March 26, 2020

Edward Snowden and the STELLARWIND report

Last September, Edward Snowden published his memoir titled Permanent Record (see Part I and Part II of my extensive review). According to this book, he had one of his "atomic moments" when he read a highly classified report about the controversial NSA program codenamed STELLARWIND, sometime in 2009 or 2010.

But one month after the book release, during a podcast interview in October 2019, Snowden said that he found that particular report only sometime in 2012. This discrepancy makes it worth taking a close look at the STELLARWIND program: what it was about, how it was revealed, which conspiracy theories it evoked and how it's misrepresented in Snowden's book.



STELLARWIND is the cover name and the classification compartment for what was officially called the President's Surveillance Program (PSP), which was authorized by president George W. Bush on October 4, 2001 as a response to the 9/11 Attacks.

The NSA had noticed that al-Qaeda terrorists used American networks and providers for their e-mail communications, but because this was cable-bound, the Foreign Intelligence Surveillance Act (FISA) from 1978 required a warrant from the FISA Court to intercept them. Had these communications been wireless, like previously over a satellite link, the NSA would not have been required to get a warrant.

Requesting a FISA warrant took four to six weeks, so terrorists could have changed their phone numbers and e-mail addresses well before the NSA received court approval. To "fix" this, Bush unilaterally allowed the NSA to also track down the cable-bound communications of foreign terrorists without having to obtain a warrant. This therefore also became known as Warrantless Wiretapping.

In a very controversial legal opinion by Justice Department lawyer John Yoo, the PSP was justified by the president's wartime powers according to Article Two of the US Constitution. In practice, the program encompassed four components for collecting the following types of data ("internet" actually means e-mail communications):

- Telephony content
- Internet content
- Telephony metadata
- Internet metadata

It should be noted that although these data were intercepted at internet backbone cables and switching facilities inside the United States, the targets were some clearly defined groups of foreign enemies: Al-Qaeda terrorists and other targets related to Afghanistan as well as the Iraqi Intelligence services.

Overview of the President's Surveillance Program a.k.a. STELLARWIND

The first revelations about STELLARWIND

Parts of the President's Surveillance Program were first revealed by The New York Times on December 16, 2005, saying that the NSA "has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible "dirty numbers" linked to Al Qaeda."

In a radio address the next day, president Bush admitted that the NSA was collecting the content of one-end foreign telephone and internet communications. He called this publicly acknowledged part of STELLARWIND the Terrorist Surveillance Program (TSP), but stayed silent about the other components of the PSP, which involved the bulk collection of domestic metadata.

One of the sources for The New York Times story was former NSA employee Russell Tice, who had his security clearance revoked in May 2005 based on what the NSA called psychological concerns. In January 2006, Tice claimed that "the number of Americans subject to eavesdropping by the NSA could be in the millions if the full range of secret NSA programs is used."

Three years later, in December 2008, Newsweek revealed that Thomas Tamm, a former lawyer at the Justice Department, had also been one of the sources for The New York Times. Because Tamm wasn't "read into" the PSP, he wasn't able to explain its full scope and the exact details. It seems that Newsweek was also the first to disclose the code name of this program: "Stellar Wind".

Two less-known revelations

On May 10, 2006, USA Today revealed that the NSA "has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth", which the NSA used "to analyze calling patterns in an effort to detect terrorist activity". This was one of the STELLARWIND components that president Bush had kept secret, so a big scoop, which nonetheless got very little public attention.

Also largely unnoticed was the surprisingly frank interview that Director of National Intelligence John McConnell gave to the El Paso Times in August 2007. He provided numbers about the targeted content collection under the PSP: "On the U.S. persons side it's 100 or less. And then the foreign side, it's in the thousands. Now there's a sense that we're doing massive data mining. In fact, what we're doing is surgical."

Snowden's narrative

In his book Permanent Record, Snowden writes about the initial revelation by The New York Times, which angered him because the paper delayed it more than a year because of pressure from the White House. (p. 245)

Snowden's book doesn't mention the USA Today article, nor the McConnell interview, probably because they didn't fit his narrative: USA Today had revealed the bulk collection of domestic phone records seven years before The Guardian did based upon Snowden's documents, while McConnell made it clear that the PSP was limited and targeted instead of the alleged domestic mass surveillance.

New legal authorities

In the beginning of 2004, two newly appointed officials at the Justice Department, Jack Goldsmith and James Comey, had become worried that the bulk collection of internet metadata might be illegal. This led to a dramatic fight with the White House, after which the various components of STELLARWIND were transferred from the president's authority to that of the FISA Court (FISC). The final presidential authorization expired on February 1, 2007.

The first transfer was of the bulk collection of internet metadata, which was henceforth based on Section 402 FISA (the Pen Register/Trap & Trace (PR/TT) provision) and first authorized as such by the FISC on July 14, 2004.

The new legal basis for the bulk collection of domestic telephone records was found in Section 215 of the Patriot Act, which was approved by the FISC on May 24, 2006. Because these two components of the STELLARWIND program were not publicly acknowledged, this happened in secret.

The parts of the program that had already been disclosed by the press and admitted by president Bush, the targeted collection of content, got a temporary authorization under FISC orders as of January 2007 and were then legalized by the Protect America Act (PAA) from August 2007, which was replaced by Section 702 of the FISA Amendments Act (FAA) in July 2008.

The Inspectors General report

The FAA required the inspectors general (IG) of all five agencies that participated in the President's Surveillance Program (NSA, CIA, Defense Department, Justice Department and the Office of the Director of National Intelligence) to conduct a comprehensive review of the program.

The original and highly classified joint report of these five inspectors general is almost 750 pages long and was finished on July 10, 2009. It was eventually declassified (but with significant sections redacted) in September 2015. A short unclassified summary of this report had already been published in July 2009:

Front page of the unclassified report about the PSP

At that time, Edward Snowden worked as a systems administrator at the NSA's Pacific Technical Center (PTC) in Japan and in Permanent Record he says that he read the unclassified report about the President's Surveillance Program in the Summer of 2009, so shortly after it came out. (p. 173)

He concluded that the new FAA extended the NSA's powers: "In addition to collecting inbound communications coming from foreign countries, the NSA now also had policy approval for the warrantless collection of outbound telephone and internet communications originating within American borders." (p. 173)

It seems that Snowden, at least at the time, didn't really understand this subject, because the expansion provided by the FAA wasn't from inbound to outbound communications, but from a few specific foreign enemies (like al-Qaeda) to a wider variety of foreign intelligence targets. As such, Section 702 FAA became the legal basis for Upstream collection and the PRISM program.

Searching for the classified Stellarwind report

Snowden read the unclassified PSP report very closely because he noticed that the program also encompassed "Other Intelligence Activities" that remained classified. This gave him the impression that graver things had been going on than just targeted interception and so he went searching for the original, classified version of the report. To his surprise he couldn't find it and so after a while he dropped the issue. (p. 174)

In Permanent Record, Snowden says that "It was only later, long after I'd forgotten about the missing IG report, that the classified version came skimming across my desktop". He doesn't share how much later, but apparently it was before he left Japan in September 2010: "After reading this classified report, I spent the next weeks, even months, in a daze. [...] that's what was going on in my head, toward the end of my stint in Japan." (p. 175 & 180)

An unexpected discrepancy

But on October 23, 2019, one month after Permanent Record was published, Snowden was interviewed in the Joe Rogan Experience podcast. There, he revealed that he found the classified report only sometime in 2012. It turned up when he ran some "dirty word searches" to help out the Windows network systems administration team that sat next to him when he was the sole employee of the Office of Information Sharing at NSA Hawaii.

Another new detail that Snowden provided during the podcast interview is that the draft report was from someone from the office of the NSA's Inspector General who had come to Hawaii. This person then left the document on a lower-security system where its classification marking STLW popped up during the dirty word search as something that shouldn't be there.

A decisive moment?

The moment when Snowden found the classified Stellarwind report is of some importance because it could have incited him to download and eventually leak the NSA files to the press. On October 18, 2013, The New York Times wrote:
"Mr. Snowden said he finally decided to act when he discovered a copy of a classified 2009 inspector general's report on the N.S.A.'s warrantless wiretapping program during the Bush administration."

Many people, however, will remember another moment that Snowden claimed as a "breaking point", namely when Director of National Intelligence James Clapper was forced to lie during a Senate committee hearing on March 12, 2013, which Snowden recalled in an interview from January 23, 2014 with the German broadcaster ARD:
"I would say sort of the breaking point was seeing the Director of National Intelligence, James Clapper, directly lie on oath to Congress. There’s no saving an intelligence community that believes it can lie to the public and the legislators who need to be able to trust it and regulate its actions.

Seeing that really meant for me that there was no going back. Beyond that, it was the creeping realisation that no one else was going to do this. The public had a right to know about these programmes."

Clapper's testimony is also described in Snowden's book Permanent Record, but only as an example of how the legislative branch of government fails to exercise effective oversight of the Intelligence Community. It says nothing about whether the hearing had any special impact on himself. (p. 231)

All this seems contradictory, but the memoir suggests there actually was no single decisive moment: "The most important decisions in life are never made that way [at an instant]. They're made subconsciously and only express themselves consciously once fully formed". (p. 214)

So, if neither discovering the STELLARWIND report nor Clapper's testimony was the single decisive moment and it apparently was a more gradual process, then there may have been other moments or events that influenced Snowden - like the following ones:

Bill Binney and the Utah Data Center

On March 15, 2012, Wired published a piece about the Utah Data Center (UDC), written by James Bamford, a well-known author of three books about the NSA. This article includes a number of speculations and accusations which are almost identical to those expressed later on by Snowden, who presents this data center as the "corpus delicti" for his claim that the NSA wants to store all our data forever. (p. 246-247)

Bamford's article says that "the NSA has turned its surveillance apparatus on the US and its citizens" and now wants to "collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas" - hence the need for the huge new data center near Bluffdale, Utah.

The 1.5 million square feet Utah Data Center near Bluffdale, Utah in June 2013
(photo: AP/Rick Bowmer)

The Wired article was also the first time that Bill Binney spoke out publicly. Binney worked at the NSA for almost four decades, first as a crypto-mathematician and later as the technical director of the NSA's World Geopolitical and Military Analysis Reporting Group. He was also the chief and one of the two co-founders of the agency's Signals Intelligence Automation Research Center (SARC).

Binney left the NSA in late 2001, disillusioned by the fact that the agency chose the TRAILBLAZER collection and analysis system instead of the more efficient and cheaper THINTHREAD, which he had helped design. Binney criticized the NSA's operations after 9/11 as unconstitutional, claiming that we are close to a "turnkey totalitarian state" - which Snowden shortened to "turnkey tyranny".

In Wired, Binney claimed that STELLARWIND was far larger than has been publicly disclosed and included not just eavesdropping on domestic phone calls, but also the inspection of domestic e-mails. Binney suspected that STELLARWIND was now simply collecting everything, including financial records. Just like Snowden, Binney saw only one method to prevent this: strong encryption.

Democracy Now! and a Surveillance Teach-In

One month later, on April 20, 2012, Bill Binney appeared for the first time on American national television. Together with documentary filmmaker Laura Poitras and hacktivist Jacob Appelbaum he was interviewed in Amy Goodman's news program Democracy Now! (a full transcript is available).

Binney again claimed that after 9/11 "all the wraps came off for NSA, and they decided to eliminate the protections on U.S. citizens and collect on domestically". He saw this as a direct violation of the constitution and various other laws and decided he could not stay at NSA anymore.

Appelbaum repeated what he said at the HOPE conference in 2010: "I feel that people like Bill need to come forward to talk about what the U.S. government is doing, so that we can make informed choices as a democracy" - which is exactly what Snowden would do: leaking documents because "the public needs to decide whether these programs and policies are right or wrong."

Binney also said that a secret interpretation of Section 215 gave the government a "license to take all the commercially held data about us" and "having that knowledge then allows them the ability to concoct all kinds of charges, if they want to target you" - an allegation that comes back almost literally in Snowden's memoir. (p. 178)

A Surveillance Teach-In

Right after the Democracy Now! interview, Binney, Poitras and Appelbaum went to the Whitney Museum of American Art in New York City, where Poitras organized a Surveillance Teach-In, an event to present an "artistic and practical commentary on living in the contemporary Panopticon".

During the Teach-In, Bill Binney and Jacob Appelbaum discussed government surveillance and came up with claims like "each and everyone of us is targeted by the NSA". Appelbaum also presented a list with eight specific addresses of "possible domestic interception points" which he had received from an anonymous source.
(In June 2018, The Intercept identified eight locations in the United States where there's cable interception equipment for the NSA's FAIRVIEW program. Six of these locations appeared to be identical with those on Appelbaum's list. However, these facilities are not for spying on Americans, but for collecting communications of legitimate foreign targets)

Appelbaum then called upon anyone to infiltrate AT&T to find out whether these locations are really NSA listening posts: "taking direct, non-violent action is not a violation of the constitution". This, he said, was also important for privacy and civil liberties organizations: because of a lack of hard evidence and concrete harm it was almost impossible for them to fight NSA surveillance in court.

The actual incentive?

It's not clear whether there was a livestream of this meeting, so we don't know whether or when Snowden, who was in Hawaii at that time, was able to see it (the official video was put online on September 11, 2012). The Democracy Now! interviews must certainly have attracted his attention, while the Wired article about the Utah Data Center is explicitly mentioned in Permanent Record. (p. 246)

These three events took place just around the time that Snowden started his new job at the NSA in Hawaii by the end of March 2012. Therefore, it may have actually been those statements by Binney, Bamford and Appelbaum, rather than the classified STELLARWIND report that confirmed Snowden's vague suspicions of domestic mass surveillance.

And with his all-prevailing curiosity, their claims must have been an incentive to search for the evidence for those allegations. Providing that to the press would enable the public to "understand what’s actually happening in their names" and give civil liberties organizations standing in court: ACLU attorney Ben Wizner said that in his first conversation with Snowden, one of his first questions was "Do you have standing now?"

The classified STELLARWIND report

According to the podcast interview, it was at some moment during his job in Hawaii that Snowden found the highly classified draft report about the STELLARWIND program. It's not known whether this was before or after he started downloading NSA files, but given what has been discussed above, the report no longer seems that important as a starting point for that effort. The question is rather why it didn't stop him.

The first page of the highly classified STELLARWIND report

Snowden likely read this classified report as closely as the unclassified version back in 2009. Doing so, the first thing he must have noticed is that the STELLARWIND program was not meant for monitoring innocent Americans. The report clearly says that it was used to track down specific groups of foreigners:
- Members of al-Qaeda and its affiliates (since October 2001)
- Targets related to Afghanistan (until January 2002)
- The Iraqi Intelligence Service (from March 2003 to March 2004)

The classified report also specifies the approximate number of selectors that had been used for targeted collection of content between October 2001 and January 2007:
- Foreign telephone numbers: 15,646
- Domestic telephone numbers: 2,612
- Foreign e-mail addresses: 19,000
- Domestic e-mail addresses: 406

Because targets located in the US (not necessarily US citizens) were extremely sensitive, each of their selectors had to be approved by the chief of the Counterterrorism product line, to ensure strict compliance with the presidential authorization.
According to the final joint Inspectors General report, the NSA IG inspected a sample of the domestic selectors in 2006 and found that 95% of them were linked to al-Qaeda or international terrorist threats inside the US. Almost all the "tippers" that the NSA sent to the FBI contained domestic selectors (phone numbers, but also some content).

The draft report says that the bulk collection of telephone records was also strictly limited to "perform call chaining and network reconstruction between known al Qaeda and al Qaeda-affiliate telephone numbers and previously unknown telephone numbers with which they had been in contact."
The final joint Inspectors General report says that in 2006, as a result of the contact chaining, one of every four million metadata records was seen by analysts, who determined that it was not analytically useful to chain more than two hops from a target, even though that wasn't prohibited by the presidential authorization.

Altogether, the classified review of the STELLARWIND program shows that the NSA did filter telephone and internet backbone cables inside the US and collected a huge amount of domestic metadata, but did not use this for monitoring millions of American citizens, as many critics had assumed.

Snowden's problems with the program

After reading the report, Snowden could have concluded that his fears about domestic mass surveillance turned out to be unfounded. But on the contrary, he hid the exculpatory evidence by leaving all the aforementioned details out of his book and even said that what he found in the report was "so deeply criminal that no government would ever allow it to be released unredacted". (p. 176)

Permanent Record says that Snowden found two things in the report which he considered evidence of illegal domestic surveillance. The first thing is that the President's Surveillance Program marked a transition "from targeted collection of communications to "bulk collection", which is the agency's euphemism for mass surveillance". (p. 176)

But that's not what happened. The NSA has always conducted bulk collection for contact chaining, although traditionally that involved foreign military communications. The real shift in 2001 was not from targeted to bulk collection, but from collection abroad to collection inside the United States - but still against foreign targets.

Section from the full report of the 5 Inspectors General about STELLARWIND
(July 10, 2009, pdf-page 30, declassified in September 2015)

A redefinition of collection?

An issue that upset Snowden even more was an alleged "redefinition" that allowed the NSA to "collect whatever communications records it wanted to, without having to get a warrant, because it could only be said to have acquired or obtained them, in the legal sense, if and when the agency "searched for and retrieved" them from its database." (p. 177-178)

But while Snowden claims that the Bush administration used this redefinition in 2004 to legitimize STELLARWIND's collection of "communications" ex post facto, the report itself says that the aforementioned theory was used as a justification only for the bulk collection of internet metadata and only until March 2004.

A few months later the collection of internet metadata was brought under FISA Court authority and based upon Section 402 FISA (PR/TT). Nothing supports the idea that this definition was used as a trick to turn the NSA into "an eternal law-enforcement agency" able "to retain as much data as it could for as long as it could - for perpetuity" as Snowden wildly speculates. (p. 178)

The NSA's original privacy rules, the 1980 US Signals Intelligence Directive 18, defined "collection" as the "intentional tasking and/or selection" of specific communications, but as Timothy Edgar noted in his book Beyond Snowden: "Even if data are not "collected" under the agency's internal definition, that does not mean the agency may violate federal laws or the Constitution."

Unprotected phone records

For the bulk collection of telephone metadata the legal situation was different, but this is also misrepresented in Snowden's book. To justify this collection, the NSA didn't need a sneaky definition, because in 1979 the Supreme Court had ruled that telephone records provided to a telecom provider are not protected under the Fourth Amendment of the US Constitution. The FISA Court also applied this to metadata collected in bulk.

In his memoir, however, Snowden made it seem like it was the NSA's own interpretation that the Fourth Amendment didn't apply to telephone metadata, but in the Joe Rogan podcast he explained it correctly, saying that "the scandal isn't how they're breaking the law, the scandal is that they don't have to break the law" - basically admitting that the NSA's bulk collection of phone records wasn't illegal.

Section from the classified STELLARWIND report, page 16

The STELLARWIND report didn't confront Snowden with something clear and outright illegal (despite saying so in Permanent Record), but with legal interpretations he didn't agree with and which he thought the public should know about. Anyone may disagree with certain policies and legal interpretations, but that's not something covered by whistleblower protection laws.

Revelations by the press

Even though the STELLARWIND report didn't show significant abuses, one can argue that leaking it to the press was in the public interest because it revealed the true scope of the NSA's most controversial program. But wasn't that enough? Why did Snowden continue downloading classified files? What more could they reveal than one of the NSA's most sensitive and highly classified documents?

His memoir says: "It wouldn't be enough, after all, to merely reveal a particular abuse or set of abuses, which the agency could stop (or pretend to stop) while preserving the rest of the shadowy apparatus intact. Instead, I was resolved to bring to light a single, all-encompassing fact: that my government had developed and deployed a global system of mass surveillance without the knowledge or consent of its citizenry". (p. 239)

Publication of the Verizon order

Snowden's continued scraping of NSA networks actually paid off: eventually he not only found the PRISM presentation, but also the Verizon order from April 25, 2013. This appeared to be an even better catch than the STELLARWIND report, not only because it was about the current situation, but maybe also because it contained fewer "inconvenient" facts.

The first page of the Verizon order from April 25, 2013

And indeed, the very first story of the Snowden-leaks was not about STELLARWIND, but about the Verizon order. It was published by The Guardian on June 5, 2013 and revealed the Section 215 program, which this time generated a lot more attention than when USA Today first wrote about this program back in 2006.

Section 215 became the most controversial part of the Snowden revelations and was therefore replaced in 2015 by the USA FREEDOM Act, under which the NSA cannot collect domestic metadata in bulk anymore, but has to request these from the telecommunication providers based upon a warrant from the FISA Court.

Publication of the STELLARWIND report

Some three weeks later, on June 27, 2013, The Guardian published the STELLARWIND report. The accompanying article, however, was only about the NSA's collection of domestic internet metadata, probably because this was the only part of the President's Surveillance Program that hadn't been reported on before.

The Guardian said nothing about how the report debunked the fears of massive domestic surveillance, but focused on the fact that bulk collection of internet metadata had continued under Obama and eventually had been ended in 2011.

The Guardian's report about the STELLARWIND program, June 27, 2013

Along with the STELLARWIND report, The Guardian published a 2007 memorandum from the Justice Department, which revealed that Americans' metadata (both telephone and internet) may still be subject to database queries when these metadata have already been collected (through collection systems abroad for example). This is based upon the rather controversial theory that because such metadata have already been lawfully collected, there's no actual interception and therefore no breach of applicable laws.


Ever since the NSA illegally assisted the FBI in monitoring subversive Americans and civil liberties organizations in the 1950s and 1960s, there have been people who assumed or were convinced that CIA and NSA continued to spy on American citizens, despite the strict separation between foreign intelligence and domestic surveillance imposed by the Foreign Intelligence Surveillance Act (FISA) from 1978.

The idea of CIA and NSA as all-powerful enemies of the people became a conspiracy theory which Hollywood gratefully made use of. It got a new impulse in 2006, when Russell Tice claimed that the NSA could be eavesdropping on millions of Americans and Mark Klein revealed that there was interception equipment inside the AT&T switching facility in San Francisco.

Six years later, James Bamford presented the Utah Data Center as "fresh evidence" that the NSA was now spying inside the United States while Bill Binney turned the STELLARWIND program into something like the sum of all fears by suggesting that it collected almost everything. Jacob Appelbaum urged insiders to leak classified information about these programs to the public.

And that became the mission of NSA contractor Edward Snowden: providing the press with as much information about the NSA's collection efforts as possible so the general public could decide whether it was right or wrong - an unprecedented action that could only be justified when (afterwards) these files would reveal clear evidence of illegal activities and massive abuses.

Therefore Snowden seems to have had no choice but to continue and uphold the narrative of people like Tice, Binney and Bamford, which is that the NSA was unconstitutionally monitoring millions of Americans. However, one of his luckiest finds, the highly classified STELLARWIND report, actually debunks that story, which explains why its content is misrepresented in Permanent Record.


February 15, 2020

The serial numbers of NSA reports

(Updated: March 2, 2020)

On January 14, the NSA disclosed a serious vulnerability in the CryptoAPI service of the Windows 10 operating system (vulnerability identifier: CVE-2020-0601). In a rare public Cybersecurity Advisory the agency even offered further details about this issue.

An interesting detail is that this Cybersecurity Advisory has two serial numbers in the same format as the NSA uses on their Top Secret intelligence reports, some of which have been published by Wikileaks and as part of the Snowden-leaks.

The serial numbers on the NSA's Cybersecurity Advisory from January 14, 2020

The NSA's Cybersecurity Advisory has three groups of letters and numbers, the last one being the date of the document in the format month/day/year, which is typical for the United States.

The first group seems to be an external serial number, while the second group is more like an internal serial number. Below, the components of both serial numbers will be discussed in detail.

External serial number

The first serial number on the public Cybersecurity Advisory is similar to the serial numbers on a range of highly classified intelligence reports which were published by Wikileaks in June and July 2015 and in February 2016. These documents were not attributed to Edward Snowden, so they were probably provided by a still unknown "second source".

These intelligence reports were part of various editions of the "Global SIGINT Highlights - Executive Edition" briefings. Wikileaks published only one report in the original layout with header and a disclaimer. In the bottom right corner they have one or two serial numbers, one number for each source of intelligence:

NSA intelligence report about an intercepted conversation between French president
François Hollande and prime minister Jean-Marc Ayrault, May 22, 2012.
(Watermarked by Wikileaks)

The serial numbers are followed by a timestamp in the standard military notation: for example, 161711Z stands for the 16th day, 17 hours and 11 minutes ZULU (= Greenwich Mean) Time, with the month and the year as mentioned in the briefing.

The first five intelligence reports published by Wikileaks were from 2006 to 2012 and have the following serial numbers:

These kinds of briefings are called serialized reports, which are described in the NSA SIGINT Reporter's Style and Usage Manual as "The primary means by which we provide foreign intelligence information to intelligence users, most of whom are not part of the SIGINT community. A report can be in electrical, hard-copy, video, or digital form, depending on the information's nature and perishability."

The NSA Style Manual also explains the serial numbers of these reports: "Serial numbers are assigned to NSA reports on a one-up annual basis according to the PDDG issuing the report. Every serial includes the classification level, the PDDG of the originator, and a one-up annual number, as in the following examples:

The classification level of a report can be represented by a variety of codes. Comparing the first part of the serial number with the classification marking of a particular report shows that they are assigned according to the following scheme (updated and corrected):

1 = ?
2 = ?
3 = (Top Secret) Comint
E = ?
G = (Top Secret) Comint-Gamma
I = ?
S = ?
U = Unclassified
Z = NoForn

The Producer Designator Digraph (PDDG) consists of a combination of two letters and/or numbers and designates a particular "collector". These codes refer to NSA collection facilities and programs, but those with double vowels stand for the signals intelligence agencies of the Five Eyes partnership, as was already revealed in Nicky Hager's book Secret Power from 1996:
AA = GCHQ, United Kingdom
EE = DSD, now ASD, Australia
II = GCSB, New Zealand
OO = NSA, United States
UU = CSE, Canada

The one-up annual number doesn't seem to be a continuous number for each year: on the Windows vulnerability report the one-up number is 104201, which would mean that the NSA had already produced over one hundred thousand reports in the first two weeks of 2020 alone. That's not realistic, so maybe there are number ranges assigned to each producer or something similar.

Finally, the year in which the report was issued is represented by its last two digits.

Internal serial number

The second series of letters and numbers on the NSA's Cybersecurity Advisory seems to be an internal serial number. In this case it's PP-19-0031, a format that we also saw on the draft of the famous NSA Inspector General's report about the STELLARWIND program, which was leaked by Edward Snowden. This draft report is dated March 24, 2009 and has the serial number ST-09-0002:

Another declassified report from the NSA's Inspector General, about the "Special Study of NSA Controls to Comply with the FISA Amendments Act §§704 and 705(b) Targeting and Minimization Procedures" has a similar serial number: ST-15-0002:

Comparing these three serial numbers indicates that the two digits in the middle represent the year and the last four digits are most likely a one-up annual number. The first two letters may be an internal code for the producer: the office, bureau or unit that prepared and issued the report.

This two-letter code corresponds neither to the PDDG nor to the NSA's organizational designators, which have D1 for the Office of the Inspector General, so there must be another, unknown system for these codes.

Two audit reports by the NSA Inspector General have the following serial numbers:
- April 3, 2019: AU-17-0008
- March 4, 2019: AU-18-0003

This could indicate that the two-letter code doesn't designate an office, bureau or unit, but a particular type of report, like AU for an audit report.
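
The layout worked out in this post can be written down as a small parser. This is an added example, not code from the original post or from the NSA; the separators (`/`, `-`, `|`), the `20xx` century and the sample footer line assembled from the components named in the post are assumptions.

```python
import re
from datetime import datetime, timezone

# Classification codes the post was able to match to a marking.
CLASSIFICATION_CODES = {
    "3": "(Top Secret) Comint",
    "G": "(Top Secret) Comint-Gamma",
    "U": "Unclassified",
    "Z": "NoForn",
}
# Codes the post lists with "?" (seen on reports, meaning not established).
UNRESOLVED_CODES = set("12EIS")

# Double-vowel PDDGs: the Five Eyes signals intelligence agencies.
FIVE_EYES_PDDG = {
    "AA": "GCHQ, United Kingdom",
    "EE": "DSD, now ASD, Australia",
    "II": "GCSB, New Zealand",
    "OO": "NSA, United States",
    "UU": "CSE, Canada",
}

# ASSUMPTION: <code>[-<code>...]/<PDDG>/<one-up>-<yy>. The post names the
# components; the separators between them are assumed here.
EXTERNAL_RE = re.compile(r"([0-9A-Z](?:-[0-9A-Z])*)/([0-9A-Z]{2})/(\d+)-(\d{2})")
INTERNAL_RE = re.compile(r"([A-Z]{2})-(\d{2})-(\d{4})")   # e.g. ST-09-0002
DTG_RE = re.compile(r"(\d{2})(\d{2})(\d{2})Z")            # e.g. 161711Z


def parse_external(serial):
    """Split an external serial into classification, PDDG, one-up number, year."""
    m = EXTERNAL_RE.fullmatch(serial.strip())
    if not m:
        raise ValueError(f"not an external serial number: {serial!r}")
    codes, pddg, one_up, yy = m.groups()
    markings = []
    for code in codes.split("-"):
        if code in CLASSIFICATION_CODES:
            markings.append(CLASSIFICATION_CODES[code])
        elif code in UNRESOLVED_CODES:
            markings.append("unresolved")
        else:
            raise ValueError(f"classification code {code!r} is not in the list")
    return {
        "classification": markings,
        "pddg": pddg,
        "producer": FIVE_EYES_PDDG.get(pddg, "NSA collection facility or program"),
        "one_up": int(one_up),
        "year": 2000 + int(yy),  # ASSUMPTION: every sample is from 20xx
    }


def parse_internal(serial):
    """Split an internal serial: two-letter prefix, year, one-up annual number."""
    m = INTERNAL_RE.fullmatch(serial.strip())
    if not m:
        raise ValueError(f"not an internal serial number: {serial!r}")
    prefix, yy, one_up = m.groups()
    return {"prefix": prefix, "year": 2000 + int(yy), "one_up": int(one_up)}


def parse_dtg(dtg, year, month):
    """Turn a DDHHMMZ timestamp into a UTC datetime; the briefing itself
    supplies the month and year, so the caller has to pass them in."""
    m = DTG_RE.fullmatch(dtg.strip())
    if not m:
        raise ValueError(f"not a DDHHMMZ timestamp: {dtg!r}")
    day, hour, minute = (int(g) for g in m.groups())
    # datetime() rejects impossible values such as day 32 or hour 25.
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_footer(line):
    """Parse the three groups on the advisory: external | internal | date."""
    parts = [p.strip() for p in line.split("|")]  # ASSUMPTION: "|" separator
    if len(parts) != 3:
        raise ValueError("expected three groups: external | internal | date")
    return {
        "external": parse_external(parts[0]),
        "internal": parse_internal(parts[1]),
        "date": datetime.strptime(parts[2], "%m/%d/%Y").date(),  # month/day/year
    }


# Constructed sample: assembled from the components the post names for the
# Cybersecurity Advisory (U, OO, 104201, PP-19-0031, January 14, 2020).
SAMPLE_FOOTER = "U/OO/104201-20 | PP-19-0031 | 01/14/2020"

if __name__ == "__main__":
    for key, value in parse_footer(SAMPLE_FOOTER).items():
        print(key, value)
    # Month and year here are constructed; only the DTG string is from the post.
    print(parse_dtg("161711Z", 2012, 5).isoformat())
```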


After this comparative analysis it has become clear that the serial numbers (and the date) of the NSA's Cybersecurity Advisory can be explained as follows:

January 16, 2020

US government uses Swiss diplomatic network to communicate with Iran

(Updated: February 12, 2020)

A number of countries are connected to each other through bilateral hotlines in order to prevent misunderstandings and miscommunications in times of severe crisis. But what happens when there's a crisis between two countries that don't have a hotline?

Such a situation occurred after the United States killed the Iranian general Qassem Soleimani on January 3. Because there's no hotline between these countries, the US government used the Swiss diplomatic network to urge Tehran not to escalate the crisis, as was reported by the Wall Street Journal.

The Swiss embassy in Tehran
(photo: FDFA)

Intermediary since 1980

Ever since 1980, when Iranian revolutionaries seized the US embassy in Tehran and took 52 Americans hostage, the Swiss have acted as a messenger (or briefträger) between the American and the Iranian governments. The US appointed Switzerland as its "protecting power" in Iran and a special United States Interest Section was established in the Swiss embassy for handling informal contacts.

After the American invasion of Iraq in 2003, Swiss diplomats transmitted messages with Iran to prevent direct clashes and under president Obama Switzerland hosted the talks that led to the Iran nuclear deal from 2015. The Swiss ambassador in Iran regularly visits Washington to explain Iran's politics to officials from the Pentagon, the State Department and US intelligence agencies.

The Swiss embassy in Washington DC
(photo: keystone)

The Soleimani crisis

Details about the informal contacts between the US and Iran have now been revealed by the Wall Street Journal (WSJ): immediately after Washington confirmed the death of general Soleimani on January 3, the US government sent a first urgent message to Tehran asking not to escalate the situation.

The Swiss ambassador delivered the American message by hand to the Iranian foreign minister Javad Zarif early on Friday morning, as the WSJ learned from US and Swiss officials. But Zarif apparently responded to the message with anger, saying that "[U.S. Secretary of State Mike] Pompeo is a bully" and that "The U.S. is the cause of all the problems."

Two days later, on January 5, Zarif called the Swiss ambassador asking to relay his response to the US government, which appeared more restrained. This was followed by a range of back and forth messages, "far more measured than the fiery rhetoric traded publicly by politicians", which for now seem to have helped prevent a military clash between both countries.

The Swiss diplomatic network

The message from the US government to Iran "arrived on a special encrypted fax machine in a sealed room of the Swiss mission" and the WSJ adds that this "equipment operates on a secure Swiss government network linking its Tehran embassy to the Foreign Ministry in Bern and its embassy in Washington. Only the most senior officials have the key cards needed to use the equipment."

Using the secure diplomatic communications network of a third party is a good option for exchanging sensitive messages between two countries, because it's not always possible to set up a direct communications link. One of the difficulties is that in order to encrypt such communications, both parties have to use the same algorithms and, obviously, countries don't like to share their crypto systems with others.

Similar to an official direct bilateral hotline, the back channel through the Swiss diplomatic network appears to be effective, because both parties "can trust a message will remain confidential, be delivered quickly, and will reach only its intended recipients. Statements passed on the back channel are always precisely phrased, diplomatic, and free of emotion" - according to the WSJ report.

The west wing of the Federal Palace (Bundeshaus) in Bern, Switzerland,
home of the Federal Department of Foreign Affairs (FDFA)
(photo: Mike Lehmann/Wikimedia Commons)

Swiss crypto manufacturers

Switzerland's neutrality is not only useful for diplomatic negotiations, but was also an advantage for the manufacturers of crypto equipment.

One of the oldest companies was Gretag AG, which goes back to 1947. In 1987 most of its cryptographic business was split off and transferred to Omnisec AG, which had been founded especially for this purpose. However, the civil encryption machines as well as those for the Swiss government were sold to AT&T in 1991. Under a new owner, this product line was renamed to Safenet Data Systems, but the company declined rapidly and was liquidated in 2004.

Most of the business had already been taken over by Omnisec AG, which had become one of the most trusted crypto-companies in the world, selling its voice, fax and data encryptors to governments, armies and intelligence services. But gradually the market for proprietary Swiss encryption technology became smaller and smaller and so the company was dissolved in February 2018.

Another Swiss crypto manufacturer is Crypto AG, which was established in 1952 by Boris Hagelin for the activities of his original Swedish company AB Cryptoteknik. Crypto AG became one of the most famous companies in the crypto business, but there were also several allegations that it cooperated with intelligence agencies like the NSA and the German BND.

On February 11, 2020, American and German news outlets revealed that in 1970, the CIA and the German foreign intelligence agency BND took over the ownership of Crypto AG, which gave them easier access to the encrypted diplomatic and military communications of over 100 countries (the Swiss government always got the secure versions of Crypto AG's equipment though). In 1993, the BND sold its share to the CIA, which continued to run the company until 2018, when Crypto AG was sold to a Swedish entrepreneur.

The Crypto AG Fax Encryption HC-4221
(photo: Crypto AG brochure)

Swiss fax encryption systems

Both Omnisec AG and Crypto AG produced devices for encrypting fax transmissions. Omnisec had the Omnisec 525 Fax Encryptor, which was available in 2007, while Crypto AG manufactured the Fax Encryption HC-4220, which was succeeded by the HC-4221 and was still available in 2011.

These aren't secure fax machines in the strict sense, but separate crypto devices, which encrypt the signals from a commercial fax machine before being transmitted through the public switched telephone network (PSTN). As can be seen in the photo, the HC-4220 was designed to put the actual fax machine on top of it.

Currently, Crypto AG offers the HC-9300 Crypto Desktop, which is a futuristic-looking touchscreen device that performs the encryption of telephone, fax, VoIP and e-mail communications. This device has been available since at least 2015 and is approved by the Technical Secretariat of the OPCW to be used for inspections, for example.

Maybe the Swiss diplomatic network already uses the HC-9300 to secure its fax messages, but in general, government agencies tend to be rather conservative and stick to older versions, also because new crypto equipment has to undergo rigorous testing before it may be used to protect classified information.

See also:
- The hotline between Washington and the former German capital Bonn
- The Washington-Moscow Hotline

December 12, 2019

Review of Snowden's book Permanent Record - Part II: At the NSA

(Updated: December 20, 2019)

More than 6 years after the first disclosure of Top Secret documents from the NSA, after numerous video appearances and more than 4000 tweets, Edward Snowden has now written an autobiography. It's titled Permanent Record and was published simultaneously in over 20 countries on September 17.

An extensive discussion of the first half of this book, from Snowden's youth to his jobs at the CIA, is provided in Part I of this review. Here, it's about his time at the NSA, which he accuses of collecting everyone's information and storing it forever. However, the book in no way substantiates these claims, misrepresents the NSA collection programs and fails to justify his massive theft of classified data.


Sysadmin at the NSA in Japan

In August 2009 Snowden moved to Japan for his first job at the NSA. This was yet another contractor job, as he was hired by Perot Systems (which was taken over by Dell in September 2009) under the Agency Extended Information Systems Services (AXISS) contract of the NSA.

His new workplace was at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo. This facility was opened in 2003 as "the sister organization to the highly successful European Technical Center (ETC), providing essential technical and logistical services to vital cryptologic missions in the Pacific Theater."

Here, Snowden worked as a systems administrator responsible for maintaining the local NSA systems and helping to connect the NSA's systems to those of the CIA. As such he found out that the NSA was far ahead in terms of cyberintelligence, but far behind when it came to cybersecurity:
"In Geneva, we'd had to haul the hard drives out of the computer every night and lock them up in a safe - and what's more, those drives were encrypted. The NSA, by contrast, hardly bothered to encrypt anything."
(p. 166)


In Japan, Snowden noticed that the NSA had no proper backup system: because of limited bandwidth, local collection sites often did not send copies back to NSA headquarters. He then engineered an automated backup and storage system that was initially named EPICSHELTER, but was later renamed to Storage Modernization Plan/Program. (p. 166-168)

This system would constantly scan the files at every NSA facility and only if the agency lacked a copy of it back home would the data be automatically queued for transmission. It's not known how accurate this description is, because no original documents about EPICSHELTER have been published.

It's likely though that the scope of the system was smaller than the book suggests and only handled documents and reports produced by NSA employees, not the data the agency intercepted (in Oliver Stone's biographical thriller the fictional Snowden says that EPICSHELTER was only "collecting our finished intel").

For its intercepted communications, the NSA already had a system with a more or less similar function: XKEYSCORE, which in 2008 consisted of filtering systems at some 150 local collection sites. Analysts instruct these local filters to select data of interest, which are subsequently transferred to the agency's central databases. Data that are not of interest disappear from the system's rolling buffer after around 30 days.

Slide from an NSA presentation about XKEYSCORE
showing its federated query hierarchy

Leaving readers with the impression that EPICSHELTER copied and stored virtually all of the NSA's data, Snowden writes:
"The combination of deduplication and constant improvements in storage technology allowed the agency to store intelligence data for progressively longer periods of time. Just over the course of my career, the agency's goal went from being able to store intelligence for days, to weeks, to months, to five years or more after its collection. By the time of this book's publication, the agency might already be able to store it for decades." (p. 167)
Snowden then claims that it is the NSA's ultimate dream "to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory. The permanent record." (p. 168)

The Utah Data Center

Given that Permanent Record is the title of the book, one would expect a solid substantiation of this claim, but the only "corpus delicti" that Snowden comes up with is the huge $1.2 billion data center that the NSA built near Bluffdale, Utah, which was probably reported first in July 2009. (p. 246-247)

Snowden says that within the NSA this data center was initially called "Massive Data Repository" but then renamed to "Mission Data Repository" to sound less creepy. This isn't a unique designation for the Utah complex though, because from other sources we know that the NSA has multiple Mission Data Repository (MDR) cloud platforms.

We can assume that Snowden looked and searched for internal NSA documents about the Utah Data Center (UDC), but either he found nothing, or nothing has been published. Maybe that's because it's simply a big back-up facility for the US Intelligence Community as a whole?

That at least seems a plausible option given its official name of "Intelligence Community Comprehensive National Cybersecurity Initiative Data Center" with the purpose of providing a secure and resilient environment supporting the nation's cyber security.

The only relevant piece from the Snowden trove is a map showing that in Utah one can find the NSA's Utah Language Center and two of the NSA's GHOSTMACHINE (GM) cloud computing platforms, codenamed gmCAVE and gmPEACH. It's not clear though whether this is the situation before or after the opening of the data center.

Slide from a 2012 NSA presentation showing the locations
of the agency's GHOSTMACHINE cloud platforms

Permanent Record?

Contrary to Snowden's claim about a "permanent record", many of the data the NSA collects are actually stored for much shorter periods of time. For the programs where communications from foreign targets are collected inside the United States the maximum retention periods for unevaluated data are:
- PRISM (targeted collection from internet companies): 5 years
- Upstream (targeted collection from backbone cables): 2 years
- Section 215 (bulk collection of domestic telephone metadata): 5 years

It seems there were no clear storage restrictions for data collected outside the US under EO 12333 authority, but examples show that they were not kept very long: the NSA's main database for internet metadata, MARINA, stored data for a year, while the massive data processing system RT-RG used in Iraq and Afghanistan could hold its data initially for not more than a month.

In response to the Snowden disclosures, president Obama issued Presidential Policy Directive 28 (PPD-28) in which he determined that personal information about foreigners shall also "not be retained for more than 5 years".

However, Obama's directive didn't change the policy that encrypted communications may be stored indefinitely, something that was useful in the past when only things of importance were encrypted, but makes less sense nowadays. It's ironic that when Snowden urges us to encrypt our data, that actually means they could be stored much longer than if we don't.

On December 12, 2019, the NSA's Inspector General (IG) published a report about the retention requirements for SIGINT data. Many data have to be deleted after a number of years, but the report found several deficiencies in that process. The IG made 11 recommendations and the NSA agreed to implement all of them.


The limitations on storing data from PRISM, Upstream and Section 215 only became public through the declassification of opinions from the FISA Court as well as from a report from the NSA's Civil Liberties and Privacy Office, both in response to one-sided press reports about these programs.

This means that while he was working at the NSA, Snowden may not have been aware of these limitations and therefore jumped to the conclusion that the agency wanted to store its data as long as possible. But by still not mentioning these limited retention periods in his book, Snowden deliberately misleads his readers.

Snowden's atomic moments

According to Permanent Record, Japan was Snowden's "atomic moment" where he realized that "if my generation didn't intervene the escalation would only continue" and surveillance would become "the ear that always hears, the eye that always sees, a memory that is sleepless and permanent." (p. 184-185)

There were however two moments that raised his suspicions:

1. China's domestic surveillance

The first moment was when the NSA's Pacific Technical Center hosted a conference on China and Snowden had to step in as a replacement by giving a briefing about the intersection between counterintelligence and cyberintelligence. (p. 169)

Preparing his briefing, he read about China's mass surveillance against its own citizens and then suspected that the US government was doing the same, because "if something can be done, it probably will be done, and possibly already has been". (p. 170-171)

But how could such surveillance remain secret in an open society like that of the United States, while even the censoring and monitoring measures from the tightly controlled Chinese society are well known? And what would such domestic surveillance have to do with the NSA, which is a military foreign intelligence agency?

Like more radical privacy activists, Snowden seems to assume that intelligence agencies like the NSA and CIA desperately want to spy on their own citizens. But if the government really wants to do so, there are other and easier options, for instance through the FBI and other law enforcement agencies that have the power to wiretap and access to government and private databases.

Another example of mixing these things up is when Snowden describes that he couldn't tell his girlfriend that his "former coworkers at the NSA could target her for surveillance and read the love poems she texted me." It's hard to believe that Snowden really thought that: if there would have been a reason to monitor her, it would have been done by the FBI, not the NSA. (p. 197)

2. The STELLARWIND report

The second moment that apparently scared Snowden was when he read a very secret report about the President's Surveillance Program (PSP), which was established by president George W. Bush after the attacks of 9/11. It gave the NSA the power to track down foreign terrorists without a warrant from the Foreign Intelligence Surveillance Court (FISC) and was therefore also known as Warrantless Wiretapping.

An unclassified report about the PSP was published in July 2009, which gave Snowden the impression that graver things had been going on than just targeted interception of terrorists. This suspicion sent him searching for the classified report on the President's Surveillance Program, which he only found somewhat later by chance. (p. 174-175)

While being interviewed for The Joe Rogan Experience podcast on October 23, 2019, Snowden said that he found the classified version of the STELLARWIND report only somewhere in 2012. It turned up when he ran some "dirty word searches" to help out the Windows network systems administration team that sat next to him when he was in the Office of Information Sharing at NSA Hawaii (see below).

The report appeared to be in a separate classification compartment under the code name STELLARWIND (STLW), and only because someone from the office of the NSA's Inspector General who had come to Hawaii had left a draft copy on a lower-security system did it pop up as something that Snowden had to remove and delete. Instead, he read it all the way through. (p. 175)

The first page of the highly classified STELLARWIND report

After reading the highly restricted report, Snowden found that "the activities it outlined were so deeply criminal that no government would ever allow it to be released unredacted". (p. 176)

This claim requires an explanation of the STELLARWIND program, which doesn't follow in the book, despite the fact that the classified report is very detailed. It makes clear that the program encompassed 4 components:
- Targeted collection of telephony content
- Targeted collection of internet content
- Bulk collection of domestic telephony metadata
- Bulk collection of domestic internet metadata

This may look massive, but on page 9 of the report NSA director Michael Hayden is cited saying that "NSA would not collect domestic communications". Furthermore it explains that the program was only used to collect communications from:
- Members of al-Qaeda and its affiliates (since October 2001)
- Targets related to Afghanistan (until January 2002)
- The Iraqi Intelligence Service (from March 2003 to March 2004)

The content of these targets' communications was collected by filtering backbone cable traffic using some 11,000 phone numbers and e-mail addresses. On pages 38 and 39 the report says that the bulk collection of both telephone and internet metadata was also strictly limited to finding unknown conspirators of known members of al-Qaeda.

Between 2004 and 2007, all four components of the STELLARWIND program were moved from the president's authority to that of the FISA Court (FISC), based upon a creative interpretation of the Patriot Act and the new Protect America Act.

According to the original report, STELLARWIND was not used for large-scale monitoring of American citizens, but that's not something we learn from Permanent Record, which is not only misleading but also fails to account for the reason why Snowden was apparently so upset after reading it.

Security clearance reinvestigation

In September 2010, Edward Snowden left Japan and returned to Maryland, where Dell provided him a new job as a technical solutions consultant for their CIA contract, a job that didn't require a security clearance, because the CIA refused to grant him access to classified information (see Part I of this review).

Around that time, Snowden was also due for a periodic background reinvestigation, but when the review was completed in May 2011, no derogatory information had been found. According to the HPSCI-report this was because the investigation was incomplete as, for example, it "never attempted to verify Snowden's CIA employment or speak to his CIA supervisors".

Not much later, Snowden was diagnosed with epilepsy, after which he took a four-month disability leave from work until January 2012. According to his memoir, he decided "to start over" and take a less stressful job in Hawaii, where the climate and more relaxed lifestyle were better for preventing epileptic seizures. (p. 215)

Did Snowden, who clearly didn't fit into a government bureaucracy, ever consider a private sector job in Silicon Valley, where there's an equally nice climate? Or was he determined enough to find out more about mass surveillance to stay inside the Intelligence Community, although not yet ready to sacrifice everything for that goal? (p. 215)

Sysadmin at the NSA in Hawaii

By the end of March 2012, Snowden and his girlfriend had moved to Hawaii, where he got a new job for Dell at the NSA's regional Cryptologic Center.

While most NSA employees had moved to a new building in the beginning of 2012, Snowden and other technical support workers remained in the so-called Kunia Tunnel, a three-story underground bunker facility originally built for aircraft assembly during World War II.

Here, he worked for exactly one year, until March 2013, as a SharePoint systems administrator and the sole employee of the Office of Information Sharing. It was "a significant step down the career ladder, with duties I could at this point perform in my sleep." (p. 214)

The tunnel entrance to the former Kunia Regional Security Operations Center
in Hawaii, where Snowden worked from March 2012 to March 2013
(photo: NSA)


Just like in his first job at CIA headquarters, Snowden started by automating his tasks, writing scripts to do the work for him "so as to free up my time for something more interesting." (p. 214)

That more interesting activity is described in what is probably the most important and most surprising revelation of Permanent Record:
"I want to emphasize this: my active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I'd first had back in 2009 in Tokyo. Three years later I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned." (p. 215)

Here, Snowden basically admits that he isn't a whistleblower: he wasn't confronted with illegal activities or significant abuses and subsequently collected evidence of that, but acted the other way around by gathering as much information as he could get, only based upon a vague and, as we have seen, rather far-fetched suspicion.

Snowden also doesn't share whether he found any concrete misconduct in those numerous files, things that could have triggered his decision to hand them over to journalists. He even omits almost all the disclosures made by the press, so that Permanent Record contains hardly anything that justifies his unprecedented data theft.

E-mail from Snowden as systems administrator in Hawaii, August 2012
Declassified by the NSA in June 2016

Readboards and Heartbeat

While his colleagues at the Kunia Tunnel watched Fox News, Snowden's quest for information started with reading what he calls "readboards", a kind of digital bulletin board where each NSA site posted news and updates. (p. 220)

He started hoarding documents from all these readboards, creating an archive of everything he thought was interesting. After a complaint about exceeding his storage quota, Snowden came up with the idea to share his personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources. (p. 221, 256)

He then got approval from his boss to create an automated readboard that would perpetually scan for new and unique documents, not only from NSAnet, but also from the networks of the CIA, the FBI as well as from JWICS, the high-level Defense Department intelligence network. (p. 221)

Instead of only gathering titles and metadata like common RSS readers do, the system had to pull in full documents so NSA Hawaii would have access to all the necessary information in case the fiber-optic cable that connected it with NSA headquarters were disconnected as a result of a power outage or a cyber attack.

Snowden called the new system Heartbeat (not in capitals in the book) because "it took the pulse" of the NSA and of the wider Intelligence Community (IC), but the program was also important for another reason: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat." (p. 221-222)

Mock-up of the Heartbeat interface in Oliver Stone's biographical thriller Snowden
(screenshot from Snowden)

Scraping tools and stolen passwords

The HPSCI-report says Snowden started his mass downloading of NSA data somewhere around August 1, 2012, using two common scraping tools, called DownThemAll! and wget. These tools were available for legitimate system administrator purposes, but Snowden used them to scrape "all information from internal NSA networks and classified webpages of other IC elements."

This is followed by two redacted sections, so it's not known whether the report acknowledges that this scraping effort was part of an authorized program named Heartbeat. Snowden doesn't mention the scraping tools in his book, but in a video appearance on August 20, 2019, he admitted that he "wrote some scrapers".

Besides the bulk downloading, the HPSCI-report says that Snowden used "his systems administrator privileges to search across other NSA employees' personal network drives and copy what he found on their drives". He also searched for "files related to the promotion and hiring decisions" on the personal network drives of people who had been involved in decisions about jobs for which Snowden had applied.

Already in November 2013, Reuters reported that Snowden even persuaded maybe up to 25 fellow workers to give him their logins and passwords, but in a live chat in January 2014, Snowden vehemently denied this: "I never stole any passwords, nor did I trick an army of co-workers".

The HPSCI-report from 2016 confirmed Reuters' reporting and says that Snowden asked "several of his co-workers for their security credentials so he could obtain information that they could access, but he could not. One of these co-workers subsequently lost his security clearance and resigned from NSA employment."

One would expect that Permanent Record addresses these specific and quite serious accusations, but they are completely ignored. In more general terms however, the book confirms Snowden's almost insatiable desire for information regardless of whether he was entitled to it - he almost seems proud of how easily he could circumvent auditing controls and internal monitoring systems like MIDNIGHTRIDER. (p. 256)

"Collect it All"

While almost "every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance", like American citizens or foreign leaders, Snowden's own curiosity was of a technical nature: "the better you can understand a program's mechanics, the better you can understand its potential for abuse." (p. 222)

While Glenn Greenwald saw the slide below as evidence that NSA really wants to "Collect it All", Snowden now says that this was "just PR speak, marketing jargon" intended to impress America's Five Eyes partners and therefore gave him "no insight into how exactly that ambition was realized in technological terms." (p. 222-224)

Slide from a presentation about satellite collection capabilities
at Menwith Hill Station in the United Kingdom, 2011

Given how keen Snowden was to find out the inner workings of the NSA's collection systems, surprisingly little detail about them is found in his book. For example, the best-known and most controversial programs, Section 215 and PRISM, are addressed in only one paragraph each. (p. 222-223)

Just as little information is provided about other NSA collection programs - apparently because such details would undermine Snowden's repetitive claim that the NSA tries to collect everyone's data to store them forever. For example:

- Bulk collection of domestic telephone metadata under Section 215 was limited to counter-terrorism investigations and only used for contact-chaining with no more than 288 seed numbers in 2012, resulting in 6000 numbers that analysts actually looked at.

- Targeted collection from internet companies under PRISM doesn't allow "direct access" to the servers of the companies, has multiple layers of oversight and was used against roughly 160,000 specific foreign targets in 2018.


The most detailed, but still rather limited description in Permanent Record is that of the technologies behind Upstream collection, which is the interception of foreign communications at backbone cables and switching facilities. Snowden says that if you want to look something up on the internet, it has to pass "through TURBULENCE, one of the NSA's most powerful weapons." (p. 225)

According to an internal NSA dictionary, TURBULENCE isn't so much a weapon, but a "framework of mission modernization". A detailed explanation of this framework on the weblog of Robert Sesek shows that it has nine different components, including TURMOIL and TURBINE, which also feature in Snowden's book:

TURMOIL is installed at many locations around the world and makes a copy of a data stream based upon selectors like e-mail addresses, credit card or phone numbers, etc. Suspicious traffic is then tipped over to TURBINE, which uses algorithms to decide whether computer exploits should be used against certain kinds of web traffic. Then, TURBINE injects the exploits in the web traffic back to the target's computer: "Your entire digital life now belongs to them". (p. 225-226)

Snowden claims that these systems "are the most invasive elements of NSA's mass surveillance system, if only because they're the closest to the user." But as TURMOIL filters communications traffic for data that match specific selectors, this qualifies as targeted collection, which is generally preferred over indiscriminate bulk collection.

It's only because Snowden has the habit of describing all the NSA's collection efforts as if they are directed against everyone and anyone ("your traffic", "your digital life") that even targeted collection sounds very scary, but as long as you're not a target, these exploits won't find their way to your computer.

A slide from an unpublished NSA presentation about the TUMULT component of
the TURBULENCE program as seen in the documentary film Citizenfour
(screenshot by paulmd)

Exfiltrating the data

In his memoir, Snowden says that the big decisions in (his) life are made subconsciously and only express themselves once fully formed: "once you're finally strong enough to admit to yourself that this is what your conscience has already chosen for you." (p. 214)

Snowden's preparations for leaking to the press apparently started in August 2012, which is earlier than previously assumed. But before handing over his personal collection of Top Secret files, he wanted to "search them and discard the irrelevant and uninteresting, along with those containing legitimate secrets". (p. 256-257)

This was quite difficult on monitored NSA computers, so he took an old Dell PC that he found in a forgotten corner: "Under the guise of compatibility testing, I could transfer the files to these old computers, where I could search, filter, and organize them as much as I wanted, as long as I was careful." (p. 256-257)

It seems that Snowden used this desktop computer as a "thin-on-thick" device, which means that it officially served as a thin client. According to the HPSCI-report Snowden requested such a thin-on-thick computer in late August 2012, which is less than a month after he started bulk downloading internal NSA files.

Careful evaluation?

This set-up allowed Snowden to get "the files I wanted all neatly organized into folders" and later on, he assured that he "carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest". (p. 258)

Given the huge number of files that he handed over (the book says nothing about their exact number), it's hard to imagine that Snowden was able to evaluate them as carefully as he said. In his memoir he already admits how complicated this was:
"Sometimes I'd find a program with a recognizable name, but without an explanation of what it did. Other times I'd just find a nameless explanation, with no indication as to whether the capability it described was an active program or an aspirational desire. I was running up against compartments within compartments, caveats within caveats, suites within suites, programs within programs" (p. 217)

Apparently it was as difficult for Snowden as it was for the journalists to make sense of these never-before-seen documents, but with the difference that Snowden had less than a year to study them part-time, while a dozen journalists and their assistants have worked on them for over five years and may still not have solved all the puzzles.

Even in his hotel room in Hong Kong, in the week before he would meet Greenwald and Poitras, Snowden was sorting his archive, and in order to make it as comprehensible as possible for nontechnical people he also put together dictionaries and glossaries of abbreviations like CCE, CSS, DNI and NOFORN. (p. 288-289)

All these efforts didn't prevent mistakes in the early press reporting, like for example that NSA had "direct access" to the servers of Facebook, Google, and other internet companies. The misinterpretation of the BOUNDLESSINFORMANT slides was another major case that made clear that both Snowden and the journalists lacked enough information about this tool.

When in April 2015, John Oliver expressly asked whether he really had read every single document, Snowden eventually backed down from his original statement saying "Well, I do understand what I turned over" and slowly conceded that his actions carried dangers regardless of his own intentions or competence.

The Rubik's Cube

The next step in exfiltrating the files was getting them out of the Kunia Tunnel complex. Taking pictures with a smartphone wasn't an option, so Snowden decided to copy them onto mini- and micro-SD cards. They have so little metal in them that they will hardly trigger metal detectors, but are extremely slow to write: it can take up to 8 hours to fill a single card. (p. 258-259)

This had to be repeated multiple times and so Snowden sneaked the SD cards past the security checks in different ways: in his sock, in his cheek (so he could swallow it if needed) and at the bottom of his pocket. He doesn't confirm or deny whether he also used a Rubik's Cube to hide an SD card, or whether the cube was just used to distract the guards. (p. 259)

Oliver Stone's film Snowden showing how an SD card was hidden in a Rubik's Cube
(screenshot from Snowden)

At home, Snowden transferred the files from the SD cards to a larger storage device and secured them with multiple layers and different methods of encryption. Altogether, the documents fitted on a single drive, which he left out in the open on his desk at his home, confident that they were protected by the encryption. (p. 262-263)

Handing over the files

On December 1, 2012 Snowden first contacted columnist Glenn Greenwald, but when it proved to be difficult for him to set up an encrypted communications channel, Snowden contacted filmmaker Laura Poitras on January 13, 2013, after he had received her public key through Micah Lee from the Electronic Frontier Foundation. (p. 250-253)

It's not clear when Snowden sent Poitras the first set of documents that she showed to Greenwald on their flight to Hong Kong.* Eventually, they each received a copy of the full archive when they met Snowden on June 2/3 at his room in the Mira Hotel.

An intriguing story that's not in Permanent Record, but was told in Harper's Magazine from May 2017 is that already on May 10, 2013, Snowden had sent (encrypted) backup copies of the NSA files in postal packages to Jessica Bruder in New York, to Trevor Timm of the Freedom of the Press Foundation, to one person who wants to remain anonymous, and to one unknown person.

In his book, Snowden tries to explain how thoroughly he secured his own archive of NSA documents (through some kind of key distribution scheme), but how about the keys for what was in these packages? And what has happened to the packages?


Infrastructure analyst at the NSA in Hawaii

On March 30, 2013, Edward Snowden had started a new job as an infrastructure analyst for intelligence contractor Booz Allen Hamilton (BAH) at the NSA/CSS Threat Operations Center (NTOC) of NSA Hawaii.

NTOC is a watch center that provides real-time network monitoring and cyber defense capabilities and is located in the NSA's new Joseph J. Rochefort Building (nicknamed "Roach Fort" or "The Roach"), which was officially opened in January 2012.

The Joseph J. Rochefort Building of NSA/CSS Hawaii near Wahiawa in Honolulu
where Snowden worked from mid-April to mid-May 2013.
(still from CBS News)

There are different versions of the reason why Snowden took this new job. In his memoir he says that after reading about all those NSA programs, systems and tools, his final desire was to see how they were operated by the analysts who take the actual targeting decisions: "Was there anyone this machine could not surveil?" (p. 275-276)

He was especially interested in the XKEYSCORE system, which would later be presented as the NSA's "widest-ranging tool, used to search nearly everything a user does on the Internet". The Booz Allen job as an infrastructure analyst allowed him to work with XKEYSCORE to monitor suspicious activities of hostile cyber actors on the infrastructure of the internet. (p. 277)

Dual-hat authority

Another and more specific reason was given in an interview from June 24, 2013 with the South China Morning Post (SCMP) in which Snowden said that he took the new job because: "My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked".

Later, Snowden explained that in his opinion "we’ve crossed lines. We're hacking [Chinese] universities and hospitals and wholly civilian infrastructure rather than actual government targets and military targets." It was to get access to this kind of information that he took the new job, which "gave him rare dual-hat authority covering both domestic and foreign intercept capabilities".

That "dual-hat" also allowed Snowden to find out whether "vast amounts of US communications were being intercepted and stored without a warrant, without any requirement for criminal suspicion, probable cause, or individual designation."

In his new job he continued copying internal NSA documents (maybe he could still use his previous sysadmin privileges?), but to actually exfiltrate them, he had to return after hours to his old desk with the thin-on-thick computer at the Kunia Tunnel - according to the HPSCI-report.

By-catch conversations

According to Greenwald's book No Place to Hide, Snowden had an even bigger goal in mind when he applied for the job as an infrastructure analyst: the raw surveillance repositories of the NSA. "He took a pay cut to get that job, as it gave him access to download the final set of files he felt he needed to complete the picture of NSA spying."

He succeeded and handed the files over to Barton Gellman from The Washington Post, which in July 2014 reported on these ca. 22,000 collection reports from 2009 to 2012, which contained roughly 160,000 intercepted e-mails and instant-messages. Analysis showed that they came from more than 11,000 accounts, while 9 out of 10 account holders were not the intended targets and nearly half of them Americans.

These online conversations were intercepted through PRISM and Upstream, which is targeted collection, but in Snowden's view it clearly crossed the line of proportionality. In The Post he said that such a "continued storage of data of innocent bystanders in government databases is both troubling and dangerous. Who knows how that information will be used in the future?"

The future danger is largely mitigated by the limited retention period of up to 5 years, but the fact that even this targeted collection leads to such a large amount of by-catch is one of the most problematic aspects of the NSA's operations. Therefore it's puzzling that Snowden doesn't mention this issue at all in his book, especially because The Washington Post's report is not widely known.

Witnessing abuses?

Before starting his new job, Snowden first had to attend a two-week training course at NSA headquarters. There, and during "the short stint I put in at Booz back in Hawaii, were the only times I saw, firsthand, the abuses actually being committed that I'd previously read about in internal documentation." (p. 279)

Here, one expects an explanation of these abuses, but as we will see, Snowden only presents some minor cases in which the NSA's collection system was misused by individual analysts, which doesn't even come close to an organization "in which malfeasance has become so structural as to be a matter not of any particular initiative, but of an ideology" as Snowden puts it. (p. 235)


It's allegedly XKEYSCORE that enables these abuses, but it remains unclear whether Snowden actually has a good understanding of how this system works. At least his descriptions in the book are incomplete and misleading.

He says that by studying the technical specs he found out that XKEYSCORE works "by 'packetizing' and 'sessionizing,' or cutting up the data of a users' online sessions into manageable packets for analysis" - actually, 'sessionizing' means that the small IP packets in which internet communications travel are reassembled into their original format for further analysis. (p. 278-279)
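An added illustration of what sessionizing means in practice, not code from XKEYSCORE or from any source cited here: it groups captured TCP segments by flow and rebuilds each byte stream in sequence order, showing that an e-mail address split across two packets only becomes searchable after reassembly. The packet tuples, addresses and function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample capture, one direction of each TCP connection:
# (src_ip, src_port, dst_ip, dst_port, tcp_sequence_number, payload)
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 25, 1000, b"MAIL FROM:<al"),
    ("10.0.0.7", 40002, "192.0.2.10", 25, 5000, b"MAIL FROM:<bob@example.net>\r\n"),
    # arrives out of order: belongs after the segment at 1013
    ("10.0.0.5", 40001, "192.0.2.10", 25, 1031, b"RCPT TO:<carol@example.org>\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 25, 1013, b"ice@example.com>\r\n"),
    # retransmission of the previous segment
    ("10.0.0.5", 40001, "192.0.2.10", 25, 1013, b"ice@example.com>\r\n"),
]


def sessionize(packets):
    """Rebuild one byte stream per flow from individual TCP segments.

    Returns {flow_key: (stream_bytes, complete)}; complete is False when a
    segment is missing, in which case the stream stops at the hole.
    Assumption for this example: sequence numbers do not wrap around.
    """
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        # Group by flow; keep the first copy of a retransmitted segment.
        flows[(src, sport, dst, dport)].setdefault(seq, payload)

    sessions = {}
    for key, segments in flows.items():
        stream = bytearray()
        expected = min(segments)       # next sequence number we need
        complete = True
        for seq in sorted(segments):
            data = segments[seq]
            if seq > expected:         # hole: a segment was never captured
                complete = False
                break
            overlap = expected - seq   # bytes we already have
            if overlap < len(data):
                stream += data[overlap:]
                expected = seq + len(data)
        sessions[key] = (bytes(stream), complete)
    return sessions


def found_in_single_packet(packets, needle):
    """True if the search string sits entirely inside one packet payload."""
    return any(needle in p[5] for p in packets)


if __name__ == "__main__":
    needle = b"alice@example.com"
    print("per-packet search:", found_in_single_packet(PACKETS, needle))
    for key, (stream, complete) in sessionize(PACKETS).items():
        print(key, "complete" if complete else "incomplete",
              needle in stream, stream)
```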

Diagram showing the dataflow for the DeepDive version of XKEYSCORE

Snowden describes the back end of XKEYSCORE as "an interface that allows you to type in pretty much anyone's address, telephone number, or IP address, and then basically go through the recent history of their online activity." He then says that he would have been able to type in the names of the NSA director or the US president. (p. 279)

He already claimed having such an "authority" in his very first video appearance on June 9, 2013, but afterwards, Glenn Greenwald had to admit that although such searches would not be legally permitted, they were technically possible.

The technical possibilities however are limited too, because in order to retrieve communications via XKEYSCORE, the NSA first has to have physical access to communication links that contain the target's traffic. Therefore it's definitely not the case that "Everyone's communications were in the system" as Snowden says. (p. 279)

What Snowden doesn't tell us is that the actual purpose of XKEYSCORE, and its unique capability, is finding files which are not associated with specific selectors so analysts can trace targets who are using the internet anonymously.

Intimate images

Snowden assumes that none of his new colleagues intended to abuse XKEYSCORE's capabilities, but if they would, then for personal rather than professional reasons. This led to what he calls "the practice known as LOVEINT [...] in which analysts used the agency's programs to surveil their current and former lovers". (p. 280)

It's rather exaggerated to call this a practice because in 2013, NSA Inspector General George Ellard reported that since January 2003, there had been 12 instances of intentional misuse of NSA collection systems. Of these 12 cases, only 8 involved current or past lovers or spouses, most of them foreigners, and they were brought to light either through auditing controls or self-reporting.

Apparently more often, male analysts alerted each other of nude photos they found among target communications, "at least as long as there weren't any women around" - which may be one of the reasons that the NSA has adopted a strong diversity policy. (p. 280)

Snowden on the other hand was most touched by "the family stuff" and recalls how he saw a webcam recording of a little boy sitting in the lap of his father, an Indonesian engineer who had applied for a job at a research university in Iran "that was suspected of being related to a nuclear program or a cyberattack" and therefore became of interest to the NSA. (p. 281-282)

As unprofessional as some of his colleagues were by sharing nudes, Snowden seems to have had difficulty keeping a professional distance from his targets. The video with the boy reminded him so much of his own father that he, almost in shock, realized that he would probably never see his family again. (p. 282)

Daniel K. Inouye International Airport in Honolulu, Hawaii
(photo: hellochris/Wikimedia Commons)

Leaving NSA Hawaii

In the weeks before leaving for Hong Kong, Snowden copied the last set of documents he intended to disclose and tried to decide in which country it would be best to meet Poitras and Greenwald. With Russia and China out of bounds, the elimination process left him with Hong Kong. (p. 283-284)

The final preparations he made "were those of a man about to die". He told his supervisor at Booz Allen that he needed a leave of absence of a couple of weeks for epilepsy treatment on the US mainland and he left his girlfriend a note saying that he was called away for work. (p. 283-284)

Then Snowden packed some luggage, including several thumb drives full of NSA documents, and four laptops: one for secure communications, one for normal communications, a decoy and one that he kept "airgapped". He left his smartphone at home, went to the airport and bought a ticket in cash for the next flight to Tokyo. There, he bought another ticket in cash and arrived in Hong Kong on May 20, 2013. (p. 285)

> To be continued!

Links & sources

- Le Monde: Bug Brother: Pourquoi je préfère la BD sur Snowden à son autobiographie (Dec. 18, 2019)
- Emptywheel: Snowden Needs a Better Public Interest Defense, Part I - Part II (Nov.-Dec. 2019)
- Rolf's Blog: Review of Ed Snowden's "Permanent Record" (Oct. 10, 2019)
- The New York Review of Books: Snowden in the Labyrinth (Oct. 2019)
- Matthew Green: Looking back at the Snowden revelations (Sept. 24, 2019)
- The New Yorker: Edward Snowden and the Rise of Whistle-Blower Culture (Sept. 23, 2019)
- The New Republic: Edward Snowden's Novel Makeover (Sept. 17, 2019)
- Wired: After 6 Years in Exile, Edward Snowden Explains Himself (Sept. 16, 2019)
- The Guardian: Interview by Ewen MacAskill (Sept. 13, 2019)
- Der Spiegel: 'If I Happen to Fall out of a Window, You Can Be Sure I Was Pushed' (Sept. 13, 2019)
- House Permanent Select Committee on Intelligence: Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden (Sept. 15, 2016)
- Wired: Edward Snowden: The Untold Story (Aug. 2014)
- Vanity Fair: The Snowden Saga: A Shadowland of Secrets and Light (May 2014)