The Washington PostDemocracy Dies in Darkness

NSA surveillance program still raises privacy concerns years after exposure, member of privacy watchdog says

The National Security Agency at Fort Meade, Md.
The National Security Agency at Fort Meade, Md. (Patrick Semansky/AP)
Placeholder while article actions load

A previous version of this article incorrectly said that Travis LeBlanc was appointed by President Barack Obama. He was appointed by President Donald Trump. The article has been corrected.

An extensive surveillance program first revealed by former National Security Agency contractor Edward Snowden in 2013 continues to operate with no judicial and limited congressional oversight despite its potential to capture Americans’ communications, a member of a privacy watchdog agency said in a statement released Tuesday.

The National Security Agency’s XKeyscore program was the subject of a five-year investigation by the Privacy and Civil Liberties Oversight Board (PCLOB), an independent government privacy watchdog, that wrapped up in December.

According to documents leaked by Snowden, the program has existed for more than a decade. It allows analysts to use a Google-like search function across vast databases of Internet traffic captured from sites worldwide to pluck out the emails, Web browsing histories and social media activity of specific people.

The program relies heavily on the “autonomous collection of massive data sets,” and analysis driven by artificial intelligence, Travis LeBlanc, a Democratic board member appointed by President Donald Trump, said in a statement. His partly redacted statement was released after it went through a declassification process.

LeBlanc was alone among the board’s five members to vote against approving the panel’s classified report on XKeyscore in December, saying that the board “failed to adequately investigate or evaluate” the NSA’s collection activities.

“What most concerned me was that we have a very powerful surveillance program that eight years or so after exposure, still has no judicial oversight, and what I consider to be inadequate legal analysis and serious compliance infractions,” LeBlanc said in an interview.

Privacy watchdog’s next target: The least-known but largest and most complex NSA surveillance regime

The board sent copies of the report to Congress, the White House and the Office of the Director of National Intelligence in March.

NSA officials pushed back against LeBlanc’s assertions, saying the agency conducted appropriate legal reviews of the use of XKeyscore. They also said the agency has protections to safeguard Americans’ privacy. They pointed to a document issued in January that outlines the rules.

Former board chairman Adam Klein, an appointee of Trump who stepped down from the board this month, defended its work. “The board produced a detailed, comprehensive report and recommendations on a very complex program,” he said. “The clarity of description will enable Congress and other appropriate actors in the executive branch to ask hard questions as needed about this program.”

The program operates under a broad framework laid out by a presidential directive known as Executive Order 12333, which governs most surveillance taking place outside the United States and some surveillance taking place inside the United States. When collection activities take place under 12333, they are not subject to oversight by the Foreign Intelligence Surveillance Court.

According to a 2009 slide released by Snowden and published in the Intercept in 2015, many of the sites that XKeyscore relies on for data were either in the United States or linked to sites in the United States. LeBlanc, in his statement, suggested as much. “It is beyond obvious that NSA must gather or collect that signals intelligence from somewhere — in the United States or abroad.”

The NSA declined to discuss the location of the collection.

“I continue to be concerned that Americans still know far too little about the government’s surveillance activities under EO 12333 and how it threatens their privacy,” said Sen. Ron Wyden (D-Ore.), a member of the Intelligence Committee, in a statement to The Washington Post. “I’ve been pressing for multiple PCLOB reports about EO 12333 to be declassified, which will shed light on these secret authorities that govern the collection and use of Americans’ personal information.”

Privacy and civil liberties board will review surveillance law that has vexed Trump

The program also resulted in hundreds of compliance incidents in 2019, a majority of which were considered “questionable intelligence activities” — a category that means the action may have involved improper surveillance of Americans’ communications, according to U.S. officials, who spoke on the condition of anonymity because details are classified.

“Obviously violations of U.S. law and the known collection or processing of U.S. person information are serious compliance issues,” LeBlanc said in his statement.

Rebecca Richards, NSA’s civil liberties and privacy officer, said: “When we looked at the [questionable intelligence activities] associated with this, we didn’t find any of them to identify systemic issues or any particular concerns. We found them to be standard intelligence practices.”

The incidents could include making a typo in a query or making too broad a query, she said.

Richards noted that the NSA has adopted the board’s recommendation that it provide training for analysts specifically on XKeyscore. Analysts, she said, already receive general compliance training.

LeBlanc devoted some of his strongest criticism to the NSA’s legal analysis, which he said “lacks any consideration of recent relevant” privacy case law, including Supreme Court decisions that have imposed stricter limits on cellphone and geolocation surveillance.

Agency spokesman Charlie Stadtlander said “NSA’s Office of General Counsel regularly reviews NSA intelligence programs and capabilities to ensure compliance with the Constitution, laws, and other applicable regulations and policies.”

But some privacy advocates say the technical capabilities have outpaced the law. For instance, according to slides disclosed by Snowden, the program enabled an analyst to review communications indiscriminately as long as they were not tagged as belonging to an American, meaning that the analyst could inadvertently be viewing an American’s information without penalty, said Ashkan Soltani, a senior fellow at Georgetown University’s Institute for Technology Law and Policy.

And much of the indexing work on the data is done by machines, before a human even sets eyes on it, Soltani said. “The realities of the Internet today means the likelihood that the NSA might accidentally be processing an American’s communications is quite high,” he said.

In NSA-intercepted data, those not targeted far outnumber the foreigners who are

LeBlanc said the board did not analyze the extent to which XKeyscore’s use of machine analysis — as opposed to human review — of Americans’ information triggers Fourth Amendment scrutiny.

The board, he said, ultimately “failed the public” by not using its investigation to “delve into important technological and modern electronic surveillance issues” raised by XKeyscore.