Authors: Edward Snowden
The best means we have for keeping our keys safe is called “zero knowledge,” a method that ensures that any data you try to store externally—say, for instance, on a company’s cloud platform—is encrypted by an algorithm running on your device before it is uploaded, and the key is never shared. In the zero knowledge scheme, the keys are in the users’ hands—and only in the users’ hands. No company, no agency, no enemy can touch them.
My key to the NSA’s secrets went beyond zero knowledge: it was a zero-knowledge key consisting of multiple zero-knowledge keys.
Imagine it like this: Let’s say that at the conclusion of my CryptoParty lecture, I stood by the exit as each of the twenty audience members shuffled out. Now, imagine that as each of them passed through the door and into the Honolulu night, I whispered a word into their ear—a single word that no one else could hear, and that they were only allowed to repeat if they were all together, once again, in the same room. Only by bringing back all twenty of these folks and having them repeat their words in the same order in
which I’d originally distributed them could anyone reassemble the complete twenty-word incantation. If just one person forgot their word, or if the order of recitation was in any way different from the order of distribution, no spell would be cast, no magic would happen.
My keys to the drive containing the disclosures resembled this arrangement, with a twist: while I distributed most of the pieces of the incantation, I retained one for myself. Pieces of my magic spell were hidden everywhere, but if I destroyed just the single lone piece that I kept on my person, I would destroy all access to the NSA’s secrets forever.
It’s only in hindsight that I’m able to appreciate just how high my star had risen. I’d gone from being the student who couldn’t speak in class to being the teacher of the language of a new age, from the child of modest, middle-class Beltway parents to the man living the island life and making so much money that it had lost its meaning. In just the seven short years of my career, I’d climbed from maintaining local servers to crafting and implementing globally deployed systems—from graveyard-shift security guard to key master of the puzzle palace.
But there’s always a danger in letting even the most qualified person rise too far, too fast, before they’ve had enough time to get cynical and abandon their idealism. I occupied one of the most unexpectedly omniscient positions in the Intelligence Community—toward the bottom rung of the managerial ladder, but high atop heaven in terms of access. And while this gave me the phenomenal, and frankly undeserved, ability to observe the IC in its grim fullness, it also left me more curious than ever about the one fact I was still finding elusive: the absolute limit of who the agency could turn its gaze against. It was a limit set less in policy or law than
in the ruthless, unyielding capabilities of what I now knew to be a world-spanning machine. Was there anyone this machine could not surveil? Was there anywhere this machine could not go?
The only way to discover the answer was to descend, abandoning my panoptic perch for the narrow vision of an operational role. The NSA employees with the freest access to the rawest forms of intelligence were those who sat in the operator’s chair and typed into their computers the names of the individuals who’d fallen under suspicion, foreigners and US citizens alike. For one reason or another, or for no reason at all, these individuals had become targets of the agency’s closest scrutiny, with the NSA interested in finding out everything about them and their communications. My ultimate destination, I knew, was the exact point of this interface—the exact point where the state cast its eye on the human and the human remained unaware.
The program that enabled this access was called XKEYSCORE, which is perhaps best understood as a search engine that lets an analyst search through all the records of your life. Imagine a kind of Google that instead of showing pages from the public Internet returns results from your private email, your private chats, your private files, everything. Though I’d read enough about the program to understand how it worked, I hadn’t yet used it, and I realized I ought to know more about it. By pursuing XKEYSCORE, I was looking for a personal confirmation of the depths of the NSA’s surveillance intrusions—the kind of confirmation you don’t get from documents but only from direct experience.
One of the few offices in Hawaii with truly unfettered access to XKEYSCORE was the National Threat Operations Center. NTOC worked out of the sparkling but soulless new open-plan office the NSA had formally named the Rochefort Building, after Joseph Rochefort, a legendary World War II–era Naval cryptanalyst who broke Japanese codes. Most employees had taken to calling it the Roach Fort, or simply “the Roach.” At the time I applied for a job there, parts of the Roach were still under construction, and I was
immediately reminded of my first cleared job, with CASL: it was my fate to begin and end my IC career in unfinished buildings.
