Эдвард Сноуден - Permanent Record (Young Readers Edition) - How One Man Exposed the Truth about Government Spying and Digital Security

My tunnel was a literal tunnel: an enormous Pearl Harbor–era airplane factory turned NSA facility located under a pineapple field in Kunia, on the island of Oahu, Hawaii. Its official name was the Kunia Regional Security Operations Center.

Lindsay and I had come to Hawaii to start over. To start over yet again.

My doctors had told me that the climate and more relaxed lifestyle in Hawaii might be beneficial for my epilepsy, since lack of sleep was thought to be the leading trigger of the seizures. Also, the move eliminated the driving problem—Maryland law prevented people diagnosed with epilepsy from driving, but Hawaiian law did not. Besides, the tunnel was a pleasant, twenty-minute bike ride to work through sugarcane fields in brilliant sunshine.

I went to work for the NSA early in 2012. The job I’d taken was a significant step down the career ladder, with duties I could at this point perform in my sleep. It was supposed to mean less stress, a lighter burden. I spent the earliest days automating my tasks—writing scripts to do my work for me—so as to free up my time for something more interesting.

Before I go any further, I want to emphasize this: My active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I’d first had back in 2009 in Tokyo. Three years later, I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned. Though I was uncertain about how to conduct this investigation, I was at least sure of this: I had to understand exactly how the system worked before I could decide what, if anything, to do about it.

I wanted to know what the NSA’s surveillance capabilities were exactly, whether and how they extended beyond the agency’s actual surveillance activities, who approved them, who knew about them, and, last but surely not least, how these systems—both technical and institutional—really operated.

Sometimes I’d find a program with a recognizable name but without an explanation of what it did. Other times I’d just find a nameless explanation, with no indication as to whether the capability it described was an active program or an aspirational desire. I was running up against programs within programs. This was the nature of the NSA—by design, the left hand rarely knew what the right hand was doing.

I’m not saying that I made any decisions at that instant. The most important decisions in life are never made that way. They’re made only once you’re finally strong enough to admit to yourself that this is what your conscience has already chosen for you, this is the course that your beliefs have decreed. That was my twenty-ninth birthday present to myself: the awareness that I had entered a tunnel that would narrow my life down toward a single, still-indistinct act.

I got in the regular habit of perusing what the NSA called “readboards.” These are digital bulletin boards that function something like news blogs, featuring the day’s most important and interesting documents—everything an employee has to read to keep current.

My new, low-pressure position gave me as much time to read as I wanted. The scope of my curiosity might have raised a few questions at a prior stage of my career, but now I was the only employee of the Office of Information Sharing. I was the Office of Information Sharing. So my very job was to know what sharable information was out there.

In the hopes of organizing all the documents I wanted to read, I put together a best-of-the-readboards queue. The files quickly began to pile up, until the nice lady who managed the digital storage quotas complained to me about the folder size. Not wanting to erase it or stop adding to it, I decided instead to share it with others. This was the best justification for what I was doing that I could think of, especially because it allowed me to more or less legitimately collect material from a wider range of sources. So, with my boss’s approval, I set about creating an automated readboard—one that edited itself.

Like EPICSHELTER, my automated readboard platform was designed to perpetually scan for new and unique documents in the networks of the NSA, the CIA, and the FBI, as well as others. The idea was that its findings would be made available to every NSA officer. Essentially, it would be a readboard of readboards. It would be run from a server that I alone managed, located just down the hall from me. That server would also store a copy of every document it sourced, making it easy for me to perform the kind of deep interagency searches that the heads of most agencies could only dream of.

I called this system Heartbeat, because it took the pulse of the NSA and of the wider IC. It pulled so many more documents than any human ever could that it immediately became the NSAnet’s most comprehensive readboard.

Early on in its operation I got an email that almost stopped Heartbeat forever. A faraway administrator—apparently the only one in the entire IC who actually bothered to look at his access logs—wanted to know why a system in Hawaii was copying, one by one, every record in his database. He had immediately blocked me, which effectively locked me out, and was demanding an explanation. I told him what I was doing and showed him how to use the internal website that would let him read Heartbeat for himself. Once I gave him access, his wariness instantly turned into curiosity. He could now see that Heartbeat was just doing what it’d been meant to do and was doing it perfectly. He was fascinated. He unblocked me from his repository of records and even offered to help me by circulating information about Heartbeat to his colleagues.

Nearly all of the secret documents that I later disclosed to journalists came to me through Heartbeat. It showed me not just the aims but the abilities of the IC’s mass surveillance system. This is something I want to emphasize: In mid-2012, I was just trying to get a handle on how mass surveillance actually worked. The better you can understand a program’s mechanics, the better you can understand its potential for abuse.

This meant that I wasn’t much interested in the briefing materials—like, for example, what has become perhaps the best-known file I disclosed. It was a slide deck from a 2011 PowerPoint presentation that explained the NSA’s new surveillance approach: “Sniff It All, Know It All, Collect It All, Process It All, Exploit It All, Partner It All.” This was just marketing jargon intended to impress America’s allies: Australia, Canada, New Zealand, and the UK, the primary countries with which the United States shares intelligence. Together with the United States, these countries are known as the Five Eyes.

“Sniff It All” meant finding a data source; “Know It All” meant finding out what that data was; “Collect It All” meant capturing that data; “Process It All” meant analyzing that data for usable intelligence; “Exploit It All” meant using that intelligence to further the agency’s aims; and “Partner It All” meant sharing the new data source with allies. But this document gave me no insight into how the approach was realized technologically.

Much more revealing was a top secret legal demand I found for a private company to turn over its customers’ private information to the federal government. The order made it clear that the NSA had secretly interpreted part of the Patriot Act to mean it could collect all of the metadata coming through American telecoms such as Verizon and AT&T on “an ongoing daily basis.” This included, of course, records of telephone communications between American citizens. That was unconstitutional.

I also found evidence of the NSA using other laws to justify its two most prominent internet surveillance methods: the PRISM program and upstream collection. PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, and more, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds. Upstream collection, meanwhile, enabled direct collection of data from internet infrastructure—the switches and routers that shunt internet traffic worldwide. Together, PRISM and upstream collection ensured that the world’s information, both stored and in transit, was surveillable.