National Security Agency surveillance
Map of global NSA data collection as of 2007[update], with countries subject to the most data collection shown in red
Programs Pre-1978 ECHELON MINARET SHAMROCK PROMIS Since 1978 Upstream collection BLARNEY FAIRVIEW Main Core ThinThread Genoa Since 1990 RAMPART-A Since 1998 Tailored Access Operations Since 2001 OAKSTAR STORMBREW Trailblazer Turbulence Genoa II Total Information Awareness President's Surveillance Program Terrorist Surveillance Program Since 2007 PRISM Dropmire Stateroom Bullrun MYSTIC Databases, tools etc. PINWALE MARINA Main Core MAINWAY TRAFFICTHIEF DISHFIRE XKeyscore ICREACH BOUNDLESSINFORMANT GCHQ collaboration MUSCULAR Tempora
Legislation Safe Streets Act Privacy Act of 1974 FISA ECPA Patriot Act Homeland Security Act Protect America Act of 2007 FISA Amendments Act of 2008
Institutions FISC Senate Intelligence Committee National Security Council
Lawsuits ACLU v. NSA Hepting v. AT&T Jewel v. NSA Clapper v. Amnesty Klayman v. Obama ACLU v. Clapper Wikimedia v. NSA US v. Moalin
Whistleblowers William Binney Thomas Drake Mark Klein Thomas Tamm Russ Tice Edward Snowden
Publication 2005 warrantless surveillance scandal Global surveillance disclosures (2013–present)
Related Cablegate Surveillance of reporters Mail tracking UN diplomatic spying Insider Threat Program Mass surveillance in the United States Mass surveillance in the United Kingdom
Concepts SIGINT Metadata
Collaboration United States CSS CYBERCOM DOJ FBI CIA DHS IAO Five Eyes CSEC GCHQ ASD GCSB Other DGSE BND
v t e

XKeyscore (XKEYSCORE orXKS) is a secret computer system used by the United StatesNational Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligence agencies, including theAustralian Signals Directorate, Canada'sCommunications Security Establishment, New Zealand'sGovernment Communications Security Bureau, Britain'sGovernment Communications Headquarters, Japan'sDefense Intelligence Headquarters, and Germany'sBundesnachrichtendienst.^[1]

In July 2013,Edward Snowden publicly revealed the program's purpose and use by the NSA inThe Sydney Morning Herald andO Globo newspapers. The code name was already public knowledge because it was mentioned in earlier articles, and, like many other code names, it appears in job postings and onlinerésumés of employees.^[2][3]

On July 3, 2014, Germanpublic broadcasterNorddeutscher Rundfunk, a member ofARD, published excerpts of XKeyscore's source code.^[4][5]

Part ofa series on
Global surveillance
Disclosures
Origins Pre-2013 2013–present Reactions
Systems
XKeyscore PRISM ECHELON Sentient Carnivore Dishfire Stone Ghost Tempora Frenchelon Fairview MYSTIC DCSN Boundless Informant Bullrun Pinwale Stingray SORM RAMPART-A Mastering the Internet Jindalee Operational Radar Network
Selected agencies
FVEY ASD CSE GCSB GCHQ NSA BND BSSN CNI DIH DGSE KGB MSS JSCU Spetssvyaz Unit 8200
Places
The Doughnut Fort Meade Menwith Hill Pine Gap Southern Cross Cable Utah Data Center Bad Aibling Station Dagger Complex GCHQ Bude
Laws
Five Eyes UKUSA Agreement Lustre U.S. USA Freedom Act FISA amendments EU Data Retention Directive Data Protection Directive GDPR China National Intelligence Law Cybersecurity Law UK Investigatory Powers Act 2016
Proposed changes
U.S. FISA Improvements Act Other proposals
Concepts
Mass surveillance List of government mass surveillance projects Culture of fear Secure communication SIGINT Call detail record Surveillance issues in smart cities
Related topics
Espionage Intelligence agency Cryptography Tor VPNs TLS Human rights Privacy Liberty Satellites Stop Watching Us Nothing to hide argument
v t e

