Has XKeyscore never been abused? Joshua Foust vs The Guardian and the pitfalls of “bad reporting”

On the 2nd of August, freelance journalist Joshua Foust published an article about the “problems” he had with Glenn Greenwald’s Guardian story on XKeyscore.

In it, Mr Foust tries to deconstruct Greenwald’s story, pointing out several instances of what he calls “bad editorial judgement”, “oversight in editorial control” and “journalistic overreach”, criticising in general Greenwald’s unsubstantiated reporting. This is not the first time this has happened. There seems to be a history of – shall we say – mutual disregard between Mr Foust and Mr Greenwald. Previous examples of this have seen Mr Greenwald reporting something, Mr Foust trying to unveil Greenwald’s “journalistic malfeasance” with Mr Greenwald then rebutting (or not) and so on.

Any professional disregard between the two men aside, Mr Foust’s assessments of Greenwald’s work are problematic in themselves. I have previously remarked on the difficulty Mr Foust seems to be having in constructing a plausible argument. This stems, among other things, from his tendency to interpret people’s utterances in a certain way and then postulate that interpretation as fact. Another problem is that he tends to condemn other journalists for alleged mistakes which he then goes on to commit himself. Other writers have also noticed this and remarked on Mr Foust’s “tenuous grasp” of certain facts.

Now, obviously Mr Foust is entitled to his opinion. I agree with him and Jay Pinho that if any “hasty reporting […] appears to […] cut corners in dangerous ways” then that should be pointed out. It is certainly true that we, as readers, writers, and journalists should be very careful and critical of what we take as fact. However, like on previous occasions, Mr Foust’s argument against Mr Greenwald’s story is hardly watertight and I cannot help feeling that he allowed himself to get carried away with his apparent disapproval of both Mr Greenwald and the Guardian.

So, in the spirit of Mr Foust’s honourable attempt to shine a light on potentially bad reporting and misinformation – and to make sure that we “know what we’re reacting to” – let’s take a good look at Mr Foust’s own argument and at some of the worrying questions raised by the XKeyscore revelations.

Firstly, Mr Foust takes issue with Greenwald’s description of XKeyscore as “top secret”. Undoubtedly, he has a point here; the existence of mass surveillance programmes is hardly a secret. I know that this is not what Mr Foust means. Rather, it is the characterisation of XKeyscore specifically as “top secret” that he disputes. He is not wrong. There are job listings on the internet – such as one by Virginia-based defence contractor SAIC for an XKEYSCORE Systems Engineer – that specifically ask for knowledge of XKeyscore, suggesting that the programme is hardly a secret to everybody. The fact that “at the time [the SAIC advert] was posted it would have […] been, for people outside of the field, largely indecipherable” or that “[t]he listing has since been edited to remove all reference to XKEYSCORE,” still may not attest to the secrecy of the programme, especially for those who move within the defence contractor world. Yet, while the term “top secret” indeed doesn’t seem to apply, I would agree with comments made on Mr Foust’s article that “When a slide is classified […and] the only item being discussed is XKeyscore [i.e. the term], most editors would conclude (rightly) that it’s classified.” More than that, given how little the general public knew, prior to the story in the Guardian, about the particulars of what the programme does – and how little they were clearly meant to know – questions about secrecy and potentially purposeful misinformation remain that the Guardian is right to be worried about.

You may remember that Edward Snowden said in one of his first interviews that he could “wiretap anyone, from you or your accountant, to a federal judge or even the president, if [he] had a personal email”. You may also recall the reaction to this statement at the time; it caused outrage amongst government officials in particular who denied his claim and called Mr Snowden a liar. Now, either these officials really didn’t know that XKeyscore allows for precisely that (in which case it would have been if perhaps not top, then at least secret) or they denounced the claim because they did not want the rest of us to know, in which case – again – they wanted to keep it secret.

More than that, while XKeyscore as a term may not be secret and it may not be “a thing that DOES collecting”, it has to be noted, as Bruce Schneier points out, that the NSA “divid[es] their efforts up and us[es] many different code names in an attempt to disguise what they’re doing. It allows them to deny that a specific program is doing something, while conveniently omitting the fact that another program is doing the thing and the two programs are talking to each other.” So defences of XKeyscore and other programmes may be purposefully misleading because they fail to mention the fact that programmes talk to other programmes and feed each other.

Mr Foust next takes issue with what he sees as the lack of a meaningful distinction “between a technical capability and a legal permission to perform collection”, which is in Mr Foust’s words, “a huge distinction”. He is right of course; there is a huge distinction between technical capabilities to perform an action and legal permission to make use of those capabilities. Obviously, a technical capability is just that; the capability of doing something. It does not include or exclude a permission to be used in a certain way. And obviously, as Mr Foust goes on to point out “[p]eople have the capability to do lots of things that they are legally prohibited from doing.”

