Stewart Baker’s User Interface and Edward Snowden’s Authorities

Former NSA Counsel Stewart Baker has been in an increasingly urgent froth since Edward Snowden’s leaks first became public trying to prove that the NSA should have more, not less, unchecked authority.

He outdid himself yesterday with an attempt to respond to Jack Goldsmith’s question,

How is the NSA Director Alexander’s claim that “we can audit the actions of our people 100%” (thus providing an important check against abuse) consistent with (a) stories long after Snowden’s initial revelations that the White House does not “know with certainty” what information Snowden pilfered, (b) reported NSA uncertainty weeks after the initial disclosure about what Snowden stole, (c) Alexander’s own assertion (in June) that NSA was “now putting in place actions that would give us the ability to track our system administrators”?

Baker’s totally inadequate response consists of pointing to certain features of XKeyscore revealed by the Guardian.

Take a close look at slide 7 of the latest leaked powerpoints.

It shows a sample search for a particular email address, including a box for “justification.” The sample justification (“ct target in n africa”) provides both the foreign intelligence reason for surveillance and the location of the target. What’s more, the system routinely calls for “additional justification.” All this tends to confirm NSA’s testimony that database searches must be justified and are subject to audits to prevent privacy abuses.

Now, I don’t know about Baker, but even without a drop-down menu, the average American high schooler is thoroughly adept at substituting a valid justification (“grandmother’s funeral,” “one day flu”) for an invalid one (“surfs up!” “first day of fishing season”). I assume the analysts employed by NSA are at least as adept at feeding those in authority the answers they expect. XKeyscore just makes that easier by providing the acceptable justifications in a drop-down menu.

More problematic for Baker, he commits the same error the Guardian’s critics accuse it of committing: confusing a User Interface like XKeyscore or PRISM with the underlying collections they access. (The Guardian has repeated Snowden and Bill Binney’s claims the NSA collects everything, without yet presenting proof that that includes US person content aside from incidental content collected on legitimate targets.)

That error, for Baker, makes his response to Goldsmith totally inapt to his task at hand, answering Goldsmith’s questions about what systems administrators could do, because he responds by looking at what analysts could do. Goldsmith’s entire point is that the NSA had insufficient visibility into what people with Snowden’s access could do, access which goes far beyond what an analyst can do with her drop-down menu.

And one of the few documents the government has released actually shows why that is so important.

The Primary Order for the Section 215 metadata dragnet, released last week, reveals that technical personnel have access to the data before it gets to the analyst stage.

Appropriately trained and authorized technical personnel may access the BR metadata to perform those processes needed to make it usable for intelligence analysis. Technical personnel may query the BR metadata using selection terms4 that have not been RAS-approved (described below) for those purposes described above, and may share the results of those queries with other authorized personnel responsible for these purposes, but the results of any such queries will not be used for intelligence analysis purposes. An authorized technician may access the BR metadata to ascertain those identifers that may be high volume identifiers. The technician may share the results of any such access, i.e., the identifers and the fact that they are high volume identifers, with authorized personnel (including those responsible for the indentification and defeat of high volume and other unwanted BR metadata from any of NSA’s various metadata respositories), but may not share any other information from the results of that access for intelligence analysis purposes. In addition, authorized technical personnel may access the BR metadata for purposes of obtaining foreign intelligence information pursuant to the requirements of subparagraph (3)(C) below.


Whenever the BR metadata is accessed for foreign intelligence analysis purposes or using foreign intelligence analysis query tools, an auditable record of the activity shall be generated.

Note, footnote 4 describing these selection terms is redacted and the section in (3)(C) pertaining to these technical personnel appears to be too.

Now, I suspect the technical personnel who access the metadata dragnet are different technical personnel than the Snowdens of the world. They’re data crunchers, not network administrators. Which only shows there’s probably a second category of person that may escape the checks in this system.

That’s because with their front-end manipulation of the dataset (though not the activities described under (3)(C)), these personnel are not conducting what are considered foreign intelligence searches of the database. The data they extract from the database is specifically prohibited (though, with weak language) from circulation as foreign intelligence information. That appears to mean their actions are not auditable. When Keith Alexander says the data is 100% auditable? You shouldn’t believe him, because his own document appears to say only the analytical side of this is audited. (The document also makes it clear that once the data has been queried, the results are openly accessible without any audit function; the ACLU had a good post on this troubling revelation.)

