The Snowden Files: The Inside Story of the World's Most Wanted Man

4 PUZZLE PALACE

The origins of the dragnet surveillance of the world’s internet users can be clearly pinpointed. It started on 9/11, the day of the terrorist atrocities that so frightened and enraged the US. Over the ensuing decade, both in America and Britain, there came a new political willingness to invade individual privacy. At the same time, mushrooming technical developments started to make mass eavesdropping much more feasible.

The intricate web of the internet secretly became what Julian Assange of WikiLeaks was to call, with only some exaggeration, ‘the greatest spying machine the world has ever seen’. But before the appearance of Edward Snowden, very little of the truth about that had reached the surface.

The NSA – the biggest and most secretive of the US intelligence agencies – failed on 9/11 to give advance warning of al-Qaida’s surprise attack against the Twin Towers in New York. Michael Hayden, an obscure air force general, was running the agency at the time.

George Tenet, the CIA director and nominal head of all 16 intelligence agencies, therefore had a question for Hayden. It was really Vice President Dick Cheney’s question, and Tenet was merely the messenger. The query was simple: could Hayden do more? Tenet and Cheney wondered if it was possible for the general to be more aggressive with the NSA’s extraordinary powers to vacuum up vast amounts of electronic communications and telephone information, and turn them against the terrorists.

For five decades, since its founding in 1952, the NSA has accumulated almost mythical technical and mathematical expertise. So much so that in the 1970s, the reformist senator Frank Church had warned that the NSA had the power ‘to make tyranny total in America’.

Its neighbours in Maryland include a number of secret or sensitive US military sites, such as Fort Detrick, the home of the US bioweapons programme, and Edgewood Arsenal, where the US developed chemical weapons. But the NSA was the most secret of the lot. Its budget and personnel are a state secret too.

The NSA’s mission is to collect signals intelligence from around the globe. This means anything electronic: radio, microwave, satellite intercepts. And internet communications. This clandestine monitoring is done without the target finding out. The agency has intercept stations around the world – in US military bases, embassies and elsewhere.

Its capabilities are boosted by a unique intelligence-sharing arrangement dating back to just after the second world war, known as ‘Five Eyes’. Under Five Eyes, the NSA shares its intelligence product with four other Anglophone nations: the UK, Canada, Australia and New Zealand. In theory, these allies don’t spy on each other. In practice, they do.

Legally, the NSA cannot just do as it pleases. The fourth amendment to the US constitution prohibits unreasonable searches and seizures against American citizens. Searches, which include communications intercepts, are only legal against a specific suspect, backed by ‘probable cause’ and the issue of a judicial warrant.

These safeguards are not just irrelevant or antiquarian restrictions. In the 1970s, President Nixon demonstrated how such power could be abused, by ordering the NSA to tap the phones of several fellow Americans he didn’t like, under the notorious MINARET program. The NSA’s illegal domestic targets included some US senators themselves, plus the boxer Muhammad Ali, the writer Benjamin Spock, the actress Jane Fonda, the black activists Whitney Young and Martin Luther King, and other critics of the misbegotten Vietnam war.

The MINARET scandal brought about the Foreign Intelligence Surveillance Act (FISA), a seminal 1978 law. Under it, the NSA was supposed to steer clear of communications inside the US or involving Americans, unless it had a warrant.

Life was easier for the NSA’s smaller UK partners at GCHQ, who faced no written constitution, and who could pressurise government ministers to give them what they wanted under a cosy British blanket of secrecy. Britain’s RIPA (the 2000 Regulation of Investigatory Powers Act) was soon to be ‘interpreted’ to give GCHQ legal carte blanche to carry out mass surveillance on British soil, and pass on the results to the NSA – provided only that one end of a communications link was foreign.

As GCHQ boasted internally, in documents later to be revealed: ‘We have a light oversight regime compared with the US.’

That was certainly true in 2001. Within 72 hours of the devastating 9/11 attacks, Hayden had already taken the agency to the outer limits of its existing legal authorities.

In the midst of the emergency, Hayden secretly allowed his agency to match known terrorist phone numbers with US communications involving international calls. ‘Mission Creep’ rapidly occurred; within two weeks, the NSA was also cleared to give the FBI any US telephone number that contacted any Afghan telephone number. An internal NSA history would later call this ‘a more aggressive use’ of Hayden’s powers than his predecessors tolerated.

And so, under questioning from Cheney and Tenet in 2001, Hayden had to provide an answer that his bosses would find unsatisfying. What more can you do? Nothing. Nothing more can be done within the NSA’s existing authorities.

