Some older articles on this weblog that are of current interest:

September 12, 2019

A document about the UKUSA partnership with unknown classification compartments

(Updated: September 13, 2019)

A highly sensitive document about the intelligence sharing relationship between the United States and the United Kingdom reveals the existence of three classification compartments that were previously unknown.

The assessment was declassified in September 2018 after a FOIA request by Privacy International and Yale Law School's Media Freedom & Information Access Clinic (MFIA). The document has no date, but must be from somewhere before the NSA's internal reorganization in the year 2000.


First page of the assessment of the UKUSA relationship
(click to enlarge)



Classification markings

The classification marking at the top of the document reads:

TOP SECRET VRK11 TK AG DC MC
N O F O R N

This rather long and complex marking consists of three separate parts. First there's the actual classification level:

- TOP SECRET
This is the highest level of classified information, which would cause "exceptionally grave damage" to US national security if it were disclosed unauthorized.

Then there are several Sensitive Compartmented Information (SCI) control systems and compartments which further restrict the access to particularly sensitive information:

- VRK11
VRK stands for Very Restricted Knowledge and was a sub-control system to limit access to uniquely sensitive COMINT activities and programs. It contained compartments or categories which had an identifier of one to three alpha numeric characters, so in this case the document contains information from VRK compartment 11.
Shortly before 2004, VRK was succeeded by a new system called Exceptionally Controlled Information (ECI).

- TK
TK stands for TALENT KEYHOLE, which is a combined control system for products of overhead collection systems, such as spy satellites and reconnaissance aircraft.

- AG
Unknown.

- DC
Unknown.

- MC
Unknown. (Update: On Twitter, Bill Robinson said that MC is the abbreviation for MERCURY, a series of satellites for COMINT, SIGINT and ELINT collection, which were operated from Menwith Hill in the UK)

Finally, there's a dissemination marking which adds additional restrictions:

- NOFORN
This stands for No Foreign Nationals and is applied to any information that may not be released to any non-US citizen.

The classification of the document is remarkable and interesting in various ways. Not only because it contains VRK11 and TK information - this applies to some other declassified documents - but because it has three additional markings (AG, MC and DC), which seem to show up here for the first time.

These markings clearly look like abbreviations of code words, but that's also a bit strange because in an overall classification line, code words should be written in full. And if we assume that these markings stand for additional control systems or compartments, it's remarkable to see three that were not known before.






Benefits for the US

Although the term UKUSA is often used for the 5-Eyes partnership between the US, the UK, Canada, Australia and New Zealand, this documents uses the term in its original sense, being the relationship between the signals intelligence agencies of the United States (NSA) and the United Kingdom (GCHQ).

As this is a highly sensitive issue, the document is almost entirely redacted: 11 out of 14 pages are witheld in full, while of the remaining 3 pages also large portions have been redacted. The remaining portions are still interesting however, also because they confirm things we learned from the Snowden-revelations.

The text starts with saying that the UKUSA relationship is of "inestimable value to NSA and cannot be abandoned". But there are some weaknesses and understanding them would make NSA better able to "make some hard decisions about the future of the relationship." These weaknesses are of course redacted, but the main benefits for NSA are still readable:

- A "unique collection from GCHQ conventional sites, freeing US resources". This seems to be about data collection from undersee fiber-optic cables, which NSA also uses and therefore hasn't to invest in its own accesses to these kinds of data streams.


- NSA can also use something from the UK "where the US has none", but what exactly this is, is redacted. However, another declassified document says: "The UK has sites at strategic locations for collection that otherwise would be unavailable to the US." Some GCHQ accesses even exist "solely to satisfy NSA tasking".


- The "compatibility and interoperability of US & UK SIGINT systems" which makes it faster and easier to exchange content data, metadata and end products.


- A "strong analytic workforce, with a capability for independent interpretation of events" which saves US resources by division of efforts.

- An "especially competent cryptanalytic workforce". Another declassified document adds: "GCHQ is NSA's only peer in the field of cryptomathematics and virtually all major advances within the field of cryptography have occurred as a result of our mutual sharing."

- The "pooling of resources on key technical projects during austere fiscal periods" - again financial reasons, showing how much NSA is apparently bothered with money issues despite their annual budget of over 10 billion US dollar in 2013.

