Friday, May 30, 2014
The Snowden Saga Begins with Glenn Greenwald
The world has grown quiet on the Snowden affair, but it is also fair to say that legislation is working its way forward and new tools are been deployed, all driven by the clear light of what is clearly full disclosure.
I also know how to end the whole problem and that insight driven through others will slowly slam the surveillance door shut. It will still take most of five years of course.
In the meantime here is the story of the early days of Snowden setting up key reporters to receive his data dump. He was not making silly mistakes while he did this either.
Good Germans and Good Americans always face a special hell when they do what they and we know is right. Let us struggle to be kinder and forgiving when this happens. Sometimes motives are less clear, but here they are unassailable. It was F**k you, you are not going down this road because it is wrong.
The Snowden Saga Begins: “I Have Been to the Darkest Corners of Government, and What They Fear Is Light”
On December 1, 2012, I received my first communication from Edward Snowden, although I had no idea at the time that it was from him.
The contact came in the form of an email from someone calling himself Cincinnatus, a reference to Lucius Quinctius Cincinnatus, the Roman farmer who, in the fifth century BC, was appointed dictator of Rome to defend the city against attack. He is most remembered for what he did after vanquishing Rome’s enemies: he immediately and voluntarily gave up political power and returned to farming life. Hailed as a “model of civic virtue,” Cincinnatus has become a symbol of the use of political power in the public interest and the worth of limiting or even relinquishing individual power for the greater good.
The email began: “The security of people’s communications is very important to me,” and its stated purpose was to urge me to begin using PGP encryption so that “Cincinnatus” could communicate things in which, he said, he was certain I would be interested. Invented in 1991, PGP stands for “pretty good privacy.” It has been developed into a sophisticated tool to shield email and other forms of online communications from surveillance and hacking.
In this email, “Cincinnatus” said he had searched everywhere for my PGP “public key,” a unique code set that allows people to receive encrypted email, but could not find it. From this, he concluded that I was not using the program and told me, “That puts anyone who communicates with you at risk. I’m not arguing that every communication you are involved in be encrypted, but you should at least provide communicants with that option.”
“Cincinnatus” then referenced the sex scandal of General David Petraeus, whose career-ending extramarital affair with journalist Paula Broadwell was discovered when investigators found Google emails between the two. Had Petraeus encrypted his messages before handing them over to Gmail or storing them in his drafts folder, he wrote, investigators would not have been able to read them. “Encryption matters, and it is not just for spies and philanderers.”
“There are people out there you would like to hear from,” he added, “but they will never be able to contact you without knowing their messages cannot be read in transit.” Then he offered to help me install the program. He signed off: “Thank you. C.”
Using encryption software was something I had long intended to do. I had been writing for years about WikiLeaks, whistleblowers, the hacktivist collective known as Anonymous, and had also communicated with people inside the U.S. national security establishment. Most of them are concerned about the security of their communications and preventing unwanted monitoring. But the program is complicated, especially for someone who had very little skill in programming and computers, like me. So it was one of those things I had never gotten around to doing.
C.’s email did not move me to action. Because I had become known for covering stories the rest of the media often ignores, I frequently hear from all sorts of people offering me a “huge story,” and it usually turns out to be nothing. And at any given moment I am usually working on more stories than I can handle. So I need something concrete to make me drop what I’m doing in order to pursue a new lead.
Three days later, I heard from C. again, asking me to confirm receipt of the first email. This time I replied quickly. “I got this and am going to work on it. I don’t have a PGP code, and don’t know how to do that, but I will try to find someone who can help me.”
C. replied later that day with a clear, step-by-step guide to PGP: Encryption for Dummies, in essence. At the end of the instructions, he said these were just “the barest basics.” If I couldn’t find anyone to walk me through the system, he added, “let me know. I can facilitate contact with people who understand crypto almost anywhere in the world.”
This email ended with more a pointed sign-off: “Cryptographically yours, Cincinnatus.”
Despite my intentions, I did nothing, consumed as I was at the time with other stories, and still unconvinced that C. had anything worthwhile to say.