XKeyscore is a complicated system, and various authors have different interpretations of its actual capabilities.Edward Snowden andGlenn Greenwald have said that XKeyscore is a system that enables almost unlimitedsurveillance of anyone anywhere in the world, while the NSA has claimed that usage of the system is limited and restricted.^{[citation needed]}

According toThe Washington Post and national security reporterMarc Ambinder, XKeyscore is an NSA data-retrieval system which consists of a series of user interfaces,backend databases, servers and software that selects certain types of data andmetadata that the NSA has already collected using other methods.^[6][7]

On January 26, 2014, the German broadcasterNorddeutscher Rundfunk asked Edward Snowden in its TV interview: "What could you do if you would use XKeyscore?" and he answered:^[1]

You could read anyone's email in the world, anybody you've got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you're tracking: you can follow it as it moves from place to place throughout the world. It's a one-stop-shop for access to the NSA's information.... You can tag individuals ... Let's say you work at a major German corporation and I want access to that network, I can track your username on a website on a forum somewhere, I can track your real name, I can track associations with your friends and I can build what's called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.

According toThe Guardian'sGlenn Greenwald, low-level NSA analysts can, via systems like XKeyscore, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."^[8]

He added that the NSA's database of collected communications allows its analysts to listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future".^[8]

In an official statement from July 30, 2013, the NSA said "XKeyscore is used as a part of NSA's lawful foreignsignals intelligence collection system" to legally obtain information about "legitimate foreign intelligence targets in response to requirements that our leaders need for information necessary to protect our nation and its interests. ... to collect the information, that enables us to perform our missions successfully – to defend the nation and to protect U.S. and allied troops abroad."^[9]In terms of access, an NSA press statement reads that there is no "unchecked analyst access to NSA collection data. Access to XKeyscore, as well as all of NSA's analytic tools, is limited to only those personnel who require access for their assigned tasks." and that there are "stringent oversight and compliance mechanisms built in at several levels. One feature is the system's ability to limit what an analyst can do with a tool, based on the source of the collection and each analyst's defined responsibilities."^[10]

According to an NSA slide presentation about XKeyscore from 2013, it is a "DNI Exploitation System/Analytic Framework". DNI stands for Digital Network Intelligence, which means intelligence derived from internet traffic.^[11]

Edward Snowden said about XKeyscore: "It's a front end search engine" in an interview with the GermanNorddeutscher Rundfunk.^[12]

XKeyscore is a "piece of Linux software that is typically deployed onRed Hat servers. It uses theApache web server and stores collected data inMySQL databases".^[13]

XKeyscore is considered a "passive" program, in that it listens, but does not transmit anything on the networks that it targets.^[5] But it can trigger other systems, which perform "active" attacks throughTailored Access Operations which are "tipping", for example, the QUANTUM family of programs, including QUANTUMINSERT, QUANTUMHAND, QUANTUMTHEORY, QUANTUMBOT and QUANTUMCOPPER andTurbulence. These run at so-called "defensive sites" including theRamstein Air Force base in Germany,Yokota Air Base in Japan, and numerous military and non-military locations within the US. Trafficthief, a core program of Turbulence, can alert NSA analysts when their targets communicate, and trigger other software programs, so select data is "promoted" from the local XKeyscore data store to the NSA's "corporate repositories" for long term storage.^[5]

XKeyscore consists of over 700 servers at approximately 150 sites where the NSA collects data, like "US and allied military and other facilities as well as US embassies and consulates" in many countries around the world.^[14][15][16] Among the facilities involved in the program are four bases inAustralia and one inNew Zealand.^[15]

According to an NSA presentation from 2008, these XKeyscore servers are fed with data from the following collection systems:^[17]

1. F6 (Special Collection Service) – joint operation of the CIA and NSA that carries out clandestine operations including espionage on foreign diplomats and leaders
2. FORNSAT – which stands for "foreign satellite collection", and refers to intercepts from satellites
3. SSO (Special Source Operations) – a division of the NSA that cooperates with telecommunication providers

In a single, undated slide published by Swedish media in December 2013, the following additional data sources for XKeyscore are mentioned:^[18]

1. Overhead – intelligence derived from American spy planes, drones and satellites
2. Tailored Access Operations – a division of the NSA that deals with hacking andcyberwarfare
3. FISA – all types of surveillance approved by theForeign Intelligence Surveillance Court
4. Third party – foreign partners of the NSA such as the (signals) intelligence agencies of Belgium, Denmark, France, Germany, Italy, Japan, the Netherlands, Norway, Sweden, etc. However the Netherlands is out of any cooperation concerning intelligence gathering and sharing for illegal spying.

