· 5 years ago · Dec 28, 2019, 03:54 PM
1PART TWO
2 https://gsu.st/hW5y
3 https://gsu.st/hW5y
4 https://gsu.st/hW5y
5In sum, during my time in the field, the field was rapidly changing. The agency was increasingly adamant that COs
6 https://gsu.st/hW5y
7enter the new millennium, and technical field officers like myself were tasked with helping them do that in addition
8 https://gsu.st/hW5y
9to all of our other duties. We put them online, and they put up with us.
10 https://gsu.st/hW5y
11Geneva was regarded as ground zero for this transition because it contained the world’s richest environment of
12 https://gsu.st/hW5y
13sophisticated targets, from the global headquarters of the United Nations to the home offices of numerous specialized
14 https://gsu.st/hW5y
15UN agencies and international nongovernmental organizations. There was the International Atomic Energy Agency, which
16 https://gsu.st/hW5y
17promotes nuclear technology and safety standards worldwide, including those that relate to nuclear weaponry; the
18 https://gsu.st/hW5y
19International Telecommunication Union, which— through its influence over technical standards for everything from the
20 https://gsu.st/hW5y
21radio spectrum to satellite orbits—determines what can be communicated and how; and the World Trade Organization,
22 https://gsu.st/hW5y
23which—through its regulation of the trade of goods, services, and intellectual property among participating nations—
24 https://gsu.st/hW5y
25determines what can be sold and how. Finally, there was Geneva’s role as the capital of private finance, which
26 https://gsu.st/hW5y
27allowed great fortunes to be stashed and spent without much public scrutiny regardless of whether those fortunes were
28 https://gsu.st/hW5y
29ill-gotten or well earned.
30 https://gsu.st/hW5y
31The notoriously slow and meticulous methods of traditional spycraft certainly had their successes in manipulating
32 https://gsu.st/hW5y
33these systems for America’s benefit, but ultimately too few to satisfy the ever-increasing appetite of the American
34 https://gsu.st/hW5y
35policy makers who read the IC’s reports, especially as the Swiss banking sector—along with the rest of the world—went
36 https://gsu.st/hW5y
37digital. With the world’s deepest secrets now stored on computers, which were more often than not connected to the
38 https://gsu.st/hW5y
39open Internet, it was only logical that America’s intelligence agencies would want to use those very same connections
40 https://gsu.st/hW5y
41to steal them.
42 https://gsu.st/hW5D
43Before the advent of the Internet, if an agency wanted to gain access to a target’s computer it had to recruit an
44 https://gsu.st/hW5D
45asset who had physical access to it. This was obviously a dangerous proposition: the asset might be caught in the act
46 https://gsu.st/hW5D
47of downloading the secrets, or of implanting the exploitative hardware and
48software that would radio the secrets to their handlers. The global spread of digital technology simplified this
49 https://gsu.st/hW5D
50process enormously. This new world of “digital network intelligence” or “computer network operations” meant that
51 https://gsu.st/hW5D
52physical access was almost never required, which reduced the level of human risk and permanently realigned the
53
54HUMINT/SIGINT balance. An agent now could just send the target a message, such as an email, with attachments or links
55 https://gsu.st/hW5D
56that unleashed malware that would allow the agency to surveil not just the target’s computer but its entire network.
57
58Given this innovation, the CIA’s HUMINT would be dedicated to the identification of targets of interest, and SIGINT
59 https://gsu.st/hW5D
60would take care of the rest. Instead of a CO cultivating a target into an asset—through cash-on-the-barrel bribery,
61
62or coercion and blackmail if the bribery failed—a few clever computer hacks would provide a similar benefit. What’s
63 https://gsu.st/hW5D
64more, with this method the target would remain unwitting, in what would inevitably be a cleaner process.
65 https://gsu.st/hW5D
66That, at least, was the hope. But as intelligence increasingly became “cyberintelligence” (a term used to
67 https://gsu.st/hW5D
68distinguish it from the old phone-and-fax forms of off-line SIGINT), old concerns also had to be updated to the new
69 https://gsu.st/hW5D
70medium of the Internet. For example: how to research a target while remaining anonymous online.
71 https://gsu.st/hW5D
72This issue would typically emerge when a CO would search the name of a person from a country like Iran or China in
73 https://gsu.st/hW5D
74the agency’s databases and come up empty-handed. For casual searches of prospective targets like these, No Results
75
76was actually a fairly common outcome: the CIA’s databases were mostly filled with people already of interest to the
77
78agency, or citizens of friendly countries whose records were more easily available. When faced with No Results, a CO
79
80would have to do the same thing you do when you want to look someone up: they’d turn to the public Internet. This was
81 https://gsu.st/hW5D
82risky.
83
84Normally when you go online, your request for any website travels from your computer more or less directly to the
85 https://gsu.st/hW5D
86server that hosts your final destination—the website you’re trying to visit. At every stop along the way, however,
87
88your request cheerfully announces exactly where on the Internet it came from, and exactly where on the Internet it’s
89 https://gsu.st/hW5D
90going, thanks to identifiers called source and destination headers, which you can think of as the address information
91
92on a postcard. Because of these headers, your Internet browsing can easily be identified as yours by, among others,
93
94webmasters, network administrators, and foreign intelligence services.
95 https://gsu.st/hW5D
96It may be hard to believe, but the agency at the time had no good answer for what a case officer should do in
97
98this situation, beyond weakly
99recommending that they ask CIA headquarters to take over the search on their behalf. Formally, the way this
100
101ridiculous procedure was supposed to work was that someone back in McLean would go online from a specific computer
102 https://gsu.st/hW5D
103terminal and use what was called a “nonattributable research system.” This was set up to proxy—that is, fake the
104
105origin of—a query before sending it to Google. If anyone tried to look into who had run that particular search, all
106
107they would find would be an anodyne business located somewhere in America—one of the myriad fake executive-headhunter
108
109or personnel-services companies the CIA used as cover.
110
111I can’t say that anyone ever definitively explained to me why the agency liked to use “job search” businesses as a
112
113front; presumably they were the only companies that might plausibly look up a nuclear engineer in Pakistan one day
114
115and a retired Polish general the next. I can say with absolute certainty, however, that the process was ineffective,
116
117onerous, and expensive. To create just one of these covers, the agency had to invent the purpose and name of a
118
119company, secure a credible physical address somewhere in America, register a credible URL, put up a credible website,
120
121and then rent servers in the company’s name. Furthermore, the agency had to create an encrypted connection from those
122
123servers that allowed it to communicate with the CIA network without anyone noticing the connection. Here’s the
124
125kicker: After all of that effort and money was expended just to let us anonymously Google a name, whatever front
126
127business was being used as a proxy would immediately be burned—by which I mean its connection to the CIA would be
128
129revealed to our adversaries—the moment some analyst decided to take a break from their research to log in to their
130
131personal Facebook account on that same computer. Since few of the people at headquarters were undercover, that
132
133Facebook account would often openly declare, “I work at the CIA,” or just as tellingly, “I work at the State
134
135Department, but in McLean.”
136
137Go ahead and laugh. Back then, it happened all the time.
138
139During my stint in Geneva, whenever a CO would ask me if there was a safer, faster, and all-around more efficient way
140
141to do this, I introduced them to Tor.
142
143The Tor Project was a creation of the state that ended up becoming one of the few effective shields against the
144
145state’s surveillance. Tor is free and open- source software that, if used carefully, allows its users to browse
146
147online with the closest thing to perfect anonymity that can be practically achieved at scale. Its protocols were
148
149developed by the US Naval Research Laboratory throughout the mid-1990s, and in 2003 it was released to the public—to
150
151the
152worldwide civilian population on whom its functionality depends. This is because Tor operates on a cooperative
153
154community model, relying on tech- savvy volunteers all over the globe who run their own Tor servers out of their
155
156basements, attics, and garages. By routing its users’ Internet traffic through these servers, Tor does the same job
157
158of protecting the origin of that traffic as the CIA’s “non-attributable research” system, with the primary difference
159
160being that Tor does it better, or at least more efficiently. I was already convinced of this, but
161
162convincing the gruff COs was another matter altogether.
