Snowden – Hero or Villain?

Julian Sanchez

Release Date
November 29, 2016


Civil Liberties

What was Edward Snowden’s impact on policy, and have the revelations that he exposed led to any real discussion or changes in the way that we do surveillance? An in-depth discussion on all things Snowden with Julian Sanchez from the Cato Institute.


Evan: We’re live. Welcome to Learn Liberty Live. I’m Evan Swarztrauber. Today we’re talking about Snowden. The man, the movie, the legend, his legacy, and what his impact has been on policy and whether the revelations that he put out there have led to any real discussion or changes in the way that we do surveillance. Joining me to discuss this is Julian Sanchez from the Cato Institute. Julian, thanks for joining.
Julian: My pleasure.
Evan: Julian, you’re in a particularly good place to talk about the movie and whether Joseph Gordon-Levitt’s impression was really that good because you’ve actually interviewed Edward Snowden for a surveillance conference that the Cato Institute did. I guess the first question that everyone’s going to ask is, “How well does he do at impersonating Edward Snowden?”
Julian: I think he’s got the voice absolutely nailed. He’s got that weird sort of slightly Kermit-ish undertone, but you know, dropped an octave. I think Levitt gets that right. He’s got the mannerisms pretty close, but not having to spend a ton of time in person with Snowden. Levitt is, I think, very good. He’s probably the best thing about that movie. Yeah, you know, if you love Joseph Gordon-Levitt, it’s worth sort of seeing for that maybe. If you’re sort of interested in a movie about surveillance and Snowden, I’d say, “Watch Laura Poitras’ documentary, Citizenfour, which is really a better film in every possible way.”
Evan: Full disclosure, I have not seen the Snowden movie, the recent one. I saw Citizenfour, which was the documentary that featured real footage of Edward Snowden in Hong Kong. I guess, it would be good to bring people up to speed if they haven’t necessarily been following this closely or it’s been over three years since the disclosure, so there’s been some time. What exactly did Edward Snowden do? Does the movie accurately represent what he did?
Julian: Ha. I’ll do the second first, I’ll say, in part the movie is actually a very strange fusion of stuff that’s pretty accurate and sometimes in detailed ways and sometimes even the stuff that seems very Hollywood is basically based on something accurate. There’s an arc where Snowden is kind of disenchanted with the American intelligence community when the CIA he’s working with in Geneva essentially sets up a potential asset to get busted drunk driving, so that they can then sort of swoop in and recruit him by offering their help. That is something Snowden has really talked about as a motive though it seems like the kind of Oliver Stone invention.
Other things are, as far as I know, totally fabricated and it’s a weird kind of combination because you leave not really being sure, unless you researched it pretty heavily in advance, which bits are dramatization, which bits are accurate representations. I think the weirdest choice is for dramatic reasons they kind of give him this FBI mentor who tracks his career, then at that kind of pivotal point sort of reveals that he’s been spying on Snowden’s girlfriend, which is totally made up and kind of transforms his motivation from something broad and principled to something narrowly personal, which I don’t even think works dramatically.
The real story is of course that Snowden was a contractor with Booz Allen at NSA’s Hawaii facility. The movie goes into some of his earlier career, actually at some length. He was in the army. He was candidate for special forces. He had sort of leg fractures that caused him to be discharged from that, joined up with the intelligence community, worked for the CIA as sort of a tech here and then in Geneva and in Japan, ultimately later to contractor jobs that paid better basically. Pays better to work for a private company, working for the intelligence agency than for the agency itself. Ended up ultimately working for Booz Allen at NSA’s Hawaii facility and I think took the job sort of already knowing that he thought he was going to need to exfiltrate a bunch of documents to try and pass them on to press.
Evan: That’s been a major sticking point for critics of Edward Snowden. He took the job that he eventually stole the documents or whatever verb you want to use, but it was classified information. He broke the law in doing what he did. Critics have said that because he knew he wanted to do that before he took the job that he’s kind of a bad guy, that it was premeditated. This wasn’t some frustration. Maybe that’s an issue in the movie or the movie’s trying to portray him as someone who actually was pro-government, came from a military family, was generally not so skeptical of authority and that he had a change of heart as he saw what went on in the NSA. Whereas maybe some intelligence hawks in Congress would like to just portray him as a traitor, who was always a traitor, and his career arc was designed to get access to the information that he eventually leaked. Is there a disconnect between what we’re hearing in Congress and how the movie portrays Snowden, the man?
Julian: Well, first of all the HPSCI, the House Select Committee on Intelligence, released at least a kind of executive summary of their Snowden report. The really striking thing is this is something they’ve been working on for two years and in the space of three pages, there’s probably more factually dubious stuff in the report than there is in the Oliver Stone movie, which at least is, builds the dramatization.
Evan: The government report has its own problems.
Julian: Yeah, it just claims a bunch of things that are not … this is not a contentious kind of matter of interpretation stuff, just things that are facts you can check and they’re wrong, things like, “Oh, he lied about getting a GED.” You can check that he did.
Evan: Things that don’t even seem relevant.
Julian: Yeah. Right.
Evan: They’re character flaws.
Julian: Right. There are ways that’s kind of assassinating him personally that are not particularly relevant and just gets those things wrong. These are things that are matters of public record. As for the question about taking the job, I don’t know. If you think he would have been justified in doing it while on the job, I don’t know, if he had just decided on the spot that it was necessary to take it out, I don’t know why it makes it worse if he was moving between intelligence jobs and said, “Well, I’m going to take this transfer in part because I think I need to do this.” It seems like your attitude toward that aspect of it sort of reduces to your attitude toward whether what he did was justified.