From these sources, XKeyscore stores "full-take data", which is scanned by plug-ins that extract certain types of metadata (like phone numbers, e-mail addresses, log-ins, and user activity) and indexs them in metadata tables, which can be queried by analysts. XKeyscore has been integrated withMARINA, which is NSA's database for internet metadata.^[11]

However, the system continuously gets so much Internet data that it can be stored only for short periods of time. Content data remains on the system for only three to five days, while metadata is stored for up to thirty days.^[19] A detailed commentary on an NSA presentation published inThe Guardian in July 2013 cites a document published in 2008 declaring that "At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours."^[20]

According to a document from an internal GCHQ website which was disclosed by the German magazineDer Spiegel in June 2014, there are three different types of the XKeyscore system:^[21]

• Traditional: The initial version of XKeyscore is fed with data from low-rate data signals, after being processed by the WEALTHYCLUSTER system. This traditional version is not only used by NSA but also at many intercept sites of GCHQ.
• Stage 2: This version of XKeyscore is used for higher data rates. The data is first processed by the TURMOIL system, which sends 5% of the internet data packets to XKeyscore. GCHQ only uses this version for collection under theMUSCULAR program.
• Deep Dive: This latest version can process internet traffic at data rates of 10 gigabits per second. Data that could be useful for intelligence purposes is then selected and forwarded by using the "GENESIS selection language". GCHQ also operates a number of Deep Dive versions of XKeyscore at three locations under the codenameTEMPORA.^[22]

For analysts, XKeyscore provides a "series of viewers for common data types", which allows them to query terabytes of raw data gathered at the aforementioned collection sites. This enables them to find targets that cannot be found by searching only the metadata, and also to do this against data sets that otherwise would have been dropped by the front-end data processing systems. According to a slide from an XKeyscore presentation, NSA collection sites select and forward less than 5% of the internet traffic to thePINWALE database for internet content.^[19]

Because XKeyscore holds raw and unselected communications traffic, analysts can not only perform queries using "strong selectors" like e-mail addresses, but also using "soft selectors", like keywords, against the body texts of e-mail and chat messages and digital documents and spreadsheets in English, Arabic and Chinese.^[11]

This is useful because "a large amount of time spent on the web is performing actions that are anonymous" and therefore those activities can't be found by just looking for e-mail addresses of a target. When content has been found, the analyst might be able to find new intelligence or a strong selector, which can then be used for starting a traditional search.^[11]

Besides using soft selectors, analysts can also use the following other XKeyscore capabilities:^[11][23]

• Look for the usage ofGoogle Maps and terms entered into a search engine by known targets looking for suspicious things or places.
• Look for "anomalies" without any specific person attached, like detecting the nationality of foreigners by analyzing the language used within intercepted emails. An example would be a German speaker in Pakistan. The Brazilian paperO Globo claims that this has been applied to Latin America and specifically to Colombia, Ecuador, Mexico and Venezuela.^[14][24]
• Detect people who use encryption by doing searches like "allPGP usage in Iran". The caveat given is that very broad queries can result in too much data to transmit back to the analyst.
• Showing the usage ofvirtual private networks (VPNs) and machines that can potentially behacked viaTAO.
• Track the source and authorship of a document that has passed through many hands.
• On July 3, 2014ARD revealed that XKeyscore is used to closely monitor users of theTor anonymity network,^[5] people who search for privacy-enhancing software on the web,^[5] and readers ofLinux Journal.^[25]

The Guardian revealed in 2013 that most of these things cannot be detected by other NSA tools, because they operate with strong selectors (like e-mail and IP addresses and phone numbers) and the raw data volumes are too high to be forwarded to other NSA databases.^[11]

In 2008, NSA planned to add a number of new capabilities in the future including access toVoIP and other, unspecified network protocols and additional forms of metadata such asExif tags, which often includegeolocation (GPS) data.^[11]

The NSA slides published inThe Guardian during 2013 claimed that XKeyscore had played a role in capturing 300 terrorists by 2008,^[11] which could not be substantiated as the redacted documents do not cite instances of terrorist interventions.

