American technology grants GCHQ the legal loophole necessary to gather domestic information. Furthermore, the revision reveals how important Microsoft, Yahoo and Google are to the American government. The trio account for an outstanding 98% of PRISM data intake. Gellman reiterates that participating companies are “immunized” from legal fallout but adds Congress consented via the Protect America Act of 2007 and FISA Amendments Act of 2008.
Aside from the pivotal whitewashing—no longer was “a person’s movements and contacts over time” monitored, only “foreign targets’” activities, and technology companies didn’t “participate knowingly” but instead were merely “essential to PRISM operations”—the most noticeable change in the article is the amount of direct quotes. It is evident that most whom Gellman initially attempted to contact had become willing to be put on hold in order to provide an official statement to the Post.
For the sake of customer morale, a handful of the listed Internet businesses flatly denied any knowledge of a covert data exchange with the federal government. Others blatantly proclaimed no such program was in place. Speaking on behalf of Apple, Steve Dowling announced, “We have never heard of PRISM”32 while the chief security officer for Facebook, Joe Sullivan, declared, “We do not provide any government organization with direct access to Facebook servers,”33 despite the PRISM slide which includes the phrase, “Collection directly from the servers of.” Judiciously and highly intuitively, Gellman accepts some of the company spokespeople’s claims to ignorance. Innocuously inserted in his newest revision is the addendum, “In another classified report obtained by the Post, the arrangement is described as allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.” Gellman expected violent reactions from the article and kept some documents in reserve to have a counterargument readily available. He admits the Internet representatives might not know their servers were open to the FBI’s Data Intercept Technology Unit. The information is then relayed to the NSA through a contracted intermediary such as BAH.
Gellman also makes another distinction between the two enterprises. FISC-ordered telecoms filter their data prior to submission. They do not submit subscriber names or the contents of the conversations. By leaving a backdoor open for the NSA, the Internet companies’ captured data is unedited. Senator Udall calls attention to this distinction: “As it is written, there is nothing to prohibit the intelligence community from searching through a pile of communications, which may have been incidentally or accidentally been collected without a warrant, to deliberately search for the phone calls or e-mails of specific Americans.” Ironically when Senator Wyden asked how many people this affected, Inspector General Charles McCullough III stated that reporting the figure would constitute a privacy violation.34
Even Director of National Intelligence James Clapper had something to say to Gellman. In a statement issued “late Thursday,” Clapper informed the Post that “numerous inaccuracies” resided in the parallel PRISM reports but “did not specify” what they were. Clapper was already at the end of his tether in the midst of what was becoming a strenuous time for the NSA.
Greenwald was met with the same pressures but refused to retract his steadfast assertions of direct access. It appeared Greenwald was standing on principle or being stubborn. It seemed The Washington Post had gone the way of The New York Times by willfully redacting claims made less than 24 hours before. Gellman’s quiet and therefore implied admission of guilt created more questions than it answered. Does domestic spying in fact occur? After June 5, the answer seemed to be an irrefutable “yes,” and therefore it does not follow that the American intelligence community would settle for only a portion of the available data. It was unclear why telecoms were being forced to submit while the Internet companies were not. This ambiguity allowed for the possibility that the online businesses’ assertions of ignorance about PRISM were true. Perhaps these public entities were unaware they were providing information because, in fact, the American government was hacking into U.S. communication lines. Pandora’s Box was open. What people didn’t know or expect was that it was Gellman’s turn to attempt to be clever.
Gellman’s motivation for revision was subtly, coyly staring everyone in the face. Greenwald’s refusal to change a word and The Guardian not publishing a redaction could have been dismissed as orneriness if Gellman had done one thing. A team of Post journalists had worked at breakneck speed to issue a major revision in less than 15 hours. Yet, despite the softening of the language and a few retractions that Internet companies were providing direct access, the first half of Gellman’s opening sentence remained untouched. The independent clause, “The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies” continued to sit on the page. It simply refused to budge.
Greenwald and Gellman were aware that even if promised legal impunity, no Internet company would voluntarily agree to hand over data. This would leave the firms liable to public backlash for having freely violated their customer’s privacy should it ever become known. Both journalists exploited this simple fact because they needed something in order to definitively prove their claims: the Internet companies’ FISC orders.
If Snowden had possessed an FISC blanket order forcing even one Internet company to comply, the news sources would have included it in their reports. Because they didn’t have proof, the journalists knew if they deliberately misinterpreted the meaning of the PRISM slides, the firms would be obligated to absolve themselves of responsibility. In so doing, they would simultaneously incriminate the government in the process.