- And finally, as the perhaps most important benefit the document says that the UK has "a record of supporting the US as an ally in confronting world problems".


According to another unredacted part of the document, NSA worried about the large numbers of integrees that NSA and GHCQ exchanged, who took on more and more tasks and responsibilities. GCHQ for example wished to place an integree in G2/SA (a unit in the former NSA division responsible for non-communist countries), but this was rejected "as it would give GCHQ insight into certain sensitive operations we do not share."

Another unredacted part makes clear that the Americans were also concerned about the increasing number of electronic communications interfaces between NSA and GCHQ, which had been established "based on a myriad of decisions at various levels within NSA". The question was asked: "Should there be a common NSA position on the number and kind of electronic interfaces between NSA and GCHQ? Should the number be driven by NSA design or by GCHQ needs?"




The UKUSA partnership

The same FOIA request by Privacy International and MFIA also resulted in the declassification of a larger batch of documents related to the US-UK relationship, including ones that date back to the early 1950s and recall the origins of this unique intelligence partnership.

It began with the UKUSA Agreement, which was signed on March 5, 1946 by Col. Patrick Marr-Johnson, British Army General Staff, for and in behalf of the London Signal Intelligence Board (LSIB), and by Lt. Gen. Hoyt S. Vandenberg, GSC, Senior Member, for and in behalf of the State-Army-Navy Communications Board (STANCIB).

Canada had hoped to be a third signatory of the UKUSA Agreement but that didn't happen. Eventually a separate CANUSA agreement between Canada and the United States was "presumably signed in 1949" after the British LSIB saw no objection.*

After a first tripartite conference was held with the Australian Defence Signals Branch (DSB) in September 1953, Appendix J (about the "collaboration with commonwealth countries other than the U.K.") and Annexure J1 of the UKUSA Agreement were revised and these were signed by New Zealand in January 1956 and by Australia in May 1956.

The relationship between these five partner agencies continued to be governed by the original UKUSA agreement from 1946, supplemented by a range of appendices and an array of Memoranda of Understanding (MoU) and Divisions of Effort (DoE). However, NSA was apparently not able to locate, let alone produce, most of these additional documents.

The various kinds of data and intelligence that NSA and GCHQ exchange under the UKUSA partnership are listed in yet another declassified document:


Exchange of intelligence between NSA and GCHQ
(click to enlarge)


In November 1993, the NSA's Deputy Director of Operations (DDO) initiated a review of the UKUSA Exchange Agreement "to include a list of what is not currently exchanged with the British, what we should not exchange in the future, and new things that should be exchanged in the future".

Finally, a document from the Snowden trove says that in the same year, the original bilateral relationships between the US and the individual Second Party countries were turned into a "group (5-EYES) partnership" which in 1998 got a coordinating body called the Joint Executive for SIGINT Operability (JESI).




Links
- Lawfare: Newly Disclosed NSA Documents Shed Further Light on Five Eyes Alliance (March 2019)
- Privacy International: Privacy International v. NSA et al. (US 5EY FOIA)


June 29, 2019

The NSA's regional Cryptologic Centers



For many years, the US National Security Agency (NSA) was identified with its almost iconic dark-glass cube-shaped headquarters building at Fort Meade in Maryland.

Only when Edward Snowden stepped forward in 2013, the public learned that there's also a large NSA facility in Hawaii - which is actually one of four regional centers spread across the United States.

- History of the NSA's Cryptologic Centers

- Cryptologic Centers inside the US: Hawaii - Georgia - Texas - Colorado

- Cryptologic Centers outside the US: Europe - Afghanistan




History of the NSA's Cryptologic Centers

The history of the NSA's regional operation centers is described in the 60th Anniversary Book of the agency from 2012:

"In the 1970s and 1980s, NSA leadership grew concerned over the centralization of functions at Fort Meade. Partially prompted by the need to find adequate space for its personnel and equipment, the Agency began to look at moving some assets away from the Fort Meade area.

In this light, in 1980 a Remote Operating Facility (ROF) at Kunia was established on the Hawaiian island of Oahu. Although living costs were high there, Kunia had the advantage of proximity to the Commander in Chief, Pacific (CINCPAC).

