The smiley-face revelation deeply threatened Google’s business around the world—along with that of Facebook, Apple, and every other corporate symbol of America’s newest form of soft power. The note suggested Google was being unwittingly hacked by the US government, but in a world where trust in institutions is in increasingly short supply, Google and the other tech giants couldn’t help but appear complicit. Customers in Germany or Japan would suspect that American companies were secretly turning over their data to the NSA. (That assumption was not entirely wrong: if served an order from the Foreign Intelligence Surveillance Court, Google and the other big communications providers had no choice but to comply.) And governments around the world could use these Snowden revelations to make the case that the American firms were inherently untrustworthy and should be regulated or barred from their countries.
“We are not in a good place,” Eric Schmidt, Google’s then chief executive told me soon after the Snowden disclosures. But as Schmidt himself conceded, Google’s relationship with the US government was complicated—a lot more complicated than Brandon Downey’s outburst might suggest.
* * *
—
The burden of solving the immediate problem—locking up Google’s systems and convincing customers around the world that their data were not being piped straight to Fort Meade—fell to Eric Grosse, the amiable head of Google’s security efforts. With pale eyes and gradually graying hair, Grosse looked more like a bespectacled suburban dad than one of Silicon Valley’s key players, but his Stanford computer science PhD and hobby of piloting his own high-winged plane, gave him Valley credibility.
By the time my colleague Nicole Perlroth and I arrived at Grosse’s office on the edge of the Google campus in early summer 2014, he was deeply engaged in figuring out how to block every pathway the NSA could carve into the tech giant’s networks. In the open cubicles that looked out on the old air base, Moffett Field, in the heart of what is now Silicon Valley—the remnant of a pre–World War II age when the airplane was remaking global power—Grosse and his team of engineers were working day and night to NSA-proof the Google systems.
The project, Grosse said, had actually begun long before they saw the smiley-face diagram. As early as 2008, Google had been investing in consortiums that laid undersea cables. But sharing had its risks: The company was not fully in control of who else had access to the cables, and there was always the risk that Google’s traffic could be thrown off the lines during an emergency, leaving its users without access to their data. Less than a decade later, Google had undertaken a multibillion-dollar effort to put down its own fiber-optic lines across the Atlantic and the Pacific so that it could control the speed and reliability of information that flowed between its servers and its users.
In addition to laying its own cables, Google had also decided, before the Snowden revelations, to roll out a program to encrypt all the data that ran between its data centers. But as with the cable laying, the encryption effort was still plodding along when the smiley-face document made it clear that the US government was intent on breaking into Google’s networks. Suddenly, making sure no one else was inside those networks became an urgent priority.
The possibility that an intelligence service could drill into Google’s networks had always been a concern, Grosse told us, but until this document surfaced the threat had seemed theoretical. “Reasonable people could differ on the risk,” he said. The prevailing view among his colleagues before Snowden was that getting into the communications lines between Google servers “would be too costly,” even for the NSA. “Most of the traffic was not sensitive, so huge processing would have to be done to mine any nuggets,” he explained. Who in their right mind would tackle a haystack that big in order to find a few needles?
Yet there were a few security engineers both inside and outside Google, Grosse admitted, who better understood the mind-set of the NSA and thought the agency might be motivated to tackle the haystack. “They had read about Operation Ivy Bells,” he said.
Grosse was referring to the huge US intelligence project in the early 1970s to tap into the Soviet Navy’s undersea cables in the Sea of Okhotsk. At significant risk of discovery, the NSA had dispatched a submarine to wrap a secretly developed twenty-foot-long set of devices around the cables to record all the message traffic. Every month or so divers would slip into the waters, descend four hundred feet, and retrieve the recordings. The operation ran with great success until 1980, when a forty-four-year-old NSA communications specialist with a personal bankruptcy problem walked into the Soviet embassy in Washington and blew its cover.
During its years in operation, Ivy Bells was a complicated operation with significant technical challenges. Overcoming those challenges took help from the tech giant of the time, AT&T’s Bell Laboratories, which considered itself not just an American firm but also a founding member of the intelligence-industrial complex that ultimately won the Cold War. There was no shame in the revelation of the company’s role; the undersea cable in question was used by the Soviet military to communicate with subs carrying ICBMs aimed at American cities. Bell Labs had done what many Americans expected they would do.
But the world had changed in the four decades between the start of Ivy Bells and the operation described in the smiley-face drawing. Google engineers, by and large, hadn’t grown up in a Cold War environment and did not view their role as one of supporting American defense and intelligence partners. In any case, this wasn’t a collaborative effort; the government was breaking into a company’s network and helping itself to the information. And although Google was born an American company, it certainly saw itself as much more of a global citizen than Bell Labs had in its heyday. For the Google engineers sitting in the cubicles surrounding Grosse, their number-one mission was not to uphold American national security but to assure their customers that their information was safe. That included Google’s global customers, not just Americans.