I suspect a lot of what these technical personnel are doing is stripping numbers — probably things like telemarketer numbers — that would otherwise distort the contact chaining. Unless terrorists’ American friends put themselves on the Do Not Call List, then telemarketers might connect them to every other American not on the list, thereby suggesting a bunch of harassed grannies in Dubuque are 2 degrees from Osama bin Laden.

But there’s also the reference to “other unwanted BR metadata.” As I’ll explain in a future post, I suspect that may be some of the most sensitive call records in the dataset.

Whatever call records get purged on the front end, though, it appears to all happen outside the audit chain that Keith Alexander likes to boast about. Which would put it well outside the world of drop-down menus that force analysts actions to conform with something that looks like foreign intelligence analysis.

In other words, even the document the government provided (with heavy redactions) to make us more comfortable about this program shows places where it probably has insufficient visibility on what happens to the data. And that’s well before you get into the ability of people who can override other technical checks on NSA behavior as system administrators.

Update: More froth from Stewart Baker. This response to my post seems to be an utter capitulation to Goldsmith’s point.

Wheeler thinks this is important because it means that the “justification” menus don’t guarantee auditability of every use of intercept data by every employee at NSA. Again, that may be true, but the important point about the “justification” menu isn’t that it offers universal protection against abuse; nothing does. [my emphasis]

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

31 replies
  1. Nigel says:

    He got a pretty good shellacking in the comments section over at Volokh.

    I particularly liked the comment about the quantum theory of Fourth Amendment violations.

  2. Greg Bean (@GregLBean) says:

    Having access to ALL the information would in many ways be like having the Almanac-from-the-future in the movies ‘Back to the Future’.

    And that is NSA’s whole purpose, to be able to know in advance what is going to happen.

    BUT, I wonder how much commercial advantage was gained from having this Almanac of the future; every commercial opportunity revealed days-weeks-months before the market knew.

    Tell me no one got rich, and is not still getting rich on this.

    I maintain, the whole surveillance for prevention of terrorist attack is a scam, it provides no adequate commercial benefit (go ahead, convince me the powers care one hoot about a death here or there) but for commercial advantage, well now, that is beyond doubt worth spending $trillions on.

    Why was it being outsourced to Booz and how have they been doing, just btw?

  3. Richard Hoefer says:

    That’s excellent analysis, Marcy.
    I’ve never felt so deeply and certain that the United States is completely off the rails. I don’t see any Lone Rangers off in the horizon aiming to rescue the situation either.

  4. Chris Harries says:

    Since 2007 there has been no recovery. In fact the economy has steadily deteriorated. And the economic crisis has broadened, it now comprehends most of the globe and it is still spreading.

    That is the context in which to understand the NSA programme. The “terrorism” that it is intended to deter is that of the civil variety: strikes, community actions against foreclosure and other repossessions, demonstrations against unemployment, cutbacks, privatisation. It would be interesting to look back at the police responses to demonstrations around Europe in the past five years, for signs that the authorities were monitoring the communications of those involved. What we do know is that the police have generally been very well prepared and able to stamp out protests very quickly. Look at Greece for example.

    As the GCHQ definitions (reported in the Gruadnian) make clear, “threats to economic well being” (aka the smooth functioning of the Capitalist system) are grounds for monitoring the communications of… Shop stewards, union organisers, student leaders, community groups etc etc.

    As to the odd hobbyist in the Hadramaut replacing the soles of his flip flops with plastic explosive, my own guess is that the arabic language capabilities of the NSA is still at the rudimentary stage. Now that is something that could be checked.

  5. P J Evans says:

    Considering that the Do Not Call list doesn’t stop the telemarketers all that well – if they’re stripping telemarketer numbers from that list, I hope they’re providing those numbers to the FTC and whichever other agencies are responsible for maintaining the DNC list.

