Research and writing can be solitary work, but I had a lot of help. I relied most often and most heavily on Sam Adler-Bell, who produced countless research memos, brainstormed about mysteries, chased down leads, challenged my assumptions, fact-checked every chapter, and produced a first draft on Snowden’s early life for chapter 2. Sam influenced my thinking particularly on the intersections of justice and privacy, taking the lead on our long report* about the disparate impact of surveillance on people of color. He is a resourceful reporter, gifted writer, and passionate critic, well launched now into his own career, and I can’t wait to see what he produces next.
A platoon of talented young women and men provided additional research assistance at various stages: Victoria Beale, Erica Portnoy, Rachel Adler, Jordan Larson, Harrison Cramer, James McAuley, Colson Lin, and Dina Lamdany.
Since the spring of 2013, before the NSA disclosures began, my professional and intellectual home has been the Century Foundation, a bipartisan public policy research institute in New York that punches above its weight in the world of ideas. I owe debts to the late Janice Nittoli, who hired me; her successor as president, Mark Zuckerman, who gave me the luxury of time as the book progressed; and the board of trustees for its interest in and substantial support for my work. Under Century’s umbrella, Mark sponsored a series of policy papers on surveillance and privacy, and he arranged for the foundation to cohost Snowden’s first public debate. I am grateful, not least, for the laughter and comradeship of my colleagues. My work at Century received generous support from the Addy Foundation, the Open Society Foundations, and the Ford Foundation.
Princeton University was a second professional home before and during the research for Dark Mirror. I twice taught a seminar on national security secrecy at the Woodrow Wilson School of Public and International Affairs, where I learned a great deal from my students and the questions they posed. Later I had the good fortune to become a visiting research collaborator at the Center for Information Technology Policy, a prodigiously creative and stimulating environment. I owe particular debts there to Ed Felten, Jonathan Mayer, Tithi Chattopadhyay, and Laura Cummings-Abdo. Grants to the center from the John D. and Catherine T. MacArthur Foundation and the Microsoft Foundation helped support my work.
When I needed a place to hide and write, Columbia Law School graciously provided an office and anointed me a distinguished visiting journalist. I enjoyed the opportunity, while there, to guest-teach a class for an interdepartmental course on cyber security offered by the high-powered team of Matthew Waxman, Steve Bellovin, and Jason Healey.
My work on the NSA disclosures began at the Washington Post, where I had grown up as a reporter and spent the larger part of my journalistic career before departing in 2010. I returned in 2013 as a freelance writer with the Snowden documents in hand and found an extraordinary newsroom leader in Marty Baron. Marty committed himself to the story in every way I could have asked, with guts and resources and never a foot wrong. Anne Kornblut managed the team and held my wits together; she was the one I called late at night when I was well and truly stuck. Among the many colleagues who played important roles in our NSA coverage, I want to recognize editors Kevin Merida, Jeff Leen, Cameron Barr, Jason Ukman, and Peter Finn; reporters Greg Miller, Ellen Nakashima, Carol Leonnig, Craig Timberg, Steven Rich, Marc Fisher, and Craig Whitlock; and researchers Alice Crites, Jennifer Jenkins, and above all Julie Tate. Julie, who has collaborated on more of my work than anyone alive, also fact-checked this manuscript, saved me from foolish errors, and improved the citations. The Post supported our work with clear-eyed legal advice from Jay Kennedy and James McLaughlin, reinforced by Kevin Baine and Barry Simon of Williams & Connolly. As I struggled with some of my early decisions, I thought more clearly after consulting two distinguished Post alumni: Bob Kaiser and Steve Coll. Len Downie, the Post’s former executive editor, helped me work through a hard question that came up later.
My agent, Andrew Wylie, guided me with a sure hand through unusual terrain in the course of Dark Mirror’s journey. I am obliged for above-and-beyond support from the Wylie Agency’s James Pullen, Jessica Calagione, Jacqueline Ko, and Katie Cacouris.