In the face of my inaction, C. stepped up his efforts. He produced a 10-minute video entitled.
It was at that point that C., as he later told me, became frustrated. “Here am I,” he thought, “ready to risk my liberty, perhaps even my life, to hand this guy thousands of Top Secret documents from the nation’s most secretive agency -- a leak that will produce dozens if not hundreds of huge journalistic scoops. And he can’t even be bothered to install an encryption program.”
That’s how close I came to blowing off one of the largest and most consequential national security leaks in U.S. history.
The next I heard of any of this was 10 weeks later. On April 18th, I flew from my home in Rio de Janeiro to New York, and saw on landing at JFK Airport, that I had an email from Laura Poitras, the documentary filmmaker. “Any chance you’ll be in the U.S. this coming week?” she wrote. “I’d love to touch base about something, though best to do in person.”
I take seriously any message from Laura Poitras. I replied immediately: “Actually, just got to the U.S. this morning... Where are you?” We arranged a meeting for the next day in the lobby at my hotel and found seats in the restaurant. At Laura’s insistence, we moved tables twice before beginning our conversation to be sure that nobody could hear us. Laura then got down to business. She had an “extremely important and sensitive matter” to discuss, she said, and security was critical.
First, though, Laura asked that I either remove the battery from my cell phone or leave it in my hotel room. “It sounds paranoid,” she said, but the government has the capability to activate cell phones and laptops remotely as eavesdropping devices. I’d heard this before from transparency activists and hackers but tended to write it off as excess caution. After discovering that the battery on my cell phone could not be removed, I took it back to my room, then returned to the restaurant.
Now Laura began to talk. She had received a series of anonymous emails from someone who seemed both honest and serious. He claimed to have access to some extremely secret and incriminating documents about the U.S. government spying on its own citizens and on the rest of the world. He was determined to leak these documents to her and had specifically requested that she work with me on releasing and reporting on them.
Laura then pulled several pages out of her purse from two of the emails sent by the anonymous leaker, and I read them at the table from start to finish. In the second of the emails, the leaker got to the crux of what he viewed as his mission:
The shock of this initial period [after the first revelations] will provide the support needed to build a more equal internet, but this will not work to the advantage of the average person unless science outpaces law. By understanding the mechanisms through which our privacy is violated, we can win here. We can guarantee for all people equal protection against unreasonable search through universal laws, but only if the technical community is willing to face the threat and commit to implementing over-engineered solutions. In the end, we must enforce a principle whereby the only way the powerful may enjoy privacy is when it is the same kind shared by the ordinary: one enforced by the laws of nature, rather than the policies of man.
“He’s real,” I said when I finished reading. “I can’t explain exactly why, but I just feel intuitively that this is serious, that he’s exactly who he says he is.”
“So do I,” Laura replied. “I have very little doubt.”
I instinctively recognized the author’s political passion. I felt a kinship with our correspondent, with his worldview, and with the sense of urgency that was clearly consuming him.
In one of the last passages, Laura’s correspondent wrote that he was completing the final steps necessary to provide us with the documents. He needed another four to six weeks, and we should wait to hear from him.
Three days later, Laura and I met again, and with another email from the anonymous leaker, in which he explained why he was willing to risk his liberty, to subject himself to the high likelihood of a very lengthy prison term, in order to disclose these documents. Now I was even more convinced: our source was for real, but as I told my partner, David Miranda, on the flight home to Brazil, I was determined to put the whole thing out of my mind. “It may not happen. He could change his mind. He could get caught.” David is a person of powerful intuition, and he was weirdly certain. “It’s real. He’s real. It’s going to happen,” he declared. “And it’s going to be huge.”
A message from Laura told me we needed to speak urgently, but only through OTR (off-the-record) chat, an encrypted instrument for talking online securely.
Her news was startling: we might have to travel to Hong Kong immediately to meet our source. I had assumed that our anonymous source was in Maryland or northern Virginia. What was someone with access to top-secret U.S. government documents doing in Hong Kong? What did Hong Kong have to do with any of this?