Mr Foust criticises Mr Greenwald for not making the distinction between capability and legal authority clear enough when Mr Greenwald writes that “XKeyscore provides the technological capability, if not the legal authority, to target even US persons for extensive electronic surveillance without a warrant.”

What Mr Greenwald is saying is that, in theory, any analyst could target you and me and everyone we know anytime they liked. Obviously, this doesn’t mean that they are legally allowed to do so. In fact, being able to do something but not necessarily being allowed to do it is so obvious a distinction that many of us seem to have trusted in good faith that although “[p]eople have the technical capability to do all sorts of bad things” there are legal restrictions in place to “protect [us] from the technical capability of others, including that of our own government.” We have been relying (more or less) on the assumption that while our governments and security agencies have the technical capability to “do all sorts of bad things”, there are obviously laws in place that protect us from that technical capability – and that they are being observed.

Mr Greenwald seems to disagree. He seems to believe, correctly I think, that people may overlook the distinction and assume that with the technical capability comes the authority to use it. Or worse: that people have the technical capability to do all sorts of bad things and they will do them, legal authority or no legal authority.

Mr Foust on the other hand assumes that the laws to protect us from certain capabilities are being observed. He stresses this by arguing that the FBI doesn’t “invade anyone’s home and shoot on sight”. Sadly, the comparison is rather meaningless. Obviously the FBI will not invade anyone’s home and shoot on sight. That would be, as Mr Foust correctly points out, against the law. However, Gregory Cassel comments: “If the FBI invaded your home you’d know. If the NSA was invading your electronic space you’d have no idea.” Something that is visible to everyone and that is easily identifiable as a crime is not the same as something that is potentially not seen by anyone and/or so obscure that it takes a while to work out whether it’s even legal or not.

To use Mr Foust’s analogy; if the FBI were operating like the NSA, the Feds would sneak in, use silencers and be gone before anyone noticed there’d been a murder. More than that, because we couldn’t be quite sure if maybe they were acting on some secret warrant, we wouldn’t be able to tell whether it was a murder at all or, in fact, a perfectly legal sentence being carried out. I know this may sound absurd. However, considering the reality of drone strikes and the fact that gunning other people down, or killing them with injections, is considered by some to be okay given the right circumstances, then maybe it isn’t so absurd after all.

So there is a capability for doing “bad things” and yes, Mr Foust is right: “It is laws, and not technical means [i.e. the capabilities in themselves], that prevent rampant, systemic oppression.” The problem is that I, for one, have yet to see a law strong enough to protect us properly – from systematic oppression or technical capabilities.

We have already seen that the law does not seem to adequately prevent abuse of the technical capabilities of Prism, Boundless Informant or the British GCHQ’s Tempora. To the contrary, evidence strongly suggests that the intelligence agencies of various countries have come up with a couple of neat ways to get around these laws – consider the close cooperation between the NSA and GCHQ for example. Some interesting comments on why this is worrying are here and here.

And there is another thing I fail to see: how “the discussion about potential abuse of NSA programs remains theoretical.” Sure, we could pass abuse off as “compliance problems” and attribute them to human error, as James Clapper does in his letter to Ron Wyden. To be fair, we could take all of Mr Clapper’s utterances in good faith and trust, as Mr Foust seems to do, that we are perfectly protected by the laws that are intended to prevent the abuse of technical capabilities. After all, Mr Foust described “the slides [published by the Guardian as] refer[ring] to a program that was almost certainly changed significantly due to updates in U.S. law.”

My italics and can I just ask: almost certainly? So actually not certainly. This is an assumption, is it? So while it is misleading to assume the abuse of XKeyscore in light of the abuse of other programmes – not to mention the potential abuse of the 2008 FISA Amendment Act or cooperations with other intelligence agencies – it is perfectly fine to assume that XKeyscore has almost certainly been changed to reflect changes in the law to prevent abuse?

Even if, for the sake of the argument, we were to go along with the idea that XKeyscore has changed, who is to say that it has not changed in the exact opposite direction of what Mr Foust assumes? Obviously, the NSA’s technical capabilities would have grown considerably since these slides were first put together, so who is to say that (the potential for) abuse hasn’t, in fact, grown as well?

There is another problem. Mr Foust himself mentions the 2008 FISA Amendment Act which he claims “institute[s] strict limits on how the NSA can collect, and require[s] a specific warrant to intentionally collect, any data on a U.S. citizen.”

