The Edward Snowden Affair (11 page)

Having perhaps learned their lesson the day before, members of Congress were notably silent. This may have been due to a White House directive. The surveillance issue had attracted enough attention for the president to formally address it. He did so on June 7 at the Fairmont Hotel in San Jose, California, hours before entering a summit with China’s president. Obama stated the PRISM program “does not apply to U.S. citizens and it does not apply to people living in the United States” before paradoxically adding, “I think it’s important to recognize that you can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience.”
³⁸
He echoes the legislation within Section 702 of FISA (which was reauthorized under the Obama administration in December 2012 after having been expanded by Bush four years before). The statute refuses any data request of an American citizen in or outside the United States. Under this law, an application is brought before FISC judges to determine if “targeting” and “minimization” requirements have been met (the latter process ensures there is a 51 percent or greater likelihood the target is not American). Upon approval, an order is then issued.

If the Internet companies were merely submitting data upon receipt of a subpoena, there would have been no story to report. It was logical for Greenwald and Gellman to assume that since the government went to great lengths to gerrymander access to telecommunications providers’ call data, it had done the same with the treasure trove of information the Internet offered. This idea had its own validity but PRISM’s existence all but declared this was taking place. What made the notion even more plausible were the dropboxes. If court orders demanded data, the Internet providers could merely extract and present it. There would be no need for the U.S. government to pay the companies millions of dollars to set up “secure portals.”
³⁹
Microsoft, Facebook and Yahoo affirmed they had built the requested data facilities.
⁴⁰
This indicated a blanket FISC order existed. Yet it was still unclear whether the Internet providers were depositing data after receiving individual FISC orders—in the firms’ terms, National Security Letters (NSL)—or whether the intelligence community had full, unfettered access to the dropboxes which were duplicating all incoming data.

Gellman believed he had the U.S. government in a corner. At any moment Washington would bow to the Internet companies’ pressure to let them release the paperwork that forced them to turn over data. The message from the companies was clear: “Either let us regain the confidence of the consumer before our stocks plummet, or the next election cycle will be sparsely funded.” It was a good plan and almost worked.

NSLs would prove blanket access hadn’t been granted and Section 702 was being followed. The next week Microsoft
⁴¹
and Facebook
⁴²
presented transparency reports for the second half of 2012, but they were accompanied by an asterisk: The government would only allow the information to be made public if the data lumped together all other requests from local, state and federal law enforcement agencies. To further obfuscate the issue, totals were rounded to the nearest 1,000. Microsoft showed a minimum average of 32 requests per day, affecting user accounts every six minutes. The following week Yahoo
⁴³
and Apple
⁴⁴
would report the first half of 2013. PalTalk and AOL didn’t even bother to appease their clients, because it was futile. The implication was apparent. Without permission to publish the individual court order or letters and no way to prove to customers the aggregated data wasn’t fabricated or merely the number of times the government had dipped into a company’s dropbox, Greenwald and Gellman’s claims could not be successfully refuted. But they had not been conclusively proven either. Though the argument was in their favor, Greenwald and Gellman still needed to establish they were right.

Gellman was no Greenwald when it came to journalistic blackmail. Washington had been unwilling to take another direct hit after the Verizon fiasco. Internet companies adamantly objected. They could only watch as people uninstalled Yahoo toolbars, turned off Skype, deactivated Facebook accounts and transferred Gmail files to email providers with reputations for privacy. Questions continued to linger.

Though The Electronic Privacy Information Center had released data showing applications had indeed been presented to the FISC, the report didn’t ease tensions or fill in any blanks. The requests had been rubber stamped. Only two of 8,591 appeals had been rejected between 2008 and 2012.
⁴⁵
(A single rejection out of 1,789 requests had taken place in 2012.)
⁴⁶
This does not mean that out of nearly a quarter of a billion American Internet users, only five per day were being investigated. Under 702, once an application has been approved, additional names and Internet services can be added without further authorization. This is undoubtedly when contact chaining commences. An approved order remains open for one year.

Loose ends were abundant. The PRISM slide clearly informs an analyst that data is “[c]ollect[ed] directly from the servers.” Yet Gellman included in his revision, “[C]ollection managers [can send] content tasking instructions directly to equipment installed at company-controlled locations.” Even more puzzling is that Google admitted compliance with PRISM but, unlike its Internet peers, does not use a dropbox to deliver information. It either transports by hand or transfers data over an encrypted FTP channel.
⁴⁷
There was no subsequent explanation why the NSA permits this form of electronic (and much less expensive) transport for one company but the other eight firms were bound to dropboxes. The reports either fail to explore or barely mention whether domestic communication providers were being obligated to release data they had access to as a result of business arrangements with foreign providers or if U.S. law applied to an American company’s overseas servers. This is important because a Texan’s email may travel to Europe to reach a friend in Florida. Servers do not take the shortest route but the cheapest.
⁴⁸
Google operates in Europe, Asia and South America.
⁴⁹

Greenwald didn’t have to change a word of his article because he knew he was right. Gellman tried extortion because he lacked something Greenwald had when presenting his Verizon exposé: proof. But Greenwald was aware it had been a trying time for the American government. He opted to give Washington a thematic intermission before producing conclusive evidence the U.S. government was spying on its citizens.

