Wednesday, January 22, 2020

Snowden book

I read Edward Snowden's book, Permanent Record, over the Christmas break. It's an accessible, engaging account of how he got to where he is.

His early education was shaped by the anarchic, liberal, open, collegiate internet of the late 20th century, before it began to be reshaped by commerce and states as the mass surveillance machine it is today. His family were supportive or possibly indulgent of his obsession with the computers and networks of the 1990s.

In school, Snowden hacked the system to avoid homework. Quizzes were worth 25%, tests 35%, term papers 15%, homework 15% and class participation 10%. He figured he could skip both the homework and the term papers and still comfortably pass by acing everything else. Then one of his teachers confronted him, asking why he had not handed in any of the previous six homework assignments. Innocently, Snowden explained his reasoning, to the laughter of his classmates. The teacher complimented the young Snowden on his cleverness and, within 24 hours, changed the system to make homework compulsory. He also took Snowden aside and encouraged him to put his fine brain to more constructive use than avoiding work and to be aware of how records follow us around and the impact on his permanent record.

Snowden's parents broke up. He learned to be independent, went to community college and got a job as tech support for a small business, working out of the business owner's home on the south west edge of Fort Meade. Yes that Fort Meade - home to the NSA. Snowden was at work when the 9/11 attacks happened and everything changed.

He bought hook, line and sinker into the Bush/Cheney 'war on terror':
"It was as if whatever individual politics I'd developed had crashed – the anti-institutional hacker ethos instilled in me online and the apolitical patriotism I'd inherited from my parents, both wiped from my system – and I'd been rebooted as a willing vehicle of vengeance. The sharpest part of the humiliation comes from acknowledging how easy this transformation was, and how readily I welcomed it."
And joined the army.

Coming from a family, generations of which had served in the Coast Guard, Snowden wanted to serve his country through the branch of the armed services considered by that family to be the "crazy uncles of the military". He aced the entrance exam, went into training for special forces, got injured on exercises and was eased out on administrative separation.

So back went Snowden to community college, where he decided he could best serve his country through his technical prowess. But to do that he'd need to join the CIA, NSA or other intelligence agency. And to do that he would need security clearance - top secret (TS) and top secret with a Sensitive Compartmented Information (SCI) qualifier. This involved filling out some forms and "sitting around with your feet up and trying not to commit too many crimes while the federal government renders its verdict." As a military veteran of sorts and the product of a multi-generational service family, most of whom had the equivalent clearances, he was a good prospect and in due course succeeded. By this time Lindsay Mills had also become part of his life and so closes part 1 of the book.

Part 2 opens with 'The System.' Snowden describes a system as "a bunch of parts that function together as a whole". At the Open University we have a slightly longer definition of a system:
  1. A system is an assembly of components connected together in an organised way.
  2. The components are affected by being in the system and the behaviour of the system is changed if they leave it.
  3. This organised assembly of components does something.
  4. This assembly as a whole has been identified by someone who is interested in it.
Given the systems Snowden was thinking about - the professional civil service his family were steeped in and the computer systems he was obsessed by - his working definition satisfices. When it came to computers he was most intrigued by their total functioning, not as individual components but as overarching systems. So the natural inclination was to get into systems administration or systems engineering, which is what he did. Sysadmins and systems engineers naturally incline to a craft of understanding how computer systems work and fail, and develop the diagnostic processes that go into keeping them running and getting them fixed and retrofitted and improved and renewed. It is not unnatural, then, when working within government (albeit for contractors), for techies to apply the same systems analyst skills to the system of government. Which is also what Snowden did.