  6. orionATL says:

    once again, this entire system is not prospective and cannot predictively stop any initiative, terrorist, cyberpunk, or otherwise.

    this nsa/fbi spying is retrospective and reactive, responding to an initiative from an individual or organization.

    thus its best use is in policing (political groups, gangs,and individuals) AFTER they have revealed their intentions and those intentions fit labels assigned by tptb as “malevolent”.

    we have already seen after sept 2001 how the combination of terrified congresscattle and determined presidential authoritarians can shred the u.s. constitution in a matter of months.

    only a pollyanna or a fool could believe that the nsa spying system will not be applied to domestic politics whenever the “need” arises.

    seperately, tbere has been no strong argument made, though i suspect there could be, that the “total information control” approach which nsa/fbi spying represents is not the best, or even a very good way, to go about policing/protecting.

    but back to the main point, where individual human behavior is concerned the future is simply not predictable. that is why the u.s. secret service has such elaborate strategies to protect the president.

    the nsa/fbi total communication control is a similar set of social agencies whose central benefit is protecting existing political power. that is and will always be its primary, narrow, and perhaps only benefit.

  7. emptywheel says:

    @P J Evans: I think they also purge out pizza and falafel joints.

    Which would be very interesting, given the central role of a pizza place in the Tsarnaev’s alleged crimes, both the 2011 triple murder and the Marathon bombing manhunt.

  8. JTMinIA says:

    You refer to the technical personnel as “data crunchers,” which may or may not be correct. To me, a data cruncher is a person performing some kind of analysis, even if it is preliminary. What I believe that “technical personnel” here refers to are the people who enter the information into the data-base. The odds that the data coming from the various telecoms, etc, are in the correct format is very low, as are the odds that all the different sources are sending the NSA files that are in the same format as each other. Therefore, someone – my guess: technical personnel – must take each incoming file and write a script to add the data to the existing data-base. They might also deal with any differences in value-coding, as well as deal with missing values (if some sources have less information that others).

    Please note that there is a parallel to this in medical and psychological science. Anyone who accesses a data-base to perform any kind of analysis must be certified by the local IRB (which is the Institutional Review Board … the folks that keep up from repeating Tuskeegee, Milgram, Stanford, etc). But, if you need help setting up your data-base, you can ask IT and the IT people do not need to be certified.

    If you think that this makes no sense, I agree. (And I insisted that the IT guy in my department become IRB certified because my reading of the federal guidelines was that anyone accessing the data needed to be certified.) But I can see how a person that deals with data that have rules concerning who can have access would end up seeing technical staff as being different from analysts.

  9. JTMinIA says:

    The above was a bit tangential. YOUR point stands. My beef with the rules controlling psych data was that it allowed people – technical staff – to have access without being certified. The reply to me was “what would an IT guy want with psych data?” My reply was that I didn’t give a rat’s tush; anyone having access to my data needed to be certified, so, if IT had a password to my computer, they needed to be certified.

    I think the same kind of simplistic short-sightedness is probably happening at the NSA. The technical staff probably have way more access than anyone is authorized to have. The excuse – from the NSA – is something like: “but they’re just computer nerds … they won’t be reading emails and listening to phone calls.”

    The question wasn’t whether they want to. The question was whether they could. We all know that they can and those answering questions about this in public are just using the IT/tech-guy dodge to get around answering the actual question. Just like my colleagues do when they say that “only certified people have access to the raw data.” We all knew that was a lie before I made the IT folks go through certification. We just like to pretend that the IT folks don’t exist (until we get a blue screen of death).

  10. orionATL says:


    it is no coincidence that the nsa/fbi spying machinery, social and physical, has arisen at the same time as the rapid development and deployment of pilotless airplanes.

    both benefit from very capable computer software.

    it seems reasonable to me to assert that computer software has reached the point of sophistication that some incarnations of it constitute a very serious threat to u.s. constitutional government.

    drone technology in warfare also has the disadvantage of making presidents and generals and paramilitaries far less cautious about the use of arms in warring/policing. the loss of a plane minus a human pilot is “no big deal” the death of a human pilot – or worse from the politician’s standpoint – his capture and imprisonment can have undesireable consequences.

    electronic spying technology does not have the downed or dead pilot problem, but it is unconstitutional and offensive, at least to some citizens. hence the need to keep its use hidden. as edward snowden’s disclosures and subsequent congressional (and executive) yelping have made clear, there is nothing in those disclosures that could not or should not have been discussed openly. the reason for the extreme secrecy is that this application of computer software would likely be strongly opposed and challenged by some politicians, some citizens, and, most importantly politically, some very capable public intetest organizations

  11. orionATL says:


    your two comments are an excellent analogy and not at all tangential from my viewpoint.

    i would not be at all surprised if a large part of the enormous nsa workforce (50k) were involved in making individual records fit into the data base.

