Эдвард Сноуден - Permanent Record (Young Readers Edition) - How One Man Exposed the Truth about Government Spying and Digital Security

In other words, I wasn’t getting the SRD posting I’d so coveted.

This was their gotcha, their retaliation. No one besides me—and I mean no one—had put down SRD, or any other active combat situation for that matter, as their first or second or even third choice on their dream sheets. Everyone else had prioritized all sweet European vacation-stations with windmills and bicycles, where you rarely hear explosions.

Almost perversely, they now gave me one of these assignments. They gave me Geneva. They punished me by giving me what I’d never asked for, but what everybody else had wanted.

Mary Shelley’s Frankenstein , written in 1818, is largely set in Geneva, the bustling, neat, clean, clockwork-organized Swiss city where I now made my home. I read it at night during the long, lonely months I spent by myself before Lindsay moved over to join me, stretched out on a bare mattress in the living room of the comically fancy, comically vast, but still almost entirely unfurnished apartment that the embassy was paying for.

In the Intelligence Community, the “Frankenstein effect” is widely cited: situations in which decisions intended to advance American interests end up harming them irreparably. In Geneva, in the same landscape where Mary Shelley’s monster ran amok, America was busy creating a network that would eventually take on a life and mission of its own and wreak havoc on the lives of its creators—mine very much included. The CIA station in the American embassy in Geneva was one of the prime European laboratories of this decades-long experiment.

The CIA is the primary American intelligence agency dedicated to HUMINT (human intelligence), or covert intelligence gathering by means of interpersonal contact—person to person, face-to-face. In other words, when you think of traditional undercover spy missions in movies, you’re thinking of HUMINT (with lots of embellishment, of course). This differs from SIGINT (signals intelligence), or covert intelligence gathering by means of intercepted communications. Though the COs (case officers) who specialized in HUMINT had a general distrust of digital technology, they certainly understood how useful it could be.

To serve as a technical field officer among these people was to be as much a cultural ambassador as an expert adviser. On Monday, a CO might ask my advice on how to set up a covert online communications channel with a potential turncoat they were afraid to spook. On Tuesday, another CO might introduce me to someone they’d say was a “specialist” in from Washington—though this was in fact the same CO from the day before, now testing out a disguise that I’m still embarrassed to say I didn’t suspect in the least, though I suppose that was the point. On Wednesday, I might be asked how best to destroy after transmitting (the technological version of burn after reading) a disc of customer records that a CO had managed to purchase from a crooked Swisscom employee. On Thursday, I might have to write up and transmit security violation reports on COs, documenting minor infractions like forgetting to lock the door to a vault when they’d gone to the bathroom. (I once had to write up myself for exactly the same mistake.) Come Friday, the chief of operations might call me into his office and ask me if, “hypothetically speaking,” headquarters could send over an infected thumb drive that could be used by “someone” to hack the computers used by delegates to the United Nations, whose main building was just up the street. Did I think there was much of a chance of this “someone” being caught?

I didn’t, and they weren’t.

During my time in the field, the field was rapidly changing. The agency was increasingly adamant that COs enter the new millennium, and technical field officers like myself were tasked with helping them do that in addition to all of our other duties. We put them online, and they put up with us.

The notoriously slow and meticulous methods of traditional spycraft certainly had their successes. But with the world’s deepest secrets now stored on computers, which were more often than not connected to the open internet, it was only logical that America’s intelligence agencies would want to use those very same connections to steal them.

Before the advent of the internet, if an agency wanted to gain access to a target’s computer, it had to recruit a person, or what spies call an “asset,” who had physical access to it. But this new world of “digital network intelligence” meant that physical access was almost never required. An agent now could just send the target a message, such as an email, with attachments or links that unleashed malware (an evil program) that would allow the agency to surveil not just the target’s computer but its entire network. Given this innovation, the CIA’s HUMINT would be dedicated to the identification of targets of interest, and SIGINT would take care of the rest.

That, at least, was the hope. But as intelligence increasingly became “cyberintelligence,” old concerns also had to be updated to the new medium of the internet. For example: how to research a target while remaining anonymous online.

Normally when you go online, your request for any website travels from your computer more or less directly to the server that hosts your final destination—the website you’re trying to visit. At every stop along the way, however, your request cheerfully announces exactly where on the internet it came from and exactly where on the internet it’s going, thanks to identifiers called source and destination headers, which you can think of as the address information on a postcard. Because of these headers, your internet browsing can easily be identified as yours by, among others, webmasters, network administrators, and foreign intelligence services.

It may be hard to believe, but the agency at the time had no good answer for what a case officer should do to remain anonymous online. Formally, the way this ridiculous procedure was supposed to work was that someone back in McLean would go online from a specific computer terminal and set up a fake origin for a query before sending it to Google. If anyone tried to look into who had run that particular search, all they would find would be a fake business located somewhere in America that the CIA used as cover. I can say with absolute certainty that the process was ineffective, onerous, and expensive.

During my stint in Geneva, whenever a CO would ask me if there was a safer, faster, and all-around more efficient way to do this, I introduced them to Tor.

Tor is free and open-source software that, if used carefully, allows its users to browse online with the closest thing to perfect anonymity. Its protocols were developed by the US Naval Research Laboratory throughout the mid-1990s, and in 2003 it was released to the public. Tor operates on a cooperative community model, relying on tech-savvy volunteers all over the globe who run their own Tor servers out of their basements, attics, and garages.

For me, Tor was a life changer, bringing me back to the internet of my childhood by giving me just the slightest taste of freedom from being observed.

None of this is meant to imply that the agency wasn’t still doing some significant HUMINT, in the same manner in which it had always done so. Even I got involved, though my most memorable operation was a failure. Geneva was the first and only time in my intelligence career in which I made the personal acquaintance of a “target.”

I met the man at an embassy party. The embassy had lots of those. The COs always went, and sometimes they would bring me along. As a technologist, I found it incredibly easy to defend my cover. The moment someone asked me what I did, and I responded with the four words “I work in IT,” their interest in me was over.