Permanent Record

Author(s): Edward Snowden
Published: 2019
Roadmap

Overall Thoughts & Roadmap

I didn't know much about Ed Snowden's story before reading this, so I opened this book with few preconceptions. I was pleasantly surprised to find this to be one of the most influential book I've read in a while. It made me reconsider the internet browser I'm using (goodbye, Google chrome), question my reliance on services that store my data on the cloud (Dropbox, GooglePics), and question where power really lies in a world of data...

The book summary is structured as follows:

(1) Snowden's story. This section gives brief (but limited) overview of Snowden's story.

(2) What did the NSA do? This section discusses what Snowden blew the whistle on.

(3) Why should you care? Most people's reaction to NSA surveillance is that they have nothing to hide and so shouldn't be concerned about it. This section gives 4 reasons why you should care.

1. Snowden's Story: From the Beltway to Moscow in Exile

Edward Snowden is known as an American whistleblower who copied and leaked highly classified information from the National Security Agency (NSA) in 2013 when he was a Central Intelligence Agency (CIA) employee and subcontractor.

Family. Born in June 1983 in North Carolina. Many of his family members worked in government - his grandfather was a Coast Guard, his father was also an officer in the Coast Guard, his mother was a clerk at the US district court in Maryland, and his older sister was a lawyer at the Federal Judicial Center. So "working for the government" was pretty much in his blood. They lived near Forte Meade and so government employment was "normal":

I can’t stress this enough, for outsiders: this type of employment was normal. Neighbors to our left worked for the Defense Department; neighbors to the right worked in the Department of Energy and the Department of Commerce. For a while, nearly every girl at school on whom I had a crush had a father in the FBI. Fort Meade was just the place where my mother worked, along with about 125,000 other employees, approximately 40,000 of whom resided on-site, many with their families.

The civil servant status of Snowden's family is important for understanding his political views. He stresses that the funny thing about government employees is that they tend to be apolitical:

My parents were, if not dismissive of politics in general, then certainly dismissive of politicians. To be sure, this dismissal had little in common with the disaffection of nonvoters or partisan disdain. Rather, it was a certain bemused detachment particular to their class, which nobler ages have called the federal civil service or the public sector, but which our own time tends to refer to as the deep state or the shadow government... These civil servants, who stay in their positions even as administrations come and go, work as diligently under Republicans as under Democrats because they ultimately work for the government itself, providing core continuity and stability of rule.

Education. Snowden's parents divorced when he was 13 years old and he and his sister were shipped between their fathers and mother's home. In the early 1990s, Snowden moved with his family to Fort Meade, causing him to miss high school for almost nine months. Ed was disinterested in high school work, preferring to spend time on the one computer at home. Rather than going back to high school, he passed the GED test and took classes at a community college.

Entry to the CIA. 9/11 was the turning point for the US and for Snowden! It was the day he decided he wanted to use his skills to free the US from oppression:

September 12 was the first day of a new era, which America faced with a unified resolve, strengthened by a revived sense of patriotism and the goodwill and sympathy of the world. In retrospect, my country could have done so much with this opportunity. It could have treated terror not as the theological phenomenon it purported to be, but as the crime it was. It could have used this rare moment of solidarity to reinforce democratic values and cultivate resilience in the now-connected global public. Instead, it went to war.

In May 2004, he enlisted in the US Army and became a Special Forces candidate. He didn't complete the training due to physical injuries and was discharged in September 2004.

Following his stint at the army, Snowden meets (his wife) Lindsay online, an artist from Maryland. During this time, he also applies for a job at the CIA and is cleared.

Between 2006 to 2009, Snowden worked for the CIA in Geneva. Here, he got a diplomatic passport and a four-bedroom apartment near Lake Geneva. There's one incident here where a CIA deliberately got a Swiss banker drunk and encouraged him to drive home. When the banker was arrested, the CIA operative offered to help in exchange for the banker being an informant.

In 2009, he begins to work for Dell as a contractee. Dell manages computer systems for multiple government agencies. He was stationed in Tokyo. His primary task was to instruct top officials and military officers on how to defend their networks from Chinese hackers, something that led him to also look into Washington's mass surveillance program.

I was reminded of what is perhaps the fundamental rule of technological progress: if something can be done, it probably will be done, and possibly already has been. There was simply no way for America to have so much information about what the Chinese were doing without having done some of the very same things itself, and I had the sneaking sense while I was looking through all this China material that I was looking at a mirror and seeing a reflection of America. What China was doing publicly to its own citizens, America might be—could be—doing secretly to the world.

In 2011, Snowden returns to Maryland where he spends a year as lead technologist on Dell's CIA account. In 2012, he then moves to NSA's Hawaii's regional operations center which focuses on the electronic monitoring of China and North Korea. It's here that he began copying the documents that he later leaked to journalists.

Whistleblowing. On May 20, 2013, Snowden flew to Hong Kong after leaving his job at an NSA facility in Hawaii. In early June, he revealed thousands of classified NSA documents to journalists.

On June 21, 2013, the justice department charged Snowden of two charges of violating the Espionage Act and theft of government property. The government then revoked his passport. At that time, Snowden was in the process of travelling to Moscow where he discovered that his passport was cancelled. He's been granted right of asylum in Russia and has been living there since.

2. What did the NSA do?

Snowden's disclosures revealed numerous global surveillance programs, many of them run by the NSA and the Five Eyes Intelligence Alliance (Australia, Canada, NZ, UK, US) with the cooperation with telecommunication companies and European governments.