We know about the Five Eyes mass surveillance systems and activities from Snowden's disclosures in 2013, from PRISM to TEMPORA, XKEYSCORE to QUANTUM, TURBULENCE and beyond. Yet, in some ways, the most chilling chapter in the book is "Homo contractus". It essentially outlines the private sector infiltration of the US intelligence services.
"I had hoped to serve my country, but instead I went to work for it. This is not a trivial distinction... government had treated a citizen's service like a compact: it would provide for you and your family, in return for your integrity and the prime years of your life.
But I came into the IC during a different age.
...the sincerity of public service had given way to the greed of the private sector, and the sacred compact of the soldier, officer, and career civil servant was being replaced by the unholy bargain of Homo contractus, the primary species of US Government 2.0. This creature was not a sworn servant but a transient worker, whose patriotism was incentivized by a better paycheck and for whom the federal government was less the ultimate authority than the ultimate client.
...for third-millennium hyperpower America to rely on privatized forces for the national defense struck me as strange and vaguely sinister."
Snowden goes on to explain the use of contractors is a con to let the agencies circumvent statutory federal caps on hiring. As contractors are not included in the limits, the agencies can hire as many as they have the budget to pay for. Post 9/11 was a time when no congresscritter was going to go on the record as opposing any resources the intelligence and security agencies declared necessary for the 'war on terror'.

Huge resources got poured into the intelligence agencies for technical surveillance infrastructure and the people to create, develop, deploy and operate it. A large proportion of the people working on this mass surveillance were, like Snowden, technically employed by contractors and sub contractors but working directly for and within the agencies, the CIA and NSA in Snowden's case. Many of those nominally employed by the private sector started out as government employees, as the private companies didn't want to pay someone to wait around for a year or more for their TS/SCI security clearance to come through. Once the clearance was secured they could swap a government job for a better paid private sector job, sometimes doing the same work. Snowden's first job was with the state of Maryland partnered with the NSA opening a new institution called CASL, the Center for Advanced Study of Language.

As the building in which CASL was to be resident was still under construction, he essentially did the work of a night shift security guard. Whilst there and considering his long term career as a federal employee, he was amazed to find few opportunities to work directly for the government. Most of the sysadmin and systems engineering jobs available in government were through "working for a subcontractor for a private company that contracted with another private company that served my country for profit." Given these positions provide "almost universal access to the employer's digital existence", it's surprising to find these circumstances prevailing in the context of security and intelligence.
"In the context of the US government, however, restructuring your intelligence agencies so that your most sensitive systems were being run by somebody who didn't really work for you was what passed for innovation.
The agencies were hiring tech companies to hire kids and then giving them the keys to the kingdom."
Snowden's first contracting gig was for a company called COMSO, subcontracted to hire him by BAE Systems. He worked at CIA headquarters in McLean, Virginia. He had been earning $30k at CASL and asked COMSO for $50k. His nominal "manager" at COMSO talked him up to $62k. Middlemen contractors charged the government the employee's salary plus 3-5%. The higher the salary, the higher the cut.

The actual job at the CIA was both depressing and enlightening. Depressing on the extent of the cynical restructuring of the agency by the Bush administration and the move to a dependency, particularly in relation to modern technical information systems, on external contractors. Enlightening on the extent of the access Snowden got to highly classified material and the insight that gave him into the reach of the CIA and the importance of intelligence operations. It also gave him a hankering to really serve his country by applying for a role in a CIA field office overseas, preferably in a conflict zone. That meant swapping his contractor badge for a government employee badge, swearing an oath to defend and uphold the US Constitution and going back to school.

The techie in the CIA field office or embassy is responsible for every piece of kit in the building, from computers to heaters, encryption devices to locks. For security reasons no embassy will employ local contractors on even routine maintenance. The tech guy (and there are not usually that many of them) does everything. That's what the 6 months schooling before deployment was for.

Conditions at the CIA Warrenton Training Center ("the Hill") were less than ideal and whilst there, Snowden got his first taste of what reporting problems up the chain of command led to, i.e. no addressing of the problem and a marking of the card of the whistleblower. Instead of getting his preferred deployment to a war zone to actively live out his heart-on-a-sleeve patriotism, he was sent to Geneva for his first overseas tour of duty.