Later, Tenet asked Hayden a follow-up question over the phone. What could you do if you had more authorities?

As it happened, the NSA could do a tremendous amount.

Prior to the 9/11 attacks, the NSA had already been working on one experiment, which it had had to abandon because of FISA legal constraints. The idea was to perform something called ‘contact chaining’ on the records of communications, or metadata, it received. Contact chaining is a process of establishing connections between senders and recipients and their contacts. Done rigorously, it establishes a map of connections between people that doesn’t involve actually listening to their phone calls or reading the contents of their emails. Long before Facebook ever existed, the NSA was toying with what the social network would later unveil as a ‘social graph’.

But there was a problem. The Justice Department’s intelligence policy branch determined in 1999 that metadata was covered under FISA’s definition of electronic surveillance. That meant that contact chaining was kosher for non-American communications, but if it ensnared Americans, the NSA would be breaking the law.

Adding complexity, the transmission of electronic communications even between foreigners overseas could transit through the US, since the data splits apart into digital ‘packets’ rather than travelling from point to point over a telephone line. FISA protects transits inside the US. Yet, increasingly, that was how global telecommunications occurred.

There was, however, one avenue open to Hayden, Tenet, Cheney and George W Bush in the days after 9/11. They could go to Congress, which was rabid for war, and ask for more power by amending FISA. Congress was feeling generous to executive authority while the Twin Towers and the Pentagon still smouldered. In early October, representatives overwhelmingly passed the Patriot Act, granting federal investigators more authority to conduct searches in terrorism cases. Surely they would also wave through an amendment to the FISA regulations?

But the Bush administration decided against openly asking for more power. Instead, the White House simply instructed Hayden to go ahead in secret with more surveillance. The NSA’s official history hazards a guess why. ‘Anecdotal evidence suggests that government officials feared the public debate surrounding any changes to FISA would compromise intelligence sources and methods.’

So Hayden’s NSA began preparing a new program, one that would be kept in the strictest confidence while transgressing traditional NSA boundaries. It had four aspects: telephone communications, telephone metadata, internet communications like emails and web searches, and internet metadata. The NSA would collect as much of it as it could. Contact chaining from foreigners to Americans was back on, and the NSA could scoop up foreign communications even when they traversed the USA. The program received the elegant codename STELLAR WIND, although some of the NSA’s technologists took to calling it the Big Ass Graph. On 4 October 2001, STELLAR WIND began – the official covername would follow on the 31st, Halloween – thanks to an authorisation signed by President Bush and an initial outlay of $25 million.

Not many people knew about STELLAR WIND. Hayden kept Bush’s directive in a safe. The NSA’s top lawyer knew – along with approximately 90 NSA staff who implemented the program – and blessed it as legal. But there was no initial court approval: it would not be until January 2002 that the chief of the secret FISA court even heard of the effort; his colleagues, except for one, would not know about it for another four years. Even the NSA’s internal watchdog, the inspector general, would not learn about STELLAR WIND until August 2002, nearly a year into the program’s existence.

Nor would most members of Congress. Initial knowledge was limited to the top Democrat and Republican on the Senate and House intelligence committees. By January, the NSA included Democrat Ken Inouye and Republican Ted Stevens, the leaders of the Senate appropriations committee, which presides over the purse for the Senate. It would take until January 2007 for 60 people on Capitol Hill to be cleared to know the details of STELLAR WIND, out of 535 US legislators.

But from the start, STELLAR WIND appears to have had the enthusiastic support of the major telephone companies and internet service providers. This would prove to be crucial. Unlike in the old Soviet Union or modern-day China, the US government does not own and operate the internet’s fibre-optic cables and switches, even the parts that pass through and out of the US. For the NSA to have a hope of harvesting phone and email records, it needed the co-operation of those companies.

The NSA’s internal history records that unnamed ‘private-sector partners’ began providing the agency with phone and internet content from overseas in October 2001, the first month of the program, and phone and internet metadata from inside the US the following month.

The volume of communications traffic the companies opened up to the NSA was tremendous. Infrastructure controlled by three ‘corporate partners’, as the NSA referred to them, represented an estimated 81 per cent of international calls transiting through the United States. Close and secret partnership with telecoms is nothing new for the NSA: in fact, it is the way the NSA has operated since its inception. Those long-standing relationships, along with the patriotic sentiment of a nation wounded after 9/11, provided for a receptive audience from the firms. Two of the three ‘corporate partners’, for instance, contacted the NSA even before STELLAR WIND officially began and asked, ‘What can we do to help?’