  12. JTMinIA says:

    Sorry. One last point, taking us back to the level of what the USG is trying to do to Snowden and is doing to Manning.

    Given the huge number of employees at the NSA (as pointed out by Orion), there are thousands of people who know the truth about what data are being collected and stored. On the premise that a lot more is being stored than those talking about it in public have acknowledged, the USG needs to keep these people from talking. What better way than to make it clear that your life is OVER if you tell the public about the lies?

    Note, also, the converse. If those talking about this in public are not lying, they would have had a few selective leaks from staff by now to back up their story. In other words, because Bush/Obama/etc have established a clear pattern of “leaks” when it helps them, that there have been no “leaks” from low-level folks to back up the idea that only metadata is collected and stores counts – to me – as evidence against that idea.

  13. emptywheel says:

    @JTMinIA: Yeah, it’s probably not the right term. I wrote it at 2AM after bar time drunks woke me up.

    But it’s clear they do some tweaking of the data–beyond just stripping out known telemarketers and pizza joints. It’s an IT/analytical role, but not an intel/analyst role, no?

  14. emptywheel says:

    @JTMinIA: And I do think the analysis here is actually more invasive than your IT folks, only because they’re taking out known false positives and other sensitive numbers. Which would seem to allow more intrusive involvement with the data even.

  15. Frank33 says:

    Technical personnel may query the BR metadata using selection terms4 that have not been RAS-approved (described below) for those purposes described above, and may share the results of those queries with other authorized personnel responsible for these purposes, but the results of any such queries will not be used for intelligence analysis purposes.

    Technical personnel use intelligence analysis. But their results may not be used for intelligence analysis. That is ridiculous and obviously an NSA cover story. Anyone who works for the NSA does intelligence analysis.

    But this other layer of “Technical Personnel” has super user privileges. Is this a cover story of a cover story? Could there be a super duper secret organization embedded in the super secret NSA?

  16. orionATL says:

    when a former nsa lawyer says something like “it’s highly likely that…” is that not a wink and a nudge designed to imply that that is in fact what happens?

    but govt and corporate lawyers have become, increasing, experts in lawyerly lying or dissembling for the explicit purpose of covering up bureaucratic misconduct.

    personally, baker, if he held the position attributed to him, would be one of the last people whose assertions about rules and controls within the nsa i would trust.

    virtually everything baker says about protections for privacy is in the form of a surmise, with the implied invitation to the gullible and the authoritarian to take it instead as fact. but why should we not expect that his arguments are willfully misleading?

    the profound skepticism i am expressing is, you see, the other side of pervasve secrecy and of deception to protect that secrecy – “don’t worry your little head about it, mary jane, we already thought about that and we’ve already got it covered. you privacy is safe with us. honest!”

  17. orionATL says:

    stewart baker has been handing out assurances about electronic spying, national security needs, and individual privacy for a very long time:

    “..Civil Liberties vs National Security

    In September 9, 1992, while Baker was Counsel for the National Security Agency, he wrote a letter to Gerald E. McDowell, Esq., Acting Deputy Assistant Attorney General, Department of Justice, regarding NSA’s intercept operations:

    “In the wake of disclosures about the role of the Banca Nazionale del Lavoro (BNL), particularly its Atlanta branch, in the provision of financial assistance to the regime of Saddam Hussein, questions were raised about whether the intelligence community was providing sufficient support to law enforcement.
    “This letter, from NSA’s general counsel, answers a series of questions from the Justice Department pertaining to NSA’s knowledge of, or involvement in, BNL activities. The responses appear to indicate that NSA had not derived any intelligence concerning BNL activities from its intercept operations. The letter also stresses NSA’s sensitivity to the issue of the privacy of American citizens (noting that ‘NSA improperly targeted the communications of a number of Americans opposed to the Vietnam War’) and the restrictions on reporting information concerning U.S. citizens or corporations.”

