I do not view the exchange so harshly. Clapper was an old-school spy without taste or talent for wordplay. On the “high side,” where classified information flowed, he had a reputation for integrity and speaking his mind. He never looked comfortable in public, where he had to filter each sentence on the fly. Clapper tripped on a dilemma that many a more agile witness could have sidestepped gracefully. Law and regulation forbade him to give a classified answer in an unclassified setting. Deflecting the question was Mike Hayden’s skill set, not Clapper’s. Wyden was determined to part the curtains on the call records program. He set up the exchange as a public performance. He already knew the answer. Clapper knew that Wyden knew. He had briefed the senators himself in classified session. But Wyden wanted a yes-or-no answer with cameras rolling, and Clapper made a clumsy job of it. When the facts emerged later, his explanation was worse. He gave the “least untruthful” answer he could, he told NBC’s Andrea Mitchell. Truth being less untruthful, that reply did not do him any good. Clapper’s culpable offense, in my view, was refusing to correct the record after the hearing.
What amazed me onstage at Aspen was that Blair still avowed the truth of the false story line. Our exchange turned almost metaphysical. The NSA collected U.S. telephone records in bulk, I said. Clapper said it collected nothing. Alexander said it held nothing. How could Blair defend those words in good faith?
“I think you’re misusing the word ‘collect,’” Blair said. “I think the word, the proper word here, is ‘store,’ in order to be able to have access to them when permission is granted.”
Permission from whom, he did not say. FISA judges authorized the acquisition of phone records in bulk, but the judges did not decide or even know when the NSA pulled the records and chained through them.
“Well, see, that’s the kind of secret term of art that I think is undercutting your case,” I told him. If FBI agents could gather all our telephone records “and put them in a tank somewhere and say that that’s not collection, you’re not speaking English as most people understand it.”
I offered another example. In 2009, when Blair oversaw the intelligence community, the Justice Department and FBI assured Congress in sworn testimony that they made very sparing use of their power under Section 215 of the Patriot Act to obtain secret intelligence warrants for “business records.” There had been only twenty-one such orders from the FISA Court that year, the FBI reported. “Now,” I told Blair, “it turns out that with three of those orders you can get something on the order of one trillion telephone records.” (Here I was wrong. The orders were issued quarterly to each of three phone companies, so I should have said twelve of the twenty-one orders, not three.)
Suppose your teenage daughter admits she threw a house party when you were out of town. She assures you that it was no big deal: she invited only twenty-one friends. Later you find out that a trillion teenagers showed up. Did she lie to you? She could mount some kind of pedantic defense, but what parent would let her get away with that? She deceived you, deliberately so. The FBI had done the same.
“You’re prepared to justify this program,” I told Blair, “but what I’m talking about is the honesty, the straightforwardness of the public debate.”
By this time I had decisively lost the room. “I’m not supposed to be the debater up here,” I admitted. Negroponte laughed. Blair sighed theatrically. The national security establishment broke into ironic applause. Blair soon seized on his advantage, as the Navy had trained him to do.
“If you came in as director of communications for ODNI, you would get a clearance, but you’d still be the same Bart Gellman who is nasty and suspicious and concerned about things,” he said.
* * *
—
Not suspicious enough, as it turned out. At that moment, I had yet to discover how much the government was still concealing about the call records program. Even now, there is much that remains unconfessed. I never found a way to tell this part of the story in newspaper form.
One reason the story never saw print is that it calls for a grant of patience from the reader. The evidence emerges in fragments. Some assembly is required. Small facts build toward consequential ones. We are heading toward something important, I think, and I want to show my work.
In that summer of 2013, I imagined the phone records as a simple, if gargantuan, list. I assumed that the NSA cleaned up the list—date goes here, call duration there—and converted it to the agency’s preferred “atomic sigint data format.” Otherwise I thought of the records as inert. I had no reason to doubt Blair’s explanation that they were “stored,” untouched, until the next Tsarnaev came along.