Gellman was trying to force a semantic argument. He admitted in his revision he knew what actually took place. An NSA analyst would submit a data request to the FBI. The FBI in turn would pull the information from servers at contracted locations. He knew this because Snowden knew this but needed the companies to admit it. Gellman anticipated and accepted the claims by the Internet companies’ spokespeople that servers were not directly accessed. Facebook said, “We do not provide any government organization with direct access to Facebook servers.” Apple’s response was almost verbatim: “We do not provide any government agency with direct access to our servers.” Yahoo followed the cookie-cutter pattern: “We do not provide the government with direct access to our servers, systems, or network.”35 This was true. Greenwald pointed out that the PRISM program is run with the assistance of the companies. After FISC orders were distributed, analogous to AT&T’s Room 641A in San Francisco where beam splitters provide the NSA open access to the telecoms’ fiber-optic lines, Internet firms had set up dropboxes to which the government has access.36 In the Times’ words, “[T]he companies were essentially asked to erect a locked mailbox and give the government the key.”37 It came down to the definition of terms. The access in question wasn’t technically direct, but it was unequivocally free. In the event the NSA wanted a live feed, all it had to do was ask. Greenwald’s choice of “obtained direct access” was the most accurate assessment of the situation.
Having perhaps learned their lesson the day before, members of Congress were notably silent. This may have been due to a White House directive. The surveillance issue had attracted enough attention for the president to formally address it. He did so on June 7 at the Fairmont Hotel in San Jose, California, hours before entering a summit with China’s president. Obama stated the PRISM program “does not apply to U.S. citizens and it does not apply to people living in the United States” before paradoxically adding, “I think it’s important to recognize that you can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience.”38 He echoes the legislation within Section 702 of FISA (which was reauthorized under the Obama administration in December 2012 after having been expanded by Bush four years before). The statute refuses any data request of an American citizen in or outside the United States. Under
this law, an application is brought before FISC judges to determine if “targeting” and “minimization” requirements have been met (the latter process ensures there is a 51 percent or greater likelihood the target is not American). Upon approval, an order is then issued.
If the Internet companies were merely submitting data upon receipt of a subpoena, there would have been no story to report. It was logical for Greenwald and Gellman to assume that since the government went to great lengths to gerrymander access to telecommunications providers’ call data, it had done the same with the treasure trove of information the Internet offered. This idea had its own validity but PRISM’s existence all but declared this was taking place. What made the notion even more plausible were the dropboxes. If court orders demanded data, the Internet providers could merely extract and present it. There would be no need for the U.S. government to pay the companies millions of dollars to set up “secure portals.”39 Microsoft, Facebook and Yahoo affirmed they had built the requested data facilities.40 This indicated a blanket FISC order existed. Yet it was still unclear whether the Internet providers were depositing data after receiving individual FISC orders—in the firms’ terms, National Security Letters (NSL)—or whether the intelligence community had full, unfettered access to the dropboxes which were duplicating all incoming data.
Gellman believed he had the U.S. government in a corner. At any moment Washington would bow to the Internet companies’ pressure to let them release the paperwork that forced them to turn over data. The message from the companies was clear: “Either let us regain the confidence of the consumer before our stocks plummet, or the next election cycle will be sparsely funded.” It was a good plan and almost worked.
NSLs would prove blanket access hadn’t been granted and Section 702 was being followed. The next week Microsoft41 and Facebook42 presented transparency reports for the second half of 2012, but they were accompanied by an asterisk: The government would only allow the information to be made public if the data lumped together all other requests from local, state and federal law enforcement agencies. To further obfuscate the issue, totals were rounded to the nearest 1,000. Microsoft showed a minimum average of 32 requests per day, affecting user accounts every six minutes. The following week Yahoo43 and Apple44 would report the first half of 2013. PalTalk and AOL didn’t even bother to appease their clients, because it was futile. The implication was apparent. Without permission to publish the individual court order or letters and no way to prove to customers the aggregated data wasn’t fabricated or merely the number of times the government had dipped into a company’s dropbox, Greenwald and Gellman’s claims could not be successfully refuted. But they had not been conclusively proven either. Though the argument was in their favor, Greenwald and Gellman still needed to establish they were right.
Gellman was no Greenwald when it came to journalistic blackmail. Washington had been unwilling to take another direct hit after the Verizon fiasco. Internet companies adamantly objected. They could only watch as people uninstalled Yahoo toolbars, turned off Skype, deactivated Facebook accounts and transferred Gmail files to email providers with reputations for privacy. Questions continued to linger.
Though The Electronic Privacy Information Center had released data showing applications had indeed been presented to the FISC, the report didn’t ease tensions or fill in any blanks. The requests had been rubber stamped. Only two of 8,591 appeals had been rejected between 2008 and 2012.45 (A single rejection out of 1,789 requests had taken place in 2012.)46 This does not mean that out of nearly a quarter of a billion American Internet users, only five per day were being investigated. Under 702, once an application has been approved, additional names and Internet services can be added without further authorization. This is undoubtedly when contact chaining commences. An approved order remains open for one year.
