It's been two weeks since the Washington Post and Guardian newspapers began to publish their stories based on leaks and interviews with former NSA contractor, Edward Snowden. The leaks have continued, counterleaks have bubbled up, tech companies have responded, and debate about the man at the center of it all continues to rage.
Three big stories -- one from the AP, one from NPR, and another from the Post -- came out this weekend that mined the details of Snowden's disclosures, refining them with more extensive reporting. The New York Times contributed a deep profile of Snowden himself, who continues to provoke strong reactions, especially after he revealed some details about U.S. spying on China and Russia.
Following, we attempt to bring you up to speed with the most recent disclosures and best reporting on the hurlyburly.
One note before we get to the stories: Snowden's two big disclosures have tended to get conflated. First, Snowden leaked a secret order from the Foreign Intelligence Service Court giving the government broad powers to collect phone call metadata from Verizon Business Services. Senator Dianne Feinstein acknowledged the program and said it had been going on for years. The legal basis for the data collection comes from an interpretation of Section 215 of the Patriot Act, which allows the government to take any "business records" it might want, and because phone calls are considered business transactions between a phone user and a phone network, such information falls under its purview. Civil liberties groups like the ACLU have decried this version of the rules.
Snowden's other big disclosure, published nearly simultaneously in the Guardian and Washington Post, was that the NSA had what was called "direct access" to servers at the big tech companies like Google, Microsoft, Facebook, Apple, and Yahoo through a program called Prism. The tech companies vociferously denied involvement in broad government surveillance of their users. A central problem is that "direct access" could mean a lot of things. Which brings us to our first story.
Putting Snowden's Disclosures in Context
The AP found sources willing to talk about the conception of the Prism program. Tech company sources said that what started as an unstructured mess of information flowing from tech companies to the government after 9/11 turned into a "streamlined, electronic process." That's Prism.
This frenetic, manual process was the forerunner to Prism, the recently revealed highly classified National Security Agency program that seizes records from Internet companies. As laws changed and technology improved, the government and industry moved toward a streamlined, electronic process, which required less time from the companies and provided the government data in a more standard format.
But the report also sought to put Prism's importance in the context of the type of spying that we've known the NSA has done for years: tapping into telecommunications servers that handle a very large percentage of the world's Internet traffic.
In that way, Prism helps justify specific, potentially personal searches. But it's the broader operation on the Internet fiber optics cables that actually captures the data, experts agree.
In other words, the structured data that the NSA gets from searching small numbers of users aids its targeting within the massive amounts of Internet traffic it's hoovering up. And "direct access," in context, was probably intended to mean data from companies themselves as opposed to siphoned from telecom Internet traffic.
The Washington Post had another big story by Barton Gellman documenting how four different NSA programs sprang from the Bush administration's STELLARWIND program. They are called MAINWAY, MARINA, NUCLEON, and PRISM. Gellman spoke with an anonymous "senior intelligence official," who provided some information on what the programs do and what policies regulate their use.
Two of the four collection programs, one each for telephony and the Internet, process trillions of "metadata" records for storage and analysis in systems called MAINWAY and MARINA, respectively. Metadata includes highly revealing information about the times, places, devices and participants in electronic communication, but not its contents. The bulk collection of telephone call records from Verizon Business Services, disclosed this month by the British newspaper the Guardian, is one source of raw intelligence for MAINWAY.
The other two types of collection, which operate on a much smaller scale, are aimed at content. One of them intercepts telephone calls and routes the spoken words to a system called NUCLEON.
For Internet content, the most important source collection is the PRISM project reported on June 6 by The Washington Post and the Guardian. It draws from data held by Google, Yahoo, Microsoft and other Silicon Valley giants, collectively the richest depositories of personal information in history.
So how does PRISM work, technically?
The New York Time's Claire Cain Miller reported that "in some cases, the data is transmitted to the government electronically, using a company's servers." Which makes sense, obviously, but left in question the actual method of transfer. Wired's Kim Zetter reports that, at least at Google, the company transfers files to the government using secure FTP. It's possible that other companies have different ways of getting information to the NSA.