In the late 1980s, the cryptologic leadership began developing the Regional Security Operations Center (RSOC) concept. Proven computer and communications technology allowed NSA to delegate SIGINT authority to these regional centers, thus avoiding an overconcentration in the Washington area.

Under the RSOC doctrine, each center would be "hosted" by one of the military services so that all services could be represented.

In 1995 the centers opened and NSA began to transfer missions to them. The Kunia facility was given a new status as an RSOC.

Over the next decade, the RSOCs evolved from limited operations centers into mini "regional NSAs" in Georgia, Texas, Hawaii and Colorado with the following mission benefits:
• Consolidation of cryptologic operations
• Dispersion of facilities from the Washington, D.C. area
• Capability of serving as alternate communications centers
• Representation of all military services.
The concept of "regional NSAs" was reinforced when NSA suffered a massive computer outage early in 2000, and the RSOCs, as components that could operate independently, picked up the essential missions until NSA was back in full operation. Today all four centers, now known as Cryptologic Centers, are operational, expanding, and provide redundancy in the event of an emergency.



Cryptologic Centers inside the US

Officially acknowledged and listed on the NSA's official website are the four Cryptologic Centers which are located inside the United States. Especially those in Hawaii, Texas and Georgia are fairly large facilities with a few thousand employees each and consisting of both operations and data centers.

The Cryptologic Centers in Hawaii, Texas and Georgia each cover a geographically defined part of the earth, while the Cryptologic Center in Colorado is responsible for air and space based collection systems.


NSA/CSS Hawaii (NSAH)

- Established in 1980 as a Remote Operating Facility (ROF), which was turned into the Kunia Regional Security Operations Center (KRSOC) in 1995 and became a Cryptologic Center in 2005. Initially located in the Kunia Tunnel complex in Honolulu, Hawaii.

- Currently located in the Joseph J. Rochefort building, a $ 358 million and 250,000 square-foot complex near Wahiawa in Honolulu that was opened in January 2012.

- Hosted by the US Navy.

- About 3300 military and civilian employees.

- Area of responsibility: the Pacific Rim and Far East, Southeast and Southwest Asia.

- Supports the Indo-Pacific Command of the US Armed Forces.

- SIGAD: USJ-750

- See also: Wikipedia - Cryptome - Cryptome - CBS News


The Joseph J. Rochefort Building of NSA/CSS Hawaii in Honolulu, Hawaii (2019)
(still from CBS News - click to enlarge)



NSA/CSS Georgia (NSAG)

- Established in 1995 as the Ft Gordon Regional Security Operations Center (GRSOC) and turned into a Cryptologic Center in 2005. Initially located at Fort Gordon in Augusta, Georgia.

- Currently located in the John Whitelaw building, a $ 286 million and 604,000 square foot complex that was opened in March 2012.

- Hosted by the US Army

- Some 4000 employees

- Area of responsibility: Europe, North Africa, the Middle East, the Near East and the Persian Gulf.

- Supports the European Command and the Central Command of the US Armed Forces

- NSAG also includes the alternate National Security Operations Center (NSOC, project DECKPIN) which serves as a back-up for the NSOC at NSA headquarters.

- SIGADs: USN-18 and USJ-800

- See also: Wikipedia - Cryptome - SIDtoday


The John Whitelaw Building of NSA/CSS Georgia at Fort Gordon (2012)
(photo: NSA - click to enlarge)



NSA/CSS Texas (NSAT)

- Established in 1995 as the Medina Regional Security Operations Center (MRSOC) and turned into a Cryptologic Center in 2005. Initially located on the Medina Annex of Lackland Air Force Base near San Antonio, Texas.

- In 2005, the NSA acquired a former Sony chip fabrication plant in the Northwest Side of San Antonio for $ 30.5 million and invested as much as $ 300 million to transform the 470,000 square feet complex into the current Texas Cryptologic Center (TCC).

- Hosted by the US Air Force.

- Probably some 6000 military and civilian employees.

- Area of responsibility: Middle and South America, the Caribbean and the Atlantic littoral of Africa.

- Supports the Southern Command and the Central Command of the US Armed Forces.

