Dark Mirror


by Barton Gellman


  Although the new FISA orders had the force of law, compelling the companies to provide assistance to the FBI on behalf of the NSA, the orders did not tell each company exactly what to hand over or how. The NSA emphasized partnership, Rick wrote, because “PRISM access is 100% dependent on ISP provisioning.” The agency could not take what it wanted without help. A well-informed insider told me, “NSA can’t simply walk up to Facebook and say, ‘Hey, we’re going to go in your server room and pull everything back to headquarters, okay?’ Only Facebook knows how to do that. We’re talking about services of monumental complexity that span continents, developed by thousands of world-class engineers. There have to be negotiations about who can be brought in from the company on it, what can be pulled based on the architecture of the service, how to actually implement it, and so on.”

  * * *


  PRISM was not a mass surveillance program. I say that plainly because there were many who came to misread or miscast it that way. There were regulations and technical limits to what it could do. PRISM did not and could not scoop up Hotmail or Yahoo accounts in bulk. The NSA chose target accounts by way of individual taskings, the term of art. Analysts identified those accounts by email address or a comparably specific factor such as the telephone number used for registration. Those are called strong or deterministic selectors, in counterpoint to weak ones used in other surveillance programs that might match a large number of accounts. (Those might be key words from a target dictionary or a range of numeric device addresses in a foreign network of interest.) When analysts called up the Unified Targeting Tool on their screens, the PRISM interface asked, by way of a drop-down menu, for the foreign intelligence purpose (“Select a Value”) of their inquiries. Another drop-down menu asked for a “foreignness factor” that gave reason to believe the target was neither an American nor located in the United States. PRISM users were forbidden to spy deliberately on U.S. persons, the legal term encompassing citizens, permanent residents, organizations, and companies. If Americans turned up “incidentally” in their nets, NSA operators were obliged to “minimize,” or restrict access to, those names. Supervisors and auditors kept tabs on compliance. Once a year, in a classified session, the Foreign Intelligence Surveillance Court reviewed the procedures for target selection and for masking the names of Americans who turned up in the catch. Nothing in the Snowden archive, and nothing I learned independently, offered reason to doubt that the NSA workforce did its best to follow the rules in good faith.

  And even so, the formal restraints obscured the breadth of government intrusion into the U.S. information economy. Wide gaps had emerged in the checks and balances that once governed domestic NSA operations. For decades, intelligence collection at home had operated under traditional Fourth Amendment standards. Interception of signals on U.S. wires required an individual warrant based upon probable cause and judicial review of the supporting facts. Under PRISM, the NSA sent selectors to Silicon Valley by the tens of thousands, more than a hundred thousand accounts “on cover” at a time, unreviewable in volume and in fact unreviewed by any independent authority. When the intelligence court approved the targeting procedures, it did not ask and was not told the account names under surveillance or the number of Americans swept in.

  Rick’s presentation celebrated the low threshold of evidence required to task a target for collection under PRISM, comparing it to legal standards in other realms. Conviction of a crime required proof beyond reasonable doubt. Civil judgments were based upon a preponderance of evidence, “greater than 50% percent probability,” he wrote. The old FISA standard for a surveillance order was probable cause. For some kinds of warrants, the FISA Court required a still lower test known as reasonable articulable suspicion, the same standard that governs a traffic stop by police. PRISM surveillance required less than that. An analyst need only state a “reasonable belief” that a would-be target was abroad. But some of the grounds I saw cited for such a “reasonable belief,” including an ostensibly foreign IP address, were well known to return false results in significant number.

  The acquisition of Americans’ content under PRISM was “incidental” to surveillance aimed at foreigners, but that did not mean it was unforeseen. The NSA knew how its systems worked. Bystanders filled its data repositories in far greater numbers than designated targets, and many of the bystanders were American. The NSA kept all that data, and “minimizing” only restricted access to the U.S. identities. Many officials had authority to unmask them, in order to understand the intelligence in context or for other reasons.