Answers would only come from the source himself. He was upset by the pace of things thus far, and it was critical that I speak to him directly, to assure him and placate his growing concerns. Within an hour, I received an email from Verax@******. means “truth teller” in Latin. The subject line read, “Need to talk.”
“I’ve been working on a major project with a mutual friend of ours,” the email began. “You recently had to decline short-term travel to meet with me. You need to be involved in this story,” he wrote. “Is there any way we can talk on short notice? I understand you don’t have much in the way of secure infrastructure, but I’ll work around what you have.” He suggested that we speak via OTR and provided his user name.
My computer sounded a bell-like chime, signaling that the source had signed on. Slightly nervous, I clicked on his name and typed “hello.” He answered, and I found myself speaking directly to someone who I assumed had, at that point, revealed a number of secret documents about U.S. surveillance programs and who wanted to reveal more.
“I’m willing to do what I have to do to report this,” I said. The source -- whose name, place of employment, age, and all other attributes were still unknown to me -- asked if I would come to Hong Kong to meet him. I did not ask why he was there; I wanted to avoid appearing to be fishing for information and I assumed his situation was delicate. Whatever else was true, I knew that this person had resolved to carry out what the U.S. government would consider a very serious crime.
“Of course I’ll come to Hong Kong,” I said.
We spoke online that day for two hours, talking at length about his goal. I knew from the emails Laura had shown me that he felt compelled to tell the world about the massive spying apparatus the U.S. government was secretly building. But what did he hope to achieve?
“I want to spark a worldwide debate about privacy, Internet freedom, and the dangers of state surveillance,” he said. “I’m not afraid of what will happen to me. I’ve accepted that my life will likely be over from my doing this. I’m at peace with that. I know it’s the right thing to do.” He then said something startling: “I want to identify myself as the person behind these disclosures. I believe I have an obligation to explain why I’m doing this and what I hope to achieve.” He told me he had written a document that he wanted to post on the Internet when he outed himself as the source, a pro-privacy, anti-surveillance manifesto for people around the world to sign, showing that there was global support for protecting privacy.
“I only have one fear in doing all of this,” he said, which is “that people will see these documents and shrug, that they’ll say, ‘We assumed this was happening and don’t care.’ The only thing I’m worried about is that I’ll do all this to my life for nothing.”
“I seriously doubt that will happen,” I assured him, but I wasn’t convinced I really believed that. I knew from my years of writing about NSA abuses that it can be hard to generate serious concern about secret state surveillance.
This felt different, but before I took off for Hong Kong, I wanted to see some documents so that I understood the types of disclosures the source was prepared to make.
I then spent a couple of days online as the source walked me through, step by step, how to install and use the programs I would need to see the documents.
I kept apologizing for my lack of proficiency, for having to take hours of his time to teach me the most basic aspects of secure communication. “No worries,” he said, “most of this makes little sense. And I have a lot of free time right now.”
Once the programs were all in place, I received a file containing roughly twenty-five documents: “Just a very small taste: the tip of the tip of the iceberg,” he tantalizingly explained.
I unzipped the file, saw the list of documents, and randomly clicked on one of them. At the top of the page in red letters, a code appeared: “TOP SECRET//COMINT/NO FORN/.”
This meant the document had been legally designated top secret, pertained to communications intelligence (COMINT), and was not for distribution to foreign nationals, including international organizations or coalition partners (NO FORN). There it was with incontrovertible clarity: a highly confidential communication from the NSA, one of the most secretive agencies in the world’s most powerful government. Nothing of this significance had ever been leaked from the NSA, not in all the six-decade history of the agency. I now had a couple dozen such items in my possession. And the person I had spent hours chatting with over the last two days had many, many more to give me.
As Laura and I arrived at JFK Airport to board a Cathay Pacific flight to Hong Kong, Laura pulled a thumb drive out of her backpack. “Guess what this is?” she asked with a look of intense seriousness.
“The documents,” she said. “All of them.”