Loose ends were abundant. The PRISM slide clearly informs an analyst that data is “[c]ollect[ed] directly from the servers.” Yet Gellman included in his revision, “[C]ollection managers [can send] content tasking instructions directly to equipment installed at company-controlled locations.” Even more puzzling is that Google admitted compliance with PRISM but, unlike its Internet peers, does not use a dropbox to deliver information. It either transports by hand or transfers data over an encrypted FTP channel.47 There was no subsequent explanation why the NSA permits this form of electronic (and much less expensive) transport for one company but the other eight firms were bound to dropboxes. The reports either fail to explore or barely mention whether domestic communication providers were being obligated to release data they had access to as a result of business arrangements with foreign providers or if U.S. law applied to an American company’s overseas servers. This is important because a Texan’s email may travel to Europe to reach a friend in Florida. Servers do not take the shortest route but the cheapest.48 Google operates in Europe, Asia and South America.49
Greenwald didn’t have to change a word of his article because he knew he was right. Gellman tried extortion because he lacked something Greenwald had when presenting his Verizon exposé: proof. But Greenwald was aware it had been a trying time for the American government. He opted to give Washington a thematic intermission before producing conclusive evidence the U.S. government was spying on its citizens.
Within hours of the Post rewrite and just before President Obama was to host his Chinese equivalent—newly elected Xi Jinping—at Rancho Mirage, California, to discuss alleged cyberattacks emanating out of the People’s Republic, The Guardian released, “Obama orders US to draw up overseas target list for cyber-attacks.”50
The article presents an unpublished Presidential Policy Directive issued in October 2012.51 The document instructs the secretary of defense, director of national intelligence and head of the CIA to create a list of overseas targets of “national importance” for possible cyberattacks. The purpose of the tentative attacks is not heightened defense, retaliatory action or even as a pre-emptive measure. It is to “advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” Dauntingly the commander in chief also humors domestic targeting but specifies such theoretical operations cannot be carried out unless he has issued his consent or there is a national emergency, whereby various departments are authorized to act autonomously. Likewise the 18-page manuscript states cyberattacks are to conform to U.S. and international law unless they are overridden by presidential approval.
The order tells its recipients to remain mindful of the possible consequences: loss of life, property damage, retaliatory responses, injury to international trade and regressive foreign policy impact. Greenwald acknowledges a history of debate precedes the directive. Security researchers and academes have frequently voiced concern over the possibility that offensive cyber initiatives may result in full-scale warfare if collateral damages are heavy enough.
Greenwald quotes an unnamed intelligence insider as stating that the president’s pending cyber grievance with China is hypocritical. A month after the directive’s April deadline expired and less than half a year after the Pentagon greenlit expansion of American’s Cyber Command Unit, the U.S. government reported on what could easily be interpreted as retaliatory hacking by China into the Pentagon’s military programs. Obama was already entering the informal summit with China holding, in the words of the Director of the National Computer Network Emergency Response Technical Team/Coordination Center of China Huang Chengqing, “mountains of data” documenting previous American attacks.52 The timeline of American cyber aggression toward the Asian superpower is unspecified, but Obama’s order was an update of a 2004 National Security Presidential Directive. In only a few days, Snowden would provide evidence that China’s attacks had emanated from the clandestine offices of the American government.
At the end of the two-day conference, pundits criticized Obama for skirting around the subject of international cyberattacks. Though China refused
to deny it had hacked combat aircraft and ship designs atop missile defense systems (Huang merely muttered that if the U.S. wanted to keep such documents secret, it shouldn’t put them online), America was contending with its Eastern competitor being aware that almost three-million Chinese computers had been hacked by 4,062 U.S.-based computer servers.53 They deliberately spoke in ambiguous umbrella terms and shied away from particulars. The two leaders agreed they had “similar concerns” over an issue that is a “doubled-edged sword.” Jinping let the American president escort the conversation over to mutual disapproval of North Korea’s continued nuclear development and the topic of global warming.54
Intermission was over. Greenwald didn’t have time to see if the American government would take the bait from the Internet companies’ demands for transparency. It was time to prove to the American people they were being watched.
On Saturday, June 8, Greenwald hit hard with “Boundless Informant: the NSA’s secret tool to track global surveillance data.”55 This exposé is relatively short compared to his previous three articles, because the data speaks for itself. The report opens with the news agency declaring it has irrefutable proof the NSA is recording American communications. Accompanied by a screenshot, four slides and an unclassified but in-house user guide for analysts, Greenwald introduces the top secret program Boundless Informant, a tool that summarizes and reports the NSA’s metadata collection records and history.
The crux of the article focuses upon a color-coded heat map of the world produced by Boundless Informant. It shows how much data had been collected from each country during March 2013. Condemningly, the United States is presented in a median color after having nearly three billion pieces of data extracted. The program offers an analyst the option of reviewing a particular nation’s recorded volume and can break it down into categorical types of surveilled information.
The Edward Snowden Affair Page 8