- SIGADs: USN-26 and USJ-783

- See also: Wikipedia - Cryptome - Cryptome


NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther - click to enlarge)



NSA/CSS Colorado (NSAC)

- Established around 2002 as the Denver Security Operations Center (DSOC) and turned into a Cryptologic Center in 2005.

- Initially located in temporary buildings at the Aerospace Data Facility at Buckley Air Force Base in Aurora, near Denver, Colorado. In 2012, a new $ 141 million building was planned to provide space for 850 NSA employees .

- NSA's primary production center for Weapons and Space (W&S) targets and Technical Signals Intelligence (TechSIGINT).

- Co-located with the joint NSA-NRO Overhead Collection Management Center (OCMC) which manages spy planes and spy satellites.

- SIGAD: USJ-751

- See also: Wikipedia - SIDtoday - SIDtoday


The Aerospace Data Facility at Buckley Air Force Base in Aurora, Colorado
(click to enlarge)


Shore support

According to a document from the Snowden cache, the Cryptologic Centers in Hawaii, Texas and Georgia also have a Fleet Information Operation Centre (FIOC), each of which include a Maritime Cryptologic Integration Centre (MCIC).

These MCICs are responsible for so-called cryptologic shore support: providing technical SIGINT information to cryptologic teams embarked in mobile sea, air and land units. A fourth MCIC is based at RAF Digby in Lincolnshire in the United Kingdom.


Cyber defense

The Cryptologic Centers not only process and analyze collected data, but also include a regional NSA/CSS Threat Operations Center (NTOC). These combine the NSA's Signals Intelligence (SIGINT) and Information Assurance (IA) missions in order to detect cyber threats against vital computer networks of the US Defense Department.

It was at the NTOC of the Cryptologic Center in Hawaii that Snowden had his last and only analytical job as an infrastructure analyst tracking Chinese hackers.


Hacking operations

As described in several editions of the internal newsletter SIDtoday, the NSA's hacking division TAO started to conduct Computer Network Exploitation (CNE) operations also from the cryptologic centers, first in 2004 in Hawaii, followed in 2006 by Texas and Georgia. In 2008, NSA/CSS Texas had some 60 TAO operators, a number that was planned to rise to 270 in 2015.



The TAO hacking unit at the NSA/CSS Texas Cryptologic Center
(source: NSA Texas presentation - click to enlarge)



Cryptologic Centers outside the US

Not officially acknowledged are the Cryptologic Centers which are located outside the United States. From the Snowden revelations we know the existance of the following two centers, which are much smaller than those inside the US and also process and disseminate data and information from the NSA's Second and Third Party partners.


European Cryptologic Center (ECC)

- Established in April 2004 as the European Security Center (ESC) and turned into the European Security Operations Center (ESOC) in July 2006. In May 2011 it became a Cryptologic Center and got its own NTOC.

- Initially located at the Dagger Complex of the US Army outside Griesheim, near Darmstadt in Germany.

- In 2016, the ECC moved to the newly built $ 91 million Consolidated Intelligence Center (CIC) with a $ 30.4 million Information Processing Center (IPC) at the Lucius D. Clay Barracks near Wiesbaden in Germany.

- Hosted by the US Army Intelligence and Security Command (INSCOM).

- Some 240 military and civilian personnel (in 2011).

- Operations focused at counter-terrorism and supporting military operations in the Middle East and North Africa (MENA).

- Supports the European Command and the Africa Command of the US Armed Forces.

- SIGADs: USM-44 (ESC) and USJ-753

- See also: Wikipedia - Electrospaces.net


The European Cryptologic Center (ECC) near Griesheim in Germany (2014)
(Photo: AP - click to enlarge)



Afghanistan Regional Operations Cryptologic Center (A-ROCC)

- Established in October 2009 and fully operational in the Winter of 2010.

- Located in 17,000 square-foot office spaces at Area 82 of Bagram Airfield near Kabul in Afghanistan.

- Over 250 employees, 120 of whom linguists (in 2009), including personnel from all countries participating in the Afghanistan SIGINT Coalition (AFSC).

- Supports US and Coalition forces throughout Afghanistan.