In addition to housing almost all of the agency’s Hawaii-based translators and analysts, the Roach also accommodated the local branch of the Tailored Access Operations (TAO) division. This was the NSA unit responsible for remotely hacking into the computers of people whom analysts had selected as targets—the agency’s equivalent of the old burglary teams that once snuck into enemies’ homes to plant bugs and find compromising material. NTOC’s main job, by contrast, was to monitor and frustrate the activity of the TAO’s foreign equivalents. As luck would have it, NTOC had a position open through a contractor job at Booz Allen Hamilton, a job they euphemistically described as “infrastructure analyst.” The role involved using the complete spectrum of the NSA’s mass surveillance tools, including XKEYSCORE, to monitor activity on the “infrastructure” of interest, the Internet.
Though I’d be making slightly more money at Booz, around $120,000 a year, I considered it a demotion—the first of many as I began my final descent, jettisoning my accesses, my clearances, and my agency privileges. I was an engineer who was becoming an analyst who would ultimately become an exile, a target of the very technologies I’d once controlled. From that perspective, this particular fall in prestige seemed pretty minor. From that perspective, everything seemed pretty minor, as the arc of my life bent back toward earth, accelerating toward the point of impact that would end my career, my relationship, my freedom, and possibly my life.
D DECIDED TO
bring my archives out of the country and pass them to the journalists I’d contacted, but before I could even begin to contemplate the logistics of that act I had to go shake some hands. I had to fly east to DC and spend a few weeks meeting and greeting my new bosses and colleagues, who had high hopes for how they might apply my keen understanding of online anonymi
zation to unmask their more clever targets. This was what brought me back home to the Beltway for the very last time, and back to the site of my first encounter with an institution that had lost control: Fort Meade. This time I was arriving as an insider.
The day that marked my coming of age, just over ten tumultuous years earlier, had profoundly changed not just the people who worked at NSA headquarters but the place itself. I first noticed this fact when I got stopped in my rental car trying to turn off Canine Road into one of the agency’s parking lots, which in my memory still howled with panic, ringtones, car horns, and sirens. Since 9/11, all the roads that led to NSA headquarters had been permanently closed to anyone who didn’t possess one of the special IC badges now hanging around my neck.
Whenever I wasn’t glad-handing NTOC leadership at headquarters, I spent my time learning everything I could—“hot-desking” with analysts who worked different programs and different types of targets, so as to be able to teach my fellow team members back in Hawaii the newest ways the agency’s tools might be used. That, at least, was the official explanation of my curiosity, which as always exceeded the requirements and earned the gratitude of the technologically inclined. They, in turn, were as eager as ever to demonstrate the power of the machinery they’d developed, without expressing a single qualm about how that power was applied. While at headquarters, I was also put through a series of tests on the proper use of the system, which were more like regulatory compliance exercises or procedural shields than meaningful instruction. The other analysts told me that since I could take these tests as many times as I had to, I shouldn’t bother learning the rules: “Just click the boxes until you pass.”
The NSA described XKEYSCORE, in the documents I’d later pass on to journalists, as its “widest-ranging” tool, used to search “nearly everything a user does on the Internet.” The technical specs I studied went into more detail as to how exactly this was accomplished—by “packetizing” and “sessionizing,” or cutting up
the data of a user’s online sessions into manageable packets for analysis—but nothing could prepare me for seeing it in action.
It was, simply put, the closest thing to science fiction I’ve ever seen in science fact: an interface that allows you to type in pretty much anyone’s address, telephone number, or IP address, and then basically go through the recent history of their online activity. In some cases you could even play back recordings of their online sessions, so that the screen you’d be looking at was their screen, whatever was on their desktop. You could read their emails, their browser history, their search history, their social media postings, everything. You could set up notifications that would pop up when some person or some device you were interested in became active on the Internet for the day. And you could look through the packets of Internet data to see a person’s search queries appear letter by letter, since so many sites transmitted each character as it was typed. It was like watching an autocomplete, as letters and words flashed across the screen. But the intelligence behind that typing wasn’t artificial but human: this was a humancomplete.
My weeks at Fort Meade, and the short stint I put in at Booz back in Hawaii, were the only times I saw, firsthand, the abuses actually being committed that I’d previously read about in internal documentation. Seeing them made me realize how insulated my position at the systems level had been from the ground zero of immediate damage. I could only imagine the level of insulation of the agency’s directorship or, for that matter, of the US president.
