Authors: Edward Snowden
Imagine you’re entering a tunnel. Imagine the perspective: as you look down the length that stretches ahead of you, notice how the walls seem to narrow to the tiny dot of light at the other end. The light at the end of the tunnel is a symbol of hope, and it’s also what people say they see in near-death experiences. They have to go to it, they say. They’re drawn to it. But then where else is there to go in a tunnel, except through it? Hasn’t everything led up to this point?
My tunnel was the Tunnel: an enormous Pearl Harbor–era airplane factory turned NSA facility located under a pineapple field in Kunia, on the island of Oahu, Hawaii. The facility was built out of reinforced concrete, its eponymous tunnel a kilometer-long tube in the side of a hill opening up into three cavernous floors of server vaults and offices. At the time the Tunnel was built, the hill was covered over with huge amounts of sand, soil, desiccated pineapple plant leaves, and patches of sun-parched grass to camouflage it from Japanese bombers. Sixty years later it resembled the vast burial mound of a lost civilization, or some gigantic arid pile that a weird god had heaped up in the middle of a god-size sandbox. Its official name was the Kunia Regional Security Operations Center.
I went to work there, still on a Dell contract, but now for the NSA again, early in 2012. One day that summer—actually, it was my birthday—as I passed through the security checks and proceeded down the tunnel, it struck me: this, in front of me, was my future.
I’m not saying that I made any decisions at that instant. The most important decisions in life are never made that way. They’re made subconsciously and only express themselves consciously once fully formed—once you’re finally strong enough to admit to yourself that this is what your conscience has already chosen for you, this is the course that your beliefs have decreed. That was my twenty-ninth birthday present to myself: the awareness that I had entered a tunnel that would narrow my life down toward a single, still-indistinct act.
Just as Hawaii has always been an important waystation—historically, the US military treated the island chain as little more than a mid-Pacific refueling depot for boats and planes—it had also become an important switchpoint for American communications. These include the intelligence that flowed between the contiguous forty-eight states and my former place of employment, Japan, as well as other sites in Asia.
The job I’d taken was a significant step down the career ladder, with duties I could at this point perform in my sleep. It was supposed to mean less stress, a lighter burden. I was the sole employee of the aptly named Office of Information Sharing, where I worked as a SharePoint systems administrator. SharePoint is a Microsoft product, a dopey poky program, or rather a grab-bag of programs, focused on internal document management: who can read what, who can edit what, who can send and receive what, and so on. By making me Hawaii’s SharePoint systems administrator, the NSA had made me the manager of document management. I was, in effect, the reader in chief at one of the agency’s most significant facilities. As was my typical practice in any new technical position, I spent the earliest days automating my tasks—meaning writing scripts to do my work for me—so as to free up my time for something more interesting.
Before I go any further, I want to emphasize this: my active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I’d first had back in 2009 in Tokyo. Three years later, I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned. Though I was uncertain about how to conduct this investigation, I was at least sure of this: I had to understand exactly how the system worked before I could decide what, if anything, to do about it.
, was not why Lindsay and I had come to Hawaii. We hadn’t hauled all the way out to paradise just so I could throw our lives away for a principle.
We’d come to start over. To start over yet again.
My doctors told me that the climate and more relaxed lifestyle in Hawaii might be beneficial for my epilepsy, since lack of sleep was thought to be the leading trigger of the seizures. Also, the move eliminated the driving problem: the Tunnel was within bicycling distance of a number of communities in Kunia, the quiet heart of the island’s dry, red interior. It was a pleasant, twenty-minute ride to work, through sugarcane fields in brilliant sunshine. With the mountains rising calm and high in the clear blue distance, the gloomy mood of the last few months lifted like the morning fog.
Lindsay and I found a decent-size bungalow-type house on Eleu Street in Waipahu’s Royal Kunia, which we furnished with our stuff from Columbia, Maryland, since Dell paid relocation expenses. The furniture didn’t get much use, though, since the sun and heat would often cause us to walk in the door, strip off our clothes, and lie naked on the carpet beneath the overworked air conditioner. Eventually, Lindsay turned the garage into a fitness studio, filling it with yoga mats and the spinning pole she’d brought from Columbia. I set up a new Tor server. Soon, traffic from around the world was reaching the Internet via the laptop sitting in our entertainment center, which had the ancillary benefit of hiding my own Internet activity in the noise.
One night during the summer I turned twenty-nine, Lindsay finally prevailed on me to go out with her to a luau. She’d been after me to go for a while, because a few of her pole-fitness friends had been involved in some hula-girl capacity, but I’d been resistant. It had seemed like such a cheesy touristy thing to do, and had felt, somehow, disrespectful. Hawaiian culture is ancient, although its traditions are very much alive; the last thing I wanted was to disturb someone’s sacred ritual.