- See also: SIDtoday - The Intercept


The buildings of the A-ROCC at Area 82 of Bagram Airfield near Kabul (2010)
(source: GCHQ presentation - click to enlarge)


There may be other, smaller Remote Operations Cryptologic Centers (ROCCs) as before the large A-ROCC was established there was a ROCC in place since 2005 mainly supporting the Regional Command-East of ISAF.



May 17, 2019

Daniel Hale arrested for being the source of The Drone Papers

(Updated: May 21, 2019)

Since the start of the Snowden revelations in June 2013, there have been more than 25 publications based upon classified documents provided by other leakers than former NSA contractor Edward Snowden.

Now, former intelligence analyst Daniel E. Hale has been identified as the source of six of these non-Snowden leaks. He was arrested on May 9 and charged with providing classified documents to the website The Intercept.

The case is highly remarkable, first because the FBI already found out Hale's identity almost five years ago and did not even arrest him when The Intercept published The Drone Papers in October 2015. Secondly, Hale did just as little to stay out of the picture: he featured in a documentary around the time the FBI raided his home.



Some of the slides and documents which Daniel Hale leaked to The Intercept
The abbreviations in the center slide are explained here
(click to enlarge)



Intelligence career


Daniel Everette Hale was born in 1987, is now 31 years old and living in Nashville, Tennessee. Despite his ideological disagreements with the military, he joined the US Air Force in July 2009 out of desperation because he was homeless. At the Air Force, he became a language analyst and was assigned to work at the National Security Agency (NSA) from December 2011 to May 2013.

From March to August 2012, Hale was deployed as an intelligence analyst in support of a task force of the Joint Special Operations Command (JSOC) at Bagram Airfield in Afghanistan, where he was mainly responsible for identifying and tracking targets for the drone program. He left the Air Force in July 2013.

From December 2013 to August 2014, he worked for the defense contractor Leidos (formerly SAIC), for which he was assigned to the National Geospatial-Intelligence Agency (NGA), which derives intelligence from geographical data and aerial and satellite imagery. There, Daniel Hale worked as a political geography analyst, for which he held a Top Secret/SCI clearance, just like for his previous job.



The 1.8 billion US dollar headquarters building for the ca. 16,000 employees of
the National Geospatial-Intelligence Agency in Fort Belvoir, Virginia
(photo: Marc Barnes/U.S. Army Corps of Engineers)


Contact with Scahill


Already in April 2013, almost two months before the start of the Snowden revelations, Hale used his unclassified work computer at the NSA to search for information on Jeremy Scahill, who then worked for Amy Goodman's news program Democracy Now!. In October 2013, Scahill would join Glenn Greenwald and Laura Poitras to establish the investigative website The Intercept.

On April 29, Hale attended a presentation of Scahill's book "Dirty Wars: The World Is a Battlefield" about the drone killings program under president Obama. The next day, Hale used his Top Secret NSA computer to search for classified information about people and issues about which Scahill wrote, according to the indictment.

Investigators had been able to retrieve Hale's text messages and found one which he sent to a close friend in May 2013, which read: " [Scahill] wants me to tell my story about working with drones at the opening screening of his documentary about the war and the use of drones."

On June 8, Hale was again present at a book presentation, where he was seen and recorded on video (see below) sitting right next to Scahill. In the next months they contacted eachother by phone and by e-mail.

Although Hale had already used his classified work computer for searching about related topics, there are no indications that he was already planning to steal and leak classified documents, at least before September 2013, when Scahill asked him to set up a Jabber account for encrypted chat conversations.



Book presentation at Busboys & Poets in Washington, DC on June 8, 2013,
with Jeremy Scahill (center) and Daniel Hale (right)



Printing classified documents


According to the indictment, Daniel Hale used his classified work computer at the National Geospatial-Intelligence Agency (NGA) to print classified documents for the first time on February 28, 2014 and he continued to do so until August 5, 2014.

In total, he printed 36 documents, including four duplicates. Nine documents were related to his work at NGA, but 23 did not. Hale provided at least 17 of these 23 documents to Scahill and/or The Intercept, which published them in whole or in part between July 2014 and December 2016:




A table from the indictment listing the 23 documents that Daniel Hale
printed at the NGA and were not related to his work.
(click to enlarge)


In an earlier posting on this weblog, I listed 28 revelations at various media platforms, accompanied by one or more leaked documents that were not attributed to Edward Snowden.