Within hours of the
Post
rewrite and just before President Obama was to host his Chinese equivalent—newly elected Xi Jinping—at Rancho Mirage, California, to discuss alleged cyberattacks emanating out of the People’s Republic,
The Guardian
released, “Obama orders US to draw up overseas target list for cyber-attacks.”
⁵⁰

The article presents an unpublished Presidential Policy Directive issued in October 2012.
⁵¹
The document instructs the secretary of defense, director of national intelligence and head of the CIA to create a list of overseas targets of “national importance” for possible cyberattacks. The purpose of the tentative attacks is not heightened defense, retaliatory action or even as a pre-emptive measure. It is to “advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” Dauntingly the commander in chief also humors domestic targeting but specifies such theoretical operations cannot be carried out unless he has issued his consent or there is a national emergency, whereby various departments are authorized to act autonomously. Likewise the 18-page manuscript states cyberattacks are to conform to U.S. and international law unless they are overridden by presidential approval.

The order tells its recipients to remain mindful of the possible consequences: loss of life, property damage, retaliatory responses, injury to international trade and regressive foreign policy impact. Greenwald acknowledges a history of debate precedes the directive. Security researchers and academes have frequently voiced concern over the possibility that offensive cyber initiatives may result in full-scale warfare if collateral damages are heavy enough.

Greenwald quotes an unnamed intelligence insider as stating that the president’s pending cyber grievance with China is hypocritical. A month after the directive’s April deadline expired and less than half a year after the Pentagon greenlit expansion of American’s Cyber Command Unit, the U.S. government reported on what could easily be interpreted as retaliatory hacking by China into the Pentagon’s military programs. Obama was already entering the informal summit with China holding, in the words of the Director of the National Computer Network Emergency Response Technical Team/Coordination Center of China Huang Chengqing, “mountains of data” documenting previous American attacks.
⁵²
The timeline of American cyber aggression toward the Asian superpower is unspecified, but Obama’s order was an update of a 2004 National Security Presidential Directive. In only a few days, Snowden would provide evidence that China’s attacks had emanated from the clandestine offices of the American government.

At the end of the two-day conference, pundits criticized Obama for skirting around the subject of international cyberattacks. Though China refused to deny it had hacked combat aircraft and ship designs atop missile defense systems (Huang merely muttered that if the U.S. wanted to keep such documents secret, it shouldn’t put them online), America was contending with its Eastern competitor being aware that almost three-million Chinese computers had been hacked by 4,062 U.S.-based computer servers.
⁵³
They deliberately spoke in ambiguous umbrella terms and shied away from particulars. The two leaders agreed they had “similar concerns” over an issue that is a “doubled-edged sword.” Jinping let the American president escort the conversation over to mutual disapproval of North Korea’s continued nuclear development and the topic of global warming.
⁵⁴

Intermission was over. Greenwald didn’t have time to see if the American government would take the bait from the Internet companies’ demands for transparency. It was time to prove to the American people they were being watched.

On Saturday, June 8, Greenwald hit hard with “Boundless Informant: the NSA’s secret tool to track global surveillance data.”
⁵⁵
This exposé is relatively short compared to his previous three articles, because the data speaks for itself. The report opens with the news agency declaring it has irrefutable proof the NSA is recording American communications. Accompanied by a screenshot, four slides and an unclassified but in-house user guide for analysts, Greenwald introduces the top secret program Boundless Informant, a tool that summarizes and reports the NSA’s metadata collection records and history.

The crux of the article focuses upon a color-coded heat map of the world produced by Boundless Informant. It shows how much data had been collected from each country during March 2013. Condemningly, the United States is presented in a median color after having nearly three billion pieces of data extracted. The program offers an analyst the option of reviewing a particular nation’s recorded volume and can break it down into categorical types of surveilled information.

Greenwald humbly announces that the existence of Boundless Informant makes it extremely difficult for the NSA to declare it doesn’t spy on its citizenry. He notes that the month the screenshot was captured, Senator Wyden asked Intelligence Director Clapper, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper starkly replied, “No sir.” (He would later infamously state that his response had been the “least most untruthful.”)
⁵⁶
One of the accompanying slides attests that the program has been in use since at least July 2012. For obvious reasons, the NSA does not want Congress to know it has or is using this type of technology. This is likely the reason one of its slides states that FISA data is not collected by Boundless Informant.

Greenwald makes sure to highlight that the NSA knew it had to quickly change its story. NSA spokesperson Judith Emmel informed
The Guardian
that U.S. intelligence does “not have the ability to determine with certainty the identity or location of
all
[my emphasis] communicants within a given communication.” Greenwald relays that Boundless Informant’s data breakdown can pinpoint report information to an individual Internet Protocol (IP) address. This means the analyst knows at least what region, if not city, a person is in, if not the exact computer that produced the data. When placed alongside consumer reports or even the social networking information derived from telecoms’ metadata, a user’s search habits easily confirm who they are. As she desperately tries to validate her claims, Emmel digs the hole even deeper: “Current technology simply does not permit us to positively identify
all
[my emphasis] of the persons or locations associated with a given communication. [ … ] It is harder to know the ultimate source or destination, or more particularly the identity of the person represented by the TO:, FROM: or CC: field of an email address or the abstraction of an IP address.” Aside from the frightening insinuation involved in her use of the term “current,” Emmel is careful not to categorically deny that individual identification is impossible, merely “harder.”

The existence of Boundless Informant proved surveillance programs like PRISM were capturing American data. The question that remained was whether U.S. intelligence was deliberately seeking its citizens’ information. After shifting gears once Boundless Informant was revealed, the official statement became that American data interception was “incidental.” What makes this claim immediately suspicious is the previously mentioned requirement that analysts must possess a 51% or greater certainty a slated target isn’t a U.S. citizen. No one seemed to know why the federal government had to resort to guessing which of its people were its own. Though Greenwald had cast light on what the U.S. government had been doing behind closed doors, questions remained. But it appeared as if the journalist had run out of answers. Indeed he had for the time being, but he knew someone who did.