163
164With the Tor protocol, your traffic is distributed and bounced around through randomly generated pathways from Tor
165
166server to Tor server, with the purpose being to replace your identity as the source of a communication with that of
167
168the last Tor server in the constantly shifting chain. Virtually none of the Tor servers, which are called “layers,”
169
170know the identity of, or any identifying information about, the origin of the traffic. And in a true stroke of
171
172genius, the one Tor server that does know the origin—the very first server in the chain—does not know where that
173
174traffic is headed. Put more simply: the first Tor server that connects you to the Tor network, called a gateway,
175
176knows you’re the one sending a request, but because it isn’t allowed to read that request, it has no idea whether
177
178you’re looking for pet memes or information about a protest, and the final Tor server that your request passes
179
180through, called an exit, knows exactly what’s being asked for, but has no idea who’s asking for it.
181
182This layering method is called onion routing, which gives Tor its name: it’s The Onion Router. The classified joke
183
184was that trying to surveil the Tor network makes spies want to cry. Therein lies the project’s irony: here was a US
185
186military–developed technology that made cyberintelligence simultaneously harder and easier, applying hacker know-how
187
188to protect the anonymity of IC officers, but only at the price of granting that same anonymity to adversaries and to
189
190average users across the globe. In this sense, Tor was even more neutral than Switzerland. For me personally, Tor was
191
192a life changer, bringing me back to the Internet of my childhood by giving me just the slightest taste of freedom
193
194from being observed.
195
196
197
198NONE OF THIS account of the CIA’s pivot to cyberintelligence, or SIGINT on the Internet, is meant to imply that
199
200the agency wasn’t still doing some significant HUMINT, in the same manner in which it had always done so, at
201
202least since the advent of the modern IC in the aftermath of World War II.
203Even I got involved, though my most memorable operation was a failure. Geneva was the first and only time in my
204
205intelligence career in which I made the personal acquaintance of a target—the first and only time that I looked
206
207directly into the eyes of a human being rather than just recording their life from afar. I have to say, I found the
208
209whole experience unforgettably visceral and sad.
210
211Sitting around discussing how to hack a faceless UN complex was psychologically easier by a wide margin. Direct
212
213engagement, which can be harsh and emotionally draining, simply doesn’t happen that much on the technical side of
214
215intelligence, and almost never in computing. There is a depersonalization of experience fostered by the distance of a
216
217screen. Peering at life through a window can ultimately abstract us from our actions and limit any meaningful
218
219confrontation with their consequences.
220
221I met the man at an embassy function, a party. The embassy had lots of those, and the COs always went, drawn as much
222
223by the opportunities to spot and assess potential candidates for recruitment as by the open bars and cigar salons.
224
225Sometimes the COs would bring me along. I’d lectured them on my specialty long enough, I guess, that now they were
226
227all too happy to lecture me on theirs, cross-training me to help them play “spot the sap” in an
228
229environment where there were always more people to meet than they could possibly handle on their own. My native
230
231geekiness meant I could get the young researchers from CERN (Conseil Européen pour la Recherche Nucléaire: European
232
233Council for Nuclear Research) talking about their work with a voluble excitement that the MBAs and political science
234
235majors who comprised the ranks of our COs had trouble provoking on their own.
236
237As a technologist, I found it incredibly easy to defend my cover. The moment some bespoke-suited cosmopolite asked me
238
239what I did, and I responded with the four words “I work in IT” (or, in my improving French, je travaille dans
240
241l’informatique), their interest in me was over. Not that this ever stopped the conversation. When you’re a fresh-
242
243faced professional in a conversation outside your field, it’s never that surprising when you ask a lot of questions,
244
245and in my experience most people will jump at the chance to explain exactly how much more they know than you do about
246
247something they care about deeply.
248
249The party I’m recalling took place on a warm night on the outside terrace of an upscale café on one of the side
250
251streets alongside Lake Geneva. Some of the COs wouldn’t hesitate to abandon me at such a gathering if they had to in
252order to sit as close as possible to whatever woman happened to match their critical intelligence-value indicators of
253
254being highly attractive and no older than a student, but I wasn’t about to complain. For me, spotting targets was a
255
256hobby that came with a free dinner.
257
258I took my plate and sat down at a table next to a well-dressed Middle Eastern man in a cuff-linked, demonstratively
259
260Swiss pink shirt. He seemed lonely, and totally exasperated that no one seemed interested in him, so I asked him
261
262about himself. That’s the usual technique: just be curious and let them talk. In this case, the man did so much
263
264talking that it was like I wasn’t even there. He was Saudi, and told me about how much he loved Geneva, the relative
265
266beauties of the French and Arabic languages, and the absolute beauty of this one Swiss girl with whom he—yes—had a
267
268regular date playing laser tag. With a touch of a conspiratorial tone, he said that he worked in private wealth
269
270management. Within moments I was getting a full-on polished presentation about what, exactly, makes a private bank
271
272private, and the challenge of investing without moving markets when your clients are the size of sovereign wealth
273
274funds.
275
276“Your clients?” I asked.
277
278That’s when he said, “Most of my work is on Saudi accounts.”
279
280After a few minutes, I excused myself to go to the bathroom, and on the way there I leaned over to tell the CO who
281
282worked finance targets what I’d learned. After a necessarily too-long interval “fixing my hair,” or texting Lindsay
283
284in front of the bathroom mirror, I returned to find the CO sitting in my chair. I waved to my new Saudi friend before
285
286sitting down beside the CO’s discarded, smoky-eyed date. Rather than feeling bad, I felt like I’d really earned the
287
288Pavés de Genève that were passed around for dessert. My job was done.
289
290The next day, the CO, whom I’ll call Cal, heaped me with praise and thanked me effusively. COs are promoted or passed
291
292over based primarily on how effective they are at recruiting assets with access to information on matters substantial
293
294enough to be formally reported back to headquarters, and given Saudi Arabia’s suspected involvement in financing
295
296terror, Cal felt under tremendous pressure to cultivate a qualifying source. I was sure that in no time at all our
297
298fellow party guest would be getting a second paycheck from the agency.
299
300That was not quite how it worked out, however. Despite Cal’s regular forays with the banker to strip clubs and bars,
301
302the banker wasn’t warming up
303to him—at least not to the point where a pitch could be made—and Cal was getting impatient.
304
305After a month of failures, Cal was so frustrated that he took the banker out drinking and got him absolutely
306
307plastered. Then he pressured the guy to drive home drunk instead of taking a cab. Before the guy had even left the
308
309last bar of the night, Cal was calling the make and plate number of his car to the Geneva police, who not fifteen
310
311minutes later arrested him for driving under the influence. The banker faced an enormous fine, since in Switzerland
312
313fines aren’t flat sums but based on a percentage of income, and his driver’s license was suspended for three months—a
314
315stretch of time that Cal would spend, as a truly wonderful friend with a fake-guilty conscience, driving the guy back
316
317and forth between his home and work, daily, so that the guy could “keep his office from finding out.” When the fine
318
319was levied, causing his friend cash-flow problems, Cal was ready with a loan. The banker had become dependent, the
320
321dream of every CO.
322
323There was only one hitch: when Cal finally made the pitch, the banker turned him down. He was furious, having figured
324
325out the planned crime and the engineered arrest, and felt betrayed that Cal’s generosity hadn’t been genuine. He cut
326
327off all contact. Cal made a halfhearted attempt to follow up and do damage control, but it was too late. The banker
328
329who’d loved Switzerland had lost his job and was returning—or being returned—to Saudi Arabia. Cal himself was rotated
330
331back to the States.
332
333Too much had been hazarded, too little had been gained. It was a waste, which I myself had put in motion and then was
334
335powerless to stop. After that experience, the prioritizing of SIGINT over HUMINT made all the more sense to me.
336
337In the summer of 2008, the city celebrated its annual Fêtes de Genève, a giant carnival that culminates in fireworks.
338
339I remember sitting on the left bank of Lake Geneva with the local personnel of the SCS, or Special Collection
340
341Service, a joint CIA-NSA program responsible for installing and operating the special surveillance equipment that
342
343allows US embassies to spy on foreign signals. These guys worked down the hall from my vault at the embassy, but they
344
345were older than I was, and their work was not just way above my pay grade but way beyond my abilities—they had access
346
347to NSA tools that I didn’t even know existed. Still, we were friendly: I looked up to them, and they looked out for
348
349me.
350
351As the fireworks exploded overhead, I was talking about the banker’s case, lamenting the disaster it had been, when
352
353one of the guys turned to me
354and said, “Next time you meet someone, Ed, don’t bother with the COs—just give us his email address and we’ll take
355
356care of it.” I remember nodding somberly to this, though at the time I barely had a clue of the full implications of
357
358what that comment meant.