Trying to identify their source, I assumed that a then unknown "source nr. 3" was responsible for the documents that were scanned from paper and with a more or less military content:

Source nr. 3 (someone from US military intelligence?)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
- FBI & CBP border intelligence gathering

Comparing the dates of these six publications with those in the table from the indictment leads to the following conclusions:

- Daniel Hale provided the documents for the first five revelations I attributed to Source nr. 3: from the "NCTC watchlisting guidance", which was published by The Intercept on July 23, 2014, to the "Cellphone surveillance catalogue" from December 17, 2015.

- The 14 original documents about "FBI & CBP border intelligence gathering", which I assumed could also have been provided by source nr. 3, are actually not among those that Hale printed out. Therefore, those files have to be leaked by someone else, probably an FBI or CBP employee.

- The indictment lists four unclassified documents (O, P, Q and R) and says these were published in December 2016, but so far no one seemed aware of a similar intelligence or national security revelation in that month.


Clapper's blog

Looking for articles that Jeremy Scahill published in December 2016 led me to a short story about James Clapper's blog called Intercept. It's indeed based upon four unclassified documents, which are again scanned from paper: a screenshot of a blog post from May 29, 2013, handwritten letters to and from Clapper and a few comments on that blog post.

This blog post is just a curiosity compared to the other documents, so it seems the only reason that Hale printed this out, is that the main comment, posted under the nickname "Wormy", is his own. The comment warns against increasing restrictions on civil liberties, with arguments based upon the US Constitution and the Bill of Rights - it reminds of how Snowden usually argues.



The documents leaked by Daniel Hale and published by The Intercept
(click to enlarge)



Raided by the FBI


On August 8, 2014, right after Daniel Hale's assignment at the NGA had ended, the FBI raided his home. This was just three days after he had printed out his last document at the NGA and some two weeks after The Intercept published its first article based upon his material, which means the FBI identified and found him rather quickly.

At his home, FBI agents found a thumb drive with the TOR software and the TAILS operating system, both used for anonymous internet communications. Also found was the unclassified (and unpublished) document T on his computer and one page of document A, which was classified Secret and published in October 2015, on a thumb drive.

Why Hale brought these files in digital form to his home, after having already printed the documents at his work place at the NGA, is not clear, but it was careless and unnecessarily risky.

It is not known how exactly Hale was traced, but a tweet from his lawyer, Jesselyn Radack seems to suggest that The Intercept failed at their source protection. That would be their third time, because NSA linguist Reality Winner and former FBI agent Terry Albury had already been arrested due to The Intercept's sloppyness.

But Daniel Hale was bad at operational security (OPSEC) too and did little to stay out of the picture: already in November 2013 he began speaking out publicly against the government's drone program at the "Ground the Drones" summit organized by Code Pink, where he apologized for his own participation in the program.

In January 2014, Hale also spoke at a rally outside the White House against the Guantanamo Bay prison camp. Again very similar to Snowden, who organized a Crypto Party while he was working for the NSA in Hawaii.

The big difference is that Hale just took a handful of selected documents that he thought were in the public interest, while Snowden (and Manning) acted just like the NSA: "collect before you select."



Featuring in National Bird


And just like Edward Snowden was being recorded on camera when his leaks came out in Laura Poitras' film Citizenfour, Daniel Hale was being interviewed for the drone whistleblower documentary National Bird around the time the FBI raided his home.

In National Bird it's mentioned that Hale was being investigated under the Espionage Act, allegedly because he was seen as a source for information about the drone program. The Intercept had already begun publishing the files he stole at the NGA, but of course Hale did not admit that on camera.

He just pretended that he didn't knew the reason for the investigation: it might had to do with the fact that he had worked for intelligence agencies and that he was politically active, which could have made the government suspicious.

Right after the release of National Bird in February 2016, at least some people must have noticed that Daniel Hale would make a perfect fit for being the source of The Drone Papers, but it seems they all kept quiet.