  The NSA’s oversight and compliance directorate generated many reports but seldom found abuse, in large part because the agency defined the term narrowly. Abuse was a knowing breach of regulations by a rogue employee for reasons such as personal gain, vengeance, or romance gone bad. (The latter offense had a nickname, LOVEINT, but it was rare.) Corrupt use of PRISM was not the issue. The hard questions arose from its fine print and everyday practice, when the system worked exactly as intended. The Bush and Obama administrations had defended the FISA amendments of 2008 and 2012 as modest technical adjustments for changing times, with constitutional protections and judicial review intact. Deep layers of secrecy, alongside careful deflection of questions about the government’s intent, had left a major shift of legal boundaries invisible outside the privileged world of classified knowledge. Brenner, who supported the change in law, acknowledged nonetheless that its import had been concealed from the public. “NSA was operating under statute—but ordinary, intelligent, educated Americans could not have looked at that statute and understood that it meant what the FISA Court interpreted it to mean,” he told an invited Fort Meade audience in 2015.

  Because of that secrecy, even the best-informed journalists and policy analysts had no information on the way PRISM worked. Plaintiffs could bring no constitutional challenge in federal court. Congress faced no public pressure, and big internet companies encountered little demand for stronger defense of privacy. Voters and consumers could not ask for change because they did not know the truth.

  * * *


  Two days after Marty Baron agreed to publish the PRISM story, a message from Snowden nearly drove us off the rails. I had sent him an upbeat status report. The Post was pressing ahead at full speed. Snowden wrote back, noting pointedly that his seventy-two-hour deadline for publication had expired. The document he had sent to Poitras and me spoke for itself, as far as he was concerned. What else could we possibly need?

  He and I had discussed this at length already. There were steps I could not skip. “You may have time constraints I do not understand,” I wrote. “I want to make sure that you understand mine. I have seldom heard of a story of this magnitude that went from soup to nuts in three days, or four or five. I’m not proposing a specific alternative. I sincerely hope you’ll reconsider the idea of a deadline set in days. If you can shed any light on how timing affects you, it’s possible I can help address it in another way.”

  Late on Saturday night, May 25, he replied with new urgency. “Alright, let’s talk about time pressure first,” he said. “Let me illustrate the driver in more detail so we’re clear. Until you publish, I am at the highest level of personal risk, because rightly or wrongly, adversaries may feel this can be stopped early.” He had left a cover story about medical treatment, but “at this point I’m certain we’re out of time. That means unless I’m better than I think I am, on Monday, NSA will become aware precisely where I am, and they’re not going to be thinking ‘what a brave and principled whistleblower,’ it’s going to be ‘how do we splat the spy?’”

  Those were not the words that knocked the wind out of me. The gut punch came when Snowden answered my half-forgotten question about the cryptographic signature, the little digital file he asked me to publish alongside the story and the PRISM slides. I had struggled to explain the thing to editors, focusing on the technical points. They had left me with something bigger to think about.

  Why does your source care about the signature?

  I had let that question slip in the crush of other work. Snowden had first mentioned the signature nine days earlier, on May 16. Its purpose, he said, was to certify that the PRISM document “has not been edited or changed.” That sounded promising. Did he mean, I wrote back, that someone at the NSA had signed the presentation with a U.S. government credential? That would be outstanding news, akin to a royal seal embossed in resin and wax. Little doubt about authenticity would remain. Snowden offered half a reply, then pirouetted away. “It creates a ‘chain of custody.’ This matters for the historical record,” he wrote. “I can’t yet explain the rest.”

  After meeting with the Post editors, I remembered that I could do an elementary check of the signature on my own. The result was disappointing. I was slow to grasp what it implied.

  gpg --verify PRISM.pptx.sig PRISM.pptx

  gpg: Signature made Mon May 20 14:31:57 2013 EDT

  using RSA key ID ████████

  gpg: Good signature from “Verax”

  Now I knew that Snowden, using his Verax alter ego, had signed the PowerPoint file himself. If I published the signature, all it would prove to a tech-savvy few was that a pseudonymous source had vouched for his own leak. What good would that do anyone?

  In the Saturday night email, Snowden spelled it out. He had chosen to risk his freedom, he wrote, but he was not resigned to life in prison or worse. He preferred to set an example for “an entire class of potential whistleblowers” who might follow his lead. Ordinary citizens would not take impossible risks. They had to have some hope for a happy ending.