In Geneva, Snowden got a front seat view of the changing intelligence world and the pivot of the CIA from human intelligence (HUMINT) to cyberintelligence (SIGINT & COMSEC); not that the former was abandoned, but it became proportionately less prevalent.
"In Geneva... America was busy creating a network that would eventually take on a life and mission of its own and wreak havoc on the lives of its creators – mine very much included.
The CIA station in the American embassy in Geneva was one of the prime laboratories of this decades long experiment. This city... lay at the intersection of EU and international fibre-optic networks, and happened to fall just within the shadow of key communications satellites"
Following Geneva, he moved to Tokyo to work in his "dream job" for the NSA but again, technically, as a better paid contractor in the private sector, an employee of Perot Systems which was then taken over by Dell.

In Tokyo, communications interception was the primary mission. In Tokyo, Snowden's early work was to link the NSA and CIA systems. In Tokyo, he discovered the NSA were vastly technologically superior to the CIA and vastly more laissez faire about security. In Tokyo, he created a much more effective storage system for the NSA, called EPICSHELTER. In Tokyo, his mind boggled at the scale and reach of China's mass surveillance and censorship systems. In Tokyo, he first realised "the power of being the only one in the room with a sense not just of how one system functioned internally, but of how it functioned together with multiple systems—or didn't." In Tokyo, he began to become disturbed at US mass surveillance, even as he was creating, developing and operating elements of the systems involved. In Tokyo, he initially sated his concerns by assuring himself he was working for the good guys.

In Tokyo, he became aware senior intelligence and security community insiders had serious concerns over the Bush administration's unchecked expansion of warrantless mass surveillance. In Tokyo, he accidentally got access to the classified version of the Report on the President's Surveillance Program (PSP), filed in an 'Exceptionally Controlled Information' (ECI) compartment. Full classification: TOP SECRET//STLW//HCS/COMINT//ORCON/NOFORN. Through the PSP report he learned of STELLARWIND, the NSA's general and indiscriminate bulk collection of electronic communications. In Tokyo, he began to understand the political sophistry underpinning mass surveillance, such as the now ubiquitous claim that collected communications could only be considered to be legally "obtained" or "acquired" if a member of the agencies searched for or found them. Collected communications would not be legally acquired but would, nevertheless, be available for search and retrieval, in post hoc fishing expeditions, in perpetuity. In Tokyo, it dawned on him that the Obama administration had no intention of seeking reparations for systemic illegalities or undoing any of the deployment of mass surveillance infrastructure undertaken by their predecessors.

By 2011, Snowden was back in the US, still employed by Dell, building cloud systems for the CIA. He was also getting stressed and depressed at the mass surveillance of the state, and at the not just willing but enthusiastic compliance and buy-in of friends and the general public into commercial systems of mass surveillance. The stress led to illness, including epilepsy, and he eventually took sick leave to recuperate. His next move, in 2012, was to Hawaii, still with Dell, a step down in terms of responsibilities, to facilitate his ongoing recuperation, but now working for the NSA again. He was now the NSA's Microsoft SharePoint administrator in Hawaii. Lowly in the organisational food chain but, as a manager of document management and "reader in chief", this provided the access privileges to gather comprehensive evidence on his nascent concerns from Tokyo about US mass surveillance.

Having automated much of his formal work responsibilities, he set about his task of surveying the extent of the NSA's surveillance capabilities, running into the standard security services secrecy, obfuscation, compartmentalisation, misdirection, bureaucratic code and all the other institutional processes available for keeping information from the light. He decided to automate this process too, with the approval of his boss, setting up a kind of RSS reader system on steroids. This not only scanned for or linked to documents but copied them. Snowden called it Heartbeat and gave intelligence services staff access to a personalised reader that collected classified intelligence documents (from NSA, CIA, FBI and Department of Defense) according to each individual's security clearance.

