I called this system Heartbeat, because it took the pulse of the NSA and of the wider IC. The volume of information that crashed through its veins was simply enormous, as it pulled documents from internal sites dedicated to every specialty from updates on the latest cryptographic research projects to minutes of the meetings of the National Security Council. I’d carefully configured it to ingest materials at a slow, constant pace, so as not to monopolize the undersea fiber-optic cable tying Hawaii to Fort Meade, but it still pulled so many more documents than any human ever could that it immediately became the NSAnet’s most comprehensive readboard.
Early on in its operation I got an email that almost stopped Heartbeat forever. A faraway administrator—apparently the only one in the entire IC who actually bothered to look at his access logs—wanted to know why a system in Hawaii was copying, one by one, every record in his database. He had immediately blocked me as a precaution, which effectively locked me out, and was demanding an explanation. I told him what I was doing and showed him how to use the internal website that would let him read Heartbeat for himself. His response reminded me of an unusual characteristic of the technologists’ side of the security state: once I gave him access, his wariness instantly turned into curiosity. He might have doubted a person, but he’d never doubt a machine. He could now see that Heartbeat was just doing what it’d been meant to do, and was doing it perfectly. He was fascinated. He unblocked me from his repository of records, and even offered to help me by circulating information about Heartbeat to his colleagues.
Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat. It showed me not just the aims but the abilities of the IC’s mass surveillance system. This is something I want to emphasize: in mid-2012, I was just trying to get a handle on how mass surveillance actually worked. Almost every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance—the efforts to spy on American citizens, for instance, or on the leaders of America’s allies. That is to say, they were more interested in the topics of the surveillance reports than in the system that produced them. I respect that interest, of course, having shared it myself, but my own primary curiosity was still technical in nature. It’s all well and good to read a document or to click through the slides of a PowerPoint presentation to find out what a program is intended to do, but the better you can understand a program’s mechanics, the better you can understand its potential for abuse.
This meant that I wasn’t much interested in the briefing materials—like, for example, what has become perhaps the best-known file I disclosed, a slide deck from a 2011 PowerPoint presentation that delineated the NSA’s new surveillance posture as a matter of six protocols: “Sniff It All, Know It All, Collect It All, Process It All, Exploit It All, Partner It All.” This was just PR speak, marketing jargon. It was intended to impress America’s allies: Australia, Canada, New Zealand, and the UK, the primary countries with which the United States shares intelligence. (Together with the United States, these countries are known as the Five Eyes.) “Sniff It All” meant finding a data source; “Know It All” meant finding out what that data was; “Collect It All” meant capturing that data; “Process It All” meant analyzing that data for usable intelligence; “Exploit It All” meant using that intelligence to further the agency’s aims; and “Partner It All” meant sharing the new data source with allies. While this six-pronged taxonomy was easy to remember, easy to sell, and an accurate measure of the scale of the agency’s ambition and the degree of its collusion with foreign governments, it gave me no insight into how exactly that ambition was realized in technological terms.
Much more revealing was an order I found from the FISA Court, a legal demand for a private company to turn over its customers’ private information to the federal government. Orders such as these were notionally issued on the authority of public legislation; however, their contents, even their existence, were classified Top Secret. According to Section 215 of the Patriot Act, aka the “business records” provision, the government was authorized to obtain orders from the FISA Court that compelled third parties to produce “any tangible thing” that was “relevant” to foreign intelligence or terrorism investigations. But as the court order I found made clear, the NSA had secretly interpreted this authorization as a license to collect all of the “business records,” or metadata, of telephone communications coming through American telecoms, such as Verizon and AT&T, on “an ongoing daily basis.” This included, of course, records of telephone communications between American citizens, the practice of which was unconstitutional.
Additionally, Section 702 of the FISA Amendments Act allows the IC to target any foreigner outside the United States deemed likely to communicate “foreign intelligence information”—a broad category of potential targets that includes journalists, corporate employees, academics, aid workers, and countless others innocent of any wrongdoing whatsoever. This legislation was being used by the NSA to justify its two most prominent Internet surveillance methods: the PRISM program and upstream collection.
PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds, transforming the companies into witting coconspirators. Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector Internet infrastructure—the switches and routers that shunt Internet traffic worldwide, via the satellites in orbit and the high-capacity fiber-optic cables that run under the ocean. This collection was managed by the NSA’s Special Sources Operations unit, which built secret wiretapping equipment and embedded it inside the corporate facilities of obliging Internet service providers around the world. Together, PRISM (collection from the servers of service providers) and upstream collection (direct collection from Internet infrastructure) ensured that the world’s information, both stored and in transit, was surveillable.