  To effect this, I intend to apply for asylum (preferably somewhere with strong internet and press freedoms, e.g. Iceland, though the strength of the reaction will determine how choosy I can be). Given how tightly the U.S. surveils diplomatic outposts (I should know, I used to work in our U.N. spying shop), I cannot risk this until you have already gone to press, as it would immediately tip our hand. It would also be futile without proof of my claims—they’d have me committed—and I have no desire to provide raw source material to a foreign government. Post publication, the source document and cryptographic signature will allow me to immediately substantiate both the truth of my claim and the danger I am in without having to give anything up. . . .

  Give me the bottom line: when do you expect to go to print?

  Alarm gave way to vertigo. I forced myself to reread the passage slowly. Snowden planned to seek the protection of a foreign government. He would canvass diplomatic posts on an island under Chinese sovereign control. He might not have very good choices. The signature’s purpose, its only purpose, was to help him through the gates.

  How could I have missed this? Poitras and I did not need the signature to know who sent us the PRISM file. Snowden wanted to prove his role in the story to someone else. That thought had never occurred to me. Confidential sources, in my experience, did not implicate themselves—irrevocably, mathematically—in a classified leak. As soon as Snowden laid it out, the strategic logic was obvious. If we did as he asked, Snowden could demonstrate that our copy of the NSA document came from him. His plea for asylum would assert a “well-founded fear of being persecuted” for an act of political dissent. The U.S. government would maintain that Snowden’s actions were criminal, not political. Under international law each nation could make that judgment for itself. The fulcrum of Snowden’s entire plan was the signature file, a few hundred characters of cryptographic text, about the length of this paragraph. And I was the one he expected to place it online for his use.

  Idiot. Remember “chain of custody”? He came right out and told you he wanted a historical record.

  My mind raced. When Snowden walked into a consulate, evidence of his identity in hand, any intelligence officer would surmise that he might have other classified information in reach. Snowden said he did not want to hand over documents, but his language, as I read it that night, seemed equivocal. Even assuming he divulged nothing, I had not signed up for his plan. I had agreed to protect my source’s identity in order to report a story to the public. He wanted me to help him disclose it, in private, as a credential to present to foreign governments. That was something altogether different.

  Even in those next awful hours, I never believed that Snowden was a spy. His behavior was inexplicable through that lens. No aspiring foreign agent would launch his espionage career by handing a pile of secrets to journalists. Intelligence services overseas would much rather have a secret that no one else knows, or no one else knows they know. If they chose to make it public in a propaganda campaign, they would want to control the selection and timing. I had spent many hours in conversation with this man, probing his backstory and motives. His explanations rang true, and my instincts said he was sincere. The trouble was that instincts had not covered me in glory these last few weeks. Snowden kept springing surprises. I began to second-guess myself. How certain was I, really, that I knew his innermost plans?

  A wave of nausea swept over me. This guy’s safety and freedom could be in my hands. Nobody at the Post understood the signature mumbo-jumbo. Marty Baron would look to me for a decision. The last thing I wanted was to hurt my source, but I had not agreed to play the role Snowden cast for me. I tried to tell myself the question was moot: none of us thought we should publish the PRISM document in full, anyway, and any kind of editing would void the signature. But that was no longer the issue and I knew it. Snowden had told me clearly what he intended to do with the signature. If we published it now, the Post would be a knowing instrument of his flight from American law. I might wish him luck. I did. But it was not my role to help.

  I logged on to an anonymous chat account, hoping to find Poitras online. It was late, but she had done the same.

  BG: I just read his email

  you see it?

  LP: yes

  Intense

  BG: I can’t imagine how where he is leads to Iceland. At all.

  He has just told us he intends to apply for asylum and may not be able to be choosy

  “No desire” to provide raw source to a fo gov.

  LP: what do you read that—that he is considering that?

  BG: I read that as an option he has in mind.