All of a sudden, Grosse recalled, Google’s sense of risk had changed. The NSA had exploited “the last chink in our armor,” he told us as we walked around the Google offices, where some programmers had put up pictures of the NSA headquarters building with slashes through them. The encryption project, “originally operating on a timescale of months,” now had to be “finished on a timescale of weeks.”
He put the program into overdrive. This was just one more skirmish, he understood, in what would be a long-running war between Silicon Valley and the NSA. “No hard feelings,” Grosse said to us as we walked through the security center Google had erected to seal up its vulnerabilities, “but my job is to make their job hard.”
Google soon added a new email-encryption feature to its product line. And, in a pointed jab at the NSA, the code ended with a smiley face.
* * *
—
The Snowden affair kicked off a remarkable era in which American firms, for the first time in post–World War II history, broadly refused to cooperate with the American government. They wrapped some of that refusal in Silicon Valley’s typical libertarian ideology. But their real fear was that any open association with the NSA would prompt customers to wonder whether Washington had bored holes into their products.
Snowden gave allies and adversaries alike grounds for an argument about the dangers of using American technology—the same argument the United States raised regularly about letting Kaspersky antivirus software, designed in Russia, run on American computers, or permitting Chinese firms to sell their cell phones and network equipment in the United States. And the Snowden revelations set the stage for massive conflicts between the powerhouses in the technology world—Google, Apple, Facebook, and Microsoft—and a National Security Agency that had blithely assumed American companies would be on its side, just as Lockheed and Boeing and Raytheon had been during the Cold War.
Google was hardly the only target of the NSA, and the project to get inside its servers was a small p
art of a far broader effort. Months before the Google smiley face emerged, Snowden leaks had revealed the existence of the NSA program code named “PRISM,” in which the NSA siphoned off Internet communications of all types under orders issued by the Foreign Intelligence Surveillance Court. The companies were ordered to stay quiet about the program, and they were paid several million dollars to compensate them for the cost of compliance. Inside the NSA the operation was run by a group known as “Special Source Operations,” which sought to recruit American companies to the cause after the September 11 attacks. Everyone from Microsoft to Yahoo! to Apple to Skype participated, some more reluctantly than others. Government intelligence analysts working around any encryption systems could search the companies’ huge databases of information.
The smiley-face document, combined with the PRISM revelations, suggested the NSA was actually accessing corporate servers two different ways: the court-ordered way, with all its legal oversight, and via a covert effort overseas, for which no court order was needed but much stealth was required.
That distinction was lost on most of the world. To anyone who wasn’t looking deeply, it appeared that Silicon Valley companies were simply opening their doors to the NSA—that they had become an arm of an overbearing US government. The tech companies were quickly forced to make statements distancing themselves. On June 7, the day the Guardian revealed the PRISM program’s access to Facebook, Microsoft, and others, Mark Zuckerberg posted a heated defense: “Facebook is not and has never been part of any program to give the US or any other government direct access to our servers,” he asserted. That same day, Microsoft declared that it complied only “with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data, we don’t participate in it.”
It turned out, though, that other companies did participate in such a program. Snowden documents showed a long history of cooperation between the NSA and the telecommunications giants who controlled what had become the backbone of the Internet. Documents in the trove showed that seventeen AT&T Internet hubs in the United States had installed NSA surveillance equipment; a smaller number of Verizon facilities were similarly equipped. Often, AT&T engineers were among the first to test the government’s new technology. One internal NSA memo, recording a trip that one of the agency’s senior officials took to the company, referred to the firm’s “extreme willingness to help with SIGINT and Cyber missions and the breadth and depth of not only the program’s access” but the “amazing knowledge” of the company’s workforce.
It was a relationship so vital that President Obama sometimes intervened directly with telecommunications executives, calling them personally to ask for help if there was a critical need for information about a terrorist group or if intelligence agencies feared that an attack could be imminent. And the executives, while on the line with the president of the United States, had to essentially ask themselves a hard question: Were they an American company first, or a global one?
“It was the kind of thing you couldn’t say no to,” one chief executive said to me. “You have a president saying lives are on the line.”
But now that chief executive also had to contemplate the dangers of saying yes. After Snowden, the potential cost of cooperating with Washington was a lot higher. Any country that wanted to keep American firms out of their markets could make an easy national-security argument: buy the American equipment, and you were probably buying a “back door” that the NSA installed to tap into those systems.
In the year after the Snowden revelations, I spoke with a number of American executives who crisscrossed Europe and Asia arguing to customers that this wasn’t the case. But they found little traction. “We assume that if a company is based in the United States, there is an understanding with the American intelligence services,” a senior German intelligence official told me one night over dinner in Berlin. “And look at who is supplying the CIA!”