Finally, however, I capitulated. I’m very glad I did. What impressed me the most was not the luau itself—though it was very much a fire-twirling spectacle—but the old man who was holding court nearby in a little amphitheater down by the sea. He was a native Hawaiian, an erudite man with that soft but nasal island voice, who was telling a group of people gathered around a fire the creation stories of the islands’ indigenous peoples.
The one story that stuck with me concerned the twelve sacred islands of the gods. Apparently, there had existed a dozen islands in the Pacific that were so beautiful and pure and blessed with freshwater that they had to be kept secret from humanity, who would spoil them. Three of them were especially revered: Kane-huna-moku, Kahiki, and Pali-uli. The lucky gods who inhabited these islands decided to keep them hidden, because they believed that a glimpse of their bounty would drive people mad. After considering numerous ingenious schemes by which these islands might be concealed, including dyeing them the color of the sea, or sinking them to the bottom of the ocean, they finally decided to make them float in the air.
Once the islands were airborne, they were blown from place to place, staying constantly in motion. At sunrise and sunset, especially, you might think that you’d noticed one, hovering far at the horizon. But the moment you pointed it out to anyone, it would suddenly drift away or assume another form entirely, such as a pumice raft, a hunk of rock ejected by a volcanic eruption—or a cloud.
I thought about that legend a lot while I went about my search. The revelations I was pursuing were exactly like those islands: exotic preserves that a pantheon of self-important, self-appointed rulers were convinced had to be kept secret and hidden from humanity. I wanted to know what the NSA’s surveillance capabilities were exactly; whether and how they extended beyond the agency’s actual surveillance activities; who approved them; who knew about them; and, last but surely not least, how these systems—both technical and institutional—really operated.
The moment I’d think that I spotted one of these “islands”—some capitalized code name I didn’t understand, some program referenced in a note buried at the end of a report—I’d go chasing after further mentions of it in other documents, but find none. It was as if the program I was searching for had floated away from me and was lost. Then, days later, or weeks later, it might surface again under a different designation, in a document from a different department.
Sometimes I’d find a program with a recognizable name, but without an explanation of what it did. Other times I’d just find a nameless explanation, with no indication as to whether the capability it described was an active program or an aspirational desire. I was running up against compartments within compartments, caveats within caveats, suites within suites, programs within programs. This was the nature of the NSA—by design, the left hand rarely knew what the right hand was doing.
In a way, what I was doing reminded me of a documentary I once watched about map-making—specifically, about the way that nautical charts were created in the days before imaging and GPS. Ship captains would keep logs and note their coordinates, which landbound mapmakers would then try to interpret. It was through the gradual accretion of this data, over hundreds of years, that the full extent of the Pacific became known, and all its islands identified.
But I didn’t have hundreds of years or hundreds of ships. I was alone, one man hunched over a blank blue ocean, trying to find where this one speck of dry land, this one data point, belonged in relation to all the others.
Back in 2009 in Japan, when I went to that fateful China conference as a substitute briefer, I guess I’d made some friends, especially at the Joint Counterintelligence Training Academy (JCITA) and its parent agency, the Defense Intelligence Agency (DIA). In the three years since, JCITA had invited me a half-dozen or so times to give seminars and lectures at DIA facilities. Essentially, I was teaching classes in how the American Intelligence Community could protect itself from Chinese hackers and exploit the information gained from analyzing their hacks to hack them in return.
I always enjoyed teaching—certainly more than I ever enjoyed being a student—and in the early days of my disillusionment, toward the end of Japan and through my time at Dell, I had the sense that were I to stay in intelligence work for the rest of my career, the positions in which my principles would be least compromised, and my mind most challenged, would almost certainly be academic. Teaching with JCITA was a way of keeping that door open. It was also a way of keeping up to date—when you’re teaching, you can’t let your students get ahead of you, especially in technology.
This put me in the regular habit of perusing what the NSA called “readboards.” These are digital bulletin boards that function something like news blogs, only the “news” here is the product of classified intelligence activities. Each major NSA site maintains its own, which its local staff updates daily with what they regard as the day’s most important and interesting documents—everything an employee has to read to keep current.
As a holdover from my JCITA lecture preparation, and also, frankly, because I was bored in Hawaii, I got into the habit of checking a number of these boards every day: my own site’s readboard in Hawaii, the readboard of my former posting in Tokyo, and various readboards from Fort Meade. This new low-pressure position gave me as much time to read as I wanted. The scope of my curiosity might have raised a few questions at a prior stage of my career, but now I was the only employee of the Office of Information Sharing—I was the Office of Information Sharing—so my very job was to know what sharable information was out there. Meanwhile, most of my colleagues at the Tunnel spent their breaks streaming Fox News.