Even by that account, the scale of collection brought to mind an evocative phrase from legal scholar Paul Ohm. Any information in sufficient volume, he wrote, amounted to a “database of ruin.” It held personal secrets that “if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm.” Nearly anyone in the developed world, he wrote, “can be linked to at least one fact in a computer database that an adversary could use for blackmail, discrimination, harassment, or financial or identity theft.” Revelations of “past conduct, health or family shame,” for example, could cost a person his marriage, his career, his legal residence, or his physical safety.
Mere creation of such a database, especially in secret, profoundly changed the balance of power between government and governed. This was the Dark Mirror embodied, one side of the glass transparent and the other blacked out. If the power implications do not seem convincing, try inverting the relationship in your mind. What if a small group of citizens had secret access to the telephone logs and social networks of government officials? How might the privileged knowledge affect their power to shape events? How might their interactions change if they possessed the means to humiliate and destroy the careers of the men and women in power? Capability matters, always, regardless of whether it is used. An unfired gun is no less lethal before it is drawn. And, in fact, in history, capabilities do not go unused in the long term. Chekhov’s famous admonition to playwrights is apt not only in drama but in the lived experience of humankind. The gun on display in the first act—nuclear warheads, weaponized disease, Orwellian cameras tracking faces on every street—must be fired in the last. The latent power of new inventions, no matter how repellent at first, does not lie forever dormant in government armories.
These could be cast as abstract concerns, “just math” of another kind, but I thought them quite real. By September, it dawned on me that there were also concrete questions that I had not sufficiently explored. Where in the innards of the NSA did the phone records live? What happened to them there? The Snowden archive did not answer those questions directly, but there were clues.
I stumbled across the first clue while looking for something else. I had become interested in the NSA’s internal conversation about “bulk collection,” the acquisition of high-volume data sets in their entirety. Phone records were one of several kinds. The agency had grown more and more adept, brilliantly creative in fact, at finding and swallowing other people’s information whole. Lately the NSA had begun to see that it consumed too much to digest. Midlevel managers and engineers sounded notes of alarm in briefings prepared for their chains of command. The cover page of one presentation asked, “Is It the End of the SIGINT World as We Have Come to Know It?” The authors tried for a jaunty tone but had no sure answer. The surveillance infrastructure was laboring under serious strain.
One name caught my eye on a chart that listed systems at highest risk.
MAINWAY. I knew that one. NSA engineers had built MAINWAY in urgent haste after September 11, 2001. Vice President Cheney’s office had drafted orders, signed by President Bush, to do something the NSA had never done before. The assignment, forbidden by statute, was to track telephone calls made and received by Americans on American soil. The resulting operation, one of the STELLARWIND progr
ams I described in chapter 1, was the lawless precursor of the broader one I debated with Negroponte and Blair.
MAINWAY came to life alongside STELLARWIND in the first frantic weeks after al Qaeda flew passenger airplanes into the Pentagon and World Trade Center. STELLARWIND defined the operation. MAINWAY was a tool to carry it out. The NSA knew how to do this sort of thing with foreign telephone calls, but it did not have the machinery to do it at home. When NSA director Mike Hayden received the execution order on October 4, 2001, for “the vice president’s special program,” NSA engineers assembled a system from bare metal and borrowed code within a matter of days, a stupendous achievement under pressure. They commandeered fifty state-of-the-art computer servers from Dell, which was about to ship them to another customer, and lashed them into a quick and dirty but powerful cluster. Hayden cleared out space in a specially restricted wing of OPS 2B, an inner sanctum of the gleaming, mirrored headquarters complex at Fort Meade. When the cluster expanded, incorporating some two hundred machines, MAINWAY spilled into an annex in the Tordella supercomputer facility nearby. Trusted lieutenants began calling in a small group of analysts, programmers, and mathematicians on October 6 and 7. On Columbus Day, October 8, Hayden briefed them on their new jobs in a specially compartmented new operation. That day he called it STARBURST. The STELLARWIND cryptonym replaced it soon afterward. During the same holiday weekend, Hayden dispatched personnel from Special Source Operations to negotiate the secret purchase of telephone data in bulk from AT&T, Verizon, and Sprint. The price surpassed $102 million in the coming five years.