359
360I steered clear of parties for the rest of the year and mostly just hung around the cafés and parks of Saint-Jean
361
362Falaises with Lindsay, taking occasional vacations with her to Italy, France, and Spain. Still, something had soured
363
364my mood, and it wasn’t just the banker debacle. Come to think of it, maybe it was banking in general. Geneva is an
365
366expensive city and unabashedly posh, but as 2008 drew to a close its elegance seemed to tip over into extravagance,
367
368with a massive influx of the superrich—most of them from the Gulf states, many of them Saudi—enjoying the profits of
369
370peak oil prices on the cusp of the global financial crisis. These royal types were booking whole floors of five-star
371
372grand hotels and buying out the entire inventories of the luxury stores just across the bridge. They were putting on
373
374lavish banquets at the Michelin-starred restaurants and speeding their chrome-plated Lamborghinis down the cobbled
375
376streets. It would be hard at any time to miss Geneva’s display of conspicuous consumption, but the profligacy now on
377
378display was particularly galling—coming as it did during the worst economic disaster, as the American media kept
379
380telling us, since the Great Depression, and as the European media kept telling us, since the interwar period and
381
382Versailles.
383
384It wasn’t that Lindsay and I were hurting: after all, our rent was being paid by Uncle Sam. Rather, it’s that every
385
386time she or I would talk to our folks back home, the situation seemed grimmer. Both of our families knew people who’d
387
388worked their entire lives, some of them for the US government, only to have their homes taken away by banks after an
389
390unexpected illness made a few mortgage payments impossible.
391
392To live in Geneva was to live in an alternative, even opposite, reality. As the rest of the world became more
393
394and more impoverished, Geneva flourished, and while the Swiss banks didn’t engage in many of the types of risky
395
396trades that caused the crash, they gladly hid the money of those who’d profited from the pain and were never held
397
398accountable. The 2008 crisis, which laid so much of the foundation for the crises of populism that a decade later
399
400would sweep across Europe and America, helped me realize that something that is devastating for the public can be,
401
402and often is, beneficial to the elites. This was a lesson that the US government would confirm for me in other
403
404contexts, time and again, in the years ahead.
40516
406
407Tokyo
408
409The Internet is fundamentally American, but I had to leave America to fully understand what that meant. The World
410
411Wide Web might have been invented in Geneva, at the CERN research laboratory in 1989, but the ways by which the Web
412
413is accessed are as American as baseball, which gives the American Intelligence Community the home field advantage.
414
415The cables and satellites, the servers and towers—so much of the infrastructure of the Internet is under US control
416
417that over 90 percent of the world’s Internet traffic passes through technologies developed, owned, and/or operated by
418
419the American government and American businesses, most of which are physically located on American territory.
420
421Countries that traditionally worry about such advantages, like China and Russia, have attempted to make alternative
422
423systems, such as the Great Firewall, or the state-sponsored censored search engines, or the nationalized satellite
424
425constellations that provide selective GPS—but America remains the hegemon, the keeper of the master switches that can
426
427turn almost anyone on and off at will.
428
429It’s not just the Internet’s infrastructure that I’m defining as fundamentally American—it’s the computer software
430
431(Microsoft, Google, Oracle) and hardware (HP, Apple, Dell), too. It’s everything from the chips (Intel, Qualcomm), to
432
433the routers and modems (Cisco, Juniper), to the Web services and platforms that provide email and social networking
434
435and cloud storage (Google, Facebook, and the most structurally important but invisible Amazon, which provides cloud
436
437services to the US government along with half the Internet). Though some of these companies might manufacture their
438
439devices in, say, China, the companies themselves are American and are subject to American law. The problem is,
440
441they’re also subject to classified American policies that pervert law and permit the US government to surveil
442
443virtually every man, woman, and child who has ever touched a computer or picked up a phone.
444
445Given the American nature of the planet’s communications infrastructure, it should have been obvious that the US
446
447government would engage in this type of mass surveillance. It should have been especially obvious to me. Yet it
448
449wasn’t—mostly because the government kept insisting that it did nothing of the sort, and generally disclaimed the
450
451practice in courts and in the media in a manner so adamant that the few remaining skeptics who accused it of lying
452
453were treated like wild-haired conspiracy junkies. Their suspicions about secret NSA programs seemed
454
455hardly different from paranoid delusions
456involving alien messages being beamed to the radios in our teeth. We—me, you, all of us—were too trusting. But what
457
458makes this all the more personally painful for me was that the last time I’d made this mistake, I’d supported the
459
460invasion of Iraq and joined the army. When I arrived in the IC, I felt sure that I’d never be fooled again,
461
462especially given my top secret clearance. Surely that had to count for some degree of transparency. After all, why
463
464would the government keep secrets from its secret keepers? This is all to say that the obvious didn’t even become the
465
466thinkable for me until some time after I moved to Japan in 2009 to work for the NSA, America’s premier signals
467
468intelligence agency.
469
470It was a dream job, not only because it was with the most advanced intelligence agency on the planet, but also
471
472because it was based in Japan, a place that had always fascinated Lindsay and me. It felt like a country from the
473
474future. Though mine was officially a contractor position, its responsibilities and, especially, its location were
475
476more than enough to lure me. It’s ironic that only by going private again was I put in a position to understand what
477
478my government was doing.
479
480On paper, I was an employee of Perot Systems, a company founded by that diminutive hyperactive Texan who founded the
481
482Reform Party and twice ran for the presidency. But almost immediately after my arrival in Japan, Perot Systems was
483
484acquired by Dell, so on paper I became an employee of Dell. As in the CIA, this contractor status was all just
485
486formality and cover, and I only ever worked in an NSA facility.
487
488The NSA’s Pacific Technical Center (PTC) occupied one-half of a building inside the enormous Yokota Air Base. As the
489
490headquarters of US Forces Japan, the base was surrounded by high walls, steel gates, and guarded checkpoints.
491
492Yokota and the PTC were just a short bike ride from where Lindsay and I got an apartment in Fussa, a city at the
493
494western edge of Tokyo’s vast metropolitan spread.
495
496The PTC handled the NSA’s infrastructure for the entire Pacific, and provided support for the agency’s spoke sites in
497
498nearby countries. Most of these were focused on managing the secret relationships that let the NSA cover the Pacific
499
500Rim with spy gear, as long as the agency promised to share some of the intelligence it gleaned with regional
501
502governments—and so long as their citizens didn’t find out what the agency was doing. Communications interception was
503
504the major part of the mission. The PTC would amass “cuts” from captured signals and push them back across the ocean
505
506to Hawaii, and Hawaii, in turn, would push them back to the continental United States.
507My official job title was systems analyst, with responsibility for maintaining the local NSA systems, though much of
508
509my initial work was that of a systems administrator, helping to connect the NSA’s systems architecture with the
510
511CIA’s. Because I was the only one in the region who knew the CIA’s architecture, I’d also travel out to US embassies,
512
513like the one I’d left in Geneva, establishing and maintaining the links that enabled the agencies to share
514
515intelligence in ways that hadn’t previously been possible. This was the first time in my life that I truly realized
516
517the power of being the only one in a room with a sense not just of how one system functioned internally, but of how
518
519it functioned together with multiple systems—or didn’t. Later, as the chiefs of the PTC came to recognize that I had
520
521a knack for hacking together solutions to their problems, I was given enough of a leash to propose projects of my
522
523own.
524
525Two things about the NSA stunned me right off the bat: how technologically sophisticated it was compared with the
526
527CIA, and how much less vigilant it was about security in its every iteration, from the compartmentalization of
528
529information to data encryption. In Geneva, we’d had to haul the hard drives out of the computer every night and lock
530
531them up in a safe—and what’s more, those drives were encrypted. The NSA, by contrast, hardly bothered to encrypt
532
533anything.
534
535In fact, it was rather disconcerting to find out that the NSA was so far ahead of the game in terms of
536
537cyberintelligence yet so far behind it in terms of cybersecurity, including the most basic: disaster recovery, or
538
539backup. Each of the NSA’s spoke sites collected its own intel, stored the intel on its own local servers, and,
540
541because of bandwidth restrictions—limitations on the amount of data that could be transmitted at speed—often didn’t
542
543send copies back to the main servers at NSA headquarters. This meant that if any data were destroyed at a particular
544
545site, the intelligence that the agency had worked hard to collect could be lost.
