Recent History: Snowden Leaks
Back in 2013, Edward Snowden revealed the existence and workings of a global apparatus for mass surveillance. What did he reveal? What does that mean for us today?
Before I get started, I want to be clear about the idea of “conspiracy theories”. Before the Snowden leaks, everyone joked about how the NSA could spy on the internet - or about calling the CIA for a copy after deleting an email by mistake - but the concept of mass surveillance was dismissed by many as a “crazy conspiracy theory”. Snowden cleared that up: The NSA isn’t a conspiracy theory, it’s a government agency. And mass surveillance is a documented historical fact.
Snowden revealed a huge set of surveillance programs that went significantly beyond what most people expected to be going on, but we knew the intelligence agencies had the ability to broadly collect communications before that.
During the Cold War, the USA entered into a signals intelligence cooperation agreement with Australia, Canada, New Zealand, and the UK. So that’s the NSA in the US, GCHQ in the UK, etc. This group of co-operating intelligence agencies was called the “Five Eyes”.
The Five Eyes established mechanisms to intercept phone calls, collectively called ECHELON, that effectively allowed them to intercept and record any telephone call anywhere. There were reports of this being used by the NSA to record the telephone calls of a US Senator in 1988.
By 2001 this program was well enough known that the European Parliament released a report describing the ability of the Five Eyes agencies to intercept telephone, fax, email, and other internet traffic globally.
What did Snowden Release?
In 2013, Edward Snowden leaked a large collection of documents (at least 100k documents) describing active Five Eyes (+France) intelligence programs to a group of journalists, who then published a series of articles describing the programs and their implications to the public.
The documents he leaked described a ton of stuff. I’ll only cover a few of them.
PRISM: This program recruited companies to provide the Five Eyes agencies direct access to their servers. The leaked slides mention Microsoft, Yahoo, Google, Facebook, and Apple. This means that an intelligence analyst can access user data stored by those companies without needing to ask either an employee at the company or a court for permission.
The one major web service provider that isn’t in the PRISM collaborator list is Amazon, and there’s been plenty of time since 2012 for the NSA to have gotten them on board too.
The use of data collected through mechanisms like PRISM without a warrant was legally limited in two ways. First, they weren’t supposed to collect data from US citizens unless it was for an investigation of a non-US person - but there was no mechanism to enforce this. Second, any data collected without a warrant wouldn’t be admissible in US court. Unfortunately, US law enforcement broadly uses parallel construction to avoid revealing the use of illegally obtained evidence.
So the NSA can read your Gmail all they want, and if they find something illegal they can forward that to the FBI or local police, but then the law enforcement agency needs to find new legal evidence before they can prosecute. That could just be an “anonymous tip”, leading to a search warrant, leading to getting the email legally, etc.
Another program was Boundless Informant, a tool for analyzing communication logs for things like phone calls and emails. To feed this analysis, another leak showed a secret court order demanding that Verizon hand over all call logs to the NSA. Those logs include, for every call: both phone numbers, time, and duration of the call. And if they’re collecting all call logs from a major US provider like Verizon, it seems like the safe bet is to assume that they’re simply collecting all call logs globally.
Another program, XKeyscore, monitors internet traffic. An intelligence analyst can enter in a selector for a target (e.g. an email address) and get access to recordings of internet activity over the last few days by that user as well as the ability to monitor activity by that target in real time. In his memoir, Permanent Record, Snowden describes using this system and being able to watch real-time mouse movement data from targets. This implies to me that the feed from programs like PRISM includes telemetry data - major web sites record all user actions with the excuse of providing data to improve the sites, but that data is also extremely high value for surveillance.
The common defense of all of this would be to assert that we can trust the NSA analysts to use this power for good rather than abusing it. But… it turns out that LOVEINT is a thing, where analysts used these surveillance tools to stalk potential love interests. The fact that such a thing is possible indicates that there were no real limits on the use of these tools, and the fact that it happened destroys any claim that analysts are somehow immune to the temptations of abuse.
The NSA and their Five Eyes partners had, by 2012, built a mass surveillance infrastructure that covered the global phone system and a good portion of the internet. They had direct data feeds from the major companies: phone providers like Verizon, internet backbone providers like AT&T, and cloud service providers including both of today’s major cellphone OS providers: Google and Apple.
Here are some key points:
- Any data sent unencrypted over the internet or made available to any major service provider is probably available to intelligence services.
- If providers like Google built tools for intelligence service access, those same tools are likely available to at least some Google employees. Even if you trust all NSA analysts, do you trust all Apple employees?
- Data collection and analysis tools were good enough in 2012 that the NSA was considering storing 3-day rolling buffers on a meaningful percentage of all internet traffic.
- Nothing in the Snowden leaks indicated that anyone could break well-implemented open source end-to-end encryption.
Based on the Snowden leaks, the NSA seems to care more about “metadata” than “data”. That makes sense. Consider the following two cases:
- Jane Doe called the scheduling line at the local abortion clinic at 3:47pm on Thursday.
- The contents of the call were:
  - Jane: I’d like to make an appointment.
  - Receptionist: How’s 4pm next Thursday?
  - Jane: Great, thanks.
  - Receptionist: You’re scheduled, have a nice day.
  - Jane: Thanks, bye.
If you could only have the metadata or the data, which tells you more about Jane Doe?
After the Snowden leaks, we know that mass surveillance is happening. We know that major companies have implemented data access tools that they can make accessible to third parties like intelligence agencies.
When we think about things like targeted advertising and user profiling, this is the baseline that we’re starting from. These providers are doing the best they can to identify users, collect as much data as they can, and make that data useful.
Given this background, simple facts get much more sketchy. All real-time notifications for all apps on Android go through central Google servers. Those servers get to see (and therefore record) what app, when, and the text content of the notification itself. When you get a message notification in your preferred app, does the notification include the message text? Does it include the identity of the sender?
More stuff to search up
TURBINE - Why tape over your webcam?
MUSCULAR - The suspenders to go with the PRISM belt.
Next thing to do
Read Snowden’s memoir, Permanent Record. It’s good.