The next stage of my investigation was to figure out how this collection was actually accomplished—that is to say, to examine the documents that explained which tools supported this program and how they selected from among the vast mass of dragneted communications those that were thought worthy of closer inspection. The difficulty was that this information did not exist in any presentation, no matter the level of classification, but only in engineering diagrams and raw schematics. These were the most important materials for me to find. Unlike the Five Eyes’ pitch-deck cant, they would be concrete proof that the capacities I was reading about weren’t merely the fantasies of an overcaffeinated project manager. As a systems guy who was always being prodded to build faster and deliver more, I was all too aware that the agencies would sometimes announce technologies before they even existed—sometimes because a Cliff-type salesperson had made one too many promises, and sometimes just out of unalloyed ambition.
In this case, the technologies behind upstream collection did exist. As I came to realize, these tools are the most invasive elements of the NSA’s mass surveillance system, if only because they’re the closest to the user—that is, the closest to the person being surveilled. Imagine yourself sitting at a computer, about to visit a website. You open a Web browser, type in a URL, and hit Enter. The URL is, in effect, a request, and this request goes out in search of its destination server. Somewhere in the midst of its travels, however, before your request gets to that server, it will have to pass through TURBULENCE, one of the NSA’s most powerful weapons.
Specifically, your request passes through a few black servers stacked on top of one another, together about the size of a four-shelf bookcase. These are installed in special rooms at major private telecommunications buildings throughout allied countries, as well as in US embassies and on US military bases, and contain two critical tools. The first, TURMOIL, handles “passive collection,” making a copy of th
e data coming through. The second, TURBINE, is in charge of “active collection”—that is, actively tampering with the users.
You can think of TURMOIL as a guard positioned at an invisible firewall through which Internet traffic must pass. Seeing your request, it checks its metadata for selectors, or criteria, that mark it as deserving of more scrutiny. Those selectors can be whatever the NSA chooses, whatever the NSA finds suspicious: a particular email address, credit card, or phone number; the geographic origin or destination of your Internet activity; or just certain keywords such as “anonymous Internet proxy” or “protest.”
If TURMOIL flags your traffic as suspicious, it tips it over to TURBINE, which diverts your request to the NSA’s servers. There, algorithms decide which of the agency’s exploits—malware programs—to use against you. This choice is based on the type of website you’re trying to visit as much as on your computer’s software and Internet connection. These chosen exploits are sent back to TURBINE (by programs of the QUANTUM suite, if you’re wondering), which injects them into the traffic channel and delivers them to you along with whatever website you requested. The end result: you get all the content you want, along with all the surveillance you don’t, and it all happens in less than 686 milliseconds. Completely unbeknownst to you.
Once the exploits are on your computer, the NSA can access not just your metadata, but your data as well. Your entire digital life now belongs to them.
21
Whistleblowing
If any NSA employee who didn’t work with the SharePoint software I managed knew anything at all about SharePoint, they knew the calendars. These were pretty much the same as any normal nongovernment group calendars, just way more expensive, providing the basic when-and-where-do-I-have-to-be-at-a-meeting scheduling interface for NSA personnel in Hawaii. This was about as exciting for me to manage as you might imagine. That’s why I tried to spice it up by making sure the calendar always had reminders of all the holidays, and I mean all of them: not just the federal holidays, but Rosh Hashanah, Eid al-Fitr, Eid al-Adha, Diwali.
Then there was my favorite, the seventeenth of September. Constitution Day and Citizenship Day, which is the holiday’s formal name, commemorates the moment in 1787 when the delegates to the Constitutional Convention officially ratified, or signed, the document. Technically, Constitution Day is not a federal holiday, just a federal observance, meaning that Congress didn’t think our country’s founding document and the oldest national constitution still in use in the world were important enough to justify giving people a paid day off.
The Intelligence Community had always had an uncomfortable relationship with Constitution Day, which meant its involvement was typically limited to circulating a bland email drafted by its agencies’ press shops and signed by Director So-and-So, and setting up a sad little table in a forgotten corner of the cafeteria. On the table would be some free copies of the Constitution printed, bound, and donated to the government by the kind and generous rabble-rousers at places like the Cato Institute or the Heritage Foundation, since the IC was rarely interested in spending some of its own billions on promoting civil liberties through stapled paper.
I suppose the staff got the message, or didn’t: over the seven Constitution Days I spent in the IC, I don’t think I’d ever known anyone but myself to actually take a copy off the table. Because I love irony almost as much as I love freebies, I’d always take a few—one for myself, and the others to salt across my friends’ workstations. I kept my copy propped against the Rubik’s Cube on my desk, and for a time made a habit of reading it over lunch, trying not to drip grease on “We the People” from one of the cafeteria’s grim slices of elementary-school pizza.