The full version of the 2016 documentary National Bird with German voice-over



Featuring in Citizenfour


Almost two years before Hale himself could be seen in National Bird, the information he leaked already appeared in Laura Poitras' film Citizenfour, which was released in October 2014. It shows Glenn Greenwald visiting Snowden in Moscow, telling him about a new source and writing the most sensitive details on sheets of paper.

When the camera zoomed in on the notes, it could be seen that the new source provided information about the chain of command for the drone strikes, the fact that their signals are relayed through Ramstein AFB in Germany (which would cause "a huge controversy") and that some 1.2 million people are in one way or another on a government watch list.

When Snowden expressed his concerns about the safety of the source, Greenwald reassured that they were "very careful in handling the source." Maybe they tried during the time Hale was handing over the documents, but given their prior non-secure contacts and Hale's public appearances, it was already too late for a sufficient source protection.



Glenn Greenwald informing Edward Snowden about The Intercept's new source
(still from the documentary film Citizenfour)


Interesting is that just before the scene in the Moscow hotel room, Citizenfour shows Jeremy Scahill talking to Bill Binney, former technical director of the NSA's World Geopolitical and Military Analysis Reporting Group, about how to handle confidential sources.

Binney gives the advice that the best way to talk to such sources is like Bob Woodward and Deep Throat did: meet physically in the basement of a parking garage.

We can assume that Daniel Hale met in a similar way with Scahill to hand over the documents he had printed out at the NGA. It's not clear though whether the conversation with Binney was recorded before or after these meetings, so at least Binney's advice was also meant for any future leakers.


Mission

For the relation between Hale and The Intercept the advice had come too late, and both must have known that, so apperently both were too eager to go along with publishing the files.

For The Intercept, the drone program seems to present the most clear and direct link between the NSA and actual illegal killings - despite the fact that these operations were actually run by the CIA, before Obama tried to transfer them to a military command.

Also, one of the slides leaked by Hale says that drone strikes will only occur when the presence of the target is based upon two forms of intelligence and all parties involved, being the local Task Force, the Geographic Combatant Command, the US Ambassador, the CIA Station Chief and the government of the host nation, have to concur or no strike occurs.

For Daniel Hale it may have become a moral mission to inform the public about the secret details behind the drone program and maybe this was also his way of making up his own involvement in the program during his time in Afghanistan.


Trial

Hale will appear before a judge on May 17. Under the Espionage Act of 1917, which doesn't distinguish between providing information to enemies or to the press, he can be sentenced to up to a maximum of 50 years imprisonment.

At least he has one of the best (and expensive) defense attorneys: Abbe Lowell, who recently represented Trump's son-in-law Jared Kushner(!), and who apparently does Hale's case pro bono.



Links and sources

- Intercepted Podcast: The Espionage Axe: Donald Trump and the War Agianst a Free Press
- Emptywheel: On the Curious Timing of Daniel Everette Hale’s Arrest
- Mint Press News: Another Whistleblower Bites the Dust as The Intercept Adds a Third Notch to Its Burn Belt
- The Washington Post: Former intelligence analyst charged with leaking drone details to news outlet
- Lawfare Blog: German Courts Weigh Legal Responsibility for U.S. Drone Strikes
- Zone d'Intérêt: U.S. Intelligence Support to Find, Fix, Finish Operations
- The Drone Papers: Acronyms, abbreviations, and initialisms


April 27, 2019

The Snowden files: where are they and where should they end up?

(Updated: May 30, 2019)

Last month, The Intercept shut down access to the Snowden documents both for internal and external research. But where are these files in the first place, and what should be their future destination? During a podcast interview last Monday, Snowden himself also commented on this issue.





Screenshot from a Brazilian television report, showing some of the Snowden files
opened in a TrueCrypt window on the laptop of Glenn Greenwald.
(screenshot by koenrh - click to enlarge)
 


The Intercept

The Intercept is a website that was launched in February 2014 by Glenn Greenwald, Laura Poitras and Jeremy Scahill. It was the first digital magazine of First Look Media (FLM), a hybrid for-profit and non-profit media organization set up in October 2013 by eBay-founder Pierre Omidyar.

(Greenwald already came up with the idea for a dedicated website in June 2013 in case that The Guardian would not publish his first Snowden story)

The short-term mission of The Intercept was to "provide a platform and an editorial structure in which to aggressively report on the disclosures provided to us by our source, NSA whistleblower Edward Snowden."