  Looking back, it is clear to me that I misread Snowden badly. Events to come proved beyond plausible doubt that he did not transfer allegiance to a foreign government, did not contemplate buying his safety with classified files. The words that shook me—“preferably,” “choosy,” “no desire”—were ambiguous in context. I assumed the worst. We both did.

  LP: oh god

  fuck

  BG: He’s in a position to provide that material. He may be under compulsion. We REALLY can’t do anything that could abet or be perceived to abet that.

  LP: of course

  BG: I just wanna be a goddam journalist

  On Sunday we patched together a conference call with the lawyers. I sketched the main developments—file, signature, asylum—without saying “NSA” or “Hong Kong.” Childish opsec, but we were scattered and could not wait for a face-to-face. The lawyers were alarmed. When two of them started talking at once, I misheard something. “Don’t tell me I’ll be aiding and abetting if I don’t turn in my source,” I said. “I’m not going to do it.”

  Nobody had suggested that, actually. Everyone on the call agreed that we would carry on with our story plans and protect the source’s identity as before. No one but Poitras and I knew Snowden’s name anyway. But Kevin Baine, the lead outside counsel, asked me in a no-bullshit tone to level with him. Had I ever promised to publish the full PRISM presentation or its digital signature? I had not, and Poitras said the same. Our source framed both those points as “requests” before he sent the document. Poitras and I had ducked and changed the subject. Why engage him in a hypothetical dispute? Depending on what the document said, publication in full might have been an easy yes. “You have to tell him you never agreed to that,” Baine said. Poitras and I faced a whole new kind of legal exposure now. We could not leave unanswered a “direct attempt to enlist you in assisting him with his plans to approach foreign governments.”

  It was about as bad as I thought. Then it got worse. The day before Snowden’s asylum email, we had told Baron for the first time that our source was in Hong Kong. Poitras planned to film him there. Snowden invited me to join her. “I am not sure I will have much beyond the slides to offer, but I will be glad to offer any assistance or insight that I can,” he wrote. I badly wanted to meet the man. I told Baron I leaned toward taking the trip, but I was in a bind. Film was Poitras’s bailiwick. Filling out the PRISM reporting was mine. I had to reach out in deepest confidence to other people in a position to know the facts. How could I do those interviews over international telephone lines? I was not even using a phone for local calls. I met my sources in person, making advance arrangements when I could do so securely and otherwise turning up at their door unannounced. “I’m on the fence about my priorities,” I said. Baron smiled and turned to Poitras, saying, “We’ll leave it to you to tip him over.” It was the natural instinct of any journalist. Go where the story is. I decided I would have to make it work. Later that day, I wrote to Snowden, “I look forward to meeting face to face. Chances are our mutual friend and I will travel together Saturday.”

  Not long after the first conference call, Baine sent word that we needed to talk again. Right away. He had consulted his partner Barry Simon, who specialized in government investigations and criminal defense. Simon, Baine said, “had a strong reaction” to our travel plans. That was one way to put it. When he joined the call, Simon spoke with an urgency I had not heard from a lawyer in twenty-one years at the Post. There could be a raid on our source at any time by U.S. forces, Chinese authorities, or parties unknown who operated in Hong Kong’s intelligence no-man’s-land. If we were in the room, we might well be arrested alongside him in a system that did not afford us many rights. In the circumstances, we could not expect much help from U.S. consular services. Upon our return, U.S. prosecutors would find it easier to bring a criminal case—easier to distinguish our conduct from ordinary journalism—if we carried or took possession of classified documents overseas. When we made notes and recordings of our interviews, those were bound to include classified information, too. We should assume that both U.S. and Chinese authorities were capable of intercepting anything we stored or transmitted in digital form. If we somehow secured our files impregnably, someone might compel us to decrypt them. The final, unavoidable exposure was this: we had no practical defense against eavesdropping when we sat down with our source. No reasonable person, least of all an experienced national security reporter, could claim to be unaware that China routinely wiretapped hotel rooms and meeting venues in Hong Kong. I had interviewed diplomats about the subject myself. By conversing about classified matters—and how could we not?—Poitras and I would directly expose U.S. national security secrets to a foreign intelligence service. If we did not think we could be prosecuted on those facts, Simon said, we were wrong.

 
