December 12, 2019

Review of Snowden's book Permanent Record - Part II: At the NSA

(Updated: December 20, 2019)

More than 6 years after the first disclosure of Top Secret documents from the NSA, after numerous video appearances and more than 4000 tweets, Edward Snowden has now written an autobiography. It's titled Permanent Record and was published simultaneously in over 20 countries on September 17.

An extensive discussion of the first half of this book, from Snowden's youth to his jobs at the CIA, is provided in Part I of this review. Here, it's about his time at the NSA, which he accuses of collecting everyone's information and storing it forever. However, the book in no way substantiates these claims, misrepresents the NSA collection programs and fails to justify his massive theft of classified data.




 


Sysadmin at the NSA in Japan

In August 2009 Snowden moved to Japan for his first job at the NSA. This was yet another contractor job, as he was hired by Perot Systems (which was taken over by Dell in September 2009) under the Agency Extended Information Systems Services (AXISS) contract of the NSA.

His new workplace was at the NSA's Pacific Technical Center (PTC) at Yokota Air Base, near Tokyo. This facility was opened in 2003 as "the sister organization to the highly successful European Technical Center (ETC), essential technical and logistical services to vital cryptologic missions in the Pacific Theater."

Here, Snowden worked as a systems administrator responsible for maintaining the local NSA systems and helping to connect the NSA's systems to those of the CIA. As such he found out that the NSA was far ahead in terms of cyberintelligence, but far behind when it came to cybersecurity:
"In Geneva, we'd had to haul the hard drives out of the computer every night and lock them up in a safe - and what's more, those drives were encrypted. The NSA, by contrast, hardly bothered to encrypt anything."
(p. 166)

EPICSHELTER

In Japan, Snowden noticed that the NSA had no proper backup system: because of limited bandwidth, local collection sites often did not send copies back to NSA headquarters. He then engineered an automated backup and storage system that was initially named EPICSHELTER, but was later renamed Storage Modernization Plan/Program. (p. 166-168)

This system would constantly scan the files at every NSA facility and only if the agency lacked a copy of it back home would the data be automatically queued for transmission. It's not known how accurate this description is, because no original documents about EPICSHELTER have been published.
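The mechanism the book attributes to EPICSHELTER (scan a site's files, send only what headquarters lacks, deduplicate so identical files travel once) is what a content-addressed backup queue does. The following is an added example of that general pattern, not code from the NSA or from the book; the hash choice, function names, the headquarters-side catalogue of hashes and the sample files are all assumptions, since no original documents about the system are public.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files never sit in memory whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_site(root: Path) -> dict[str, list[Path]]:
    """Index every file under a site directory by content hash.

    Identical files share one key, which is what makes deduplication
    possible: only one copy per distinct content ever needs to travel."""
    index: dict[str, list[Path]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            index.setdefault(sha256_of(p), []).append(p)
    return index


def build_transfer_queue(local_index: dict[str, list[Path]],
                         hq_hashes: set[str]) -> list[tuple[str, Path]]:
    """Queue one path per content hash that headquarters does not hold yet.

    `hq_hashes` is an assumed stand-in for a headquarters-side catalogue;
    exchanging hashes instead of files is what keeps the bandwidth cost low."""
    return [(digest, paths[0])
            for digest, paths in local_index.items()
            if digest not in hq_hashes]


def bytes_saved(local_index: dict[str, list[Path]],
                queue: list[tuple[str, Path]]) -> int:
    """Bytes present locally that the dedup and catalogue check avoided sending."""
    total = sum(p.stat().st_size for paths in local_index.values() for p in paths)
    sent = sum(p.stat().st_size for _, p in queue)
    return total - sent


def demo() -> list[str]:
    """Constructed sample site: three files, one a duplicate, one already at HQ."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "a.txt").write_bytes(b"report one")
        (site / "b.txt").write_bytes(b"report one")   # duplicate of a.txt
        (site / "c.txt").write_bytes(b"report two")   # already catalogued at HQ
        hq_hashes = {hashlib.sha256(b"report two").hexdigest()}
        queue = build_transfer_queue(scan_site(site), hq_hashes)
        return sorted(p.name for _, p in queue)


if __name__ == "__main__":
    print(demo())   # ['a.txt']
```

Of the three sample files only `a.txt` is queued: `b.txt` is byte-identical to it and `c.txt` is already known at headquarters. The same catalogue lookup is what lets a central store grow without re-transmitting material it already holds, which is the point the book's description of deduplication makes.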

It's likely though that the scope of the system was smaller than the book suggests and only handled documents and reports produced by NSA employees, not the data the agency intercepted (in Oliver Stone's biographical thriller the fictional Snowden says that EPICSHELTER was only "collecting our finished intel").

For its intercepted communications, the NSA already had a system with a more or less similar function: XKEYSCORE, which in 2008 consisted of filtering systems at some 150 local collection sites. Analysts instruct these local filters to select data of interest, which are subsequently transferred to the agency's central databases. Data that are not of interest disappear from the system's rolling buffer after around 30 days.



Slide from an NSA presentation about XKEYSCORE
showing its federated query hierarchy


Leaving readers with the impression that EPICSHELTER copied and stored virtually all of the NSA's data, Snowden writes:
"The combination of deduplication and constant improvements in storage technology allowed the agency to store intelligence data for progressively longer periods of time. Just over the course of my career, the agency's goal went from being able to store intelligence for days, to weeks, to months, to five years or more after its collection. By the time of this book's publication, the agency might already be able to store it for decades." (p. 167)
Snowden then claims that it is the NSA's ultimate dream "to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory. The permanent record." (p. 168)
 

The Utah Data Center

Given that Permanent Record is the title of the book, one would expect a solid substantiation of this claim, but the only "corpus delicti" that Snowden comes up with is the huge $1.2 billion data center that the NSA built near Bluffdale, Utah, which was probably first reported in July 2009. (p. 246-247)

Snowden says that within the NSA this data center was initially called "Massive Data Repository" but then renamed to "Mission Data Repository" to sound less creepy. This isn't a unique designation for the Utah complex though, because from other sources we know that the NSA has multiple Mission Data Repository (MDR) cloud platforms.

We can assume that Snowden looked and searched for internal NSA documents about the Utah Data Center (UDC), but either he found nothing, or nothing has been published. Maybe that's because it's simply a big back-up facility for the US Intelligence Community as a whole?

That at least seems a plausible option given its official name of "Intelligence Community Comprehensive National Cybersecurity Initiative Data Center" with the purpose of providing a secure and resilient environment supporting the nation's cyber security.

The only relevant piece from the Snowden trove is a map showing that in Utah one can find the NSA's Utah Language Center and two of the NSA's GHOSTMACHINE (GM) cloud computing platforms, codenamed gmCAVE and gmPEACH. It's not clear though whether this is the situation before or after the opening of the data center.



Slide from a 2012 NSA presentation showing the locations
of the agency's GHOSTMACHINE cloud platforms
 

Permanent Record?

Contrary to Snowden's claim about a "permanent record", many of the data the NSA collects are actually stored for much shorter periods of time. For the programs where communications from foreign targets are collected inside the United States the maximum retention periods for unevaluated data are:
- PRISM (targeted collection from internet companies): 5 years
- Upstream (targeted collection from backbone cables): 2 years
- Section 215 (bulk collection of domestic telephone metadata): 5 years

It seems there were no clear storage restrictions for data collected outside the US under EO 12333 authority, but examples show that they were not kept very long: the NSA's main database for internet metadata, MARINA, stored data for a year, while the massive data processing system RT-RG used in Iraq and Afghanistan could hold its data initially for not more than a month.

In response to the Snowden disclosures, president Obama issued Presidential Policy Directive 28 (PPD-28) in which he determined that personal information about foreigners shall also "not be retained for more than 5 years".

However, Obama's directive didn't change the policy that encrypted communications may be stored indefinitely, something that was useful in the past when only things of importance were encrypted, but makes less sense nowadays. It's ironic that when Snowden urges us to encrypt our data, that actually means they could be stored much longer than if we don't.

Update:
On December 12, 2019, the NSA's Inspector General (IG) published a report about the retention requirements for SIGINT data. Many data have to be deleted after a number of years, but the report found several deficiencies in that process. The IG made 11 recommendations and the NSA agreed to implement all of them.
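The retention limits quoted above only mean something if deletion is actually enforced, which is exactly the process the IG report found deficient. As an added example, not code from the NSA, the IG or the book, here is a small retention audit of the kind such a review would run over a collection store: it applies the periods the text quotes (PRISM 5 years, Upstream 2 years, Section 215 5 years, and the PPD-28 limit of 5 years for personal information about foreigners collected under EO 12333), treats encrypted material as having no deadline, as the text describes, and reports both records that should already be gone and records that no retention rule covers at all. The record format, the program labels and the sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Maximum retention for unevaluated data, in years, as quoted in the text.
# "EO12333" carries the PPD-28 limit for personal information about foreigners.
RETENTION_YEARS = {
    "PRISM": 5,
    "UPSTREAM": 2,
    "SECTION215": 5,
    "EO12333": 5,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    program: str
    collected: date
    encrypted: bool = False   # encrypted material may be kept indefinitely


def expiry_date(rec: Record) -> date | None:
    """Date from which the record must be gone; None means no deadline."""
    if rec.encrypted:
        return None
    years = RETENTION_YEARS[rec.program]
    try:
        return rec.collected.replace(year=rec.collected.year + years)
    except ValueError:   # collected on 29 February, target year not a leap year
        return rec.collected.replace(year=rec.collected.year + years, day=28)


def audit(records: list[Record], today: date) -> dict[str, list[str]]:
    """Flag records still present after their deadline and records with no rule.

    Both are findings: an undeleted record is a retention violation, and a
    record whose program has no retention rule cannot be shown compliant."""
    overdue: list[str] = []
    no_rule: list[str] = []
    for rec in records:
        if rec.program not in RETENTION_YEARS and not rec.encrypted:
            no_rule.append(rec.record_id)
            continue
        deadline = expiry_date(rec)
        if deadline is not None and today >= deadline:
            overdue.append(rec.record_id)
    return {"overdue": overdue, "no_retention_rule": no_rule}


def demo() -> dict[str, list[str]]:
    """Constructed store, audited on the IG report's publication date."""
    store = [
        Record("r1", "PRISM", date(2014, 6, 1)),        # past 5 years: overdue
        Record("r2", "UPSTREAM", date(2018, 3, 1)),     # 2-year deadline in 2020
        Record("r3", "SECTION215", date(2014, 11, 30)), # deadline 2019-11-30: overdue
        Record("r4", "PRISM", date(2010, 1, 1), encrypted=True),  # no deadline
        Record("r5", "UNKNOWN", date(2012, 5, 5)),      # no rule covers it
    ]
    return audit(store, date(2019, 12, 12))


if __name__ == "__main__":
    print(demo())   # {'overdue': ['r1', 'r3'], 'no_retention_rule': ['r5']}
```

Note the two ways the check can fail: a record that outlives its period is an obvious finding, but a record whose program is not mapped to any period is a finding too, because nothing can ever expire it. The encrypted record from 2010 is not flagged at all, which is the policy consequence the text calls ironic.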


Misleading

The limitations on storing data from PRISM, Upstream and Section 215 only became public through the declassification of opinions from the FISA Court as well as from a report from the NSA's Civil Liberties and Privacy Office, both in response to one-sided press reports about these programs.

This means that while he was working at the NSA, Snowden may not have been aware of these limitations and therefore jumped to the conclusion that the agency wanted to store its data as long as possible. But by still not mentioning these limited retention periods in his book, Snowden deliberately misleads his readers.
 

Snowden's atomic moments

According to Permanent Record, Japan was Snowden's "atomic moment" where he realized that "if my generation didn't intervene the escalation would only continue" and surveillance would become "the ear that always hears, the eye that always sees, a memory that is sleepless and permanent." (p. 184-185)

There were however two moments that raised his suspicions:


1. China's domestic surveillance

The first moment was when the NSA's Pacific Technical Center hosted a conference on China and Snowden had to step in as a replacement by giving a briefing about the intersection between counterintelligence and cyberintelligence. (p. 169)

Preparing his briefing, he read about China's mass surveillance against its own citizens and then suspected that the US government was doing the same, because "if something can be done, it probably will be done, and possibly already has been". (p. 170-171)

But how could such surveillance remain secret in an open society like that of the United States, while even the censoring and monitoring measures from the tightly controlled Chinese society are well known? And what would such domestic surveillance have to do with the NSA, which is a military foreign intelligence agency?

Like more radical privacy activists, Snowden seems to assume that intelligence agencies like the NSA and CIA desperately want to spy on their own citizens.* But if the government really wants to do so, there are other and easier options, for instance through the FBI and other law enforcement agencies that have wiretap powers and access to government and private databases.

Another example of mixing these things up is when Snowden describes that he couldn't tell his girlfriend that his "former coworkers at the NSA could target her for surveillance and read the love poems she texted me." It's hard to believe that Snowden really thought that: if there would have been a reason to monitor her, it would have been done by the FBI, not the NSA. (p. 197)
 

2. The STELLARWIND report

The second moment that apparently scared Snowden was when he read a very secret report about the President's Surveillance Program (PSP), which was established by president George W. Bush after the attacks of 9/11. It gave the NSA the power to track down foreign terrorists without a warrant from the Foreign Intelligence Surveillance Court (FISC) and was therefore also known as Warrantless Wiretapping.

An unclassified report about the PSP was published in July 2009, which gave Snowden the impression that graver things had been going on than just targeted interception of terrorists. This suspicion sent him searching for the classified report on the President's Surveillance Program, which he only found somewhat later by chance. (p. 174-175)
Update:
While being interviewed for The Joe Rogan Experience podcast on October 23, 2019, Snowden said that he found the classified version of the STELLARWIND report only somewhere in 2012. It turned up when he ran some "dirty word searches" to help out the Windows network systems administration team that sat next to him when he was in the Office of Information Sharing at NSA Hawaii (see below).

The report appeared to be in a separate classification compartment under the code name STELLARWIND (STLW), and it only surfaced because someone from the office of the NSA's Inspector General who had come to Hawaii had left a draft copy on a lower-security system, where it popped up as something that Snowden had to remove and delete. Instead, he read it all the way through. (p. 175)



The first page of the highly classified STELLARWIND report


After reading the highly restricted report, Snowden found that "the activities it outlined were so deeply criminal that no government would ever allow it to be released unredacted". (p. 176)

This claim requires an explanation of the STELLARWIND program, which doesn't follow in the book, despite the fact that the classified report is very detailed. It makes clear that the program encompassed 4 components:
- Targeted collection of telephony content
- Targeted collection of internet content
- Bulk collection of domestic telephony metadata
- Bulk collection of domestic internet metadata

This may look massive, but on page 9 of the report NSA director Michael Hayden is cited saying that "NSA would not collect domestic communications". Furthermore it explains that the program was only used to collect communications from:
- Members of al-Qaeda and its affiliates (since October 2001)
- Targets related to Afghanistan (until January 2002)
- The Iraqi Intelligence Service (from March 2003 to March 2004)

The content of these targets' communications was collected by filtering backbone cable traffic using some 11,000 phone numbers and e-mail addresses.* On pages 38 and 39 the report says that the bulk collection of both telephone and internet metadata was also strictly limited to finding unknown conspirators of known members of al-Qaeda.

Between 2004 and 2007, all four components of the STELLARWIND program were moved from the president's authority to that of the FISA Court (FISC), based upon a creative interpretation of the Patriot Act and the new Protect America Act.

According to the original report, STELLARWIND was not used for large-scale monitoring of American citizens,* but that's not something we learn from Permanent Record, which is not only misleading but also fails to account for the reason why Snowden was apparently so upset after reading it.


Security clearance reinvestigation

In September 2010, Edward Snowden left Japan and returned to Maryland, where Dell provided him a new job as a technical solutions consultant for their CIA contract, a job that didn't require a security clearance, because the CIA refused to grant him access to classified information (see Part I of this review).

Around that time, Snowden was also due for a periodic background reinvestigation, but when the review was completed in May 2011, no derogatory information had been found. According to the HPSCI-report this was because the investigation was incomplete as, for example, it "never attempted to verify Snowden's CIA employment or speak to his CIA supervisors".

Not much later, Snowden was diagnosed with epilepsy, after which he took a four-month disability leave from work until January 2012. According to his memoir, he decided "to start over" and take a less stressful job in Hawaii, where the climate and more relaxed lifestyle were better for preventing epileptic seizures. (p. 215)

Did Snowden, who clearly didn't fit into a government bureaucracy, ever consider a private sector job in Silicon Valley, where there's an equally nice climate? Or was he determined enough to find out more about mass surveillance to stay inside the Intelligence Community, although not yet ready to sacrifice everything for that goal? (p. 215)
 

Sysadmin at the NSA in Hawaii

By the end of March 2012, Snowden and his girlfriend had moved to Hawaii, where he got a new job for Dell at the NSA's regional Cryptologic Center.

While most NSA employees had moved to a new building in the beginning of 2012, Snowden and other technical support workers remained in the so-called Kunia Tunnel, a three-story underground bunker facility originally built for aircraft assembly during World War II.

Here, he worked for exactly one year, until March 2013, as a SharePoint systems administrator and the sole employee of the Office of Information Sharing. It was "a significant step down the career ladder, with duties I could at this point perform in my sleep." (p. 214)



The tunnel entrance to the former Kunia Regional Security Operations Center
in Hawaii, where Snowden worked from March 2012 to March 2013
(photo: NSA)
 

Whistleblower?

Just like in his first job at CIA headquarters Snowden started with automating his tasks by writing scripts to do the work for him "so as to free up my time for something more interesting." (p. 214)

That more interesting activity is described in what is probably the most important and most surprising revelation of Permanent Record:
"I want to emphasize this: my active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I'd first had back in 2009 in Tokyo. Three years later I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned." (p. 215)

Here, Snowden basically admits that he isn't a whistleblower: he wasn't confronted with illegal activities or significant abuses and subsequently collected evidence of that, but acted the other way around by gathering as much information as he could get, based only upon a vague and, as we have seen, rather far-fetched suspicion.

Snowden also doesn't share whether he found any concrete misconduct in those numerous files, things that could have triggered his decision to hand them over to journalists. He even omits almost all the disclosures made by the press, which means that Permanent Record contains hardly anything that justifies his unprecedented data theft.



E-mail from Snowden as systems administrator in Hawaii, August 2012
Declassified by the NSA in June 2016


Readboards and Heartbeat

While his colleagues at the Kunia Tunnel watched Fox News, Snowden's quest for information started with reading what he calls "readboards", a kind of digital bulletin board where each NSA site posted news and updates. (p. 220)

He started hoarding documents from all these readboards, creating an archive of everything he thought was interesting. After a complaint about exceeding his storage quota, Snowden came up with the idea to share his personal collection with his colleagues, as a justification, or "the perfect cover", for collecting material from more and more sources. (p. 221, 256)

He then got approval from his boss to create an automated readboard that would perpetually scan for new and unique documents, not only from NSAnet, but also from the networks of the CIA, the FBI as well as from JWICS, the high-level Defense Department intelligence network. (p. 221)

Instead of only gathering titles and metadata like common RSS-readers do, the system had to pull in full documents so NSA Hawaii would have access to all the necessary information in case the fiber-optic cable that connected it with NSA headquarters would be disconnected as a result of a power outage or a cyber attack.

Snowden called the new system Heartbeat (not in capitals in the book) because "it took the pulse" of the NSA and of the wider Intelligence Community (IC), but the program was also important for another reason: "Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat." (p. 221-222)



Mock-up of the Heartbeat interface in Oliver Stone's biographical thriller Snowden
(screenshot from Snowden)


Scraping tools and stolen passwords

The HPSCI-report says Snowden started his mass downloading of NSA data somewhere around August 1, 2012, using two common scraping tools, called DownThemAll! and wget. These tools were available for legitimate system administrator purposes, but Snowden used them to scrape "all information from internal NSA networks and classified webpages of other IC elements."

This is followed by two redacted sections, so it's not known whether the report acknowledges that this scraping effort was part of an authorized program named Heartbeat. Snowden doesn't mention the scraping tools in his book, but in a video appearance on August 20, 2019, he admitted that he "wrote some scrapers".

Besides the bulk downloading, the HPSCI-report says that Snowden used "his systems administrator privileges to search across other NSA employees' personal network drives and copy what he found on their drives". He also searched for "files related to the promotion and hiring decisions" on the personal network drives of people who had been involved in decisions about jobs for which Snowden had applied.

Already in November 2013, Reuters reported that Snowden even persuaded maybe up to 25 fellow workers to give him their logins and passwords, but in a live chat in January 2014, Snowden vehemently denied this: "I never stole any passwords, nor did I trick an army of co-workers".

The HPSCI-report from 2016 confirmed Reuters' reporting and says that Snowden asked "several of his co-workers for their security credentials so he could obtain information that they could access, but he could not. One of these co-workers subsequently lost his security clearance and resigned from NSA employment."

One would expect that Permanent Record addresses these specific and quite serious accusations, but they are completely ignored. In more general terms however, the book confirms Snowden's almost insatiable desire for information regardless of whether he was entitled to it - he almost seems proud of how easily he could circumvent auditing controls and internal monitoring systems like MIDNIGHTRIDER. (p. 256)


"Collect it All"

While almost "every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance", like American citizens or foreign leaders, Snowden's own curiosity was of technical nature: "the better you can understand a program's mechanics, the better you can understand its potential for abuse." (p. 222)

While Glenn Greenwald saw the slide below as evidence that NSA really wants to "Collect it All", Snowden now says that this was "just PR speak, marketing jargon" intended to impress America's Five Eyes partners and therefore gave him "no insight into how exactly that ambition was realized in technological terms." (p. 222-224)



Slide from a presentation about satellite collection capabilities
at Menwith Hill Station in the United Kingdom, 2011


Given how keen Snowden was to find out the inner workings of the NSA's collection systems, surprisingly little detail about them is found in his book. For example, the best-known and most controversial programs, Section 215 and PRISM, are addressed in only one paragraph each. (p. 222-223)

Just as little information is provided about other NSA collection programs - apparently because such details would undermine Snowden's repetitive claim that the NSA tries to collect everyone's data to store them forever. For example:

- Bulk collection of domestic telephone metadata under Section 215 was limited to counter-terrorism investigations and only used for contact-chaining with no more than 288 seed numbers in 2012, resulting in 6000 numbers that analysts actually looked at.

- Targeted collection from internet companies under PRISM doesn't allow "direct access" to the servers of the companies, has multiple layers of oversight and was used against roughly 160,000 specific foreign targets in 2018.


TURBULENCE, TURMOIL and TURBINE

The most detailed, but still rather limited description in Permanent Record is that of the technologies behind Upstream collection, which is the interception of foreign communications at backbone cables and switching facilities. Snowden says that if you want to look something up on the internet, it has to pass "through TURBULENCE, one of the NSA's most powerful weapons." (p. 225)


According to an internal NSA dictionary, TURBULENCE isn't so much a weapon, but a "framework of mission modernization". A detailed explanation of this framework on the weblog of Robert Sesek shows that it has nine different components, including TURMOIL and TURBINE, which also feature in Snowden's book:

TURMOIL is installed at many locations around the world and makes a copy of a data stream based upon selectors like e-mail addresses, credit card or phone numbers, etc. Suspicious traffic is then tipped over to TURBINE, which uses algorithms to decide whether computer exploits should be used against certain kinds of web traffic. Then, TURBINE injects the exploits in the web traffic back to the target's computer: "Your entire digital life now belongs to them". (p. 225-226)

Snowden claims that these systems "are the most invasive elements of NSA's mass surveillance system, if only because they're the closest to the user." But as TURMOIL filters communications traffic for data that match specific selectors, this qualifies as targeted collection, which is generally preferred over indiscriminate bulk collection.

It's only because Snowden has the habit of describing all the NSA's collection efforts as if they are directed against everyone and anyone ("your traffic", "your digital life") that even targeted collection sounds very scary, but as long as you're not a target, these exploits won't find their way to your computer.



A slide from an unpublished NSA presentation about the TUMULT component of
the TURBULENCE program as seen in the documentary film Citizenfour
(screenshot by paulmd)
 

Exfiltrating the data

In his memoir, Snowden says that the big decisions in (his) life are made subconsciously and only express themselves once fully formed: "once you're finally strong enough to admit to yourself that this is what your conscience has already chosen for you." (p. 214)

Snowden's preparations for leaking to the press apparently started in August 2012, which is earlier than previously assumed. But before handing over his personal collection of Top Secret files, he wanted to "search them and discard the irrelevant and uninteresting, along with those containing legitimate secrets". (p. 256-257)

This was quite difficult on monitored NSA computers, so he took an old Dell PC that he found in a forgotten corner: "Under the guise of compatibility testing, I could transfer the files to these old computers, where I could search, filter, and organize them as much as I wanted, as long as I was careful." (p. 256-257)

It seems that Snowden used this desktop computer as a "thin-on-thick" device, which means that it officially served as a thin client. According to the HPSCI-report Snowden requested such a thin-on-thick computer in late August 2012, which is less than a month after he started bulk downloading internal NSA files.


Careful evaluation?

This set-up allowed Snowden to get "the files I wanted all neatly organized into folders" and later on, he assured that he "carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest". (p. 258)

Given the huge number of files that he handed over (the book says nothing about their exact number), it's hard to imagine that Snowden was able to evaluate them as carefully as he said. In his memoir he already admits how complicated this was:
"Sometimes I'd find a program with a recognizable name, but without an explanation of what it did. Other times I'd just find a nameless explanation, with no indication as to whether the capability it described was an active program or an aspirational desire. I was running up against compartments within compartments, caveats within caveats, suites within suites, programs within programs" (p. 217)

Apparently it was as difficult for Snowden as it was for the journalists to make sense out of these never-before-seen documents, but with the difference that Snowden had less than a year to study them part-time, while a dozen journalists and their assistants have worked on them for over five years and may still not have solved all the puzzles.

Even in his hotel room in Hong Kong, in the week before he would meet Greenwald and Poitras, Snowden was sorting his archive, and in order to make it as comprehensible as possible for nontechnical people he also put together dictionaries and glossaries of abbreviations like CCE, CSS, DNI and NOFORN. (p. 288-289)


All these efforts didn't prevent mistakes in the early press reports, like for example that the NSA had "direct access" to the servers of Facebook, Google, and other internet companies. The misinterpretation of the BOUNDLESSINFORMANT slides was another major case that made clear that both Snowden and the journalists lacked enough information about this tool.


When in April 2015, John Oliver expressly asked whether he really had read every single document, Snowden eventually backed down from his original statement saying "Well, I do understand what I turned over" and slowly conceded that his actions carried dangers regardless of his own intentions or competence.


The Rubik's Cube

The next step in exfiltrating the files was getting them out of the Kunia Tunnel complex. Taking pictures with a smartphone wasn't an option, so Snowden decided to copy them onto mini- and micro-SD cards. They have so little metal in them that they will hardly trigger metal detectors, but are extremely slow to write: it can take up to 8 hours to fill a single card. (p. 258-259)

This had to be repeated multiple times and so Snowden sneaked the SD cards past the security checks in different ways: in his sock, in his cheek (so he could swallow it if needed) and at the bottom of his pocket. He doesn't confirm or deny whether he also used a Rubik's Cube to hide an SD card, or that the cube was just used to distract the guards. (p. 259)



Oliver Stone's film Snowden showing how an SD card was hidden in a Rubik's Cube
(screenshot from Snowden)


At home, Snowden transferred the files from the SD cards to a larger storage device and secured them with multiple layers and different methods of encryption. Altogether, the documents fitted on a single drive, which he left out in the open on his desk at his home, confident that they were protected by the encryption. (p. 262-263)


Handing over the files

On December 1, 2012 Snowden first contacted columnist Glenn Greenwald, but when it proved to be difficult for him to set up an encrypted communications channel, Snowden contacted film maker Laura Poitras on January 13, 2013, after he had received her public key through Micah Lee from the Electronic Frontier Foundation. (p. 250-253)

It's not clear when Snowden sent Poitras the first set of documents that she showed to Greenwald on their flight to Hong Kong.* Eventually, they each received a copy of the full archive when they met Snowden on June 2/3 at his room in the Mira Hotel.

An intriguing story that's not in Permanent Record, but was told in Harper's Magazine from May 2017 is that already on May 10, 2013, Snowden had sent (encrypted) backup copies of the NSA files in postal packages to Jessica Bruder in New York, to Trevor Timm of the Freedom of the Press Foundation, to one person who wants to remain anonymous, and to one unknown person.

In his book, Snowden tries to explain how thoroughly he secured his own archive of NSA documents (through some kind of key distribution scheme), but how about the keys for what was in these packages? And what has happened to the packages?

 

Infrastructure analyst at the NSA in Hawaii

On March 30, 2013, Edward Snowden started a new job as an infrastructure analyst for intelligence contractor Booz Allen Hamilton (BAH) at the NSA/CSS Threat Operations Center (NTOC) of NSA Hawaii.

NTOC is a watch center that provides real-time network monitoring and cyber defense capabilities and is located in the NSA's new Joseph J. Rochefort Building (nicknamed "Roach Fort" or "The Roach"), which was officially opened in January 2012.



The Joseph J. Rochefort Building of NSA/CSS Hawaii near Wahiawa in Honolulu
where Snowden worked from mid-April to mid-May 2013.
(still from CBS News)


There are different versions of the reason why Snowden took this new job. In his memoir he says that after reading about all those NSA programs, systems and tools, his final desire was to see how they were operated by the analysts who take the actual targeting decisions: "Was there anyone this machine could not surveil?" (p. 275-276)

He was especially interested in the XKEYSCORE system, which would later be presented as the NSA's "widest-ranging tool, used to search nearly everything a user does on the Internet". The Booz Allen job as an infrastructure analyst allowed him to work with XKEYSCORE to monitor suspicious activities of hostile cyber actors on the infrastructure of the internet. (p. 277)


Dual-hat authority

Another and more specific reason was given in an interview from June 24, 2013 with the South China Morning Post (SCMP) in which Snowden said that he took the new job because: "My position with Booz Allen Hamilton granted me access to lists of machines all over the world the NSA hacked".

Later, Snowden explained that in his opinion "we’ve crossed lines. We're hacking [Chinese] universities and hospitals and wholly civilian infrastructure rather than actual government targets and military targets." It was to get access to this kind of information that he took the new job, which "gave him rare dual-hat authority covering both domestic and foreign intercept capabilities".

That "dual-hat" also allowed Snowden to find out whether "vast amounts of US communications were being intercepted and stored without a warrant, without any requirement for criminal suspicion, probable cause, or individual designation."

In his new job he continued copying internal NSA documents (maybe he could still use his previous sysadmin privileges?), but to actually exfiltrate them, he had to return after hours to his old desk with the thin-on-thick computer at the Kunia Tunnel - according to the HPSCI report.


By-catch conversations

According to Greenwald's book No Place to Hide, Snowden had an even bigger goal in mind when he applied for the job as an infrastructure analyst: the raw surveillance repositories of the NSA. "He took a pay cut to get that job, as it gave him access to download the final set of files he felt he needed to complete the picture of NSA spying."

He succeeded and handed the files over to Barton Gellman from The Washington Post, which in July 2014 reported on these ca. 22,000 collection reports from 2009 to 2012, which contained roughly 160,000 intercepted e-mails and instant-messages. Analysis showed that they came from more than 11,000 accounts, while 9 out of 10 account holders were not the intended targets and nearly half of them Americans.

These online conversations were intercepted through PRISM and Upstream, which is targeted collection, but in Snowden's view it clearly crossed the line of proportionality. In The Post he said that such a "continued storage of data of innocent bystanders in government databases is both troubling and dangerous. Who knows how that information will be used in the future?"

The future danger is largely mitigated by the limited retention period of up to 5 years, but the fact that even this targeted collection leads to such a large amount of by-catch is one of the most problematic aspects of the NSA's operations. Therefore it's puzzling that Snowden doesn't mention this issue at all in his book, especially because The Washington Post's report is not widely known.



Witnessing abuses?

Before starting his new job, Snowden first had to attend a two-week training course at NSA headquarters. There, and during "the short stint I put in at Booz back in Hawaii, were the only times I saw, firsthand, the abuses actually being committed that I'd previously read about in internal documentation." (p. 279)

Here, one expects an explanation of these abuses, but as we will see, Snowden only presents some minor cases in which the NSA's collection system was misused by individual analysts, which doesn't even come close to an organization "in which malfeasance has become so structural as to be a matter not of any particular initiative, but of an ideology" as Snowden puts it. (p. 235)


XKEYSCORE

It's allegedly XKEYSCORE that enables these abuses, but it remains unclear whether Snowden actually has a good understanding of how this system works. At least his descriptions in the book are incomplete and misleading.

He says that by studying the technical specs he found out that XKEYSCORE works "by 'packetizing' and 'sessionizing,' or cutting up the data of a user's online sessions into manageable packets for analysis" - actually, 'sessionizing' means the opposite: the small IP packets in which internet communications travel are reassembled into their original format (a web request, an e-mail, a chat session) for further analysis. (p. 278-279)
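To make the distinction concrete, here is a toy sessionizer, added as an example for this review and not code from the book or from any NSA system. It takes individually captured TCP segments (constructed sample data below, using documentation IP ranges) and reassembles each flow's payload bytes into the stream the application actually sent, which is what "sessionizing" refers to: the packets are the transport-level fragments, the session is the reconstructed conversation an analyst (or an intrusion detection system such as Zeek or Wireshark's "follow stream") would look at. The code ignores the TCP handshake and acknowledgements and treats the 4-tuple of addresses and ports as the flow key; those simplifications are my own assumptions.

```python
"""Toy TCP sessionizer: reassemble per-flow payload streams from packets.

Added example; the packets below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


# A flow is identified by the (src, sport, dst, dport) 4-tuple.
FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def sessionize(packets: List[Packet]) -> Dict[FlowKey, bytes]:
    """Group packets by flow and rebuild each flow's byte stream.

    Handles the usual wire conditions: segments of different flows are
    interleaved, segments arrive out of order, and some are retransmitted
    (full duplicates or partial overlaps). A gap with no data is filled
    with '?' bytes so the caller can see that something was lost.
    """
    flows: Dict[FlowKey, List[Packet]] = {}
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p)

    streams: Dict[FlowKey, bytes] = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.seq)          # restore transmission order
        expected = pkts[0].seq                   # next byte we have not seen
        buf = bytearray()
        for p in pkts:
            end = p.seq + len(p.payload)
            if end <= expected:
                continue                         # full retransmission, drop
            if p.seq < expected:
                buf += p.payload[expected - p.seq:]   # keep only the new tail
            else:
                if p.seq > expected:
                    buf += b"?" * (p.seq - expected)  # mark missing bytes
                buf += p.payload
            expected = max(expected, end)
        streams[key] = bytes(buf)
    return streams


# Constructed sample: one HTTP request and one SMTP exchange, interleaved,
# with flow A's segments arriving out of order and one of them twice.
A = ("10.0.0.5", 40001, "203.0.113.7", 80)
B = ("10.0.0.9", 40002, "198.51.100.3", 25)
SAMPLE_PACKETS = [
    Packet(*B, 500, b"EHLO mail.example\r\n"),
    Packet(*A, 1010, b".html HTTP/1.1\r\n"),      # arrives before its predecessor
    Packet(*A, 1000, b"GET /index"),
    Packet(*B, 519, b"QUIT\r\n"),
    Packet(*A, 1000, b"GET /index"),              # retransmission
    Packet(*A, 1026, b"Host: example.com\r\n\r\n"),
]


def packet_view(packets: List[Packet]) -> List[Tuple[FlowKey, int, int]]:
    """What the wire looks like before sessionizing: (flow, seq, length)."""
    return [(flow_key(p), p.seq, len(p.payload)) for p in packets]


if __name__ == "__main__":
    for entry in packet_view(SAMPLE_PACKETS):
        print("packet:", entry)
    for key, stream in sessionize(SAMPLE_PACKETS).items():
        print("session:", key, stream)
```

Run stand-alone it prints six packet records followed by two reconstructed sessions; the point is that neither the out-of-order arrival nor the duplicate segment survives into the session view, which is why analysis tools operate on sessions rather than on the packets Snowden describes.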



Diagram showing the dataflow for the DeepDive version of XKEYSCORE


Snowden describes the back end of XKEYSCORE as "an interface that allows you to type in pretty much anyone's address, telephone number, or IP address, and then basically go through the recent history of their online activity." He then says that he would have been able to type in the names of the NSA director or the US president. (p. 279)

He already claimed to have such an "authority" in his very first video appearance on June 9, 2013, but afterwards, Glenn Greenwald had to admit that although such searches would not be legally permitted, they were technically possible.

The technical possibilities however are limited too, because in order to retrieve communications via XKEYSCORE, the NSA first has to have physical access to communication links that contain the target's traffic. Therefore it's definitely not the case that "Everyone's communications were in the system" as Snowden says. (p. 279)

What Snowden doesn't tell us is that the actual purpose of XKEYSCORE, and its unique capability, is finding files which are not associated with specific selectors so analysts can trace targets who are using the internet anonymously.


Intimate images

Snowden assumes that none of his new colleagues intended to abuse XKEYSCORE's capabilities, but if they did, it would be for personal rather than professional reasons. This led to what he calls "the practice known as LOVEINT [...] in which analysts used the agency's programs to surveil their current and former lovers". (p. 280)

It's rather exaggerated to call this a practice because in 2013, NSA Inspector General George Ellard reported that since January 2003, there had been 12 instances of intentional misuse of NSA collection systems. Of these 12 cases, only 8 involved current or past lovers or spouses, most of them foreigners, and they were brought to light either through auditing controls or self-reporting.

Apparently more often, male analysts alerted each other of nude photos they found among target communications, "at least as long as there weren't any women around" - which may be one of the reasons that the NSA has adopted a strong diversity policy. (p. 280)

Snowden on the other hand was most touched by "the family stuff" and recalls how he saw a webcam recording of a little boy sitting in the lap of his father, an Indonesian engineer who had applied for a job at a research university in Iran "that was suspected of being related to a nuclear program or a cyberattack" and therefore became of interest to the NSA. (p. 281-282)

As unprofessional as some of his colleagues were by sharing nudes, Snowden seems to have had difficulty keeping a professional distance from his targets. The video with the boy reminded him so much of his own father that he, almost in shock, realized that he would probably never see his family again. (p. 282)



Daniel K. Inouye International Airport in Honolulu, Hawaii
(photo: hellochris/Wikimedia Commons)


Leaving NSA Hawaii

In the weeks before leaving for Hong Kong, Snowden copied the last set of documents he intended to disclose and tried to decide in which country it would be best to meet Poitras and Greenwald. With Russia and China out of bounds, the elimination process left him with Hong Kong. (p. 283-284)

The final preparations he made "were those of a man about to die". He told his supervisor at Booz Allen that he needed a leave of absence of a couple of weeks for epilepsy treatment on the US mainland and he left his girlfriend a note saying that he was called away for work. (p. 283-284)

Then Snowden packed some luggage, including several thumb drives full of NSA documents, and four laptops: one for secure communications, one for normal communications, a decoy and one that he kept "airgapped". He left his smartphone at home, went to the airport and bought a ticket in cash for the next flight to Tokyo. There, he bought another ticket in cash and arrived in Hong Kong on May 20, 2013. (p. 285)


> To be continued!


Links & sources

- Emptywheel.net: Insurance File: Glenn Greenwald’s Anger Is of More Use to Vladimir Putin than Edward Snowden’s Freedom (May 21, 2021)
- Le Monde: Bug Brother: Pourquoi je préfère la BD sur Snowden à son autobiographie (Dec. 18, 2019)
- Emptywheel: Snowden Needs a Better Public Interest Defense, Part I - Part II (Nov.-Dec. 2019)
- Rolf's Blog: Review of Ed Snowden's "Permanent Record" (Oct. 10, 2019)
- The New York Review of Books: Snowden in the Labyrinth (Oct. 2019)
- Matthew Green: Looking back at the Snowden revelations (Sept. 24, 2019)
- The New Yorker: Edward Snowden and the Rise of Whistle-Blower Culture (Sept. 23, 2019)
- The New Republic: Edward Snowden's Novel Makeover (Sept. 17, 2019)
- Wired: After 6 Years in Exile, Edward Snowden Explains Himself (Sept. 16, 2019)
- The Guardian: Interview by Ewen MacAskill (Sept. 13, 2019)
- Der Spiegel: 'If I Happen to Fall out of a Window, You Can Be Sure I Was Pushed' (Sept. 13, 2019)
- House Permanent Select Committee on Intelligence: Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden (Sept. 15, 2016)
- Wired: Edward Snowden: The Untold Story (Aug. 2014)
- Vanity Fair: The Snowden Saga: A Shadowland of Secrets and Light (May 2014)


6 comments:

Anonymous said...

Thanks for this very interesting & informative article.

Anonymous said...

Excellent. Eager for more.

Michel Campillo said...

Edward Snowden is absolutely a hero. His actions have had a powerful impact on foreign policy relations between the United States and the rest of the world. Thanks to the actions of Snowden and Greenwald we know details of PRISM surveillance program.

Apokrif said...

Waiting for part 3 :-)

Anonymous said...

You write:

"On December 1, 2012 Snowden first contacted columnist Glenn Greenwald, but when it proved to be difficult for him to set up an encrypted communications channel, Snowden contacted film maker Laura Poitras on January 13, 2013, after he had received her public key through Micah Lee from the Electronic Frontier Foundation. (p. 250-253)
It's not clear when Snowden sent Poitras the first set of documents that she showed to Greenwald on their flight to Hong Kong.* Eventually, they each received a copy of the full archive when they met Snowden on June 2/3 at his room in the Mira Hotel."


The answer might be found in the Citizenfour documentary. It has a scene (https://youtu.be/1CVs6-epA1o?si=lUBmyUBYNRR171Fb&t=1137) reportedly dated April 2013 in which Snowden instructs Poitras in an encrypted message to use the rsync tool to download an encrypted archive from a private server ("ghost@216.66.xx.xx"). It even shows that a key for the communication was indeed created January 13, 2013.


The archive is named "astro_noise" -- a name which Poitras later used as the name for her Whitney Museum of American Art exhibition and as the title of her book. From the exhibition promo material (https://whitney.org/exhibitions/laura-poitras): "The title, Astro Noise, refers to the faint background disturbance of thermal radiation left over from the Big Bang and is the name Edward Snowden gave to an encrypted file containing evidence of mass surveillance by the National Security Agency that he shared with Poitras in 2013."

The archive she downloads seems to be quite large as the download takes around 20 seconds with around 200 kB/s download speed to reach 1%. The material Poitras showed to Greenwald on their flight to Hong Kong probably came from this "astro_noise" archive.

This is somewhat confusing given the story pushed by Snowden folks that he avoided connecting his loot to the internet.

P/K said...

@Anonymous: Thank you for this very interesting observation!