546
547My chiefs at the PTC understood the risks the agency was taking by not keeping copies of many of its files, so they
548
549tasked me with engineering a solution and pitching it to the decision makers at headquarters. The result was a backup
550
551and storage system that would act as a shadow NSA: a complete, automated, and constantly updating copy of all
552
553of the agency’s most important material, which would allow the agency to reboot and be up and running again, with
554
555all its archives intact, even if Fort Meade were reduced to smoldering rubble.
556
557The major problem with creating a global disaster-recovery system—or
558really with creating any type of backup system that involves a truly staggering number of computers—is dealing with
559
560duplicated data. In plain terms, you have to handle situations in which, say, one thousand computers all have copies
561
562of the same single file: you have to make sure you’re not backing up that same file one thousand times, because that
563
564would require one thousand times the amount of bandwidth and storage space. It was this wasteful duplication, in
565
566particular, that was preventing the agency’s spoke sites from transmitting daily backups of their records to Fort
567
568Meade: the connection would be clogged with a thousand copies of the same file containing the same intercepted phone
569
570call, 999 of which the agency did not need.
571
572The way to avoid this was “deduplication”: a method to evaluate the uniqueness of data. The system that I designed
573
574would constantly scan the files at every facility at which the NSA stored records, testing each “block” of data down
575
576to the slightest fragment of a file to find out whether or not it was unique. Only if the agency lacked a copy of it
577
578back home would the data be automatically queued for transmission—reducing the volume that flowed over the agency’s
579
580transpacific fiber-optic connection from a waterfall to a trickle.
581
582The combination of deduplication and constant improvements in storage technology allowed the agency to store
583
584intelligence data for progressively longer periods of time. Just over the course of my career, the agency’s goal went
585
586from being able to store intelligence for days, to weeks, to months, to five years or more after its collection. By
587
588the time of this book’s publication, the agency might already be able to store it for decades. The NSA’s conventional
589
590wisdom was that there was no point in collecting anything unless they could store it until it was useful, and there
591
592was no way to predict when exactly that would be. This rationalization was fuel for the agency’s ultimate dream,
593
594which is permanency—to store all of the files it has ever collected or produced for perpetuity, and so create a
595
596perfect memory. The permanent record.
597
598The NSA has a whole protocol you’re supposed to follow when you give a program a code name. It’s basically an I
599
600Ching–like stochastic procedure that randomly picks words from two columns. An internal website throws imaginary dice
601
602to pick one name from column A, and throws again to pick one name from column B. This is how you end up with names
603
604that don’t mean anything, like FOXACID and EGOTISTICALGIRAFFE. The point of a code name is that it’s not supposed to
605
606refer to what the program does. (As has been reported, FOXACID was the code name for NSA servers that host malware
607
608versions of familiar websites; EGOTISTICALGIRAFFE was an NSA program intended to exploit a vulnerability in certain
609
610Web browsers
611running Tor, since they couldn’t break Tor itself.) But agents at the NSA were so confident of their power and the
612
613agency’s absolute invulnerability that they rarely complied with the regulations. In short, they’d cheat and redo
614
615their dice throws until they got the name combination they wanted, whatever they thought was cool: TRAFFICTHIEF, the
616
617VPN Attack Orchestrator.
618
619I swear I never did that when I went about finding a name for my backup system. I swear that I just rolled the bones
620
621and came up with EPICSHELTER.
622
623Later, once the agency adopted the system, they renamed it something like the Storage Modernization Plan or Storage
624
625Modernization Program. Within two years of the invention of EPICSHELTER, a variant had been
626
627implemented and was in standard use under yet another name.
628
629
630
631THE MATERIAL THAT I disseminated to journalists in 2013 documented such an array of abuses by the NSA,
632
633accomplished through such a diversity of technological capabilities, that no one agent in the daily discharge of
634
635their responsibilities was ever in the position to know about all of them—not even a systems administrator. To find
636
637out about even a fraction of the malfeasance,
638you had to go searching. And to go searching, you had to know that it existed.
639
640It was something as banal as a conference that first clued me in to that existence, sparking my initial suspicion
641
642about the full scope of what the NSA was perpetrating.
643
644In the midst of my EPICSHELTER work, the PTC hosted a conference on China sponsored by the Joint Counterintelligence
645
646Training Academy (JCITA) for the Defense Intelligence Agency (DIA), an agency connected to the Department of
647
648Defense that specializes in spying on foreign militaries and foreign military–related matters. This conference
649
650featured briefings given by experts from all the intelligence components, the NSA, CIA, FBI, and military, about how
651
652the Chinese intelligence services were targeting the IC and what the IC could do to cause them trouble. Though China
653
654certainly interested me, this wasn’t the kind of work I would ordinarily have been involved in, so I didn’t pay the
655
656conference much mind until it was announced that the only technology briefer was unable to attend at the last minute.
657
658I’m not sure what the reason was for that absence—maybe flu, maybe kismet— but the course chair for the conference
659
660asked if there was anyone at the PTC who might be able to step in as a replacement, since it was too late to
661
662reschedule. One of the chiefs mentioned my name, and when I was asked if I wanted to give it a shot, I said yes. I
663
664liked my boss, and wanted to help him
665out. Also, I was curious, and relished the opportunity to do something that wasn’t about data deduplication for a
666
667change.
668
669My boss was thrilled. Then he told me the catch: the briefing was the next day.
670
671I called Lindsay and told her I wouldn’t be home. I was going to be up all night preparing the presentation, whose
672
673nominal topic was the intersection between a very old discipline, counterintelligence, and a very new discipline,
674
675cyberintelligence, coming together to try to exploit and thwart the adversary’s attempts to use the Internet to
676
677gather surveillance. I started pulling everything off the NSA network (and off the CIA network, to which I still had
678
679access), trying to read every top secret report I could find about what the Chinese were doing online. Specifically,
680
681I read up on so-called intrusion sets, which are bundles of data about particular types of attacks, tools,
682
683and targets. IC analysts used these intrusion sets to identify specific Chinese military cyberintelligence or
684
685hacking groups, in the same way that detectives might try to identify a suspect responsible for a string of
686
687burglaries by a common set of characteristics or modus operandi.
688
689The point of my researching this widely dispersed material was to do more than merely report on how China was hacking
690
691us, however. My primary task was to provide a summary of the IC’s assessment of China’s ability to
692
693electronically track American officers and assets operating in the region.
694
695Everyone knows (or thinks they know) about the draconian Internet measures of the Chinese government, and some people
696
697know (or think they know) the gravamen of the disclosures I gave to journalists in 2013 about my own government’s
698
699capabilities. But listen: It’s one thing to casually say, in a science-fiction dystopic type of way, that a
700
701government can theoretically see and hear everything that all of its citizens are doing. It’s a very different thing
702
703for a government to actually try to implement such a system. What a science- fiction writer can describe in a
704
705sentence might take the concerted work of thousands of technologists and millions of dollars of equipment. To read
706
707the technical details of China’s surveillance of private communications—to read a complete and accurate accounting of
708
709the mechanisms and machinery required for the constant collection, storage, and analysis of the billions of
710
711daily telephone and Internet communications of over a billion people—was utterly mind-boggling. At first I was so
712
713impressed by the system’s sheer achievement and audacity that I almost forgot to be appalled by its totalitarian
714
715controls.
716
717After all, China’s government was an explicitly antidemocratic single- party state. NSA agents, even more than most
718
719Americans, just took it for
720granted that the place was an authoritarian hellhole. Chinese civil liberties weren’t my department. There wasn’t
721
722anything I could do about them. I worked, I was sure of it, for the good guys, and that made me a good guy, too.
723
724But there were certain aspects of what I was reading that disturbed me. I was reminded of what is perhaps the
725
726fundamental rule of technological progress: if something can be done, it probably will be done, and possibly
727
728already has been. There was simply no way for America to have so much information about what the Chinese were doing
729
730without having done some of the very same things itself, and I had the sneaking sense while I was looking through all
731
732this China material that I was looking at a mirror and seeing a reflection of America. What China was doing publicly
733
734to its own citizens, America might be—could be—doing secretly to the world.