I think if … The most on point criticism to my mind, the one that I think has some merit to it is that while another of the factual issues in the House report that came out is that Snowden almost certainly did not take anywhere near, I think 1.4 million is the number they like to use. The way they calculate that is to say, “What is the maximum number of files he conceivably could have accessed and then assume he took everything.” There’s just no reason to think based on anyone’s estimate who’s actually had access to the cache, that he took anything near that amount, that it’s thousands or maybe tens of thousands of documents.
Evan: There’s two issues that we’ve kind of come full circle. When Snowden first revealed, in 2013, the big, the major bombshell that first dropped in June was that major telecom’s wireless carriers in America, AT&T, Verizon, and others were cooperating with the NSA. The NSA was basically collecting phone records on virtually all Americans. There didn’t seem to be much targeting. It was bulk-
Julian: There was no targeting. It was definitely a request for all domestic and international call records, not recordings and calls of course, but the records of the call of the kind that show up on the phone bill.
Evan: Yeah. The duration, who you were calling, that kind of thing, which can be very revealing about a person’s life, even if you don’t have the content of the call or the text message. That set off a big debate about the man himself because there was of course, there was a debate in the media, “Is he a traitor? Is this right?” Blah, blah, blah. Then after he got asylum in Russia for a while, that allowed for an actual debate about policy and what he revealed, but now we’re back to the movie, right?
Julian: Right?
Evan: We’ve kind of gone from analyzing Snowden as a character, to what he did and now that the movie is out, this question about himself keeps coming up again. The movie paints him in a, certainly a favorable light as compared to folks on the intelligence committee or war hawks who might be saying that he is a traitor.
One major sticking point here is what was the method he used to disclose what he disclosed? He took documents and gave them to journalists. Now many critics of his say, “He should have been a whistle blower, in the proper sense. He should have gone to Congress. He should have gone to his superiors.” What do you think about that idea that the way he did what he did matters and was there a better way for him to do what he did?
Julian: I’ll at least close the loop on the reason I brought up the volume of documents. The one criticism I think is somewhat meritorious and has some weight to it is that, I think you can fairly say, “He took,” I think, “documents concerning programs that,” I think, “[inaudible 00:09:53] obvious legitimate concerns about because, well, because we changed the law in response to what we [inaudible 00:09:59] disclosed.” There’s other stuff I think is maybe in a grey-er area, but I think the additional transparency is certainly beneficial. There’s questions about its appropriateness, whether or not you ultimately think it was illegal.
Then there’s just a huge amount of other stuff that may be illegal, but relevant to the extent it affects the privacy of ordinary civilians around the world, who are not protected by U.S. law, but a lot of other stuff involving hacking foreign hostile governments that, I think, it’s fair to say that there wasn’t a reason to take that. What he basically says is, “I didn’t certainly have the luxury of figuring out what was going to be relevant to understanding the big picture, so I took … ” It’s basically the NSA’s excuse, which is, “I took a larger aperture, no I opened the aperture, took more stuff under assuming the journalists would sort through it later.”
Evan: Yeah. That was Snowden’s justification was that we could trust people like Glenn Greenwald, at The Intercept, like Laura Poitras and others to decide what was important and what was not. Now folks in the intelligence community will of course say, “A journalist is in no way qualified to be determining what is important for national security and what is not and that it was dangerous of him to use them as the filter because they’re not in a position to do that.” What do you think about that?
Julian: I think on the whole, they’ve been pretty good. There are things I have seen, at least very briefly slipped through, un-redacted in documents that have been posted that I sometimes notified the reporter and said, “Did you mean to include this?” They went, “Whoops” and pulled it. There’s other stuff … Some of the stuff Jacob Appelbaum chose to publish with Der Spiegel, I thought-
Evan: The German paper, yeah.
Julian: Yeah, was probably a bad call and shouldn’t have been published. On the whole I think they’ve actually been quite good. The easy contrast here is with the sort of the WikiLeaks, Julian Assange strategy of take all you can get and then dump it without any kind of filtering and even-
Evan: Which could arguably be more dangerous.
Julian: Right. Well, I think certainly … I think almost inarguably more dangerous because there’s no sense of looking in a case by case way to say, “Well, look, is there a public interest in this disclosure that outweighs whatever harm it might do?” In that case you’ve had just sensitive personal information and information about people in Afghanistan who may have worked with the American military, people’s sexual conduct in countries where being gay is a capital crime. I think in terms of the method by which you chose disclosure, I think there has, on the whole, been a pretty responsible approach to that. He apparently insisted on, with all of the journalists he gave access to those files.
Evan: Interestingly you’ve had members of Congress say that he put American lives at risk through the disclosures. You have kind of said that other than a handful of instances, it’s been largely a responsible effort to disclose what the public needs to know, what the public doesn’t need to know, without jeopardizing American lives. There’s this big issue about whistle blowers. The Obama Administration has claimed to be the most transparent in history, yet the Obama Administration, when it comes to prosecuting whistle blowers and journalists is-
Julian: Gone after more folks under the Espionage Act than every other administration combined.
Evan: It’s pretty bad and so that gets to this notion that he should have done it differently and maybe in June of 2013, he did the best that he could. There was just no better option.
Julian: I think the relevant thing there is to look, and I think he, himself, would say this, is that he looked at the example of folks like Thomas Tamm, who was a source for the James Risen and Eric Lichtblau. He [inaudible 00:13:48] warrantless wiretapping back in 2005 that sort of reignited the NSA debate pre-Snowden. Looked at the example of someone like Thomas Drake, who really had his career totally destroyed, was prosecuted, ultimately, I think, plead to some kind of misdemeanor or misusing a government computer. No one even alleged Tom Drake had shared anything super sensitive. It was that he had gone to the Baltimore Sun with essentially information about, nominally classified, but nothing that you can argue will cost anyone his life, about essentially waste and spending tax money on programs that didn’t protect privacy and didn’t work very well.