Last time I looked, the 2008 FISA Amendment Act permitted “only minimal court oversight” much as it “lack[ed] stronger language that was contained in prior House bills that included clear statutory directives about when the government should return to the FISA court and obtain an individualized order if it wants to continue listening to a US person’s communications”. It further “contain[ed] an “exigent” circumstance loophole that thwart[ed] the prior judicial review requirement”, “trivialize[d] court review by explicitly permitting the government to continue surveillance programs even if the application is denied by the court” and made it extremely difficult to establish legal standing due to the secrecy of the FISA court proceedings. I discussed all this in one of my previous posts.

It has been said time and time again that while “laws are supposed to protect against this sort of abuse, […] in the years after the 9/11 terrorist attacks they failed pretty severely.” Bruce Schneier importantly points out the “tortured legal reasoning used to justify these surveillance programs, and the extent to which the [FISA] court failed to provide any meaningful oversight.” Now, are those the laws and legal proceedings in accordance with which XKeyscore was potentially amended? The same laws that are supposed to “prevent rampant, systemic oppression” and abuse of “technical capabilities”? Apparently so, because Mr Foust then goes on to accuse the Guardian of “using obsolete slides created for a program that was later modified significantly through changes to U.S. law.”

Hang on! I must have missed that moment in the argument where a programme that was almost certainly changed significantly to reflect changes in the law turned into a programme “that was later modified significantly through changes to U.S. law.” What happened to almost certainly? So much for misleading by presenting an assumption as fact.

So, my question is; where can we verify what Mr Foust is saying? I, for one, can find no way of telling if there is any more substance to his claims than to those made by Glenn Greenwald in the Guardian.

“The Guardian published a misleading story conflating important issues and supported it by posting secret materials seemingly dated from before major changes to U.S. law that would have dramatically altered their content,” writes Mr Foust. Note the wording “would have”; where is the evidence to corroborate this claim? Mr Foust himself admits he doesn’t have it but passes this off by saying that “the burden of proof” is on the Guardian, not him: “I do not claim to know the program in its current form. The Guardian editors declined to say whether the slides they posted did. The burden of proof is on them.” Now I don’t know about you but I have always had issues with the kind of argument that goes: I do not need to prove my claim that is contrary to yours because you started this and you should present evidence first. The alleged lack of evidence for the first claim does not lend strength to its opposite if evidence of the opposite is missing.

To be fair, for a moment there, I really thought Mr Foust was going to turn the story around by making a valid point, namely that “[i]t is the laws that prevent those terrible things that matter — so when they are broken, we know whom to hold accountable. In all the hype about XKeyscore, we’ve learned very little about any legal protections afforded to Americans under this program.”

Precisely! Are there any? How many loopholes have these laws got? This is an interesting and worrying question to ask. How strong are the laws that prevent potential abuse of technical capabilities?

Sadly, Mr Foust then immediately undermines this argument by saying that “[w]e have not learned of any abuse of the system to do harm unnecessarily. What we have learned, essentially, is that the NSA — a spy agency whose attention is focused internationally—does exactly what it is supposed to do.”

Bravo! So, by inference, because we haven’t learned about any abuse and in theory there should be laws that prevent abuse and that everyone observes, there is nothing to worry about because the Spooks are just doing their jobs? (Mind you, the idea that “the NSA does exactly what it is supposed to do” is itself open to conjecture but there you go.)

That is an interesting way of seeing it. The problem is that it rests on a premise that – unless you are willing to accept it and make it your own – doesn’t actually provide a strong basis for a convincing argument at all. The idea that there is no abuse does not follow logically from the premise that we haven’t seen any abuse. The idea that laws should exist to prevent horrible things from happening does not automatically mean that these laws do exist, let alone that they are being observed. In fact, the 2008 FISA Amendment Act makes it difficult to know whom to hold accountable if laws aren’t observed.

“Having the technical capability to behave unethically is not the same as being shown to behave unethically. That is the crucial, missing piece in the outcry: There is no evidence that XKeyscore has ever been misused.”

This may be true. But the same goes for the inversion; there being no evidence of abuse does not mean there is no abuse. Between the lines, Mr Foust accuses Mr Greenwald of omissions in his reporting, of lacking the evidence to substantiate his claim. Well then, Mr Foust should present the evidence to substantiate his opposite claim.

Ah, I hear you say, but Mr Foust was simply pointing out that we should not just swallow everything we read or see or hear because we are so blinded by our indignation at the NSA revelations that we do not even question what we are being told anymore.

Yet, Mr Foust seems to expect us to make his assumption our own that the laws in place are sufficient to prevent abuse of technical capabilities and moreover that these laws are being observed. The trouble is that if, in light of all recent revelations put together, we find it difficult to accept that premise – and a lot of people do; I refer you again to Bruce Schneier’s comments – his own argument is easier to nit-pick apart than he believes Glenn Greenwald’s article to be.


I am indebted for many valuable insights and much clarification on the technical side of xKeyscore and other programs to a very good and very tech-savvy friend of mine. You know who you are!

