Authors: Fred Kaplan
One leak was the full, fifty-page catalogue of tools and techniques used by the elite hackers in the NSA's Office of Tailored Access Operations. No American or British newspaper published that document, though
Der Spiegel
did, in its print and online editions.
Fort Meade's crown jewels were now scattered all over the global street,
for interested parties everywhere to pick up. Even the material that no one publishedâand Snowden's cache amounted to tens of thousands of highly classified documentsâcould have been perused by any foreign intelligence agency with skilled cyber units. If the NSA and its Russian, Chinese, Iranian, French, and Israeli variants could hack into one another's computers, they could certainly hack into the computers of journalists, some of whom were less careful than others in guarding the cache. Once Snowden took his laptops out of the building in Oahu, its contentsâencrypted or otherwiseâwere up for grabs.
But the leaks about foreign intelligence operationsâthe intercepts of email in Afghanistan and Pakistan, the TAO catalogue, and the likeâwere overshadowed, among American news readers, by the detailed accounts of domestic surveillance. It was these leaks that earned Snowden applause as a whistleblower and engulfed the NSA in a storm of controversy and protest unseen since the Church Committee hearings of the 1970s.
The Snowden papers unveiled a massive data-mining operation, more vast than any outsider had imagined. In effect, it was Keith Alexander's metadata experiment at Fort Belvoir writ very largeâthe realization of his philosophy about big data: collect and store everything, so that you can go back and search for patterns and clues of an imminent attack; when you're looking for a needle in a haystack, you need the whole haystack.
Under the surveillance system described in the Snowden documents, when the NSA found someone in contact with foreign terrorists, its analysts could go back and look at every phone number the suspect had called (and every number that had called the suspect) for the previous five years. The retrieval of all those associated numbers was called the first “hop.” To widen the probe, analysts could then look at all the numbers that
those
people had called (the second hop) and, in a third hop, the numbers that
those
people had called.
The math suggested, at least potentially, a staggering level of surveillance. Imagine someone who had dialed the number of a known al Qaeda member, and assume that this person had phoned 100 other people over the previous five years. That would mean the NSA could start tracking not only the suspect's calls but also the calls of those 100 other people. If each of
those
people also called 100 people, the NSAâin the second hopâcould track their calls, too, and that would put (100 times 100) 10,000 people on the agency's screen. In the third hop, the analysts could trace the calls of those 10,000 people and the calls that
they
had madeâor (10,000 times 100) 1 million people.
In other words, the active surveillance of a single terrorist suspect could put a million people, possibly a million Americans, under the agency's watch. The revelation came as a shock, even to those who otherwise had few qualms about the occasional breach of personal privacy.
Following this disclosure, Keith Alexander gave several speeches and interviews, in which he emphasized that the NSA did not examine the
contents
of those calls or the names of the callers (that information was systematically excluded from the database) but rather only the
metadata
: the traffic patternsâwhich phone numbers called which other phone numbersâalong with the dates, times, and durations of those calls.
But amid the dramatic news stories, an assurance from the director of the National Security Agency struck a weak chord: he might
say
that his agency didn't listen to these phone calls, but many wondered why they should believe him.
The distrust deepened when Obama's director of national intelligence, James Clapper, a retired Air Force lieutenant general and a veteran of various spy agencies, was caught in a lie. Back on March 12, three months before anyone had heard of metadata, PRISM, or Edward Snowden, Clapper testified at a public hearing of the
Senate Select Committee on Intelligence. At one point, Senator Ron Wyden, Democrat from Oregon, asked him,
“Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”
Clapper replied, “No, sir . . . not wittingly.”
As a member of the select committee, Wyden had been read in on the NSA metadata program, so he knew that Clapper wasn't telling the truth.
The day before, he'd given Clapper's office a heads-up on the question that he planned to ask. He knew that he'd be putting Clapper in a box: the correct answer to his question was “Yes,” but Clapper would have a hard time saying so without making headlines; so Wyden wanted to give the director a chance to formulate an answer that addressed the issue without revealing too much. He was surprised that Clapper dealt with it by simply lying. After the hearing, Wyden had an aide approach Clapper to ask if he'd like to revise and extend his reply for the record; again to Wyden's surprise, Clapper declined. Wyden couldn't say anything further in public without violating his own pledge to keep quiet about high-level secrets, so he let the matter rest.
Then came the Snowden revelations, which prompted many to reexamine that exchange. On June 9, the first Sunday after the Snowden leaks were published, Clapper agreed to an interview with NBC-TV's Andrea Mitchell. She asked him why he'd answered Wyden's question the way he did.
Clapper came off as astonishingly unprepared.
“I thought, though in retrospect, I was asked âwhen are you going to . . . stop beating your wife' kind of question, which is . . . not answered necessarily by a simple yes or no,” he began in an incoherent ramble. Then, digging himself still deeper in the hole, he said, “So, I responded in what I thought was the most truthfulâor least untruthfulâmanner by saying, âNo.'â”
Doubling down, Clapper homed in on Wyden's use of the word
“collect,” as in, “Did the NSA
collect
any type of data . . . on millions of Americans?” Imagine, Clapper said, a vast library of books containing vast amounts of data on every American. “To me,” he went on, “
collection
of U.S. persons' data would mean taking the book off the shelf and opening it up and reading it.” Therefore, he reasoned, it wasn't quite a lie to say that the NSA did not
collect
data on Americans, at least not wittingly.
The morning after the broadcast, Clapper called his old friend Ken Minihan, the former NSA director, to ask how he did. Minihan was now managing director of the Paladin Capital Group, which invested in cyber security technology firms worldwide: he'd been out of government for more than a decade, but he kept up his contacts throughout the intelligence world; he still had both feet in the game, and he'd watched Clapper's interview in sorrow.
