Tech

XKeyscore and NSA Surveillance Leaks – Expert Reaction

Staff Reporter
First Posted: Aug 01, 2013 09:19 PM EDT

XKeyscore is an online surveillance tool run by America’s National Security Agency (NSA) that allows analysts to search contents of chats, emails and browsing histories without warrants, according to leaked slides from CIA whistleblower Edward Snowden.

By Paul Dalgarno

The slides, published in The Guardian today, seem to support claims XKeyscore can search “nearly everything a typical user does on the internet” and in one 30-day period in 2012, collected and stored nearly 42 billion records.

The NSA slides declare some 300 terrorists were caught using XKeystroke technology by 2008.

Experts in the field respond:

Philip Branch, Senior Lecturer in Telecommunications at Swinburne University of Technology

The program appears to be a datamining tool especially designed for intelligence gathering. In the same way as businesses are getting into “big data” in order to understand their customers, consumer trends and the like, the US intelligence community appear to have been doing much the same thing.

We know that they see a big chunk of the world’s internet traffic. They have access points around the world to access other forms of electronic communication.

This program seems to be a system for scanning for markers that may identify potential terrorists. If, as they claim, it has identified 300 or more potential terrorists it would seem to have been a success.

The way it appears to work is similar to other datamining techniques. It looks at content, probably for keywords, and at metadata such as source and destination addresses, or phone numbers.

To identify potential threats it looks for anomalies. Examples given are language unusual for that region, looking for dubious material on the internet, and, very intriguingly, the use of encryption.

It appears that they have taken to heart the saying that “if you have nothing to hide, you have nothing to worry about” and reinterpreted it as “if you have something to hide, perhaps you do have something we should worry about”.

One of the very interesting things is that they can identify individual devices. This is perhaps not as dramatic as might appear at first. It’s well known that financial institutions have been tracking individuals for a long time. Even though IP addresses change, there is enough other information to identify most machines.

If you are using a browser, there’s a lot of information about how it is configured. Often the configuration is unusual enough to identify uniquely the individual. The browser you use, the plug-ins, the cookies that are set, are all able to identify a user, in the sense that it is the same user we saw before.

So, again, the latest revelations are interesting but not necessarily unexpected. We know businesses have been using these techniques for some time. It would be remarkable if the intelligence agencies weren’t.

Sean Rintel, Lecturer in Strategic Communication at University of Queensland and board member of Electronic Frontiers Australia

It is clearer now than ever that, since we can’t retrospectively change these surveillance technologies, and indeed there may be valid uses of them, citizens of all countries need to stand together to demand three new kinds of digital rights.

  1. We must have rights to personal data control. Knowing what, when, and how much of our personal data has been collected, and which agencies have access it to it.

  2. We must have rights to transparent security institution oversight. Parliamentary and legal procedures must be in place to ensure that all searches of such data require strictly evidenced belief that a search is necessary, that searches are narrowly targeted, and that citizens have methods to access the details of such proceedings.

  3. We must have rights to meaningful checks and responses to abuses. If there is any kind of problem with the use or integrity of data in such systems (such as overreach of searches, searches for non-security/law-enforcement purposes, data breaches) then citizens must have the right to meaningful civil and legal recourse. News website Mashable is currently running a campaign to crowdsource a digital bill of rights.

Australians should be involved in that because some of our traffic relies on US services and, as such, US laws. Australians should also engage with their political parties and civil society groups, such as Electronic Frontiers Australia (of which I am a board member) and its Citizens Not Suspects campaign.

With an election looming, now is the time for meaningful action. Whether or not one trusts our government or others, trusts security services/law enforcement or not, or believes that it is or is not reasonable to trade privacy for security, new digital rights to choice, control, and transparency will ensure our civil security.

John Lenarcic, Lecturer in Business IT and Logistics at RMIT University

The genie may already be out of the bottle with respect to privacy. Way back in 1999, the then-CEO of Sun Microsystems Scott McNealy infamously proclaimed:

You have zero privacy anyway. Get over it.

The social media revolution, while diminishing privacy in some respect to users, made it the salient issue of our era. And the NSA deployment of systems such as XKeyscore has once again brought the security versus privacy debate to the fore.

But security and privacy are needs that co-exist at times in an inverse relationship to each other. If eavesdropping on telecommunications leads to terrorists being nabbed then what’s the hassle, according to the NSA?

This is a NSA-brand of utilitarianism whereby the ends justifies the means. The strict (or even not so rigid) Kantians among us, though, may gasp in horror at the antics of the NSA if we believe in protecting privacy.

Indeed, this is a moral dilemma that is rapidly unfurling before our very eyes. As they say in the classics, life wasn’t meant to be easy …

James Hamlyn-Harris, Lecturer in Information & Communication Technologies at Swinburne University of Technology

We can infer from the name and the terminology used in the slides that XKeyscore is a search engine which uses search terms and filters to narrow the search field.

The more information you give it, the fewer (and more relevant) hits will be returned.

Rather than returning a specific result, it will return a ranked list of results (ranked by “keyscore”) depending on how many search terms and filters matched each searched entry.

This means that searching for an email address (mostly unique) will return a very relevant list of entries, but searching a set of vague search terms or filters (such as traffic on this domain, between these dates, containing these words send by this user agent, or browser, with these plug-ins) will return a big list of hits ranked by relevance.

A human will look at the results and make judgements about which results are useful or actionable.

See Now: NASA's Juno Spacecraft's Rendezvous With Jupiter's Mammoth Cyclone

More on SCIENCEwr