The following two years saw at least three more telecommunications firms approached to provide support to STELLAR WIND – although strains were beginning to emerge. The demand for this additional data did not occur, thanks to a judge’s order. It was a unilateral request from the NSA, with nothing more official than a notice from Attorney General John Ashcroft – who periodically renewed the program – to back it up, and Ashcroft was no judge. One of the three firms provided merely ‘minimal’ support to the agency. Two others were even more hesitant. One, which the NSA wanted to provide it with email content, bucked the agency due to ‘corporate liability concerns’, according to an internal NSA draft history. Another wanted to bring in outside lawyers to review the legality of its compliance. The NSA, deeming the risk of exposure too great, withdrew the request.

There was unease within the Justice Department too, about the program’s legality. The deputy attorney general, James Comey, was reported to have refused to sign off renewals during his boss Ashcroft’s illness. Not only Hayden, the head of the NSA, but also President Bush himself were personally involved in a 2004 attempt to pressurise the New York Times to suppress a leak about the program. ‘The Bush administration actively misled us, claiming there was never a doubt that the wiretapping operations were legal,’ says Eric Lichtblau, one of the authors, along with Risen, of the subsequent exposé of the scandal in the newspaper.

In December 2005, the NSA’s worst fear eventually came true. ‘BUSH LETS US SPY ON CALLERS WITHOUT COURTS’ read the front-page headline in the New York Times. The story gave only a fraction of the picture. It focused on the warrantless NSA interception of Americans’ international phone calls and email traffic, without disclosing the bulk collection of the metadata that essentially provided the agency with a social network of everyone inside the US and their ties abroad.

While denouncing the Times, Bush publicly launched a vigorous defence of the program as one of the biggest post-9/11 intelligence successes. Even shrewder, Bush confirmed only the parts of STELLAR WIND that the Times had reported, and gave them a new, politically powerful name that would put its critics on the defensive: the Terrorist Surveillance Program.

As with nearly every element of Bush’s national security policies, the subsequent furore was largely partisan and predictable: Republicans fell over themselves to defend the warrantless surveillance as necessary to thwart terrorists; Democrats just as quickly denounced it as a constitutional atrocity.

In October 2001, Nancy Pelosi, the liberal Californian House minority leader and parliamentary tactician, had been the ranking Democrat on the House intelligence committee, and she attended Hayden’s initial briefings. Bush administration officials and allies, smelling hypocrisy and opportunism, accused Pelosi of abandoning a program she had safeguarded in secret.

Pelosi fought back. She declassified a letter she wrote to Hayden days after STELLAR WIND became operational, which expressed uneasiness: ‘Until I understand better the legal analysis regarding the sufficiency of the authority which underlies your decision on the appropriate way to proceed on this matter, I will continue to be concerned.’

Pelosi was not the only one personally affected by the revelations. Vito Potenza had a problem on his hands the moment the Times ran with the story. As the general counsel for the NSA, one of Potenza’s responsibilities was interacting with the telecoms and internet service providers, to reassure them that their co-operation was legal. But that was an easier arrangement to maintain in secret. Now that the media had run with the story, the telecoms worried about both their bottom lines and their legal exposure. But they also didn’t contemplate ending the arrangement with the NSA.

One of the service providers passed on a potential solution to Potenza. Don’t ask us to provide telephone metadata. Make us do it. ‘The provider preferred to be compelled to do so by a court order,’ the NSA’s internal history noted.

So during the early months of 2006, the Justice Department and NSA lawyers worked together to craft a secret legal authorisation for domestic telephone metadata collection that would withstand the scrutiny of the equally secret FISA court, now briefed on STELLAR WIND. The answer was the so-called ‘business records provision’ of the Patriot Act, its now-notorious section 215.

Under section 215, passed after 9/11 and already detested by civil libertarians, the government had the power to compel businesses to turn over items ‘relevant’ to an ‘ongoing’ terrorism investigation. Shoehorning bulk metadata collection into that statutory requirement was tricky. It was questionable whether all Americans’ phone records posed any relevance to any actual ongoing investigation. The metadata was more like a body of information that occurred prior to an investigation, creating the conditions for divining investigative threads.

Yet the newly briefed FISA court proved to be receptive. ‘There are reasonable grounds to believe that the tangible things sought are relevant to authorised threat investigations… being conducted by the FBI,’ wrote Judge Michael Howard of the FISA court on 24 May 2006, in a classified decision, granting the court orders the companies wanted.