It is my honor and privilege to work with Penguin Press, which is everything an author could want. Ann Godoff, the founder and president, earned Penguin Press’s place long ago as the house of choice for serious nonfiction. I am especially fortunate to have the brilliant Scott Moyers, Penguin Press’s publisher, as my editor. He saw the shape of this story before it took form on the page, steered me through delicate choices, encouraged me when I faltered, and sharpened the manuscript with every stroke of his pen. Scott put himself on the line for this book, and I will not forget that. As I write this, the Penguin team is ramping up production, copyediting, legal review, and preparation for publicity and marketing. I want to give special thanks to Bruce Giffords, Roland Ottewell, Yuki Hirose, Colleen McGarvey, Danielle Plafsky, and Mia Council for the energy and focus they bring to the enterprise.
Litigation continues at this writing in Gellman v. DHS, the freedom of information case that has produced both questions and answers for this book. I tip my hat to the dedicated and ferocious lawyers of the Reporters Committee for Freedom of the Press, who have represented me throughout: Katie Townsend, Adam Marshall, Linda Moon, Gunita Singh, Selina MacLaren, and Hannah Bloch-Wehba.
Secrecy is a complex subject at the heart of this book, and I want to acknowledge some of the people who influenced my thinking on the subject, in conversation and in their published work. Special thanks go to Mary Graham, David Pozen, Jack L. Goldsmith, Fritz Schwarz, and Steven Aftergood. Aftergood’s Secrecy News blog at the Federation of American Scientists is an essential resource on the workings of FOIA and the classification apparatus.
It is hard to single out friendships, but these especially helped me keep my balance when the book threatened to swallow everything else: Robin Miller, Craig Snyder, Debora Cahn, Michael Heller, Freyda Spira, and Ben Slavin.
Finally, closest to the core, I am grateful for family: my late mother, Marcia Jacobs; my father, Stuart Gellman; my late stepfather, Abe Jacobs; my sisters, Sheri Throlson and Cheryl Jacobs; and my brother, Alan Gellman. Alan, a marketing executive turned executive coach, lent me his coaching superpowers this year when I needed them. My children—Abigail Gellman, Micah Gellman, Lily Gellman, and Benjamin Gellman—enrich my life and fill me with pride. Dafna Linzer, my partner in all things, gave me the gifts of her honesty, counsel, and love, and sustained our family life when book writing kept me away. I look ahead with hope for decades to come.
NOTES
PREFACE
“How did you do it?”: Snowden and I did not use standard commercial chat services from Skype, Yahoo, or Google, which are easy for authorities to monitor. We used channels that were both encrypted (our words unreadable by others) and anonymized (our locations and identities concealed). For the technically minded: we used Pidgin on the Tails operating system, connected to Jabber accounts over Tor hidden services, with Off the Record encryption.
panels of blue-black glass: The architect Jack Self described the elegant cuboid structure of OPS2A/B, the NSA’s operations center, in an article titled “The Authorised Information Available on This Building Could Be Published in a Single Tweet,” Dezeen, March 26, 2015, at https://perma.cc/S8P7-MWJ8. Wikimedia hosts a public-domain photograph of the headquarters building at https://perma.cc/9J6A-WGDN.
“golden age of SIGINT”: The term appears in a high-level policy planning paper titled “SIGINT Strategy,” February 23, 2012, and shared with allied services from the United Kingdom, Canada, New Zealand, and Australia. The paper has been reproduced online at https://perma.cc/CL7E-6VY9. It was first described publicly in James Risen and Laura Poitras, “N.S.A. Report Outlined Goals for More Power,” New York Times, November 22, 2013, https://nyti.ms/31ToL5T.
“I’m not sure I’ll ever”: Edward Snowden and Barton Gellman, live encrypted
chat, October 2013.
his memoir last year: Edward Snowden, Permanent Record (New York: Henry Holt, 2019).
a book about power: See, for example, Jeffrey Vagle, “Surveillance Is Still About Power,” Just Security, February 9, 2016, www.justsecurity.org/29240/surveillance-power/.