“Well,” Minihan replied, in his folksy drawl, “you couldn't have
made
things any worse.”
Clapper might have been genuinely perplexed. Five years earlier, the FISA Court had allowed the NSA to redefine “collection” in exactly the way Clapper had done on national televisionâas the retrieval of data that had already been scooped up and stored. At the time of that ruling, Alexander was laying the foundations of his metadata program; it was illegal to “collect” data from Americans, so the program couldn't have gone forward without redefining the term.
But the FISA Court was a secret body: it met in secret; its cases were heard in secret; its rulings were classified Top Secret. To Clapper and other veterans of the intelligence community, this reworking of a common English word had insinuated its way into official parlance. To anyone outside the walls, the logic seemed disingenuous at best. Clearly, to
collect
meant to gather, to sweep up, to bring together. No one would say, “I'm going to collect
The Great Gatsby
from my bookshelf and read it,” nor did it seem plausible that anyone in the
NSA would say, “I'm going to collect this phone conversation from my archive and insert it in my database.”
The NSA had basked in total secrecy for so long, from the moment of its inception, that its denizens tended to lose touch with the outside world. In part, its isolation was a product of its mandate: making and breaking codes in the interest of national security ranked among the most sensitive and secretive tasks in all government. Yet the insularity left them without defenses when the bubble was suddenly pierced. They'd had no training or experience in dealing with the public. And as the secrets in Snowden's documents were splashed on front-page headlines and cable newscasts day after jaw-dropping day, the trust in the nation's largest, most intrusive intelligence agencyâa trust that had never been more than tenuousâbegan to crumble.
Opinion polls weren't the only place where the agency took a beating. The lashes were also felt, and more damagingly so, in the agitated statements and angry phone calls from corporate Americaâin particular, the telecoms and Internet providers, whose networks and servers the NSA had been piggybacking for years, in some cases decades.
This arrangement had been, for many firms, mutually beneficial. As recently as 2009, after the Chinese launched a major cyber attack against Google, stealing the firm's source-code software, the crown jewels of any Internet company, the NSA's Information Assurance Directorate helped repair the damage. One year earlier, after the U.S. Air Force rejected Microsoft's XP operating system on the grounds that it was riddled with security flaws, the directorate helped the firm design XP Service Pack 3, one of the company's most successful systems, which Air Force technicians (and many consumers) deemed secure straight out of the box.
Yet now with their complicity laid bare for all to see, the executives of these corporations backed away, some howling in protest, like Captain Renault, the Vichy official in the film
Casablanca
who pronounced himself “shocked, shocked to find that gambling is
going on in here,” just as the croupier delivered his winnings for the night. Their fear was that customers in the global marketplace would stop buying their software, suspecting that it was riddled with back doors for NSA intrusion. As Howard Charney, senior vice president of Cisco, a company that had done frequent business with the NSA, told one journalist, the Snowden revelations were
“besmirching the reputation of companies of U.S. origin around the world.”
Allied governments around the world were clamoring as well. The English-speaking nations that had been sharing intelligence with the United States for decadesâthe fellow “five-eyes” countries, Great Britain, Canada, Australia, and New Zealandâheld firm. But other state leaders, who had not been let into the club, started slipping away. President Obama had planned to rally European leaders in his pressure campaign against Chinaâwhich had launched cyber attacks on a lot of their companies, tooâbut his hopes were dashed when a Snowden document revealed that the NSA had once hacked German chancellor Angela Merkel's cell phone.
Merkel was outraged.
There was more than a trace of Captain Renault in her fuming, too; as subsequent news stories revealed, the BND, Germany's security service, continued to cooperate with the NSA in monitoring suspected terrorist groups. But at the time, Merkel played populist, as vast swaths of the German people, including many who had once seen America as a protector and friend, started likening the NSA to Stasi, the extremely intrusive surveillance service of the long-imploded East German dictatorship. Other Snowden documents exposed NSA intercepts in Central and South America, infuriating leaders and citizens in the Western Hemisphere, as well.
Something had to be done; the stenchâpolitical, economic, and diplomaticâhad to be contained. So President Obama did what many of his predecessors had done in the face of crises: he appointed a blue-ribbon commission.
O
N
August 9, 2013, a hot, humid Friday, shortly after three in the afternoon, the laziest hour in the dreariest month for news in the nation's capital, President Obama held a press conference in the East Room of the White House to announce that he was forming
“a high-level group of outside experts” to review the charges of abuse in NSA surveillance.
“If you are outside of the intelligence community, if you are the ordinary person and you start seeing a bunch of headlines saying U.S. Big Brother is looking down on you, collecting telephone records, etc., well, understandably,” he said, “people would be concerned. I would be concerned too, if I wasn't inside the government.” But Obama
was
inside the government, at its apex, and he'd developed a trust in the agencies' propriety. Of course, he acknowledged, “it's not enough for me, as President, to have confidence in these programs. The American people need to have confidence in them as well.”
And that, he seemed to be saying, would be the mission of this high-level group of outside experts: not so much to recommend major reforms or even to conduct a particularly hard-hitting probe, but rather, as he put it, to “consider how we can maintain the
trust
of the people.” He would also work with Congress to “improve the public's confidence in the oversight conducted by the Foreign Intelligence Surveillance Court.” Both efforts would be “designed to ensure that the American people can trust” that the intelligence agencies' actions were “in line with our interests and our values.” The high-level group, or the select intelligence committees of Congress, might come up with ways “to jigger slightly” the balance between national security and privacy, and that was fine. “If there are some additional things that we can do to build that trust back up,” Obama said, “then we should do them.” But he seemed to assume that big changes wouldn't be necessary. “I am comfortable that the program currently is not being abused,” he said. “The question is, how do I make the American people more comfortable?”