A 2011 report from the NSA unit in theDagger Complex (close toGriesheim in Germany) said that XKeyscore made it easier and more efficient to target surveillance. Previously, analysis often accessed data NSA was not interested in. XKeyscore allowed them to focus on the intended topics, while ignoring unrelated data. XKeyscore also proved to be outstanding for tracking active groups associated with theAnonymous movement in Germany, because it allows for searching on patterns, rather than particular individuals. An analyst is able to determine when targets research new topics, or develop new behaviors.^[26]

To create additional motivation, the NSA incorporated variousgamification features. For instance, analysts who were especially good at using XKeyscore could acquire "skilz" points and "unlock achievements." The training units in Griesheim were apparently successful and analysts there had achieved the "highest average of skilz points" compared with all other NSA departments participating in the training program.^[26]

According to documentsDer Spiegel acquired from Snowden, the German intelligence agenciesBND (foreign intelligence) andBfV (domestic intelligence) were also allowed to use the XKeyscore system. In those documents the BND agency was described as the NSA's most prolific partner in information gathering.^[27] This led to political confrontations, after which the directors of the German intelligence agencies briefed members of the German parliamentary intelligence oversight committee on July 25, 2013. They declared that XKeyscore has been used by the BND since 2007 and that the BfV has been using a test version since 2012. The directors also explained that the program is not for collecting data, but rather only for the analysis of collected data.^[28]

As part of theUKUSA Agreement, a secret treaty was signed in 1954 by Sweden with the United States, the United Kingdom, Canada, Australia and New Zealand (called theFive Eyes) for the purpose of intelligence collaboration anddata sharing.^[29] According to documents leaked by Snowden, theNational Defence Radio Establishment (FRA) has been granted access to XKeyscore.^[30]

In an ongoing scandal, where it has been revealed that NSA helped FE (Danish Defence Intelligence Service) build a new Spy datacenter at Sandagergård, Amager, XKeyscore has been made available for FE to use on the collected data.^[31]

The classified documents leaked by Snowden also indicate that in April 2013, NSA had secretly provided the XKeyscore system to theJapanese government.^[32]

• List of government surveillance projects
• PRISM
• File:XKeyscore presentation from 2008.pdf, a redacted presentation about X-Keyscore via The Guardian (UK) via Edward Snowden via U.S. National Security Agency
• Targeted surveillance

Wikimedia Commons has media related toXKeyscore.

• A full NSA presentation about XKeyscore from 2008
• Building a panopticon: The evolution of the NSA’s XKeyscore
• Marquis-Boire, Morgan; Greenwald, Glenn; Lee, Micah (July 1, 2015)."XKEYSCORE: NSA's Google for the World's Private Communications".The Intercept. RetrievedJuly 5, 2015.
• Lee, Micah; Greenwald, Glenn; Marquis-Boire, Morgan (July 2, 2015)."Behind the Curtain; A Look at the Inner Workings of NSA's XKEYSCORE".The Intercept. RetrievedJuly 5, 2015.

• 2013 scandals
• Counterterrorism in the United States
• Espionage
• Human rights in the United States
• Mass surveillance
• Obama administration controversies
• Privacy in the United States
• Privacy of telecommunications
• American secret government programs
• Surveillance scandals
• United States national security policy
• War on terror
• GCHQ operations
• National Security Agency operations
• Intelligence agency programmes revealed by Edward Snowden
• Federal Intelligence Service
• Communications Security Establishment

• CS1 maint: multiple names: authors list
• Webarchive template wayback links
• CS1 Portuguese-language sources (pt)
• CS1 Danish-language sources (da)
• Use mdy dates from January 2020
• Use American English from August 2013
• All Wikipedia articles written in American English
• Articles containing potentially dated statements from 2007
• All articles containing potentially dated statements
• Articles with short description
• Short description is different from Wikidata
• All articles with unsourced statements
• Articles with unsourced statements from June 2024
• Commons category link from Wikidata