735
736And although you should hate me for it, I have to say that at the time I tamped down my unease. Indeed, I did my best
737
738to ignore it. The distinctions were still fairly clear to me. China’s Great Firewall was domestically censorious and
739
740repressive, intended to keep its citizens in and America out in the most chilling and demonstrative way, while the
741
742American systems were invisible and purely defensive. As I then understood US surveillance, anyone in the world could
743
744come in through America’s Internet infrastructure and access whatever content they pleased, unblocked and unfiltered
745
746—or at least only blocked and filtered by their home countries and American businesses, which are, presumptively, not
747
748under US government control. It was only those who’d been expressly targeted for visiting, for example, jihadist
749
750bombing sites or malware marketplaces who would find themselves tracked and scrutinized.
751
752Understood this way, the US surveillance model was perfectly okay with me. It was more than okay, actually—I fully
753
754supported defensive and targeted surveillance, a “firewall” that didn’t keep anybody out, but just burned the guilty.
755
756But in the sleepless days after that sleepless night, some dim suspicion still stirred in my mind. Long after I gave
757
758my China briefing, I couldn’t help but keep digging around.
759
760
761
762AT THE START of my employment with the NSA, in 2009, I was only slightly more knowledgeable about its practices than
763
764the rest of the world. From journalists’ reports, I was aware of the agency’s myriad surveillance
765
766initiatives authorized by President George W. Bush in the immediate
767aftermath of 9/11. In particular, I knew about its most publicly contested initiative, the warrantless wiretapping
768
769component of the President’s Surveillance Program (PSP), which had been disclosed by the New York Times in 2005
770
771thanks to the courage of a few NSA and Department of Justice whistleblowers.
772
773Officially speaking, the PSP was an “executive order,” essentially a set of instructions set down by the American
774
775president that the government has to consider the equal of public law—even if they’re just scribbled secretly on a
776
777napkin. The PSP empowered the NSA to collect telephone and Internet communications between the United States
778
779and abroad. Notably, the PSP allowed the NSA to do this without having to obtain a special warrant from a Foreign
780
781Intelligence Surveillance Court, a secret federal court established in
7821978 to oversee IC requests for surveillance warrants after the agencies were caught domestically spying on the
783
784anti–Vietnam War and civil rights movements.
785
786Following the outcry that attended the Times revelations, and American Civil Liberties Union challenges to the
787
788constitutionality of the PSP in non- secret, regular courts, the Bush administration claimed to have let the program
789
790expire in 2007. But the expiration turned out to be a farce. Congress spent the last two years of the Bush
791
792administration passing legislation that retroactively legalized the PSP. It also retroactively immunized from
793
794prosecution the telecoms and Internet service providers that had participated in it. This legislation—the Protect
795
796America Act of 2007 and the FISA Amendments Act of 2008—employed intentionally misleading language to reassure US
797
798citizens that their communications were not being explicitly targeted, even as it effectively extended the
799
800PSP’s remit. In addition to collecting inbound communications coming from foreign countries, the NSA now also had
801
802policy approval for the warrantless collection of outbound telephone and Internet communications originating within
803
804American borders.
805
806That, at least, was the picture I got after reading the government’s own summary of the situation, which was issued
807
808to the public in an unclassified version in July 2009, the very same summer that I spent delving into Chinese cyber-
809
810capabilities. This summary, which bore the nondescript title Unclassified Report on the President’s Surveillance
811
812Program, was compiled by the Offices of the Inspector Generals of five agencies (Department of Defense, Department of
813
814Justice, CIA, NSA, and the Office of the Director of National Intelligence) and was offered to the public in lieu of
815
816a full congressional investigation of Bush-era NSA overreach. The fact that President Obama, once in office, refused
817
818to call for a full congressional
819investigation was the first sign, to me at least, that the new president—for whom Lindsay had enthusiastically
820
821campaigned—intended to move forward without a proper reckoning with the past. As his administration rebranded and
822
823recertified PSP-related programs, Lindsay’s hope in him, as well as my own, would prove more and more misplaced.
824
825While the unclassified report was mostly just old news, I found it informative in a few respects. I remember being
826
827immediately struck by its curious, they-do-protest-too-much tone, along with more than a few twists of logic and
828
829language that didn’t compute. As the report laid out its legal arguments in support of various agency
830
831programs—rarely named, and almost never described—I couldn’t help but notice the fact that hardly any of the
832
833executive branch officials who had actually authorized these programs had agreed to be interviewed by the inspector
834
835generals. From Vice President Dick Cheney and his counsel David Addington to Attorney General John Ashcroft and DOJ
836
837lawyer John Yoo, nearly every major player had refused to cooperate with the very offices responsible for
838
839holding the IC accountable, and the IGs couldn’t compel them to cooperate, because this wasn’t a formal investigation
840
841 involving testimony. It was hard for me to interpret their absence from the record as anything other than
842
843an admission of malfeasance.
844
845Another aspect of the report that threw me was its repeated, obscure references to “Other Intelligence Activities”
846
847(the capitalization is the report’s) for which no “viable legal rationale” or no “legal basis” could be found beyond
848
849President Bush’s claim of executive powers during wartime—a wartime that had no end in sight. Of course, these
850
851references gave no description whatsoever of what these Activities might actually be, but the process of deduction
852
853pointed to warrantless domestic surveillance, as it was pretty much the only intelligence activity not provided for
854
855under the various legal frameworks that appeared subsequent to the PSP.
856
857As I read on, I wasn’t sure that anything disclosed in the report completely justified the legal machinations
858
859involved, let alone the threats by then deputy attorney general James Comey and then FBI director Robert Mueller to
860
861resign if certain aspects of the PSP were reauthorized. Nor did I notice anything that fully explained the risks
862
863taken by so many fellow agency members—agents much senior to me, with decades of experience—and DOJ personnel
864
865to contact the press and express their misgivings about how aspects of the PSP were being abused. If they were
866
867putting their careers, their families, and their lives on the line, it had to be over something graver than the
868
869warrantless wiretapping that had already made headlines.
870That suspicion sent me searching for the classified version of the report, and it was not in the least dispelled by
871
872the fact that such a version appeared not to exist. I didn’t understand. If the classified version was merely a
873
874record of the sins of the past, it should have been easily accessible. But it was nowhere to be found. I wondered
875
876whether I was looking in the wrong places. After a while of ranging fairly widely and still finding nothing, though,
877
878I decided to drop the issue. Life took over and I had work to do. When you get asked to give recommendations on how
879
880to keep IC agents and assets from being uncovered and executed by the Chinese Ministry of State Security, it’s hard
881
882to remember what you were Googling the week before.
883
884It was only later, long after I’d forgotten about the missing IG report, that the classified version came skimming
885
886across my desktop, as if in proof of that old maxim that the best way to find something is to stop looking for it.
887
888Once the classified version turned up, I realized why I hadn’t had any luck finding it previously: it couldn’t be
889
890seen, not even by the heads of agencies. It was filed in an Exceptionally Controlled Information (ECI)
891
892compartment, an extremely rare classification used only to make sure that something would remain hidden even from
893
894those holding top secret clearance. Because of my position, I was familiar with most of the ECIs at the NSA, but not
895
896this one. The report’s full classification designation was TOP SECRET//STLW//HCS/COMINT//ORCON/NOFORN, which
897
898translates to: pretty much only a few dozen people in the world are allowed to read this.
899
900I was most definitely not one of them. The report came to my attention by mistake: someone in the NSA IG’s office had
901
902left a draft copy on a system that I, as a sysadmin, had access to. Its caveat of STLW, which I didn’t recognize,
903
904turned out to be what’s called a “dirty word” on my system: a label signifying a document that wasn’t supposed to be
905
906stored on lower-security drives. These drives were being constantly checked for any newly appearing dirty words, and
907
908the moment one was found I was alerted so that I could decide how best to scrub the document from the system. But
909
910before I did, I’d have to examine the offending file myself, just to confirm that the dirty word search hadn’t
911
912flagged anything accidentally. Usually I’d take just the briefest glance at the thing. But this time, as soon I
913
914opened the document and read the title, I knew I’d be reading it all the way through.