Evan: Bad things happen to the guy who’s revealing relatively mundane information.
Julian: Right.
Evan: In his mind that’s a reference point. He’s thinking, “What I’m about to do is a hell of a lot worse, from a legal perspective. If Tom Drake got a lot of crap for the thing that he did, I’m probably not going to do well.”
Julian: Right. His sense was that the whistle blower protections provided a cosmetic valve, but that it was going to end up in practice to be very difficult to disclose anything even to Congress and actually expect any kind of result. There’s a couple strands going on there. One is just the question of incentives and the heft of the intelligence community. It seems like you come forward with a concern and at most legislative would come in for a classified briefing and be assured everything was on the up and up. If you look at the kinds of things that the intelligence committee members were saying right after that first Snowden story broke, the Verizon bulk telephone metadata story, they were repeating things they thought to be true, so talking points from the intelligence community about how this had disrupted dozens of terror plots. It became apparent very quickly and was confirmed at great length in a report by the Privacy and Civil Liberties Oversight Board sometime later that just was not true at all. In fact you really couldn’t find any case where the program had been important.
Evan: Yeah. There’s issues of the Constitution and civil liberties, but there’s a lot of Americans, who all they want to know is do the programs work.
Julian: Right.
Evan: They care less about whether their rights are being violated and more about the effectiveness of the program. We’ll get into some policy questions now. I wanted to just remind our audience that we love to get your questions. If you’re watching this, you’re on Facebook and you can easily post in the comment section, a question. Feel free to do so. I’m going to try to get to all of them.
One quick issue, we talk about whistle blowers not necessarily having the right channels. Recently the R Street Institute, Electronic Frontier Foundation, FreedomWorks, and Demand Progress, that’s a bipartisan coalition of advocacy groups in this space, they proposed some reforms to the way that that House Committee works. The HPSCI, it’s D.C. jargon for House Permanent Select Committee on Intelligence.
If those reforms went through, one of the important ones for Snowden would be that each member of Congress, all 435 and then probably senators too, I imagine, could take in a whistle blower. That would essentially mean that if you’re someone like Snowden, you can walk into a Congressional office, close the door and you have some level of protection from that moment to say some things.
Julian: Then you have to stay in the office permanently, like Assange …
Evan: Yeah, you can never leave. It’s like Assange in Ecuador, the Ecuadorian Embassy in London. You just can never leave. No. I assure you that I’m sure the report recommended a mechanism for leaving the office, but there’s just one example of whistle blower reform that might make a difference in this administration and might have made a difference to Snowden three years ago.
Julian: I think that’s right. I think all those recommendations are basically sound, although I think fundamentally at some point, there just may not be a substitute for public disclosure. The basic theory of representative democracy is we elect people to make the choices on our behalf. If we don’t think they’re doing a good job or we don’t approve of the choices they’re making, we pick a different flavor a couple years hence. That fundamentally doesn’t work if the decisions they’re making are themselves not visible to the public. If at the end of the day your belief about some secret information you have is, “Well, maybe my superiors have convinced representatives that this is something they should accept,” I think the people would not feel that way if they knew and would push their representatives to change their attitude. In this area, unlike the rest of politics, they just haven’t had an opportunity to express that preference and correct their representatives.
I don’t know if there is a package reform where it ultimately becomes avoidable that sometimes people think I need to bypass these and go directly to the court of public opinion, but I think it’s not any kind of stretch to say, “Had he been less fearful of the life destroying use of the Espionage Act, that other whistle blowers are seeing, or if he thought there was a place where he was likely to get a reasonable hearing, if there was a prospect for change through those other mechanisms, we might have seen a different approach to this.”
Evan: Yeah. Given the movie and nearing the end of Obama’s term as President, there’s now a campaign to pardon Edward Snowden. Snowden, himself, has been saying the campaign is not so much about him, but about future whistle blowers. People might come down one way or another. There are certainly interesting things, like the Washington Post, which won a Pulitzer Prize, using the Snowden leaks, published an editorial, saying he should be prosecuted. That was a funny one because people were saying, “You benefited directly from this. You’re a journalistic entity, so you of all organizations should appreciate the value of whistle blowers and the value of potentially someone breaking the law in order to reveal other law breaking.” You’ve got that. You’ve got the Washington Post saying, “He should be prosecuted.” Based on Obama’s record, it’s hard to see him pardoning Edward Snowden. There’s a lot of political pressures not to do stuff like that.
Julian: I think the pardon Snowden campaign is a function of the recognition of something you mentioned earlier, which is the debate over this stuff tends to go very quickly to Snowden, the person, partly because you can do “patriot or traitor” on cable news in five minute increments and you can talk about it very passionately without necessarily knowing much about what he did.
Evan: Yeah. We were going to do that, but they said this would have been a more interesting discussion.
Julian: The debate about bulk collection of metadata or targeted exploitation or any of the other tools these agents are using is technical and complicated. It’s technically complicated, legally complicated. It’s hard to keep all the code words straight, so it’s always easier and more dramatic to have a personal discussion. I think a lot of advocacy groups recognized, “Well, if we want to keep these surveillance issues and issues of transparency and whistle blower protections in the spotlight, the media-friendly hook for that is a pardon Snowden campaign at a time with the release of the movie.” They’re not delusional at the ACLU. They understand as well as anyone else that Snowden has about as much chance of being pardoned by Obama as Charlie Manson, but it’s a good way to keep the issues in the spotlight.
Evan: Yeah. It’s difficult to separate the man from what he did. We’re going to try to do that in this interview. Before we move on from the movie, we’ve got a question from Joel [Deal 00:22:00]. What was the largest fabrication in the Snowden movie? Joel, thanks for the question.