CHAPTER ONE: PANDORA
brought her an enigmatic tip: Poitras, conversation with author, February 2, 2013. According to Micah Lee, who helped arrange the first contact with Poitras, the would-be confidential source wrote to him on January 11, 2013, saying, “I need to get information securely to Laura Poitras and her alone, but I can’t find an email/gpg key for her. Can you help?” Lee sent the source her key and verified that it was authentic (by tweeting its forty-character “fingerprint”) on January 28, 2013. Poitras emailed me three days later, on January 31, and we met on February 2. Micah Lee, “Ed Snowden Taught Me to Smuggle Secrets Past Incredible Danger. Now I Teach You,” Intercept, October 28, 2014, http://interc.pt/1DXiB2S.
NSA’s “Q Group”: The NSA is opaque in public about its organizational structure. Internal charts made available by Snowden, on file with author, use “Q” to designate internal security (not to be confused with the fictional Q Branch of the British Secret Intelligence Service, which makes spy gadgets for James Bond). Formally, it went by Associate Directorate for Security and Counterintelligence. As a relatively small office, in comparison to S (Signals Intelligence), T (Technology), and others, it was known as a “group.” Confidential source, interview with author, February 22, 2016.
There have been very few public references to Q Group. The best one I found is Eli Lake, “Inside the ‘Q Group,’ the Directorate Hunting Down Edward Snowden,” Daily Beast, June 10, 2013, http://thebea.st/1oYatwL.
Top Secret, compartmented: The markings on the document were “TOP SECRET//SI//ORCON//NOFORN.” Among other meanings, which I will take up later, those designations signify that the material includes “sensitive compartmented information” about signals intelligence sources and methods. Compartments are used to segregate classified information so that even people with sufficient clearances are not permitted to see the contents without an approved “need to know.” Although the PRISM slides were not marked “ECI,” a still more restricted category that stands for “exceptionally controlled information,” the accompanying speaker’s notes said that portions of the briefing should be treated as such. For more on classification markings, see “Intelligence Community Classification and Control Markings Implementation Manual,” Office of the Director of National Intelligence, May 31, 2011, www.fas.org/sgp/othergov/intel/capco_imp.pdf.
Under the cover name PRISM: PowerPoint presentation, “PRISM/US-984XN Overview,” April 2013 (hereafter cited as “PRISM Overview”), on file with author, published in part at www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/. Other news sites have published portions of additional slides. They are aggregated at https://nsa.gov1.info/dni/prism.html. See also Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” Washington Post, June 7, 2013, http://wapo.st/1LcAw6p.
Several U.S. government officials mocked our use of the term “program” in that headline and story, saying we demonstrated ignorance of the subject. Robert S. Litt, the general counsel of the Office of the Director of National Intelligence, habitually referred to “the so-called PRISM program” in public remarks. See his remarks, “Privacy, Technology, and National Security,” July 18, 2013, at https://perma.cc/U3ZL-UCSX, and “Facts on the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act,” June 8, 2013, at https://perma.cc/Z567-NZ6M. The latter said PRISM was simply a name for “an internal government computer system.” That claim was misleading. In NSA argot, PRISM is a “sigad,” or “signals intelligence activity designator.” A sigad represents a point of access to data that the NSA wants to collect and a method of tapping into it. I do not know a better term than “program” to describe it for a lay audience.
Yahoo, Google, Microsoft, and Facebook accounts: The full list encompassed nine companies, also including AOL, Skype (owned by Microsoft), Apple, YouTube (owned by Google), and Paltalk. According to the briefing, similar access to Dropbox was imminent.
had six miles to travel: The distance is measured as the crow flies for illustration. Email does not actually follow a linear path across the internet. Standard network protocols break the message into “packets,” each of which is routed independently before the message is reassembled at its destination. Data takes the cheapest or fastest path, which may not be the shortest. The next endnote explains what was different about the precautions that Poitras and I took.
anonymous relays around the world: Ordinarily, when a computer connects to a website or an email server, it broadcasts a numeric string called its internet protocol address. That address identifies the device and its location. In order to protect our anonymity, Poitras and I connected to the internet using Tor, a free proxy service that routes each connection through three randomly chosen relays, many of them overseas. See the Tor Project, https://torproject.org. For an interactive graphic of the system, see “Data Flow in the Tor Network,” https://torflow.uncharted.software/.