    Speaking about Carnivore in 2002, Baker said: “The measures currently being considered would not tip the balance between privacy and security too far, … Other proposals could have a stronger impact. … Baker said he was concerned that relaxing privacy protections could eventually lead to ‘dragnet searches’ of e-mail for certain words and phrases. … ‘It would be a very big change in our approach to the privacy of communications, … At that point, you become very worried about the consequences for the privacy of ordinary people.'”

    Baker was quoted May 31, 2002, as saying: “‘If you have terrorists inside your borders, you don’t have the luxury anymore of separating law enforcement from the need to gather intelligence, … Before 9/11, the risk to our security seemed theoretical and remote. Now it seems concrete. We would be foolish not to reconsider the balance’ between privacy and security.
    “Much of what [Attorney General John] Ashcroft is proposing simply takes into account modern information technology, Baker added. ‘In the 1970s, maintaining a clip file on someone was a big deal. Now, Google does it for you,’ he said, referring to the popular Internet search engine.”
    Full October 2002 Markle Foundation report “Protecting America’s Freedom in the Information Age” (174-page pdf).

    Testimony of Stewart Baker Before the National Commission on Terrorist Attacks Upon the United States, December 8, 2003 (37-page pdf): “In my view, there were two problems – a problem with the tools our agencies were able to use and a problem with the rules they were required to follow. What’s worse, two years later, neither problem has been fixed. Which means that there is a very real risk we will fail again, and that more Americans will die at the hands of terrorists as a result of our failure.”

    taken from:

  18. omphaloscepsis says:

    From the top of Baker’s post in Marcy’s Update link:

    “NSA has limitations on what it collects, particularly in the United States, and no one thinks that the front end XKeyScore system overrides those limits.”

    That seemed like a good place to stop reading.

  19. JTMinIA says:

    @emptywheel: Oh, my, yes; having my emails and phone-calls hoovered is a tad more invasive than having the fact that I grind my teeth in my sleep widely known.

    As to what an IT person (or “data manager” in my world) does vs. what an analyst does … what I’m most interested in right now is what, exactly, Snowden was. His background makes me think that he was a data manager, instead of an analyst. And data managers have pretty much unlimited access to everything that was ever in the system. So, even if they really do mask off or strip out the content of emails and phone-calls before the analysts get access, a data-manager could see and do anything – right from his desk – just as Snowden has said.

    And that’s what parallels my case so well. Example: we collect complete demographics on all subjects, because some funding agencies want to be shown that we aren’t just using blue-eyed, blond, right-handed males (as my advisor’s advisor did back in the 50s and 60s). That’s supposed to remain segregated from the actual data, because it could easily be used to link the actual person to the data, which is something that we are not allowed to do (as soon as analysis starts). But the data-manager (who happens to be me, as well, but that’s not always the case) sees it all, at the same time, in one place, while creating the segregated files.

    If Snowden was what I’m calling a data-manager, instead of an analyst, then he could do everything that he said that he could. The talking head on TV and in front of congress might be telling the truth when he or she says that the analysts can’t access content, but that doesn’t mean that someone else couldn’t. The public needs a little education on all of the different people that are required to build and maintain a huge data-base. If the questions to the talking heads are not worded carefully, then it’s easy for the talking head to mislead without giving an outright lie.

    With that said, I think that Wyden understands all this and did ask the right question(s). Clapper simply lied in response and everyone knows it.

  20. emptywheel says:

    @JTMinIA: Agree with all that about data managers. It’s an interesting theory about Snowden, then. Because it would explain his use of “we” in some places.

    And FWIW, as I said, I think they purge some of the most sensitive data. If they do, then it goes through the data manager’s hands identified as sensitive.