The Tech Companies Respond
The string of events set off by former NSA contractor Edward Snowden has led us to this: Facebook, Microsoft, and Apple have released numbers on how often government officials request their users' data. The companies have released aggregate numbers for how many requests they've received from all levels of government, and the total number of user accounts that has affected.
For the last six months of 2012, Facebook and Microsoft say they've received between 9,000-10,000 and 6,000-7,000 government requests, respectively. Those requests covered 18,000-19,000 Facebook users and 31,000-32,000 Microsoft users. For the six months ended in May, Apple says that it received 4,000-5,000 government requests, which specified 9,000-10,000 accounts or devices.
No matter how you slice them, these numbers show that the data the NSA has requested is relatively limited in scope. For each service, a tiny sliver of users has been targeted.
On the other hand, it's still unclear how many users would ultimately be swept up in these data requests. Imagine that the government wanted to know all a particular users' friends, and then all of those friends' friends. Pew found that the median user's friends of friends network was over 30,000 people strong with some power users reaching over seven million. Go one step farther out and you'd be connecting in massive numbers of users.
Meanwhile, Google and Twitter maintain that the deal their competitors reached with the government on the data releases is a bad one. They want to be able to disaggregate the numbers and release orders differently, including those from the FISA court.
The Details of the NSA's Phone Call Metadata Collection, According to the Government
NPR spoke with a senior administration official who said the Obama administration was mulling declassifying a secret order that spelled out how and when the NSA could collect phone metadata. The key details confirmed in the report were that the NSA only stores metadata for five years and that the NSA says it doesn't use location data, even though it has the legal right to collect it. Procedurally, the administration official said that the standards for reasonable suspicion are approved by a court, but individual queries are not. Rather, there's an auditing program in place.
The senior administration official told NPR that the phone-call records can be kept only for five years and that the NSA does not use that program to keep data that would allow authorities to track where people are located when they're using their phones. The source said even though the NSA may have that power to collect the geolocation data under the law and the secret court's rulings, the NSA does not use it.
To query the huge pools of metadata, authorities say they need to have a reasonable, articulable suspicion of an association with a terrorism organization. That standard is approved by the FISA court but the court does not review each query. Rather, the senior administration official said, the queries are documented and a sample of them is audited by the Justice Department's National Security Division and the Director of National Intelligence.
Who is Edward Snowden?
I can't bring myself to link you to the bloviating about Snowden's position on the hero/"grandiose narcissist"/traitor, but the New York Times had a good, reported profile of Snowden from a friend at his high school, as well as later associates.
His act may have been a spectacular unintended consequence of the leak crackdown itself. It may also have reflected his own considerable ambition, disguised by his early drifting. From Mr. Snowden's friends and his own voluminous Web postings emerges a portrait of a talented young man who did not finish high school but bragged online that employers "fight over me."
Snowden, himself, answered questions in a live chat with The Guardian. Most noteworthy is that he denied having any contact with China, saying he only works with journalists.
Who is General Keith Alexander, the head of the NSA?
James Bamford, perhaps the foremost chronicler of the agency, has a massive Wired cover story out about Alexander, who has become one of the most powerful people in the world, despite his nearly nonexistent public profile.
Inside the government, the general is regarded with a mixture of respect and fear, not unlike J. Edgar Hoover, another security figure whose tenure spanned multiple presidencies. "We jokingly referred to him as Emperor Alexander--with good cause, because whatever Keith wants, Keith gets," says one former senior CIA official who agreed to speak on condition of anonymity. "We would sit back literally in awe of what he was able to get from Congress, from the White House, and at the expense of everybody else."
Could NSA Spying Lead to 'Internet nationalism'?
The Internet is dominated by American companies, who are not operating solely in cybersapce but on American soil. While American citizens may have some protection from NSA spying, the rest of the world's people do not. CNN ran an opinion piece by Canadian political scientist Ronald Deibert, who argued that there will be blowback from the spying revelations. While Google, Facebook, and the rest might have been primarily seen as just Internet companies before, it will be harder to ignore that they're American Internet companies going forward.
The revelations that have emerged will undoubtedly trigger a reaction abroad as policymakers and ordinary users realize the huge disadvantages of their dependence on U.S.-controlled networks in social media, cloud computing, and telecommunications, and of the formidable resources that are deployed by U.S. national security agencies to mine and monitor those networks.