915
916Here was everything that was missing from the unclassified version. Here was everything that the journalism I’d read
917
918had lacked, and that the court proceedings I’d followed had been denied: a complete accounting of the NSA’s most
919
920secret surveillance programs, and the agency directives and Department of Justice policies that had been used to
921
922subvert American law
923and contravene the US Constitution. After reading the thing, I could understand why no IC employee had ever leaked it
924
925to journalists, and no judge would be able to force the government to produce it in open court. The document was so
926
927deeply classified that anybody who had access to it who wasn’t a sysadmin would be immediately identifiable. And the
928
929activities it outlined were so deeply criminal that no government would ever allow it to be released unredacted.
930
931One issue jumped out at me immediately: it was clear that the unclassified version I was already familiar with
932
933wasn’t a redaction of the classified version, as would usually be the practice. Rather, it was a wholly
934
935different document, which the classified version immediately exposed as an outright and carefully concocted lie. The
936
937duplicity was stupefying, especially given that I’d just dedicated months of my time to deduplicating files. Most of
938
939the time, when you’re dealing with two versions of the same document, the differences between them are trivial—a few
940
941commas here, a few words there. But the only thing these two particular reports had in common was their title.
942
943Whereas the unclassified version merely made reference to the NSA being ordered to intensify its intelligence-
944
945gathering practices following 9/11, the classified version laid out the nature, and scale, of that intensification.
946
947The NSA’s historic brief had been fundamentally altered from targeted collection of communications to “bulk
948
949collection,” which is the agency’s euphemism for mass surveillance. And whereas the unclassified version obfuscated
950
951this shift, advocating for expanded surveillance by scaring the public with the specter of terror, the classified
952
953version made this shift explicit, justifying it as the legitimate corollary of expanded technological
954
955capability.
956
957The NSA IG’s portion of the classified report outlined what it called “a collection gap,” noting that existing
958
959surveillance legislation (particularly the Foreign Intelligence Surveillance Act) dated from 1978, a time when most
960
961communications signals traveled via radio or telephone lines, rather than fiber-optic cables and satellites. In
962
963essence, the agency was arguing that the speed and volume of contemporary communication had outpaced, and outgrown,
964
965American law—no court, not even a secret court, could issue enough individually targeted warrants fast enough to keep
966
967up—and that a truly global world required a truly global intelligence agency. All of this pointed, in the NSA’s
968
969logic, to the necessity of the bulk collection of Internet communications. The code name for this bulk collection
970
971initiative was indicated in the very “dirty word” that got it flagged on my system: STLW, an abbreviation of
972
973STELLARWIND. This turned out to be the single major component of the PSP that had continued, and even grown, in
974
975secret after the
976rest of the program had been made public in the press.
977
978STELLARWIND was the classified report’s deepest secret. It was, in fact, the NSA’s deepest secret, and the one that
979
980the report’s sensitive status had been designed to protect. The program’s very existence was an indication that the
981
982agency’s mission had been transformed, from using technology to defend America to using technology to control it
983
984by redefining citizens’ private Internet communications as potential signals intelligence.
985
986Such fraudulent redefinitions ran throughout the report, but perhaps the most fundamental and transparently
987
988desperate involved the government’s vocabulary. STELLARWIND had been collecting communications since the PSP’s
989
990inception in 2001, but in 2004—when Justice Department officials balked at the continuation of the initiative—
991
992the Bush administration attempted to legitimize it ex post facto by changing the meanings of basic English words,
993
994such as “acquire” and “obtain.” According to the report, it was the government’s position that the NSA could collect
995
996whatever communications records it wanted to, without having to get a warrant, because it could only be
997
998said to have acquired or obtained them, in the legal sense, if and when the agency “searched for and retrieved” them
999
1000from its database.
1001
1002This lexical sophistry was particularly galling to me, as I was well aware that the agency’s goal was to be able to
1003
1004retain as much data as it could for as long as it could—for perpetuity. If communications records would only be
1005
1006considered definitively “obtained” once they were used, they could remain “unobtained” but collected in storage
1007
1008forever, raw data awaiting its future manipulation. By redefining the terms “acquire” and “obtain”—from describing
1009
1010the act of data being entered into a database, to describing the act of a person (or, more likely, an algorithm)
1011
1012querying that database and getting a “hit” or “return” at any conceivable point in the future—the US government was
1013
1014developing the capacity of an eternal law-enforcement agency. At any time, the government could dig through the past
1015
1016communications of anyone it wanted to victimize in search of a crime (and everybody’s communications contain evidence
1017
1018of something). At any point, for all perpetuity, any new administration—any future rogue head of the NSA—could just
1019
1020show up to work and, as easily as flicking a switch, instantly track everybody with a phone or a computer, know who
1021
1022they were, where they were, what they were doing with whom, and what they had ever done in the past.
1023
1024
1025
1026THE TERM “MASS surveillance” is more clear to me, and I think to most people,
1027than the government’s preferred “bulk collection,” which to my mind threatens to give a falsely fuzzy impression of
1028
1029the agency’s work. “Bulk collection” makes it sound like a particularly busy post office or sanitation department, as
1030
1031opposed to a historic effort to achieve total access to—and clandestinely take possession of—the records of all
1032
1033digital communications in existence.
1034
1035But even once a common ground of terminology is established, misperceptions can still abound. Most people, even
1036
1037today, tend to think of mass surveillance in terms of content—the actual words they use when they make a phone call
1038
1039or write an email. When they find out that the government actually cares comparatively little about that content,
1040
1041they tend to care comparatively little about government surveillance. This relief is understandable, to a degree, due
1042
1043to what each of us must regard as the uniquely revealing and intimate nature of our communications: the sound of our
1044
1045voice, almost as personal as a thumbprint; the inimitable facial expression we put on in a selfie sent by text. The
1046
1047unfortunate truth, however, is that the content of our communications is rarely as revealing as its other elements—
1048
1049the unwritten, unspoken information that can expose the broader context and patterns of behavior.
1050
1051The NSA calls this “metadata.” The term’s prefix, “meta,” which traditionally is translated as “above” or “beyond,”
1052
1053is here used in the sense of “about”: metadata is data about data. It is, more accurately, data that is made by data
1054
1055—a cluster of tags and markers that allow data to be useful. The most direct way of thinking about metadata, however,
1056
1057is as “activity data,” all the records of all the things you do on your devices and all the things your devices do on
1058
1059their own. Take a phone call, for example: its metadata might include the date and time of the call, the call’s
1060
1061duration, the number from which the call was made, the number being called, and their locations. An email’s metadata
1062
1063might include information about what type of computer it was generated on, where, and when, who the computer belonged
1064
1065to, who sent the email, who received it, where and when it was sent and received, and who if anyone besides the
1066
1067sender and recipient accessed it, and where and when. Metadata can tell your surveillant the address you slept at
1068
1069last night and what time you got up this morning. It reveals every place you visited during your day and how long you
1070
1071spent there. It shows who you were in touch with and who was in touch with you.
1072
1073It’s this fact that obliterates any government claim that metadata is somehow not a direct window into the substance
1074
1075of a communication. With the dizzying volume of digital communications in the world, there is simply
1076no way that every phone call could be listened to or email could be read. Even if it were feasible, however, it still
1077
1078wouldn’t be useful, and anyway, metadata makes this unnecessary by winnowing the field. This is why it’s best to
1079
1080regard metadata not as some benign abstraction, but as the very essence of content: it is precisely the first line of
1081
1082information that the party surveilling you requires.
1083
1084There’s another thing, too: content is usually defined as something that you knowingly produce. You know what you’re
1085
1086saying during a phone call, or what you’re writing in an email. But you have hardly any control over the metadata you
1087
1088 produce, because it is generated automatically. Just as it’s collected, stored, and analyzed by machine,
1089
1090it’s made by machine, too, without your participation or even consent. Your devices are constantly communicating
1091
1092for you whether you want them to or not. And, unlike the humans you communicate with of your own volition, your
1093
1094devices don’t withhold private information or use code words in an attempt to be discreet. They merely ping the
1095
1096nearest cell phone towers with signals that never lie.
1097
1098One major irony here is that law, which always lags behind technological innovation by at least a generation, gives
1099
1100substantially more protections to a communication’s content than to its metadata—and yet intelligence agencies are
1101
1102far more interested in the metadata—the activity records that allow them both the “big picture” ability to analyze
1103
1104data at scale, and the “little picture” ability to make perfect maps, chronologies, and associative synopses of an
1105
1106individual person’s life, from which they presume to extrapolate predictions of behavior. In sum, metadata can tell
1107
1108your surveillant virtually everything they’d ever want or need to know about you, except what’s actually going on
1109
1110inside your head.