It was impossible to hide the hubbub from other NSA personnel, who saw new equipment arriving under armed escort at a furious pace, but even among top clearance holders hardly anyone knew what was going on. STELLARWIND was designated as ECI, “exceptionally controlled information,” the most closely held classification of all. From his West Wing office, Cheney ordered that STELLARWIND be concealed from the judges of the FISA Court and from members of the intelligence committees in Congress.
According to my sources and the documents I worked through in the fall of 2013, MAINWAY soon became the NSA’s most important tool for mapping social networks, an anchor of what the agency called Large Access Exploitation. “Large” is not an adjective in casual use at Fort Meade. MAINWAY was built for operations at stupendous scale. Other systems parsed the contents of intercepted communications: voice, video, email and chat text, attachments, pager messages, and so on. MAINWAY was queen of metadata, foreign and domestic, designed to find patterns that content did not reveal. Beyond that, MAINWAY was a prototype for still more ambitious plans. Next-generation systems, their planners wrote, could amplify the power of surveillance by moving “from the more traditional analysis of what is collected to the analysis of what to collect.” Patterns gleaned from call records would identify targets in email or location databases, and vice versa. Metadata was the key to the NSA’s plan to “identify, track, store, manipulate and update relationships” across all forms of intercepted content. An integrated map, presented graphically, would eventually allow the NSA to display nearly anyone’s movements and communications on a global scale. In their first mission statement, planners gave the project the unironic name “the Big Awesome Graph.” Inevitably it acquired a breezy acronym, “the BAG.”
The crucial discovery on this subject turned up at the bottom right corner of a large network diagram prepared in 2012. A little box in that corner, reproduced below, finally answered my question about where the NSA stashed the telephone records that Blair and Negroponte and I talked about. The records lived in MAINWAY. The implications were startling.
The diagram as a whole, too large to display in these pages, traced a “metadata flow sourced from billing records” at AT&T as they wended through a maze of intermediate stops along the way to Fort Meade. MAILORDER, the next-to-last stop, was an electronic traffic cop, a file sorting and forwarding system. The ultimate destination was MAINWAY. The “BRF Partitions” in the network diagram were named for Business Records FISA orders, among them the dozen signed in 2009 that poured the logs of hundreds of billions of phone calls into MAINWAY.
To a first-time reader of network maps, MAINWAY’s cylindrical icon might suggest a storage tank. It is not. The cylinder is a standard symbol for a database, an analytic service that runs on the hardware. MAINWAY was not a container for data at rest. The NSA has names for those. They are called data marts and data warehouses. If the agency merely stored the U.S. telephone records, it would have left them in a system called FASCIA II, the “call detail record warehouse” that feeds MAINWAY.
MAINWAY’s mission, laid out in its first fiscal year, was to “enable NSA . . . to dominate the global communications infrastructure, and the targets that currently operate anonymously within it.” It used contact chaining, the technique we discussed at Aspen, to pierce that anonymity.
For reasons that will become apparent soon, I want to reproduce the full entry for MAINWAY in the SSO Dictionary, a classified NSA reference document:
(TS//SI//REL) MAINWAY, or the MAINWAY Precomputed Contact Chaining Service, is an analytic tool for contact chaining. It’s helping analysts do target discovery by enabling them to quickly and easily navigate the increasing volumes of global communications metadata. MAINWAY attacks the volume problem of analyzing the global communications network.
There were two noteworthy terms in that short passage: “precomputed” and the “volume problem.” The first one—precomputed—turned my understanding of the call records program upside down. Before we get to that, a note on the volume problem.
