Permanent Record
Kindle Notes & Highlights
Read between February 7 - March 4, 2023
52%
By redefining the terms “acquire” and “obtain”—from describing the act of data being entered into a database, to describing the act of a person (or, more likely, an algorithm) querying that database and getting a “hit” or “return” at any conceivable point in the future—the US government was developing the capacity of an eternal law-enforcement agency.
53%
The NSA calls this “metadata.” The term’s prefix, “meta,” which traditionally is translated as “above” or “beyond,” is here used in the sense of “about”: metadata is data about data. It is, more accurately, data that is made by data—a cluster of tags and markers that allow data to be useful. The most direct way of thinking about metadata, however, is as “activity data,” all the records of all the things you do on your devices and all the things your devices do on their own.
57%
The majority of American Internet users lived their entire digital lives on email, social media, and e-commerce platforms owned by an imperial triumvirate of companies (Google, Facebook, and Amazon), and the American IC was seeking to take advantage of that fact by obtaining access to their networks—both through direct orders that were kept secret from the public, and clandestine subversion efforts that were kept secret from the companies themselves. Our user data was turning vast profits for the companies, and the government pilfered it for free.
64%
Joint Counterintelligence Training Academy (JCITA) and its parent agency, the Defense Intelligence Agency (DIA).
64%
NSAnet, the NSA’s network,
64%
Joint Worldwide Intelligence Communications System (JWICS), the Department of Defense’s top-secret intranet.
64%
I called this system Heartbeat, because it took the pulse of the NSA and of the wider IC. The volume of information that crashed through its veins was simply enormous, as it pulled documents from internal sites dedicated to every specialty
65%
Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat.
65%
NSA’s new surveillance posture as a matter of six protocols: “Sniff It All, Know It All, Collect It All, Process It All, Exploit It All, Partner It All.” This was just PR speak, marketing jargon. It was intended to impress America’s allies: Australia, Canada, New Zealand, and the UK, the primary countries with which the United States shares intelligence.
65%
“Sniff It All” meant finding a data source; “Know It All” meant finding out what that data was; “Collect It All” meant capturing that data; “Process It All” meant analyzing that data for usable intelligence; “Exploit It All” meant using that intelligence to further the agency’s aims; and “Partner It All” meant sharing the new data source with allies.
65%
This legislation was being used by the NSA to justify
65%
its two most prominent Internet surveillance methods: the PRISM program and upstream collection. PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds, transforming the companies into witting coconspirators. Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector Internet infrastructure—the switches and ...
66%
You open a Web browser, type in a URL, and hit Enter. The URL is, in effect, a request, and this request goes out in search of its destination server. Somewhere in the midst of its travels, however, before your request gets to that server, it will have to pass through TURBULENCE, one of the NSA’s most powerful weapons.
66%
TURMOIL, handles “passive collection,”
66%
TURBINE, is in charge of “active collection”—that is, actively tampering with the users.
66%
If TURMOIL flags your traffic as suspicious, it tips it over to TURBINE, which diverts your
66%
request to the NSA’s servers.
67%
The Foreign Intelligence Surveillance Court (FISC), which oversees intelligence surveillance within the United States, is a specialized body that meets in secret and hears only from the government.
68%
The constitutional system only functions as a whole if and when each of its three branches works as intended. When all three don’t just fail, but fail deliberately and with coordination, the result is a culture of impunity. I realized that I was crazy to have imagined that the Supreme Court, or Congress, or President Obama, seeking to distance his administration from President George W. Bush’s, would ever hold the IC legally responsible—for anything. It was time to face the fact that the IC believed themselves above the law, and given how broken the process was, they were right.
68%
terminated the command of Commodore Hopkins, ordered the Treasury
68%
by unanimous consent enacted America’s first whistleblower protection law. This law declared it “the duty of all persons in the service of the United States, as well as all other inhabitants thereof, to give the earliest information to Congress or any other proper authority of any misconduct, frauds, or misdemeanors committed by any officers or persons in the service of these states, which may come to their knowledge.”
69%
My superiors were not only aware of what the agency was doing, they were actively directing it—they were complicit.
69%
every language, including English, demonstrates its culture’s relationship to
69%
power by how it chooses to define the act of disclosure.
70%
A “whistleblower,” in my definition, is a person who through hard experience has concluded that their life inside an institution has become incompatible with the principles developed in—and the loyalty owed to—the greater society outside it, to which that institution should be accountable.
70%
Instead, I was resolved to bring to light a single, all-encompassing fact: that my government had developed and deployed a global system of mass surveillance without the knowledge or consent of its citizenry.
72%
Ira “Gus” Hunt, the chief technology officer of the CIA.
75%
NSA’s UK partner, the Government Communications Headquarters, or GCHQ, which was setting up dragnets like OPTICNERVE, a program that saved a snapshot every five minutes from the cameras of people video-chatting on platforms like Yahoo Messenger, and PHOTONTORPEDO, which grabbed the IP addresses of MSN Messenger users.)
76%
SD cards—the acronym stands for Secure Digital. Actually, I went for the mini- and micro-SD cards.
76%
The size of SD cards, however, has one downside: they’re extremely slow to write.
76%
SCIF—a Sensitive Compartmented Information Facility,
78%
Although the deleted file disappears from view, it is rarely gone.
80%
XKEYSCORE, which is perhaps best understood as a search engine that lets an analyst search through all the records of your life.
80%
National Threat Operations Center. NTOC
80%
Tailored Access Operations (TAO) division. This was the NSA unit responsible for remotely hacking into the computers of people whom analysts had selected as targets
80%
NTOC’s main job, by contrast, was to monitor and frustrate the activity of the TAO’s foreign equivalents.
80%
NTOC had a position open through a contractor job at Booz Allen Hamilton, a job they euphemistically described as “infrastructure analyst.”
81%
an interface that allows you to type in pretty much anyone’s address, telephone number, or IP address, and then basically go through the recent history of their online activity.
82%
The grounds for suspicion were often poorly documented, if they were documented at all, and the connections could be incredibly tenuous—“believed to be potentially associated with” and then the name of some international organization that
82%
could be anything from a telecommunications standards body to UNICEF to something you might actually agree is menacing.
95%
Congress passed the USA Freedom Act, which amended Section 215 to explicitly prohibit the bulk collection of Americans’ phone records.
95%
Apple adopted strong default encryption for its iPhones and iPads, and Google followed suit for its Android products and Chromebooks. But perhaps the most important private-sector change occurred when businesses throughout the world set about
96%
switching their website platforms, replacing http (Hypertext Transfer Protocol) with the encrypted https (the S signifies security), which helps prevent third-party interception of Web traffic. The year 2016 was a landmark in tech history, the first year since the invention of the Internet that more Web traffic was encrypted than unencrypted.
96%
SecureDrop (originally coded by the late Aaron Swartz), an open-source submission system that allows media organizations to securely accept documents from anonymous whistleblowers and other sources. Today, SecureDrop is available in ten languages and used by more than seventy media organizations around the world, including the New York Times, the Washington Post, the Guardian, and the New Yorker.
96%
the law is country-specific, whereas technology is not. Every nation has its own legal code but the same computer code.
96%
In the US, data is usually regarded as the property of whoever collects it. But the EU posits data as the property of the person it represents, which allows it to treat our data subjecthood as deserving of civil liberties protections.