Keith Alexander, the next director of the NSA, was to describe these relationships with telecoms and internet service providers during a contentious hearing of the House intelligence committee on 29 October 2013: ‘We’ve asked industry’s help. Asked? OK, more accurately, we have compelled industry to help us in this manner by court order.’

It would have been more accurate, perhaps, to say ‘industry’ compelled Alexander to compel industry by court order.

The administration then wrote itself more legal cover in the hotly contested FISA Amendments Act (FAA). The FAA legalised and blessed any communications interception between an American and a foreigner. The foreigner did not have to be a terrorist suspect: he merely had to be ‘reasonably’ suspected of having foreign intelligence value. Nor did he even have to be actually overseas: he merely had to be ‘reasonably’ suspected of being overseas during the time of interception. Approvals came from the FISA court in bulk, annually.

In one of the most important provisions of the bill, the FAA granted explicit legal immunity to any telecommunications firm that participated in the bulk surveillance. The immunity was both retroactive and prospective. Essentially, no private-sector partner of the NSA’s would ever face criminal charges or financial damages.

The FAA was passed in mid-2008, the thick of presidential election season. It was a tremendous success for the NSA. What had begun as a lawless secret, controlled entirely by the executive branch, had now won the explicit approval of Congress, many of whose members little understood its significance. There was now a new term in the NSA lexicon: ‘702’, a reference to the legal text of FISA that the FAA changed, which would now be a wellspring for much of the NSA’s overseas and ostensibly terrorism-related collection.

Civil libertarians rued a fight they bitterly contested and had now lost. Bulk collection of communications on a massive scale would follow, warned the ACLU, and some of it would inevitably be American, all without individual suspicion or a way to adequately challenge its occurrence. It sounded like the General Warrants issued by the British colonial authorities – the very unreasonable searches and seizures that had provoked the American Revolution and the constitution itself.

In the House of Representatives, where the FAA was passed by a 293–129 margin in June, the overwhelming majority of dissenting votes were Democrats. But the Democrats on the intelligence committee tended to vote for it. Among them were committee veteran Jane Harman and her predecessor, now the House speaker, Nancy Pelosi. It seemed she had overcome her earlier reservations.

In the Senate, the bill passed by a comfortable 69–28 margin. All 29 dissenters were Democrats. But what was notable were Democrats aligning with the NSA. One was Dianne Feinstein, who would become the intelligence committee chairwoman the following year. Another was Jay Rockefeller, who held the position at the time – and who had denounced the same surveillance activities when the Times exposed them.

A third was the liberal hope of the early 21st century, a first-term senator from Illinois and constitutional law professor. Barack Obama, in a 2007 stump speech for his nascent presidential campaign, had pledged, ‘No more illegal wiretapping of American citizens. No more National Security Letters to spy on American citizens who are not suspected of a crime. No more tracking citizens who do no more than protest a misguided war. No more ignoring the law when it is inconvenient.’

Obama, the Democratic nomination in sight, and from there the presidency, voted for the FAA on 9 July 2008.

With the passage of the FAA, political controversy over warrantless surveillance became marginal, the preoccupation of those already invested in one outcome or another. Periodically throughout the Obama administration, surveillance votes would occur – as with the renewal of the Patriot Act and the FAA itself – but relatively few paid attention. Obama paid no political price for any of the bulk surveillance activities he presided over.

One reason for that was that the FAA vote largely returned the veil of secrecy to the NSA’s bulk collection activities. While a few obsessives knew the name STELLAR WIND, there was no public proof that the NSA was secretly hoarding the phone metadata of every American. There was no public proof that the NSA had entered into sweeping arrangements with every significant internet service provider, under a program that was getting off the ground called PRISM.

There was, however, a warning. In 2011, in an interview with WIRED reporter Spencer Ackerman – who would soon become the Guardian’s national security editor – and in a floor speech shortly before a critical vote on the Patriot Act, Senator Ron Wyden, an Oregon Democrat who sat on the intelligence committee, obliquely said that the government had a secret interpretation of the Patriot Act that was so different from what the text of the law said that it amounted to a new law – one that Congress had not voted to approve.

‘We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,’ Wyden said. ‘When you’ve got that kind of a gap, you’re going to have a problem on your hands.’ If the American people saw the discrepancy, he added, they would be astonished – and horrified. But Wyden, sworn to protect classified information, refused to say exactly what he meant.

Despite all the suspicions and the arcane controversies, the developing facts about the country’s biggest and most intrusive domestic and international surveillance programs were thus kept from the American public in whose name they were being carried out. When Edward Snowden got on a plane for Hong Kong in 2013, the material he held on his laptops was highly explosive.