In the hopes of organizing all the documents I wanted to read from these various readboards, I put together a personal best-of-the-readboards queue. The files quickly began to pile up, until the nice lady who managed the digital storage quotas complained to me about the folder size. I realized that my personal readboard had become less a daily digest than an archive of sensitive information with relevance far beyond the day’s immediacy. Not wanting to erase it or stop adding to it, which would’ve been a waste, I decided instead to share it with others. This was the best justification for what I was doing that I could think of, especially because it allowed me to more or less legitimately collect material from a wider range of sources. So, with my boss’s approval, I set about creating an automated readboard—one that didn’t rely on anybody posting things to it, but edited itself.
Like EPICSHELTER, my automated readboard platform was designed to perpetually scan for new and unique documents. It did so in a far more comprehensive manner, however, peering beyond NSAnet, the NSA’s network, into the networks of the CIA and the FBI as well as into the Joint Worldwide Intelligence Communications System (JWICS), the Department of Defense’s top-secret intranet. The idea was that its findings would be made available to every NSA officer by comparing their digital identity badges—called PKI certificates—to the classification of the documents, generating a personal readboard customized to their clearances, interests, and office affiliations. Essentially, it would be a readboard of readboards, an individually tailored newsfeed aggregator, bringing each officer all the newest information pertinent to their work, all the documents they had to read to stay current. It would be run from a server that I alone managed, located just down the hall from me. That server would also store a copy of every document it sourced, making it easy for me to perform the kind of deep interagency searches that the heads of most agencies could only dream of.
I called this system Heartbeat, because it took the pulse of the NSA and of the wider IC. The volume of information that crashed through its veins was simply enormous, as it pulled documents from internal sites dedicated to every specialty from updates on the latest cryptographic research projects to minutes of the meetings of the National Security Council. I’d carefully configured it to ingest materials at a slow, constant pace, so as not to monopolize the undersea fiber-optic cable tying Hawaii to Fort Meade, but it still pulled so many more documents than any human ever could that it immediately became the NSAnet’s most comprehensive readboard.
Early on in its operation I got an email that almost stopped Heartbeat forever. A faraway administrator—apparently the only one in the entire IC who actually bothered to look at his access logs—wanted to know why a system in Hawaii was copying, one by one, every record in his database. He had immediately blocked me as a precaution, which effectively locked me out, and was demanding an explanation. I told him what I was doing and showed him how to use the internal website that would let him read Heartbeat for himself. His response reminded me of an unusual characteristic of the technologists’ side of the security state: once I gave him access, his wariness instantly turned into curiosity. He might have doubted a person, but he’d never doubt a machine. He could now see that Heartbeat was just doing what it’d been meant to do, and was doing it perfectly. He was fascinated. He unblocked me from his repository of records, and even offered to help me by circulating information about Heartbeat to his colleagues.
Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat. It showed me not just the aims but the abilities of the IC’s mass surveillance system. This is something I want to emphasize: in mid-2012, I was just trying to get a handle on how mass surveillance actually worked. Almost every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance—the efforts to spy on American citizens, for instance, or on the leaders of America’s allies. That is to say, they were more interested in the topics of the surveillance reports than in the system that produced them. I respect that interest, of course, having shared it myself, but my own primary curiosity was still technical in nature. It’s all well and good to read a document or to click through the slides of a PowerPoint presentation to find out what a program is to do, but the better you can understand a program’s mechanics, the better you can understand its potential for abuse.
This meant that I wasn’t much interested in the briefing materials—like, for example, what has become perhaps the best-known file I disclosed, a slide deck from a 2011 PowerPoint presentation that delineated the NSA’s new surveillance posture as a matter of six protocols: “Sniff It All, Know It All, Collect It All, Process It All, Exploit It All, Partner It All.” This was just PR speak, marketing jargon. It was intended to impress America’s allies: Australia, Canada, New Zealand, and the UK, the primary countries with which the United States shares intelligence. (Together with the United States, these countries are known as the Five Eyes.) “Sniff It All” meant finding a data source; “Know It All” meant finding out what that data was; “Collect It All” meant capturing that data; “Process It All” meant analyzing that data for usable intelligence; “Exploit It All” meant using that intelligence to further the agency’s aims; and “Partner It All” meant sharing the new data source with allies. While this six-pronged taxonomy was easy to remember, easy to sell, and an accurate measure of the scale of the agency’s ambition and the degree of its collusion with foreign governments, it gave me no insight into how exactly that ambition was realized in technological terms.