I liked reading the Constitution partially because its ideas are great, partially because its prose is good, but really because it freaked out my coworkers. In an office where everything you printed had to be thrown into a shredder after you were done with it, someone would always be intrigued by the presence of hard-copy pages lying on a desk. They’d amble over to ask, “What have you got there?”
“The Constitution.”
Then they’d make a face and back away slowly.
On Constitution Day 2012, I picked up the document in earnest. I hadn’t really read the whole thing in quite a few years, though I was glad to note that I still knew the preamble by heart. Now, however, I read through it in its entirety, from the Articles to the Amendments. I was surprised to be reminded that fully 50 percent of the Bill of Rights, the document’s first ten amendments, were intended to make the job of law enforcement harder. The Fourth, Fifth, Sixth, Seventh, and Eighth Amendments were all deliberately, carefully designed to create inefficiencies and hamper the government’s ability to exercise its power and conduct surveillance.
This is especially true of the Fourth, which protects people and their property from government scrutiny: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Translation: If officers of the law want to go rooting through your life, they first have to go before a judge and show probable cause under oath. This means they have to explain to a judge why they have reason to believe that you might have committed a specific crime or that specific evidence of a specific crime might be found on or in a specific part of your property. Then they have to swear that this reason has been given honestly and in good faith. Only if the judge approves a warrant will they be allowed to go searching—and even then, only for a limited time.
The Constitution was written in the eighteenth century, back when the only computers were abacuses, gear calculators, and looms, and it could take weeks or months for a communication to cross the ocean by ship. It stands to reason that computer files, whatever their contents, are our version of the Constitution’s “papers.” We certainly use them like “papers,” particularly our word-processing documents and spreadsheets, our messages and histories of inquiry. Data, meanwhile, is our version of “effects,” a catchall term for all the stuff that we own, produce, sell, and buy online. That includes, by default, metadata, which is the record of all the stuff that we own, produce, sell, and buy online—a perfect ledger of our private lives.
In the centuries since the original Constitution Day, our clouds, computers, and phones have become our homes, just as personal and intimate as our actual houses nowadays. If you don’t agree, then answer me this: Would you rather let your coworkers hang out at your home alone for an hour, or let them spend even just ten minutes alone with your unlocked phone?
The NSA’s surveillance programs, its domestic surveillance programs in particular, flouted the Fourth Amendment completely. The agency was essentially making a claim that the amendment’s protections didn’t apply to modern-day lives. The agency’s internal policies neither regarded your data as your legally protected personal property, nor regarded their collection of that data as a “search” or “seizure.” Instead, the NSA maintained that because you had already “shared” your phone records with a “third party”—your telephone service provider—you had forfeited any constitutional privacy interest you may once have had. And it insisted that “search” and “seizure” occurred only when its analysts, not its algorithms, actively queried what had already been automatically collected.
Had constitutional oversight mechanisms been functioning properly, this extremist interpretation of the Fourth Amendment—effectively holding that the very act of using modern technologies is tantamount to a surrender of your privacy rights—would have been rejected by Congress and the courts. America’s Founders were skilled engineers of political power, particularly attuned to the perils posed by legal subterfuge and the temptations of the presidency toward exercising monarchical authority. To forestall such eventualities, they designed a system, laid
out in the Constitution’s first three articles, that established the US government in three coequal branches, each supposed to provide checks and balances to the others. But when it came to protecting the privacy of American citizens in the digital age, each of these branches failed in its own way, causing the entire system to halt and catch fire.
The legislative branch, the two houses of Congress, willingly abandoned its supervisory role: even as the number of IC government employees and private contractors was exploding, the number of congresspeople who were kept informed about the IC’s capabilities and activities kept dwindling, until only a few special committee members were apprised in closed-door hearings. Even then they were only informed of some, but not all, of the IC’s activities. When rare public hearings on the IC were held, the NSA’s position was made strikingly clear: The agency would not cooperate, it would not be honest, and, what was worse, through classification and claims of secrecy it would force America’s federal legislatures to collaborate in its deception. In early 2013, for instance, James Clapper, then the director of National Intelligence, testified under oath to the US Senate Select Committee on Intelligence that the NSA did not engage in bulk collection of the communications of American citizens. To the question, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper replied, “No, sir,” and then added, “There are cases where they could inadvertently perhaps collect, but not wittingly.” That was a witting, bald-faced lie, of course, not just to Congress but to the American people. More than a few of the congresspeople to whom Clapper was testifying knew very well that what he was saying was untrue, yet they refused, or felt legally powerless, to call him out on it.
Permanent Record Page 22