Snowden says that the most prominent internet surveillance methods are the PRISM program and upstream collection. Both of these programs are "justified" by NSA under the FISA Amendment Act. This act allows the NSA to target Americans and any foreigner outside the US deemed likely to communicate foreign intelligence information (this is a broad category that includes journalists, employees, academics, aid workers etc).

PRISM program: collection from the servers of service providers

This program allows for court-approved direct access to multiple private accounts...! 

PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds, transforming the companies into witting coconspirators.

Upstream collection: direct collection from Internet infrastructure

Snowden says this is even more invasive than PRISM...

Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector Internet infrastructure—the switches and routers that shunt Internet traffic worldwide, via the satellites in orbit and the high-capacity fiber-optic cables that run under the ocean....

How does this collection actually take place?

Imagine yourself sitting at a computer, about to visit a website. You open a Web browser, type in a URL, and hit Enter. The URL is, in effect, a request, and this request goes out in search of its destination server. Somewhere in the midst of its travels, however, before your request gets to that server, it will have to pass through TURBULENCE, one of the NSA’s most powerful weapons...The first, TURMOIL, handles “passive collection,” making a copy of the data coming through. The second, TURBINE, is in charge of “active collection”—that is, actively tampering with the users. You can think of TURMOIL as a guard positioned at an invisible firewall through which Internet traffic must pass. Seeing your request, it checks its metadata for selectors, or criteria, that mark it as deserving of more scrutiny... If TURMOIL flags your traffic as suspicious, it tips it over to TURBINE, which diverts your request to the NSA’s servers. There, algorithms decide which of the agency’s exploits—malware programs—to use against you.

The NSA keeps any data for perpetuity!

The NSA’s conventional wisdom was that there was no point in collecting anything unless they could store it until it was useful, and there was no way to predict when exactly that would be. This rationalization was fuel for the agency’s ultimate dream, which is permanency—to store all of the files it has ever collected or produced for perpetuity, and so create a perfect memory. The permanent record.

3. Why should you care?

I think most people's reaction to this surveillance systems is "well, I have nothing to hide, so I shouldn't worry about it". Perhaps shamefully, this was my initial reaction when I first heard about the Ed Snowden whistleblowing scandal. This book touches on some reasons why you should care.

Reason 1. You generate more data than you think.

Maybe most people don't care about surveillance because they don't understand what surveillance means. Usually, people think of surveillance in terms of content but in fact it's really to do with context. Mass surveillance is to do with context rather than content! In particular, it's to do with metadata.

metadata is data about data. It is, more accurately, data that is made by data—a cluster of tags and markers that allow data to be useful. The most direct way of thinking about metadata, however, is as “activity data,” all the records of all the things you do on your devices and all the things your devices do on their own. Take a phone call, for example: its metadata might include the date and time of the call, the call’s duration, the number from which the call was made, the number being called, and their locations. An email’s metadata might include information about what type of computer it was generated on, where, and when, who the computer belonged to, who sent the email, who received it, where and when it was sent and received, and who if anyone besides the sender and recipient accessed it, and where and when.

But what's so scary about metadata? 

  1. It's the essence of content. There's no way some surveillor would be able to listen to every single phone call in the word. Metadata helps winnow down the field of where surveillors should search for content.
  2. You often produce it unknowingly. (E.g. while you might be able to control what you write in an email, it's much harder to control where you send that email from or where your recipient receives that email from).
  3. You produce it all the time, from the day you're born.

Reason 2. History suggests that mass surveillance can lead to oppression.

Countries that have practised mass surveillance used it to oppress certain groups.

The only two countries I knew of that had previously practiced mass surveillance were those two other major combatants of World War II—one America’s enemy, the other America’s ally. In both Nazi Germany and Soviet Russia, the earliest public indications of that surveillance took the superficially innocuous form of a census, the official enumeration and statistical recording of a population. The First All-Union Census of the Soviet Union, in 1926, had a secondary agenda beyond a simple count: it overtly queried Soviet citizens about their nationality. Its findings convinced the ethnic Russians who comprised the Soviet elite that they were in the minority when compared to the aggregated masses of citizens who claimed a Central Asian heritage, such as Uzbeks, Kazakhs, Tajiks, Turkmen, Georgians, and Armenians. These findings significantly strengthened Stalin’s resolve to eradicate these cultures, by “reeducating” their populations in the deracinating ideology of Marxism-Leninism. The Nazi German census of 1939 took on a similar statistical project, but with the assistance of computer technology. It set out to count the Reich’s population in order to control it and to purge it—mainly of Jews and Roma—before exerting its murderous efforts on populations beyond its borders

Reason 3. Other people you care about might have things to hide.

Our freedoms are interdependent (especially in today's world). Even if you don't have anything to hide, other people might. Disregarding your privacy might put those other people at risk.

Because a citizenry’s freedoms are interdependent, to surrender your own privacy is really to surrender everyone’s. You might choose to give it up out of convenience, or under the popular pretext that privacy is only required by those who have something to hide. But saying that you don’t need or want privacy because you have nothing to hide is to assume that no one should have, or could have, to hide anything—including their immigration status, unemployment history, financial history, and health records. You’re assuming that no one, including yourself, might object to revealing to anyone information about their religious beliefs, political affiliations, and sexual activities, as casually as some choose to reveal their movie and music tastes and reading preferences.

Reason 4. It's a matter of principle and values

Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say. Or that you don’t care about freedom of the press because you don’t like to read. Or that you don’t care about freedom of religion because you don’t believe in God. Or that you don’t care about the freedom to peaceably assemble because...