He was referring to Amazon’s $600 million deal to build the CIA’s enormously complex “cloud storage” system. For the agency, the deal was a true revolution—a response to the critique that information in the intelligence agencies was so stuck in “silos” that it was impossible to conduct the kind of data-crunching analysis that would reveal patterns, or plotters. Gradually, the Pentagon started to move in the same direction. Of course, the whole idea of centralizing information in the cloud made many senior American officials exceedingly nervous: If the lesson of 9/11 was that more information needed to be shared, the lesson of Snowden was that centralized systems can yield huge leaks. But the real irony was that as tech firms publicly protested the NSA’s intrusions into their networks—Microsoft, IBM, and AT&T among them—they were privately vying for the hugely profitable business of managing the intelligence community’s data.
* * *
—
Tim Cook, the quiet, almost ascetic chief executive of Apple, rose in the company as a counterweight to Steve Jobs. Jobs was the showman, Cook the understated strategist. Jobs erupted when products didn’t look right or politics limited the ideal technological solution; Cook lacked Jobs’s intuitive sense of what made a product feel distinctly like an Apple product, but what he lacked as a designer he made up for with his considerable geopolitical sensibility. Whereas Jobs was no ideologue and rarely dug deeply into the question of Apple’s place in society, Cook seemed as comfortable making a civil-liberties argument as a technological one.
Perhaps Cook’s social and political intuition was the result of his years growing up in Alabama, where one of his searing memories was of bicycling by a group of Klansmen burning a cross on the lawn of a black family in the town of Robertsdale and yelling at them to stop. “This image was permanently imprinted in my brain and it would change my life forever,” he said in 2013, the same year as the Snowden revelations.
Cook spoke little about his personal life; it was not until he was already running Apple that he began to talk about growing up as a gay teenager in a conservative state. He kept portraits of Robert Kennedy and Martin Luther King Jr.—two heroes from his youth—in his office. So when Obama invited him into the White House—along with Vinton Cerf, one of the founders of the Internet, and Randall Stephenson, the chief executive of AT&T—in late 2013, in an attempt to contain the damage of Snowden’s recent document dump, Cook certainly had views. He already knew where he was headed with Apple’s technology—in exactly the direction that the government did not want him to go.
At the heart of Cook’s dispute with the government was whether it was more important for Apple to secure the data that users keep on their phones, or to assure the FBI and the nation’s intelligence agencies that they could get inside any iPhone. For Cook, this was not a moral dilemma, and it was an even easier business question. He had risen to the top at Apple talking about how one of the company’s fundamental goals was to help Apple users keep their digital lives private. Apple made its money off of hardware and apps, not the ability to sell ads around email services or search engines.
But to Cook’s surprise, he ran into a buzz saw of opposition, not only from the FBI but from Obama himself. The latter was surprising because Cook was one of just a few tech executives with whom Obama had worked up something of a friendship. The two men were about the same age, and on visits to Washington—which Cook made much more frequently than Jobs had done—Cook would sometimes slip into the White House for a quiet meeting with the president, who admitted to something of a fascination with Apple. (His aides guessed that this was because the NSA and the White House Communications Agency insisted they could not make the iPhone secure enough for him to use and left him with a BlackBerry, which he hated.) For his part, Obama seemed in his element on trips to Silicon Valley, where he could wax freely about the future of the American economy and know that he was among his core supporters. Their relationship made the open conflict with Cook, and Obama’s other tech
supporters, over encryption all the more fascinating.
The Snowden revelations forced Cook to take a stand in a battle that had been brewing for years—the FBI’s fight against the growing movement toward personal encryption. Everyone agreed that bank information and certainly classified government files should be encrypted. But the idea that the same could or should be true of every individual’s personal data was relatively new, and it was one that chilled federal law enforcement. The FBI warned that encrypted personal communications were creating a “going-dark” crisis that would keep its agents—along with local police—from tracking terrorists, kidnappers, and spies.
No one embraced this view more fully than James Comey, Obama’s FBI director, who had come to public prominence standing up to the Bush White House when it sought to route around the law and the courts in authorizing a wiretapping program. But Comey was a government lawyer at heart, and in this case he argued that without a court-approved way into Apple’s phones, what most people called a “back door,” the main appliance of our lives was giving ISIS plotters and homegrown terrorists a cheap, secret way to communicate.
That argument struck some as disingenuous. Certainly encrypted communications made it hard to intercept conversations that had previously taken place in the clear. But this ignored the flood of new, Internet-enabled technologies that had given rise to—as more than a few technologists noted—the “golden age of surveillance.” In a world in which one’s car and lost luggage could be tracked electronically, where a Fitbit broadcasts the wearer’s location and people’s watches are connected to the Internet—life is a lot easier for investigators. As one FBI investigator admitted to me: “If you put us in a time machine and took us back ten years, we’d feel like our best tools have been taken away.”
The Perfect Weapon Page 11