1111
1112After reading this classified report, I spent the next weeks, even months, in a daze. I was sad and low, trying to
1113
1114deny everything I was thinking and feeling—that’s what was going on in my head, toward the end of my stint in Japan.
1115
1116I felt far from home, but monitored. I felt more adult than ever, but also cursed with the knowledge that all of us
1117
1118had been reduced to something like children, who’d be forced to live the rest of our lives under omniscient parental
1119
1120supervision. I felt like a fraud, making excuses to Lindsay to explain my sullenness. I felt like a fool, as someone
1121
1122of supposedly serious technical skills who’d somehow helped to build an essential component of this system without
1123
1124realizing its purpose. I felt used, as an employee of the IC who only now was realizing that all along I’d been
1125
1126protecting not my country but the state. I felt, above all, violated. Being in Japan only accentuated the sense of
1127betrayal.
1128
1129I’ll explain.
1130
1131The Japanese that I’d managed to pick up through community college and my interests in anime and manga was enough for
1132
1133me to speak and get through basic conversations, but reading was a different matter. In Japanese, each word can be
1134
1135represented by its own unique character, or a combination of characters, called kanji, so there were tens of
1136
1137thousands of them—far too many for me to memorize. Often, I was only able to decode particular kanji if they were
1138
1139written with their phonetic gloss, the furigana, which are most commonly meant for foreigners and young readers and
1140
1141so are typically absent from public texts like street signs. The result of all this was that I walked around
1142
1143functionally illiterate. I’d get confused and end up going right when I should have gone left, or left when I should
1144
1145have gone right. I’d wander down the wrong streets and misorder from menus. I was a stranger, is what I’m saying, and
1146
1147often lost, in more ways than one. There were times when I’d accompany Lindsay out on one of her photography trips
1148
1149into the countryside and I’d suddenly stop and realize, in the midst of a village or in the middle of a forest, that
1150
1151I knew nothing whatsoever about my surroundings.
1152
1153And yet: everything was known about me. I now understood that I was totally transparent to my government. The phone
1154
1155that gave me directions, and corrected me when I went the wrong way, and helped me translate the traffic signs, and
1156
1157told me the times of the buses and trains, was also making sure that all of my doings were legible to my employers.
1158
1159It was telling my bosses where I was and when, even if I never touched the thing and just left it in my pocket.
1160
1161I remember forcing myself to laugh about this once when Lindsay and I got lost on a hike and Lindsay—to
1162
1163whom I’d told nothing—just spontaneously said, “Why don’t you text Fort Meade and have them find us?” She kept
1164
1165the joke going, and I tried to find it funny but couldn’t. “Hello,” she mimicked me, “can you help us with
1166
1167directions?”
1168
1169Later I would live in Hawaii, near Pearl Harbor, where America was attacked and dragged into what might have been its
1170
1171last just war. Here, in Japan, I was closer to Hiroshima and Nagasaki, where that war ignominiously ended. Lindsay
1172
1173and I had always hoped to visit those cities, but every time we planned to go we wound up having to cancel. On one of
1174
1175my first days off, we were all set to head down Honshu to Hiroshima, but I was called in to work and told to go in
1176
1177the opposite direction—to Misawa Air Base in the frozen north. On the day of our next scheduled attempt, Lindsay got
1178
1179sick, and then I
1180got sick, too. Finally, the night before we intended to go to Nagasaki, Lindsay and I were woken by our first major
1181
1182earthquake, jumped up from our futon, ran down seven flights of stairs, and spent the rest of the night out on the
1183
1184street with our neighbors, shivering in our pajamas.
1185
1186To my true regret, we never went. Those places are holy places, whose memorials honor the two hundred thousand
1187
1188incinerated and the countless poisoned by fallout while reminding us of technology’s amorality.
1189
1190I think often of what’s called the “atomic moment”—a phrase that in physics describes the moment when a nucleus
1191
1192coheres the protons and neutrons spinning around it into an atom, but that’s popularly understood to mean the advent
1193
1194of the nuclear age, whose isotopes enabled advances in energy production, agriculture, water potability, and the
1195
1196diagnosis and treatment of deadly disease. It also created the atomic bomb.
1197
1198Technology doesn’t have a Hippocratic oath. So many decisions that have been made by technologists in academia,
1199
1200industry, the military, and government since at least the Industrial Revolution have been made on the basis of “can
1201
1202we,” not “should we.” And the intention driving a technology’s invention rarely, if ever, limits its application and
1203
1204use.
1205
1206I do not mean, of course, to compare nuclear weapons with cybersurveillance in terms of human cost. But there is a
1207
1208commonality when it comes to the concepts of proliferation and disarmament.
1209
1210The only two countries I knew of that had previously practiced mass surveillance were those two other major
1211
1212combatants of World War II—one America’s enemy, the other America’s ally. In both Nazi Germany and Soviet Russia,
1213
1214the earliest public indications of that surveillance took the superficially innocuous form of a
1215
1216census, the official enumeration and statistical recording of a population. The First All-Union Census of the Soviet
1217
1218Union, in 1926, had a secondary agenda beyond a simple count: it overtly queried Soviet citizens about their
1219
1220nationality. Its findings convinced the ethnic Russians who comprised the Soviet elite that they were in the minority
1221
1222when compared to the aggregated masses of citizens who claimed a Central Asian heritage, such as Uzbeks, Kazakhs,
1223
1224Tajiks, Turkmen, Georgians, and Armenians. These findings significantly strengthened Stalin’s resolve to eradicate
1225
1226these cultures, by “reeducating” their populations in the deracinating ideology of Marxism-Leninism.
1227
1228The Nazi German census of 1939 took on a similar statistical project, but with the assistance of computer technology.
1229
1230It set out to count the Reich’s
1231population in order to control it and to purge it—mainly of Jews and Roma— before exerting its murderous efforts on
1232
1233populations beyond its borders. To effect this, the Reich partnered with Dehomag, a German subsidiary of the American
1234
1235IBM, which owned the patent to the punch card tabulator, a sort of analog computer that counted holes punched into
1236
1237cards. Each citizen was represented by a card, and certain holes on the cards represented certain markers of
1238
1239identity. Column 22 addressed the religion rubric: hole 1 was Protestant, hole 2 Catholic, and hole 3 Jewish. Shortly
1240
1241thereafter, this census information was used to identify and deport Europe’s Jewish population to the death camps.
1242
1243A single current-model smartphone commands more computing power than all of the wartime machinery of the Reich and
1244
1245the Soviet Union combined. Recalling this is the surest way to contextualize not just the modern American
1246
1247IC’s technological dominance, but also the threat it poses to democratic governance. In the century or so since those
1248
1249census efforts, technology has made astounding progress, but the same could not be said for the law or human scruples
1250
1251that could restrain it.
1252
1253The United States has a census, too, of course. The Constitution established the American census and enshrined it as
1254
1255the official federal count of each state’s population in order to determine its proportional delegation to the House
1256
1257of Representatives. That was something of a revisionist principle, in that authoritarian governments, including the
1258
1259British monarchy that ruled the colonies, had traditionally used the census as a method of assessing taxes and
1260
1261ascertaining the number of young men eligible for military conscription. It was the Constitution’s genius to
1262
1263repurpose what had been a mechanism of oppression into one of democracy. The census, which is officially under the
1264
1265jurisdiction of the Senate, was ordered to be performed every ten years, which was roughly the amount of time it took
1266
1267to process the data of most American censuses following the first census of 1790. This decade-long lag was shortened
1268
1269by the census of 1890, which was the world’s first census to make use of computers (the prototypes of the models that
1270
1271IBM later sold to Nazi Germany). With computing technology, the processing time was cut in half.
1272
1273Digital technology didn’t just further streamline such accounting—it is rendering it obsolete. Mass surveillance is
1274
1275now a never-ending census, substantially more dangerous than any questionnaire sent through the mail. All our
1276
1277devices, from our phones to our computers, are basically miniature census-takers we carry in our backpacks and in our
1278
1279pockets—census-takers that remember everything and forgive nothing.
1280Japan was my atomic moment. It was then that I realized where these new technologies were headed, and that if my
1281
1282generation didn’t intervene the escalation would only continue. It would be a tragedy if, by the time we’d finally
1283
1284resolved to resist, such resistance were futile. The generations to come would have to get used to a world in which
1285
1286surveillance wasn’t something occasional and directed in legally justified circumstances, but a constant and
1287
1288indiscriminate presence: the ear that always hears, the eye that always sees, a memory that is sleepless and
1289
1290permanent.