Julian: I don’t know if it was the …
Evan: Rephrase. What was your favorite fabrication?
Julian: I think the most significant one is the one where they have his, it’s not Peter Stormare. It’s like Oliver Stone said, “Get Peter Stormare” and they said, “He’s not available.” He said, “Okay. Well, get me someone who looks like Peter Stormare, but cheaper,” who plays his CIA mentor throughout the movie. Then at the end there’s this weird scene where he has this kind of epileptic seizure. He really is epileptic and then has what at first seems like a hallucination or a dream sequence, but then is treated as totally real, where he’s having this teleconference with his mentor who’s telling him, “Don’t worry. I’ve been reading your girlfriend’s email and she’s not cheating on you.”
Evan: That seems very Oliver Stone.
Julian: Yeah. Then he decides that they’ve got to flee. There were a lot of tiny code word things are changed. That was the one that leaped out at me as being, in a way to put it, the most significant because the weird thing it does to his motivations. Also the implication that he had help from his colleagues, which he’s always denied and seems like a weird thing to make up. It’s not like they’re going to be prosecuted because of something that they said in a movie, but it’s strange to implicate.
Evan: Yeah. In three years of debating this before the movie came out, I don’t think there was ever a notion that he was aided by anyone. If he were, we would know about it or they’d be in jail or something, so that’s a bizarre-
Julian: There was some discussion about whether people had let him use their passwords improvidently.
Evan: Negligence more so.
Julian: Yeah. I don’t think there was any suggestion that he had a knowing accomplice. They kind of hinted that in the movie without any factual basis that I know of.
Evan: Before we move on to the policy and the reforms that have happened or not happened since Snowden, one more question from the audience about the whistle blower aspect of this. JJ Spano asks, “Is there a conflict of interest for government employees who value internet privacy in a post-Snowden world?” JJ, a great question.
You’re a civil libertarian working at the NSA.
Julian: Yeah. I think the- Oh, I see. Okay, I misunderstood the … No. In a way one of my concerns about the [inaudible 00:24:21] relations is that, of course, they’ve cracked down very hard. It’s not like they were particularly loosey goosey to begin with on contractors and on hiring. One of the things they talk about is though Snowden had an EFF digital rights sticker on his laptop and now keep an eye out for that as a sign of possible Snowden two. I understand … I wouldn’t want to probably go work for NSA myself, but on the other hand you don’t really want a world where everyone who cares about civil liberties is weeded out, so the intelligence agencies are populated entirely by people who don’t have sympathies in that direction at all.
Evan: Hawks. Yeah. That’s an interesting one. Me, personally, my favorite moment in the whole Snowden saga was when Edward Snowden re-tweeted me recently. I tweeted something about the FBI’s dumb positions on encryption and thank you, Mr. Snowden, if you’re watching. You made my day and my week. My first thought was, “Wow, this is really cool.” My second thought was, “I’m going to be on a list by the end of the day.” There is that chilling effect and people, in a post-Snowden world, people are always thinking about how they use the internet. Like you said, a government employee who visits EFF’s website too often could be seen in a certain way.
Let’s get on to the aftermath and whether real reform has been achieved. For the first thing that we talked about, the Verizon, AT&T situation, that was really the big story that came out of the Snowden revelations. That was hardly the only NSA program that was revealed, I’ll say, but it was the first one. It was the most egregious, most ridiculous of all of them, so that’s why we focused on it. That was seen as coming out of the U.S.A. Patriot Act.
Now interestingly, one of the coauthors of the Patriot Act said, “That’s not what I meant. That’s not how I meant that law to be interpreted. If I knew that that’s what the NSA was going to do, I would not have written the Patriot Act.” Nonetheless we’ve seen some reform. It came in the form of another acronym, the U.S.A. Freedom Act. These bills always have names that say, “Yay” to freedom, even if one is anti-freedom and the other one is pro-freedom. What did the U.S.A. Freedom Act do and is this real reform that civil libertarians and privacy advocates should be cheering about?
Julian: There was some internal disagreement over that about whether it went far enough. Certainly, I think civil libertarians mostly think it didn’t go far enough, but whether it was an acceptable step in the right direction was, again, largely seen as a response to the bulk telephony Verizon story, which, as you say, I think was the first thing published. It was also, in a way, the easiest one. It was most egregious in terms of scale. It was domestic, totally indiscriminate, seems far out of step with what a normal person’s reading of what the statute allows would be.
Evan: A few judges said, “It violated the Fourth Amendment.” Then other judges said, “It violated the Patriot Act itself,” so there was all sorts of wrongs.
Julian: Right. There were a number of subsequent legal rulings essentially saying that this was not justified, but the actual substance of it was relatively easy to understand. I don’t know that it was the most worrying thing of all the revelations that came. I think a lot of stuff later got buried just because there’s a certain amount of Snowden fatigue or code word fatigue, so a lot of that later stuff that involved activities outside the U.S. under Executive Order 12333, which is much more permissive, didn’t get the same kind of attention, I think, in part because they think, “Well, it’s outside the U.S.,” even though on a border-less internet that may not make a huge difference in terms of whose communications get snarfed up.
Evan: Is that an effectiveness issue because many have argued that one of the reasons the U.S.A. Freedom Act succeeded in this environment we’re in, which still you see ISIS in the news every day. This is not exactly the most favorable media climate for people like Rand Paul and others who want to reform surveillance. Maybe there was a lull after we pulled out of Iraq, but then things have blown up again. Pun intended. We had the U.S.A. Freedom Act, which was getting rid of an ineffective program. Sweeping up every single communication between Americans, the duration of a call, who you were texting, it just did not stop any attacks and when judges asked the government to prove that it stopped an attack, they could not. Maybe one reason why that reform went through is because that program was demonstrably ineffective.