Much more revealing was an order I found from the FISA Court, a legal demand for a private company to turn over its customers’ private information to the federal government. Orders such as these were notionally issued on the authority of public legislation; however, their contents, even their existence, were classified Top Secret. According to Section 215 of the Patriot Act, aka the “business records” provision, the government was authorized to obtain orders from the FISA Court that compelled third parties to produce “any tangible thing” that was “relevant” to foreign intelligence or terrorism investigations. But as the court order I found made clear, the NSA had secretly interpreted this authorization as a license to collect all of the “business records,” or metadata, of telephone communications coming through American telecoms, such as Verizon and AT&T, on “an ongoing daily basis.” This included, of course, records of telephone communications between American citizens, the practice of which was unconstitutional.
Additionally, Section 702 of the FISA Amendments Act allows the IC to target any foreigner outside the United States deemed likely to communicate “foreign intelligence information”—a broad category of potential targets that includes journalists, corporate employees, academics, aid workers, and countless others innocent of any wrongdoing whatsoever. This legislation was being used by the NSA to justify its two most prominent Internet surveillance methods: the PRISM program and upstream collection.
PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds, transforming the companies into witting coconspirators. Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector Internet infrastructure—the switches and routers that shunt Internet traffic worldwide, via the satellites in orbit and the high-capacity fiber-optic cables that run under the ocean. This collection was managed by the NSA’s Special Sources Operations unit, which built secret wiretapping equipment and embedded it inside the corporate facilities of obliging Internet service providers around the world. Together, PRISM (collection from the servers of service providers) and upstream collection (direct collection from Internet infrastructure) ensured that the world’s information, both stored and in transit, was surveillable.
The next stage of my investigation was to figure out how this collection was actually accomplished—that is to say, to examine the documents that explained which tools supported this program and how they selected from among the vast mass of dragneted communications those that were thought worthy of closer inspection. The difficulty was that this information did not exist in any presentation, no matter the level of classification, but only in engineering diagrams and raw schematics. These were the most important materials for me to find. Unlike the Five Eyes’ pitch-deck cant, they would be concrete proof that the capacities I was reading about weren’t merely the fantasies of an overcaffeinated project manager. As a systems guy who was always being prodded to build faster and deliver more, I was all too aware that the agencies would sometimes announce technologies before they even existed—sometimes because a Cliff-type salesperson had made one too many promises, and sometimes just out of unalloyed ambition.
In this case, the technologies behind upstream collection did exist. As I came to realize, these tools are the most invasive elements of the NSA’s mass surveillance system, if only because they’re the closest to the user—that is, the closest to the person being surveilled. Imagine yourself sitting at a computer, about to visit a website. You open a Web browser, type in a URL, and hit Enter. The URL is, in effect, a request, and this request goes out in search of its destination server. Somewhere in the midst of its travels, however, before your request gets to that server, it will have to pass through TURBULENCE, one of the NSA’s most powerful weapons.
Specifically, your request passes through a few black servers stacked on top of one another, together about the size of a four-shelf bookcase. These are installed in special rooms at major private telecommunications buildings throughout allied countries, as well as in US embassies and on US military bases, and contain two critical tools. The first, TURMOIL, handles “passive collection,” making a copy of the data coming through. The second, TURBINE, is in charge of “active collection”—that is, actively tampering with the users.
You can think of TURMOIL as a guard positioned at an invisible firewall through which Internet traffic must pass. Seeing your request, it checks its metadata for selectors, or criteria, that mark it as deserving of more scrutiny. Those selectors can be whatever the NSA chooses, whatever the NSA finds suspicious: a particular email address, credit card, or phone number; the geographic origin or destination of your Internet activity; or just certain keywords such as “anonymous Internet proxy” or “protest.”
If TURMOIL flags your traffic as suspicious, it tips it over to TURBINE, which diverts your request to the NSA’s servers. There, algorithms decide which of the agency’s exploits—malware programs—to use against you. This choice is based on the type of website you’re trying to visit as much as on your computer’s software and Internet connection. These chosen exploits are sent back to TURBINE (by programs of the QUANTUM suite, if you’re wondering), which injects them into the traffic channel and delivers them to you along with whatever website you requested.
The end result: you get all the content you want, along with all the surveillance you don’t, and it all happens in less than 686 milliseconds. Completely unbeknownst to you.
Once the exploits are on your computer, the NSA can access not just your metadata, but your data as well. Your entire digital life now belongs to them.