: The scandalizing headlines and articles completely rely on the fact that most readers will not read and understand the published documents. 


We are speaking about raw internet data

The third “problem” is again related to the collected data. In its second part (the more technical description of XKEYSCORE), The Intercept focuses on alleged ”design deficiencies that could leave it vulnerable to attack by an intelligence agency insider.”
I will not go into detail about whether these allegations are justified or not. The provided documents are simply by far not enough as a base for a serious technical expertise. And even more important, it just doesn’t matter. Even if there are serious design deficiencies, we should always keep in mind that XKEYSCORE handles raw internet data. This is by far no high sensitive data which should be protected like crown jewels.

From its very beginning, the internet was always considered as a public media, where the data likely passes many companies, countries and technicians with possible access to it. So it was always a strong recommendation to encrypt sensitive data. Why should the NSA protect data like Fort Knox that hundreds of technicians worldwide could also collect?

And you should keep this in mind too: Even if the NSA collects data from you and analyzes it with XKEYSCORE, if they are able to read your private communications or see your private pictures, you probably did something wrong. Serious wrong.



[1] https://de.wikipedia.org/wiki/DE-CIX (in German)
[2] https://www.pclob.gov/library/702-Report.pdf 
[3] http://isc.independent.gov.uk/news-archive/12march2015 
[4] https://wikileaks.org/bnd-nsa/sitzungen/ (in German)
[5] https://s3.amazonaws.com/s3.documentcloud.org/documents/2116010/dni101.pdf 
     (See second page, “help you analyze” -> “Best Collection Points”)