NSA’s XKEYSCORE spy program is ‘as easy as typing a few words in Google’

The National Security Agency’s infamous XKEYSCORE program, revealed by leaker Edward Snowden, makes searching the world’s private communications as easy as using Google, according to training documents published by the Intercept.

XKEYSCORE was one of the first programs that the Guardian wrote about when Snowden began leaking NSA documents in 2013. On Wednesday, the Intercept, where former Guardian reporter Glenn Greenwald now works, began delving deeper into the program, specifically looking at how NSA analysts are taught to use the system and sift through the tens of billions of records that are believed to be stored in its database.

“It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

Training documents show that XKEYSCORE is extremely user-friendly, requiring only a target’s email address, telephone number, name or other identifying data for an analyst to be able to conduct sweeping searches on that person.

“Anyone could be trained to do this in less than one day: they simply enter the name of the server they want to hack into XKEYSCORE, type enter, and are presented login and password pairs to connect to this machine. Done. Finito,” Jonathan Brossard, a security researcher and the CEO of Toucan Systems, told The Intercept.

“NSA has built an impressively complete set of automated hacking tools for their analysts to use,” Brossard noted. “The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced ‒ we are talking minutes, if not seconds. Simple. As easy as typing a few words in Google.”

The documents don’t indicate that NSA employees need prior approval for specific searches, Greenwald and two other Intercept reporters found. Morgan Marquis-Boire and Micah Lee analyzed the various NSA papers with Greenwald.

XKEYSCORE training documents say that the “burden is on user/auditor to comply with USSID-18 or other rules,” referring to similar legal requirements in the US and other countries, including the United Kingdom. The US Signals Intelligence Directive 18 (USSID 18) is the American directive that governs “U.S. person minimization.” In accordance with USSID 18, NSA analysts are trained to avoid querying the system in ways that might result in spying on Americans.

It doesn’t appear that compliance with USSID 18 comes from within the program, meaning there is nothing in XKEYSCORE to prevent an analyst from ignoring the directive, according to Kurt Opsahl, the Electronic Frontier Foundation’s general counsel.

“The document discusses whether auditors will be happy or unhappy. This indicates that compliance will be achieved by after-the-fact auditing, not by preventing the search,” Opsahl told the Intercept, describing USSID 18 as “an attempt by the intelligence community to comply with the Fourth Amendment.”

“But it doesn’t come from a court, it comes from the executive,” he added.

The NSA, however, disagrees with Opsahl’s interpretation of the agency’s documents and directives.

“The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties,” the NSA said in a statement to the Intercept.

“As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information,” the agency continued. “NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”

The NSA believes that sweeping surveillance capabilities are necessary to fight the War on Terror.

“The U.S. Government calls on its intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats,” the NSA said. “These threats include terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against the United States and our allies; and international criminal organizations.”

XKEYSCORE did prove helpful in the case of Shaykh Atiyatallah, an Al-Qaeda senior leader and Osama Bin Laden confidant, who googled himself, including his various aliases, an associate and the name of his book, the Intercept reported. All of that information was captured by the NSA’s program.

Traffic on popular social media sites is described as “a great starting point” for tracking targets, according to an XKEYSCORE presentation called Tracking Targets on Online Social Networks.

The program was also used to access UN Secretary General Ban Ki-moon’s talking points prior to meeting with President Barack Obama, according to the April 18, 2013 issue of the internal NSA publication Special Source Operations Weekly.

The NSA also used XKEYSCORE to monitor hacker forums for people selling or using exploits and other hacking tools. The purpose of searching through those locations is two-fold: First, the NSA is seeking to understand the capabilities developed by its adversaries, which include foreign state hackers. Second, it is also seeking to find forums where such capabilities can be bought.

On top of monitoring hacker forums, however, the NSA also follows vulnerability reports sent to vendors such as Kaspersky. This allows the NSA to learn when it is time to stop using an exploit it has employed to gather data because that exploit has been discovered by a third party. One vulnerability the NSA uses involves piggybacking off of private companies’ tracking of their own users through digital cookies, the Intercept reported. The agency can track targets regardless of IP address, as long as they use the same web browser and fail to clear their cookies.