The volume of documents Heartbeat collected was enormous and, although Snowden could see it all, beyond the capacity of a single human being to review. Nevertheless, it was through Heartbeat that he learned about Upstream (direct collection of bulk data live from private sector communications infrastructure) and PRISM (bulk data handed over by private sector actors like Google, Apple, Microsoft, Facebook and Amazon etc. and overseen, theoretically, by the Foreign Intelligence Surveillance Court, FISC). He learned of TURBULENCE, a collection of black servers hard wired into telecommunications companies' infrastructure, running internet traffic through filtering tools like TURMOIL to flag suspicious communications; and TURBINE, which routes communications to the NSA, where other algorithms decide which malware to deposit (via QUANTUM) on the source computer, in order that the potential threat can be monitored.

Snowden began to become indignant at the intelligence community's blatant flouting of the US Bill of Rights, particularly the Fourth Amendment protections against search and seizure, and also at the White House's, the courts' and Congress's complicity in this. He was particularly incensed when the US Supreme Court decided to wash their hands of the issues in February 2013, when the Court decided, 5-4, that the American Civil Liberties Union (ACLU) and their client, Amnesty International, did not have standing to challenge the constitutionality of the warrantless wiretapping program. (Substantively, the ACLU and Amnesty were challenging the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAA). FISAA is the law that makes the act of being a foreigner a sufficient reason to be a target of US law enforcement and intelligence services.)

He had, by then, decided to blow the whistle on the whole shebang. The ACLU case and embryonic mass surveillance enabling laws in the UK (the snoopers' charter which eventually got passed as the Investigatory Powers Act 2016) and Australia (multiple bills) only hardened that resolve.

Chapters 21 and 22 extol the virtues of whistleblowing and Snowden's perspective on the fourth estate but I'll leave the reader to peruse those for themselves.

Before he blew the whistle, however, he wanted one last job, not just administering or reading about mass surveillance tools but actually using them, particularly XKEYSCORE, the NSA's incredibly powerful intelligence search engine. A position opened up at the National Threat Operations Center (NTOC), one "of the few offices in Hawaii with truly unfettered access to XKEYSCORE", through Booz Allen Hamilton. Snowden secured it and so began his education in the coal face abuses of US intelligence systems. The shock was palpable.
"Seeing them made me realize how insulated my position at the systems level had been from the ground zero of immediate damage. I could only imagine the level of insulation of the agency's directorship or, for that matter, the US president."
Snowden had already smuggled the documents he intended to pass to journalists out of the NSA on SD and micro SD cards. The flight to Hong Kong and handing over of those documents to Laura Poitras, Glenn Greenwald and Ewen MacAskill, and his escape to, and entrapment in, Russia, aided by WikiLeaks's Sarah Harrison, when the US revoked his passport, have been well documented in the Guardian, the Washington Post and Poitras's documentary, Citizenfour.

The chapter on Moscow in the book is thin on detail and only outlines the discussions Snowden and Harrison had with an intelligence official on the day they arrived, noting also that thereafter they spent 40 days and nights at the airport. During that time he applied, unsuccessfully, to 27 countries for political asylum. He concludes the chapter by suggesting the Russians gave him asylum because they were fed up with the media scrum at the airport.

The penultimate chapter of the book details extracts from the diary of Snowden's partner, Lindsay Mills, in the aftermath of his disappearance to Hong Kong. She is a powerful presence and positive force in his life and it would have been nice to hear more from her. Mills and Snowden were married in Russia in 2017.

The final chapter is largely a whistlestop tour of the legacy of Snowden's revelations from his perspective - global awareness of mass surveillance, some positive legal developments like ACLU v Clapper in the US and the GDPR in the EU, some important developments in encryption like HTTPS, SecureDrop, Signal and generally more end-to-end encryption. But if we were concerned to avoid living in a surveillance society, it's too late, we're already there. State and commercial surveillance systems are more powerful and pervasive than ever and getting worse. They will require structural solutions - legal, technical, economic, environmental, individual & societal pressures brought to bear to bring them under democratic control.