I didn’t type the names of the agency director or the president into XKEYSCORE, but after enough time with the system I realized I could have. Everyone’s communications were in the system—everyone’s. I was initially fearful that if I searched those in the uppermost echelons of state, I’d be caught and fired, or worse. But it was surpassingly simple to disguise a query regarding even the most prominent figure by encoding my search terms in a machine format that looked like gibberish to humans but would be perfectly understandable to XKEYSCORE. If any of the auditors
who were responsible for reviewing the searches ever bothered to look more closely, they would see only a snippet of obfuscated code, while I would be able to scroll through the most personal activities of a Supreme Court justice or a congressperson.
As far as I could tell, none of my new colleagues intended to abuse their powers so grandly, although if they had it’s not like they’d ever mention it. Anyway, when analysts thought about abusing the system, they were far less interested in what it could do for them professionally than in what it could do for them personally. This led to the practice known as LOVEINT, a gross joke on HUMINT and SIGINT and a travesty of intelligence, in which analysts used the agency’s programs to surveil their current and former lovers along with objects of more casual affection—reading their emails, listening in on their phone calls, and stalking them online. NSA employees knew that only the dumbest analysts were ever caught red-handed, and though the law stated that anyone engaging in any type of surveillance for personal use could be locked up for at least a decade, no one in the agency’s history had been sentenced to even a day in prison for the crime. Analysts understood that the government would never publicly prosecute them, because you can’t exactly convict someone of abusing your secret system of mass surveillance if you refuse to admit the existence of the system itself. The obvious costs of such a policy became apparent to me as I sat along the back wall of vault V22 at NSA headquarters with two of the more talented infrastructure analysts, whose workspace was decorated with a seven-foot-tall picture of
’ famous wookie, Chewbacca. I realized, as one of them was explaining to me the details of his targets’ security routines, that intercepted nudes were a kind of informal office currency, because his buddy kept spinning in his chair to interrupt us with a smile, saying, “Check
out,” to which my instructor would invariably reply “Bonus!” or “Nice!” The unspoken transactional rule seemed to be that if you found a naked photo or video of an attractive target—or someone in communication with a target—you
had to show the rest of the boys, at least as long as there weren’t any women around. That was how you knew you could trust each other: you had shared in one another’s crimes.
One thing you come to understand very quickly while using XKEYSCORE is that nearly everyone in the world who’s online has at least two things in common: they have all watched porn at one time or another, and they all store photos and videos of their family. This was true for virtually everyone of every gender, ethnicity, race, and age—from the meanest terrorist to the nicest senior citizen, who might be the meanest terrorist’s grandparent, or parent, or cousin.
It’s the family stuff that got to me the most. I remember this one child in particular, a little boy in Indonesia. Technically, I shouldn’t have been interested in this little boy, but I was, because my employers were interested in his father. I had been reading through the shared targeting folders of a “persona” analyst, meaning someone who typically spent most of their day sifting through artifacts like chat logs and Gmail inboxes and Facebook messages, rather than the more obscure and difficult, typically hacker-generated traffic of the infrastructure analysts.
The boy’s father, like my own father, was an engineer—but unlike my father, this guy wasn’t government- or military-affiliated. He was just a regular academic who’d been caught up in a surveillance dragnet. I can’t even remember how or why he’d come to the agency’s attention, beyond sending a job application to a research university in Iran. The grounds for suspicion were often poorly documented, if they were documented at all, and the connections could be incredibly tenuous—“believed to be potentially associated with” and then the name of some international organization that could be anything from a telecommunications standards body to UNICEF to something you might actually agree is menacing.
Selections from the man’s communications had been sieved out of the stream of Internet traffic and assembled into folders—here was the fatal copy of the résumé sent to the suspect university;
here were his texts; here was his Web browser history; here was the last week or so of his correspondence both sent and received, tagged to IP addresses. Here were the coordinates of a “geo-fence” the analyst had placed around him to track whether he strayed too far from home, or perhaps traveled to the university for his interview.
Then there were his pictures, and a video. He was sitting in front of his computer, as I was sitting in front of mine. Except that in his lap he had a toddler, a boy in a diaper.
The father was trying to read something, but the kid kept shifting around, smacking the keys and giggling. The computer’s internal mic picked up his giggling and there I was, listening to it on my headphones. The father held the boy tighter, and the boy straightened up, and, with his dark crescent eyes, looked directly into the computer’s camera—I couldn’t escape the feeling that he was looking directly at me. Suddenly I realized that I’d been holding my breath. I shut the session, got up from the computer, and left the office for the bathroom in the hall, head down, headphones still on with the cord trailing.