Then there are some that are a little bit murkier. You bring up Executive Order 12333. There’s Section 702 of the Foreign Intelligence Surveillance Act. These are programs that more involved foreign surveillance, which I think people are, Americans are going to be less annoyed about. When they’re spying on me and I’m an American and I’m innocent, that annoys me. When they see foreign surveillance they’re less skeptical, but you said, “The internet is border-less.” Is there such a thing as purely foreign surveillance or are Americans always going to be wrapped up in any surveillance effort whether it’s here or abroad?
Julian: There is, in a sense … if you do targeted surveillance, you can have foreign targets who are almost exclusively talking to other people abroad.
Evan: That’s 12333, right? This was an executive order signed by Ronald Reagan that allows surveillance on foreign to foreign communication, so ostensibly an American is not involved.
Julian: We need to actually distinguish two senses of foreign, right? There’s surveillance that’s foreign in the sense that it is conducted outside the U.S. If it’s conducted outside the U.S., so not on U.S. soil and does not deliberately target any particular American, that’s 12333 surveillance. Congress is not really involved. It’s purely governed by executive order.
Evan: It happens over there.
Julian: Right. It happens over there. A lot of surveillance under 12333, for example, there’s a program called Muscular that involved-
Evan: What a great name for a surveillance program, Muscular.
Julian: Yes. That involved vacuuming up information from the data links between the overseas servers of companies, like Microsoft and Google. This is one of the things that apparently made the folks at those companies the most enraged because they thought they were cooperating with the government and handing over data, after maybe negotiating about what the right process was and what kind of data should be available. They thought they were in a kind of relationship where they understood how much cooperation they were giving.
Evan: They thought it was above board.
Julian: Right. Then they realized, “Well, no. They’ve actually been breaking into our property overseas and stealing the data that they weren’t getting through the front door.” Obviously lots of data that affects U.S. persons or pertains to U.S. persons, but because it happens outside the U.S., 12333. There’s genuine Constitutional questions about how far Congress can regulate totally foreign surveillance, during war time.
Evan: War time, these days, is all the time.
Julian: Now FISA and particularly section 702 of the FISA Amendments Act, which was passed in 2008, which was really an attempt to put on legal footing the broad program of surveillance, Stellar Wind, that had been launched by President Bush shortly after 9/11. Almost everything that we debate now is one of the pieces of Stellar Wind that got farmed off into a different legal authority when either the DOJ lawyers or the companies started getting skittish about doing something purely on a note from the President.
Evan: That’s been a concern among privacy advocates that when you have reforms like U.S.A. Freedom Act or other reforms that say, “Under this legal authority, you can’t do this,” that that doesn’t mean that the practice is necessarily coming to an end. What happens is the administration gets some lawyers, DOJ, whoever it is and say, “Well, actually we can do the exact same thing under a different authority.” Now you’ve just moved the goal post and privacy advocates have yet another legal authority to reform. That might happen in situations where we’re dealing with foreign surveillance, but just getting back to the effectiveness situation, the bulk collection of Americans’ data was not effective in stopping terrorist attacks. Now basically the only difference is the companies hold the data and they have to be served a warrant to give it up. It’s not like the government-
Julian: Slightly different than that.
Evan: Oh, okay.
Julian: Let me try and do a quick …
Evan: In a post-U.S.A. Freedom world, government needs my phone records. What do they have to do to get them?
Julian: The central thing U.S.A. Freedom did was not actually just under the 215 Business Records Authority that was used for the telephone metadata, but-
Evan: That was in the Patriot Act.
Julian: It was from the Patriot Act, but it actually made the same change to three authorities that had been expanded by the Patriot Act. National security letters, which are issued by essentially any special agent in charge of an FBI field office, don’t require judicial approval, can be used for a list, basically, of specific types of records, but it’s a pretty broad list.
Evan: I’ve joked that this is essentially an FBI officer wants information. They go to the water cooler and they say, “Hey, buddy. Can you sign this?” That’s about the level of oversight that is being … It’s like asking your coworker …
Julian: Nominally there’s a process, but it, yeah, we know from inspector general investigations that very often that was not followed. It was, in fact, routinely sort of flouted.
Evan: Journalists have complained about that because they say they’re getting these letters and it makes them …
Julian: They’ve apparently used NSLs to get phone records of reporters and, as part of leak investigations, without the kind of elevated scrutiny that requests like that are supposed to get, for First Amendment reasons. That authority and then an authority called 214, that’s really about the real time interception of metadata …
Evan: That would be, I’m on the phone and the government wants to find out who I’m talking to?
Julian: Getting the dialing information in real time or more practically now probably they want to look in real time at what websites you’re visiting or who you’re opening a chat connection with, without necessarily looking at the contents of the communication. Then 215, all of those authorities had been modified by the Patriot Act to say, “Essentially where previously you could get certain kinds of data showing that the target, the person whose records you were getting was reasonably believed to be a foreign agent.” The Patriot Act changed that across all those authorities to, “The records are relevant,” which essentially means that standard is so low that it effectively means the agent says, “I think it would be useful for some reason to have this information.”
Evan: Yeah. That’s a pretty low bar.
Julian: It’s not supposed to be so low that you can say, “I want 350 million Americans’ phone records because somewhere in there will be something I find interesting.” It was low enough that they felt like they could read it that way without too great a stretch.