  21. P J Evans says:

    I’ll buy that theory; it fits with my experience at work, where we were building a large database. We had lower-level users, who didn’t have the ability to move files from one queue to another in the online order tracking system. We had QC, who could move files between ques, but didn’t necessarily have access to many of the queues and nodes – and there were a lot of them – and some people had access to nearly all of them. And the software support/database people had more access than that, and could (usually) change the data from the back end.
    BTW, we send a version of the database to the government for its purposes. (It’s actually partially available to the public; the finer details are not available.)

  22. JohnT says:

    Alexander’s own assertion (in June) that NSA was “now putting in place actions that would give us the ability to track our system administrators

    Wait, WUT!!11!1

    My response: Errrm, that should’ve been the first thing done. And who’s tracking them? And what sanctions are in place in cases of abuse? And yada, yada, yada, and everything else we said when George the Moran and Darth Cheney were in charge

    Response from Boggggistan: Don’t you just luvvvv how it’s all hopey changey now, and saves us from the terrists

  23. JTMinIA says:

    @P J Evans: Do you send it as delimited ascii, CSV, or – and this is what I’d really like to know – some proprietary format, such as SAP’s. If I had to guess what the NSA is using, I’d say it’s something from Oracle. If that’s the case, any half-way decent data-manager can view and even edit, while leaving no trace.

  24. JTMinIA says:

    ps. aren’t we all supposed to be freaking out about the embassies being closed? I mean, seriously, it’s a very shiny object. Or, maybe, we’re supposed to be arguing about A-Rod’s suspension.

  25. orionATL says:


    “… a-rod suspension”.

    a major faux pas – it is forbidden, as i understand its etiquette, to write about any of the round ball sports at the emptywheel website. :))

  26. orionATL says:


    there is an entirely different way to look at the vague but wide-ranging warning.

    the state dept does not want to have to defend itself from another republican opportunistic attack on a ” benghazi”.

    the safest, easiest solution? shut down every f-kin embassy or consulate that might be “attacked”.

    that is what state did.

    now, about the intell community. despite the billions and the extraordinary software and the secrecy to do anything imaginable,

    the nsa/fbi electronic spying machine is not capable of foretelling the future, palm-reading, or stopping an ischemic attack.

    it is retrospective and forensic.

    so –

    the nsa boys and girls do not want to be caught missing yet another attack like boston or benghazi or the aramco facility in algeria (?).

    what to do then?

    well, just issue some vague prediction, like any palm-reader or chinese fortune cookie, or newspaper horoscope and hope that, if disaster occurs, your organization can claim “we warned you.”

    the bottom line on this line of reasoning is that the electronic spying community cannot afford at this time to be found wanting in detecting yet another threat.

    so the state dept and the nsa have mutually reinforcing motives to put out a vague warning and close embassies – not to do so if an attack occurred would be fatal to credibility.

    the fact that neither of these bureaucracies seem to have a clue if there is a specific attack coming and where it would occur is clear from the language they use in the warnings.

    thus it is with dysfunctional government.

  27. Charles II says:

    Marcy says, “The Guardian has repeated Snowden and Bill Binney’s claims the NSA collects everything, without yet presenting proof that that includes US person content aside from incidental content collected on legitimate targets.”

    This is a really important point. Until evidence on this comes out, it’s hard to get the Congress to move. Show that they are (a) collecting and storing phone call content, (b) domestically, and (c) it’s not related to a terrorism issue and the Congress will be forced to move. We could even see a Church Committee-style response, with comprehensive reform good for a decade or two.

    However, I have to point out that Russell Tice has made specific allegations in this regard, saying that political figures like Senator Obama and former president Bill Clinton were wiretapped. That’s a truly infamous charge. If confirmed, that could trigger change.

  28. earlofhuntingdon says:

    It seems unlikely that the government knows – or wants to know – exactly what its contractors collect or what they do with it. The better to “get results”, whatever those are, and to avoid public accountability altogether.

    Once upon a time, even a supine Congress prohibited by statute a program(s) called Total Information Awareness (a move that was probably circumvented by changing the program(s) name(s) and hiding its budget through cutouts). Where are all those stalwart congresscritters who voted against TIA, now that current governmental and outsourced programs actually collect and occasionally use such “total” information?

Comments are closed.