What is this matrix?
The graphic is an attempt to show what we've learned about the National Security Agency (and occasionally its British partner, GCHQ) surveillance during the past year of revelations prompted by former NSA contractor Edward Snowden.
The X-axis represents the targets of surveillance — ranging from foreign to domestic. The Y-axis represents the type of surveillance — ranging from targeted to bulk. Programs are placed on the matrix based on an analysis of the publicly available information about them.
The matrix was inspired by New York magazine's approval matrix (which is not actually a matrix – it's a Cartesian coordinate plane), which plots New York cultural trends.
The goal of displaying the programs in a matrix is to reveal which ones fit squarely into NSA's mission — which is to gather foreign intelligence "in order to gain a decision advantage for the Nation" — and which ones are more controversial domestic or high-volume surveillance programs.
I don't agree with where you placed the programs. How did you decide where to put them?
We used our judgment, but the decisions sometimes made our heads hurt.
Take the definition of bulk. The dictionary defines 'bulk' as large volume, but earlier this year President Barack Obama defined bulk as large quantities of data…"acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.)."
As a result, the government argues that many of its high-volume programs are not bulk. Consider the Prism program, which collects information from U.S. companies about the content of communications of " persons reasonably believed to be located outside the United States" for foreign intelligence purposes. Prism captures more than 250 million Internet communications a year, according to a 2011 opinion from the Foreign Intelligence Surveillance Court. The government says the communications it captures are targeted, but in its recent transparency report, it says targets can include include groups of people and even whole countries. As a result, the government considers Prism a targeted program, but we are categorizing it as bulky.
Another thorny issue is estimating how much domestic data a program captures. Consider the Upstream program, which collects communications of targets as it transits the Internet within the United States. The upstream program collected more than 13.25 million Internet transactions during the first six months of 2011 – of which between 996 and 4,965 were wholly domestic, according to the 2011 FISC opinion. The government considers the program to be targeted at foreigners, but we are categorizing it as somewhat domestic.
And finally, there are many programs where we don't have a clear sense of the whether the targets are foreign or domestic. Consider QuantumInsert. It is an extremely sophisticated program that was used to infect the computers of engineers at a Belgian telecommunications firm when they accessed their LinkedIn profiles. But the technique could conceivably be used in the United States as well, if the Foreign Intelligence Surveillance Court approved a court order for its use. In these cases, we erred on the side of assuming that the targets were foreign.
Why aren't some programs that I've heard about on this chart?
The matrix is not comprehensive because some programs contained too few details to adequately categorize, such as programs to intercept and hack commercial routers.
Other programs appear to be back-end systems instead of collection programs. For example, Mainway is an NSA database of communications metadata that contains information from the now-infamous phone metadata program that is already included on the matrix.
And some well-known programs appear to be analysis tools, which help NSA analysts to view data that is stored elsewhere — making them difficult to categorize as collection tools. Two of the best known of these are XKeyscore, which appears to be primarily a tool for indexing and storing communications content and metadata for easy analysis, and Boundless Informant, which appears to be a tool to visualize global metadata records that, in some cases, are collected by other intelligence agencies and shared with the NSA.
What about other intelligence agency programs?
The NSA revelations have also led to fascinating scoops about other intelligence industry programs, such as a Central Intelligence Agency program to collect bulk records of international money transfers by companies such as Western Union, and a Drug Enforcement Agency program to gain access to an AT&T database of call records. To keep the graphic manageable, we decided to focus it on the NSA.
What about other country's spying programs?
Several GCHQ programs are included in the matrix, because they were either joint programs with the NSA or appeared to directly benefit the NSA. However, we did not include revelations about other allied nations' programs – such as Canadian spying on airport Wi-Fi — that did not appear to directly impact the United States.
Is this everything the NSA does?
Nope. This matrix only represents a selection of the programs that have been revealed in the past year. It is not clear that the programs that have been revealed are a representative sample of the NSA's entire scope of activities.
How would pending NSA reform efforts change the surveillance landscape?
In January, President Obama has ordered the NSA to limit its collection of bulk data to certain circumstances and to treat personal data of foreigners with as much care as it treats the data of U.S. persons "to the maximum extent feasible." Those rules may diminish the number of programs in the bulk category and could require the NSA to delete foreigners' data after five years.
In addition, Congress is considering legislation — the USA Freedom Act — that would end the controversial phone metadata program. The bill would require the FBI to seek a court order when it wants to obtain phone metadata records from telecommunications companies. The demise of the phone metadata program would curtail the bulkiest domestic program on this chart.
Related Articles: Hear Julia Angwin talking about the challenges of tracking the ever-changing surveillance landscape. Among them: limited information and semantic games.