Evan: That gets into the issue where the authors of the Patriot Act, or at least Jim Sensenbrenner was saying, “When I wrote this thing, I did not tell you that you can get 300 million Americans’ phone records at all. That was not there and you … ”
Julian: Semi hilarious that I testified before Sensenbrenner’s committee a few years before the Snowden stuff on Section 215. We had a kind of, I’d say somewhat obstreperous interaction where he clearly thought that it was ridiculous that I was raising concerns about this. He said, “We modified this. We made it very narrow. Is nothing good enough for you? What are you worried they’re going to do?”
Evan: You damn privacy advocates. You’re never happy.
Julian: He thought it was unreasonable and that they had crafted something very narrow and balanced. I was thinking too small. I thought, “Well, you could imagine them deciding a whole city’s phone records, so they can find some cell they’re looking for might be relevant if they could get a court to believe that.” It was interesting because he flipped on that I think [inaudible 00:36:34] because he really believed that the authority they passed had been pretty narrow.
The change that was made by U.S.A. Freedom was to require in all of these cases, a specific selector, the idea there being it’s … The standard is still are the records relevant to an investigation, but the idea was but now you have to specify those records with something akin to a phone number, an account holder, an address, a credit card, whatever it is, you’ve got to have a specific identifier, so you’re saying, “These are the records I want.” It can’t be something like an area code or a city.
Evan: That’s getting back to police work. This is the idea that you should, if you’re going to employ these tools of electronic surveillance that can be very powerful and very intrusive, that at least one safeguard we can hope for and put into law potentially is that have some idea of who you’re looking for. Go out, stake something out, interview some people, whatever it is, do some good old-fashioned police work and then once you’ve figured out that there’s something worth looking for, then go to Verizon and say, “Here’s the phone number and I need everything.”
Julian: The irony is that what all the independent reviews of that telephony program ultimately showed was it’s not that it never came up with anything that might have been useful, churning through all these social connections between targets, it’s that basically every time they found something of any use, it was something the FBI had already found the traditional way. That is, they’d say, “Well, thank you, but we’re already getting the metadata for that number through a traditional targeted court order. We didn’t need a bulk database to do that.”
One of the things I think that comes out of some of the reporting on the relationship between the agencies and the early years of the War on Terror is you do very often find FBI officials complaining about sometimes it’s called Pizza Hut leads that they would get fed all this stuff that came out of the data mining or the bulk databases and realized that, “Well, you’ve got us chasing down the Pizza Hut that these three guys called.” This is actually so in, Michael Hayden, the former NSA director’s recently released memoir there’s some sort of back and forth snark about that. “Well, we thought, we trusted the FBI to do their own research.” You get an interesting picture of the dynamic between those agencies.
The big change in terms of the substance is essentially to make it very difficult for them to do similar bulk collection domestically, doesn’t necessarily prevent them from doing it overseas because that’s 12333, but there’s a lot of kinds of records that in practice are not overseas, even in the border-less world, so we have to do it domestically and, right, requires them to have a modicum of particularity in what they’re getting. The model now is instead of just searching this bulk database that they keep, they go to the FISA court, get a not a warrant, but an individual order or at least a specific order. It may have a lot of numbers or accounts on it, but the court actually looks at the factual basis for saying, “We think these records are relevant.” Then they can take the order to the phone company. That’s I think a significant change.
Some people say, “Well, you’ve just changed where the database is.” The phone company has those records anyway. There’s no universe where the phone company has no record of you made a phone call.
Evan: The incentives are different, right? The government doesn’t necessarily have, other than things like the fourth amendment and the Constitution, which are routinely ignored anyway, other than those what are the incentives for government to protect our data? Not many, whereas Verizon, AT&T, at least they’re private companies. They have customers. There’re four major nationwide carriers. People can switch carriers if they want to. They can even be bribed to, someone’s going to pay their cancellation fees. At least these companies now, they have an incentive to protect their customers’ data unless they are needed for a good reason.
Julian: They’re subject to a general … The government at least is checking the companies if they’re misusing people’s data or lying about what they’re doing with the data.
Evan: There’s an extra layer of protection now in a post-U.S.A. Freedom world.
Julian: I also think it does matter that it is not all in one place. I think in terms of the practical effect of large data stores, it does make a big difference. This is why they wanted it all in one place. It does make a big difference whether you essentially have the entire data is that you can extrapolate much more when you can see not just an individual’s behavior. This isn’t how the NSA says they were using it, but having the ability to say, “All right. What is the entire pool of behavior look like? Then how does your behavior change? Then when I call you, when I call one contact, how does that person’s behavior change? Do they suddenly call someone else?” Having everything in one place gives you a much more invasive and comprehensive picture of people’s behavior, especially if you have also, of course, the ability to combine that with other data sets.
Evan: Yeah. One of the concerns is not necessarily what they would do with this data for counter-terrorism, but what does the government do with all this data twenty years from now under a different …? One of the really interesting things that Snowden did was some of the non-policy effects of his disclosures and I’ll remind our audience that we’d love to get some more questions. Attitudes about the United States, about surveillance, about our government, about tech companies and our products, they’ve changed in a post-Snowden world. I’d like to point out that we are by far not the worst offender in the world, when it comes to surveillance.
Julian: Oh God no. Right.
Evan: We’ve spent forty minutes talking about what the United States does on surveillance because of Edward Snowden and because of the movie, but let’s not kid ourselves. Even the kangaroo courts we have and even the loose oversight we sometimes have here is more than you’ll see in other countries. Yet because of what Snowden did and there was this huge focus on the United States, much of the debate focuses on us. In Europe you see countries like France in the wake of the Paris attacks passing surveillance bills at the eleventh hour, total authority. The U.K. doesn’t have a particularly great track record. You have Russia and China which are on a completely other category. Yet we still have to talk about how our surveillance practices affect foreigners because of these revelations.
That program, Section 702, I think most Americans realize we need some type of foreign surveillance. There are foreign threats. There are other governments who want to do us harm. There are terrorists who want to do us harm.