The NSA has many volume problems, actually. Too much information moving too fast across global networks. Too much to ingest, too much to store, too much to retrieve through available pipes from distant collection points. Too much noise drowning too little signal. In the passage I just quoted, however, the volume problem referred to something else—something deeper inside the guts of the surveillance machine. It was the strain of an unbounded appetite on the NSA’s digestive tract. Collection systems were closing their jaws on more data than they could chew. Processing, not storage, was the problem.
Contact chaining on a scale as grand as a whole nation’s phone records was a prodigious computational task, even for MAINWAY. It called for mapping dots and clusters of calls as dense as a star field, each linked to others by webs of intricate lines. MAINWAY’s analytic engine traced hidden paths across the map, looking for relationships that human analysts could not detect. MAINWAY had to produce that map on demand, under pressure of time, whenever its operators asked for a new contact chain. No one could predict the name or telephone number of the next Tsarnaev. From a data scientist’s point of view, the logical remedy was clear. If anyone could become an intelligence target, MAINWAY should try to get a head start on everyone.
“You have to establish all those relationships, tag them, so that when you do launch the query you can quickly get them,” Rick Ledgett, the former NSA deputy director, told me years later. “Otherwise you’re taking like a month to scan through a gazillion-line phone bill.”
And that, right there, was where precomputation came in. MAINWAY chained through its database continuously—“operating on a 7x24 basis,” according to the classified project summary. You might compare its work, on the most basic level, to indexing a book—albeit a book with hundreds of millions of topics (phone numbers) and trillions of entries (phone calls). One flaw in this comparison is that it sounds like a job that will be finished eventually. MAINWAY’s job never ended. It was trying to index a book in progress, forever incomplete. The FBI brought the NSA more than a billion new records a day from the telephone companies. MAINWAY had to purge another billion a day to comply with the FISA Court’s five-year limit on retention. Every change cascaded through the social graph, redrawing the map and obliging MAINWAY to update ceaselessly.
MAINWAY’s purpose, in other words, was neither storage nor pr
eparation of a simple list. Constant, complex, and demanding operations fed another database called the Graph-in-Memory.
When the Boston bombs exploded, the Graph-in-Memory was ready. Absent unlucky data gaps, it already held a summary map of the contacts revealed by the Tsarnaev brothers’ calls. The underlying details—dates, times, durations, busy signals, missed calls, and “call waiting events”—were easily retrieved on demand. MAINWAY had already processed them. With the first hop precomputed, the Graph-in-Memory could make much quicker work of the second and the third.
In order to keep a Tsarnaev graph at the ready, MAINWAY also had to precompute a graph for everyone else. And if MAINWAY had your phone records, it also held a rough and ready diagram of your business and personal life.
As I parsed the documents and interviewed sources, the implications finally sank in. The NSA had built a live, ever-updating social graph of the United States.
Our phone records were not in cold storage. They did not sit untouched. They were arranged in a one-hop contact chain of each to all. All kinds of secrets—social, medical, political, professional—were precomputed, 24/7. Ledgett told me he saw no cause for concern because “the links are unassembled until you launch a query.” I saw a database that was preconfigured to map anyone’s life at the touch of a button.
Bill Binney, a mathematical cryptographer who quit the NSA in protest when he learned of STELLARWIND, was later falsely accused of passing information about it to the New York Times. By Binney’s account, which the government does not dispute, FBI agents raided his home in July 2007 and announced themselves at gunpoint as he stepped naked from the shower. The agents would not say exactly what classified program he was alleged to have leaked. Binney, who is as fearless a dissenter as any American I have met, asked them cheerfully, “Oh, you mean ‘Cosmic Fart’?” He was testing whether they had been cleared for compartmented information themselves. The agents stared back, stone-faced, until one cracked a tight smile at the STELLARWIND joke.
Dark Mirror Page 18