1291
1292Once the ubiquity of collection was combined with the permanency of storage, all any government had to do was select
1293
1294a person or a group to scapegoat and go searching—as I’d gone searching through the agency’s files
1295—for evidence of a suitable crime.
129617
1297
1298Home on the Cloud
1299
1300In 2011, I was back in the States, working for the same nominal employer, Dell, but now attached to my old agency,
1301
1302the CIA. One mild spring day, I came home from my first day at the new job and was amused to notice: the house I’d
1303
1304moved into had a mailbox. It was nothing fancy, just one of those subdivided rectangles common to town house
1305
1306communities, but still, it made me smile. I hadn’t had a mailbox in years, and hadn’t ever checked this one. I might
1307
1308not even have registered its existence had it not been overflowing— stuffed to bursting with heaps of junk mail
1309
1310addressed to “Mr. Edward J. Snowden or Current Resident.” The envelopes contained coupons and ad circulars for
1311
1312household products. Someone knew that I’d just moved in.
1313
1314A memory surfaced from my childhood, a memory of checking the mail and finding a letter to my sister. Although I
1315
1316wanted to open it, my mother wouldn’t let me.
1317
1318I remember asking why. “Because,” she said, “it’s not addressed to you.” She explained that opening mail intended for
1319
1320someone else, even if it was just a birthday card or a chain letter, wasn’t a very nice thing to do. In fact, it was
1321
1322a crime.
1323
1324I wanted to know what kind of crime. “A big one, buddy,” my mother said. “A federal crime.”
1325
1326I stood in the parking lot, tore the envelopes in half, and carried them to the trash.
1327
1328I had a new iPhone in the pocket of my new Ralph Lauren suit. I had new Burberry glasses. A new haircut. Keys to this
1329
1330new town house in Columbia, Maryland, the largest place I’d ever lived in, and the first place that really felt like
1331
1332mine. I was rich, or at least my friends thought so. I barely recognized myself.
1333
1334I’d decided it was best to live in denial and just make some money, make life better for the people I loved—after
1335
1336all, wasn’t that what everybody else did? But it was easier said than done. The denial, I mean. The money—that came
1337
1338easy. So easy that I felt guilty.
1339
1340Counting Geneva, and not counting periodic trips home, I’d been away for nearly four years. The America I returned to
1341
1342felt like a changed country. I won’t go as far as to say that I felt like a foreigner, but I did find myself mired
1343in way too many conversations I didn’t understand. Every other word was the name of some TV show or movie I didn’t
1344
1345know, or a celebrity scandal I didn’t care about, and I couldn’t respond—I had nothing to respond with.
1346
1347Contradictory thoughts rained down like Tetris blocks, and I struggled to sort them out—to make them disappear. I
1348
1349thought, pity these poor, sweet, innocent people—they’re victims, watched by the government, watched by the very
1350
1351screens they worship. Then I thought: Shut up, stop being so dramatic—they’re happy, they don’t care, and you don’t
1352
1353have to, either. Grow up, do your work, pay your bills. That’s life.
1354
1355A normal life was what Lindsay and I were hoping for. We were ready for the next stage and had decided to settle
1356
1357down. We had a nice backyard with a cherry tree that reminded me of a sweeter Japan, a spot on the Tama River where
1358
1359Lindsay and I had laughed and rolled around atop the fragrant carpet of Tokyo blossoms as we watched the sakura fall.
1360
1361Lindsay was getting certified as a yoga instructor. I, meanwhile, was getting used to my new position—in sales.
1362
1363One of the external vendors I’d worked with on EPICSHELTER ended up working for Dell, and convinced me that I was
1364
1365wasting my time with getting paid by the hour. I should get into the sales side of Dell’s business, he said, where I
1366
1367could earn a fortune—for more ideas like EPICSHELTER. I’d be making an astronomical leap up the corporate ladder, and
1368
1369he’d be getting a substantial referral bonus. I was ready to be convinced, especially since it meant distracting
1370
1371myself from my growing sense of unease, which could only get me into trouble. The official job title was solutions
1372
1373consultant. It meant, in essence, that I had to solve the problems created by my new partner, whom I’m going to call
1374
1375Cliff, the account manager.
1376
1377Cliff was supposed to be the face, and I was to be the brain. When we sat down with the CIA’s technical royalty and
1378
1379purchasing agents, his job was to sell Dell’s equipment and expertise by any means necessary. This meant reaching
1380
1381deep into the seat of his pants for unlimited slick promises as to how we’d do things for the agency, things that
1382
1383were definitely, definitely not possible for our competitors (and, in reality, not possible for us, either). My job
1384
1385was to lead a team of experts in building something that reduced the degree to which Cliff had lied by just enough
1386
1387that, when the person who signed the check pressed the Power button, we wouldn’t all be sent to jail.
1388
1389No pressure.
1390
1391Our main project was to help the CIA catch up with the bleeding edge—or
1392just with the technical standards of the NSA—by building it the buzziest of new technologies, a “private cloud.” The
1393
1394aim was to unite the agency’s processing and storage while distributing the ways by which data could be accessed.
1395
1396In plain American, we wanted to make it so that someone in a tent in Afghanistan could do exactly the same work in
1397
1398exactly the same way as someone at CIA headquarters. The agency—and indeed the whole IC’s technical leadership—was
1399
1400constantly complaining about “silos”: the problem of having a billion buckets of data spread all over the world that
1401
1402they couldn’t keep track of or access. So I was leading a team of some of the smartest people at Dell to come up with
1403
1404a way that anyone, anywhere, could reach anything.
1405
1406During the proof of concept stage, the working name of our cloud became “Frankie.” Don’t blame me: on the tech side,
1407
1408we just called it “The Private Cloud.” It was Cliff who named it, in the middle of a demo with the CIA, saying they
1409
1410were going to love our little Frankenstein “because it’s a real monster.”
1411
1412The more promises Cliff made, the busier I became, leaving Lindsay and me only the weekends to catch up with our
1413
1414parents and old friends. We tried to furnish and equip our new home. The three-story place had come empty, so we had
1415
1416to get everything, or everything that our parents hadn’t generously handed down to us. This felt very mature, but was
1417
1418at the same time very telling about our priorities: we bought dishes, cutlery, a desk, and a chair, but we still
1419
1420slept on a mattress on the floor. I’d become allergic to credit cards, with all their tracking, so we bought
1421
1422everything outright, with hard currency. When we needed a car, I bought a ’98 Acura Integra from a classified ad for
1423$3,000 cash. Earning money was one thing, but neither Lindsay nor I liked to spend it, unless it was for computer
1424
1425equipment—or a special occasion. For Valentine’s Day, I bought Lindsay the revolver she always wanted.
1426
1427Our new condo was a twenty-minute drive from nearly a dozen malls, including the Columbia Mall, which has nearly 1.5
1428
1429million square feet of shopping, occupied by some two hundred stores, a fourteen-screen AMC multiplex, a P.F.
1430
1431Chang’s, and a Cheesecake Factory. As we drove the familiar roads in the beat-up Integra, I was impressed, but also
1432
1433slightly taken aback, by all the development that had occurred in my absence. The post-9/11 government spending spree
1434
1435had certainly put a lot of money into a lot of local pockets. It was an unsettling and even overwhelming experience
1436
1437to come back to America after having been away for a while and to realize anew just how wealthy this part of the
1438
1439country was, and how many consumer options it offered—how many big-box retailers and high-end interior
1440
1441design
1442showrooms. And all of them had sales. For Presidents’ Day, Memorial Day, Independence Day, Labor Day, Columbus
1443
1444Day, Veterans’ Day. Festive banners announced the latest discounts, just below all the flags.
1445
1446Our mission was pretty much appliance-based on this one afternoon I’m recalling—we were at Best Buy. Having settled
1447
1448on a new microwave, we were checking out, on Lindsay’s healthful insistence, a display of blenders. She had her phone
1449
1450out and was in the midst of researching which of the ten or so devices had the best reviews, when I found myself
1451
1452wandering over to the computer department at the far end of the store.
1453
1454But along the way, I stopped. There, at the edge of the kitchenware section, ensconced atop a brightly decorated