Julian: Let’s actually specify, I don’t think we actually specified what’s 702. We’ve said it a bunch of times, but I don’t think we have explained what it is.
Evan: What is that program?
Julian: When I said everything fell out of Stellar Wind, Stellar Wind was originally a program that involved warrant-less collection of telephone metadata, internet metadata, telephone content, conversations, and internet content, emails and chats.
Evan: It was a lot of stuff.
Julian: Essentially it was broken up like the mystical artifact in a bad sci-fi movie and scattered across different legal authorities. Section 215 is where the telephone metadata part went. Section 214, the real time authority was where the internet component went. Then the content stuff, they couldn’t really squeeze into anything, so that ended up taking the form of Section 702 of the FISA Amendments Act of 2008. This is unlike 12333 because it’s domestic surveillance in the sense that it happens in the U.S. It’s not, they’re in a foreign country with a tap on a foreign line, but they’re going to Google. They’re going to Microsoft and requesting access to their data either stored or real time data, but targeting a foreigner. “We think this is a foreign person’s email account that we’re asking about.”
Evan: I guess the three categories, just so viewers are keeping up with us, when we talked about U.S.A. Freedom that was domestic program, domestic surveillance. You’ve got 12333, which involves us conducting surveillance in another country and the physical surveillance is happening there. We have people there. We have an office there doing something. Then we’ve got this middle situation where, Section 702, where we’re targeting people in other countries, but the companies are American maybe and the people doing it are in the United States. That’s what makes it different.
Julian: Right. 702 is, on face, it’s a general warrant, which is the thing that gave rise to the fourth amendment and one of really the things that spurred the American Revolution was the idea of these warrants that didn’t specify a target or a place to search, but gave plenary authority to go rifling through whatever seemed appropriate in search of evidence of wrongdoing. This was constrained in the sense that the target still has to be foreign. You can’t just look through anyone’s email or internet communications, but it’s still a single authority, a single order. The court looks at not individual targets, but broad procedures that are going to be used to choose targets and limit access to the data once it’s sucked in. Then once the court approves those procedures, you’ve got basically one mega-warrant under which they target, at last count, about 95 thousand foreign people. Of course because foreigners talk to Americans occasionally …
Evan: Border-less internet.
Julian: You get an enormous amount of American communications sucked in as well, so I think it still fits pretty cleanly within the idea of a general warrant in that whoever the target is, you’re still conducting searches of Americans’ communications in pretty large numbers without warrants. Maybe it’s not 95 thousand, but you probably end up with a very large number.
There was one particular type of 702 surveillance that the FISA court, at one point estimated was, because of some problems with the way they’d configured it, pulling in about 56 thousand completely domestic communications every year, meaning not an American talking to a foreigner, but an American talking to an American, which you’re not supposed to do at all under that authority. They, in theory, fixed that up, but I think it’s easy to extrapolate that you’re still ultimately talking about a huge amount of American data. That’s something that was not really addressed by U.S.A. Freedom.
U.S.A. Freedom really targeted those other three authorities that were about metadata, about records and said, “You can’t do that in bulk domestically anymore.” It actually also had some important transparency stuff that was tacked on and said, “Certain kinds of data has to be reported. The FISA court should appoint an amicus to argue the case for civil liberties.”
Evan: Like a public advocate.
Julian: Yeah. In cases that involved some new interpretation of the law and they’ve chosen a panel of very good experts to act in that role, but didn’t really touch a lot of these other authorities. 702 is the authority that governs PRISM surveillance, which is surveillance directly with the help of companies like Google and Yahoo and then upstream surveillance, which is, again, still targeting a foreigner, but instead of getting it from the end point, from Google, they’re essentially sucking it live off the pipe as it comes in. The rationale there is there’s a lot of data that might be going from an email provider in Yemen to one in Pakistan, but is passing through the U.S. and is never going to land here. It’s not going to sit here for more than a second as it passes through the switches. The only way to get that is to be scanning everything on the pipe and pulling that in.
One of the issues folks have with that is that it’s not necessarily great at distinguishing between a selector that shows up in a header and something that shows up in the body, which is to say, to give you a concrete example that means maybe they’re trying to target a bad guy at, who they think is outside the U.S. If that selector, that address shows up in the body of an email because someone forwarded it or for whatever reason, we’re saying, “Do you know that guy at that address?” that triggers it too, so that stuff gets sucked in too. They’re supposed to be pretty good at filtering out stuff that has both end points in the U.S., but again, of course, they’re pulling in then as a result, an enormous amount of content that is, refers to the target in some way maybe, but is not actually either from or to the target.
Evan: Just to recap some of these programs we’ve talked about and the reforms, then we’ve got a couple audience questions to wrap up the show, but the original offender, the bulk collection of Americans’ phone data, that was ended by the U.S.A. Freedom Act. Then we’ve got these other authorities, one the 12333, which would require executive action. Then you’ve got Section 702 as you mentioned, which expires in December of 2017 and we’ve seen the expiration dates on laws like this are sometimes the only opportunity for reform, so expect a big push from certain organizations in the privacy space as we near December of 2017 because there’s going to be a big push to reform that practice as well.
Julian: The push on that is primarily on two things. One of the issues there is it was sort of easy to get rid of the bulk telephony program because despite all the reflexive defense of it, ultimately it became pretty clear that it wasn’t doing any good. They could let that one go and wouldn’t really be any worse off from an operational perspective. 702, I think, could probably be constrained significantly without hampering its effectiveness.
Evan: It’s still an important program.
Julian: There’s not much … They’re getting useful information out of that that would be difficult to get otherwise.