spoof their hardware and network addresses: Every device that connects to the internet has a network interface card with a unique address of twelve letters and numbers. This MAC address, short for “media access control,” identifies the hardware. Another string, a set of numbers arranged in four groups and known as the internet protocol, or IP, address, assigns the machine a local network identity. The latter usually corresponds closely to geographic location. See “What Is a MAC Address?,” http://whatismyipaddress.com/mac-address. Using software tools, one can randomize both of those addresses and thereby avoid many forms of tracking. Such tools, for example, are built into an operating system called Tails, which is based on Debian Linux and optimized for privacy. See “The Amnesic Incognito Live System,” https://tails.boum.org.
the ciphertext looked like this: Poitras to author, email, May 21, 2013. The ciphertext I quote here is for illustration. It is an encrypted version of the words Poitras wrote, verbatim, but it is not the same encrypted version she sent. For purposes of this book, I decrypted her message and reencrypted it with a different key. In effect, I changed the lock, which changed the ciphertext. If I reproduced her message exactly as sent, an intelligence agency could match it against internet traffic that it might have captured on the day she sent it. Such a match would identify our anonymous accounts and could compromise other confidential aspects of our work.
This risk is not remote. U.S. intelligence rules on “minimization,” the official term for limits placed on surveillance of U.S. citizens and residents, ordinarily require the NSA to discard the communications of U.S. citizens and residents if they are not relevant to a foreign intelligence purpose, and in any case after five years. The limits do not apply to encrypted messages. Still-classified regulations allow “retention of all communications that are enciphered or reasonably believed to contain secret meaning” for “any period of time” until the NSA is capable of decrypting them or no longer cares.
In the summer of 2013, after the Snowden revelations began, the Office of the Director of National Intelligence published a censored version of its 2011 minimization guidelines. The redacted document, which blacked out the provisions about encrypted text, was “Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, as Amended” (redacted), submitted by the U.S. Department of Justice to the U.S. Foreign Intelligence Surveillance Court on October 31, 2011, at https://perma.cc/R5JG-B356. Two months before the ODNI release, I published the full, unredacted text of the same document as submitted to the FISC on July 29, 2009. It is reproduced on Scribd at http
://bit.ly/1oQ97DL and also at https://edwardsnowden.com/wp-content/uploads/2013/10/FAA-Minimization-Procedures.pdf. The accompanying story was Ellen Nakashima, Barton Gellman, and Greg Miller, “New Documents Reveal Parameters of NSA’s Secret Surveillance Programs,” Washington Post, June 20, 2013, http://wapo.st/1QMis6c. Shortly after that story, the ODNI issued a news release but made no reference to the provisions on encrypted text. See “ODNI Fact Sheet,” June 25, 2013, http://wapo.st/1NpW28K [inactive].
“I feel a little bad”: Poitras to author, email, December 22, 2010.
Politics on the radical side: Mary Greendale, “Filming the Ravages of War: After Winning Peabody Award, Holliston Native Set to Focus on Iraq,” MetroWest Daily News (Framingham, MA), June 13, 2004, at https://perma.cc/9AXE-3ESR.
Grew up near Boston: Liz Karagianis, “Fulfilling a Dream,” MIT Spectrum (Spring 2008), http://spectrum.mit.edu/articles/fulfilling-a-dream-2/.
My Country, My Country: Praxis Films, press kit, 2006, www.praxisfilms.org/images/uploads/mycountrymycountry.presskit.pdf. The film’s broadcast premiere was October 25, 2006, on the Public Broadcasting Service. See www.pbs.org/pov/mycountry/. For the 2007 Academy Award nomination, see https://to.pbs.org/1QJZkGk.
failed attempt to install democracy: “Interview: Laura Poitras, Director of ‘My Country, My Country,’” Indiewire, July 31, 2006, www.indiewire.com/article/indiewire_interview_laura_poitras_director_of_my_country_my_country.
Dark Mirror Page 37