Evan: Right. It’s not a completely useless program and that’s why there’s a legitimate debate about, but a couple audience questions just to wrap up the show. Charles [Blatts 00:51:01], thanks for the question, asks, “Julian, are there any practical or effective ways to protect ourselves from domestic government surveillance?”
Julian: There are certainly things you can do and this is where, I think, the usual thing to do is say, “Well, you can use Tor or Tails if you-
Evan: WhatsApp.
Julian: WhatsApp. There’s a lot of applications that can help you. You can use a VPN and you probably want to make sure that they don’t log their own user traffic, but there’s a whole bunch of things you can do to try and anonymize your traffic. In terms of anonymity, Tor or a VPN with good logging practices will help conceal your daily activity. Then using encryption either in email or more realistically in through apps like Signal or WhatsApp. If you want to be super hardcore, there’s an operating system called Tails that’s essentially an amnesiac operating system. You boot it up from a USB stick. It comes with essentially a lot of privacy enhancing tools built into it and then when you shut your computer off and pull the encrypted stick out, it’s wiped and there’s no domestic record or local record left of your activity.
I think any security expert is going to tell you though that counting on individual users to protect their own privacy is just a mistake. It’s like trying to secure your own email server. It’s probably not a good idea.
Evan: What are you referring to? I don’t know.
Julian: A randomly selected example. The significant shift inspired by Snowden is less individual people being more cautious. There’s some of that. Tor has increased enormously in size.
Evan: Pol indicated that 700 million people around the world have done something in response to the Snowden. Now-
Julian: Not clear whether it’s very much or something effective.
Evan: Or whether it works, but at least there are people taking notice and being more mindful of their security.
Julian: Right. Ultimately doing security well is, communication security well is very hard. You probably can’t do it. I probably couldn’t do it without a lot of help. The change that I think matters is companies making choices that don’t require you to be some sort of infosec geek and know how to use Linux and how to configure an email server properly to be able to have secure communication.
Evan: An example of that would be WhatsApp as a messaging app owned by Facebook that has a billion users. They turned on end to end encryption for all of their users without asking people whether they wanted to do it or without some big public debate. They just did it and that’s an action by a company that protects a billion people’s security without them having to lift a finger. That might be the future of this debate. It’s that companies with the technical knowledge and the bully pulpit are going to advocate on behalf of users because users can’t do it themselves.
Last question to wrap up the show, JJ Spano asks, “Where would you direct citizens interested in aiding the cause? What is the most important thing you want Americans to take away from this talk?”
Julian: That’s a hard one. Well, I think we do good work at Cato, so you can see stuff we write about there, myself and my colleagues, Jim Harper and Pat Eddington, who write about these issues.
Evan: I’ll plug Tech Freedom. Tech Freedom does some great work on this issue as well.
Julian: The Electronic Frontier Foundation is a group that is both very active and focused very specifically on these issues. I think they’re probably the most useful resource, both in terms of learning what’s going on. They’re great about doing FOIA requests about posting searchable archives of documents if you want to research what’s going on and about translating what’s going on there into human intelligible summaries. If you want to learn about these programs, I think that often they will have the best, legally accurate, but also human intelligible explanation. They’re also very good on stuff like self protection, so to the extent that it is sometimes a good idea for the user to try and move the ball forward themselves there without waiting for companies to do it for us, they have good guides to what kind of tools are out there.
Evan: Snowden’s been an advocate, himself. He did an episode with John Oliver, some basic things you can do to secure your phone. One of the points he’s been making is that while you can sit around and wait for a company to secure your phone or for the government to stop acting poorly, you might have to be a little more proactive than that.
Last thing, what, if there’s … we’ve had a big discussion with a lot of things, what would be the one thing you want to make sure that viewers take away from this talk today?
Julian: We’ve talked a lot about the detail. I think one of the things that the Snowden movie does, they sort of clumsily get across that can get lost in the weeds is the bigger picture motivation here. The bigger picture motivation I think is what would make Snowden burn down a happy life in Hawaii with a good paying job. Backing up from the details of this or that type of collection, we have created a kind of technological environment where we have technology as sort of this amazing tool for liberation, but also for the same reasons, an incredible tool of oppression, at least potentially.
We have ubiquitous now network devices that effectively all our relationships are mediated through. Every conversation I have is either on one of these devices or with it in the room. They’ve got microphones and cameras and they’re on a network permanently and we are … if you look at the capabilities NSA has, both in terms of the bulk data they collect and in terms of things we didn’t talk about like TURBINE, which is a kind of AI for malware implantation that can at a scale of millions of devices detect a particular target device online and implant malware that will allow it to be taken over and turned into a spy machine.
We have the potential for the creation of something like an eye of Sauron. There’s an intelligence contractor called Palantir, after the big seeing stone in the Lord of the Rings. We’re, in a way, approaching in the foreseeable future, a technological reality where the control of the services we trust to mediate our communications, the interpenetration with intelligence is so complete. Their ability to control the physical infrastructure is so complete and their computing power, their ability to store data and to exploit vulnerabilities so great that you have created a kind of architecture for total monitoring, which I think ultimately means total control.
Evan: Well on that cheery note, with the golden age of surveillance, we’re going to wrap it up. This has been this week’s episode of Learn Liberty Live. My guest has been Julian Sanchez, Senior Fellow at the Cato Institute. Check out his work. You blog at justsecurity, if I remember correctly.
Julian: That’s right.
Evan: Great stuff on surveillance issues, so make sure to check that out. Check out Tech Freedom and the Tech Policy Podcast, where I recently did an episode about HPSCI reform and some of this whistle blower stuff we’ve been talking about. If you’re interested in getting into the cause, just like Julian said, check out the Electronic Frontier Foundation, other groups that are doing some activist work and some educational work on this issue. That’s it for today. Tune in next week.