For the long term, The Intercept wants to provide "aggressive and independent adversarial journalism across a wide range of issues, from secrecy, criminal and civil justice abuses and civil liberties violations to media conduct, societal inequality and all forms of financial and political corruption."


External research

For its short-term mission, The Intercept had a special team of several researchers to maintain and examine the Snowden files in a secure way. Initially, documents were only published alongside the articles written by Glenn Greenwald, Jeremy Scahill, Ryan Gallagher and other reporters.

In May 2016, The Intercept also began publishing NSA documents in bulk, starting with all editions of SIDtoday, the internal newsletter of the NSA's Signals Intelligence division, which are available from 2003 to 2012. So far, a total of 1861 editions have been published in seven batches. It's not clear whether this series will be completed.
Update: On May 29, 2019, The Intercept published an eighth and final batch consisting of 287 SIDtoday articles from late 2006, bringing the total to 2148 editions of this newsletter.

Also in may 2016, it was decided to "invite outside journalists, including from foreign media outlets, to work with us to explore the full Snowden archive", to begin with journalists from the French newspaper Le Monde:
"Le Monde worked directly, during several days, in collaboration with The Intercept, on the Edward Snowden archive given to Glenn Greenwald and Laura Poitras: tens of thousands of documents exfiltrated by the former agent from the NSA servers, and safely stored by The Intercept."

As a result of this collaboration, Le Monde published a series of six articles in December 2016, mainly about GCHQ spying operations against Israel and in Africa. It seems there have been no similar collaborations with other foreign journalists.


The decision

With its first mission apparently accomplished, The Intercept will now move forward with its long-term mission: "For five years, the company expended substantional resources to continue to report on the Snowden archive, but The Intercept has now decided to focus on other priorities" - according to First Look Media CEO Michael Bloom.

How this decision was made can be learnt from a reconstruction made by Barrett Brown, which includes a timeline written by Laura Poitras:
On Tuesday March 12, on a phone call with Glenn [Greenwald] and the CFO, I am told that Glenn and Betsy [Reed, editor-in-chief of The Intercept] had decided to shut down the archive because it was no longer of value to The Intercept. This is the first time I am heard about the decision. On the call, Glenn says we should not make this decision public because it would look bad for him and The Intercept. I objected to the decision. I am confident the decision to shut the archive was made to pave to fire/eliminate the research team.

The next day, March 13, Poitras sent an e-mail to Michael Bloom saying she was "sickened" and in a memo she called on the board to review the decision: "This decision and the way it was handled would be a disservice to our source, the risks we’ve all taken, and most importantly, to the public for whom Edward Snowden blew the whistle."

This e-mail was leaked to the news website The Daily Beast, which reported about it the same day. This was likely the way how Edward Snowden heard of it, as in the Motherboard podcast interview from April 22 he said that he learnt about The Intercept's decision from the news.

On March 14, Snowden was called by Laura Poitras: "He had not been informed by Glenn or Betsy about their decision to shut down the archive. I apologize to him."


The reason

Given that firing The Intercept's research team saves only 1.5% of First Look Media's non-profit budget, some people suspected that there may be other reasons for shutting down the Snowden archive. Pierre Omidyar, for example, could have preferred to keep his good relations with the US government.

Michael Bloom however says that the remaining documents aren't interesing enough anymore, and points to the fact that other major media outlets "ceased reporting on it years ago. Many decided that the resources required to continue to work on the archive were not justified by the journalistic value the remaining documents provide, as those documents have aged."

In 2013, The Guardian, The Washington Post and Der Spiegel each had between 10 and 30 reports based upon the NSA files, but that number declined to just a few in 2015 and since 2016 it was basically only The Intercept that continued with new reports, but these were mainly background stories without significant revelations.



Office of First Look Media (FLM) in New York City
(photo: TheMuse.com)
 


Copies of the Snowden files

The actual number of documents that Snowden took away from the NSA is still unclear and disputed. According to the 2016 report from the US House Intelligence Committee, he removed more than 1.5 million documents from two classified networks: NSANet and JWICS.

(Strangely enough, the House Intelligence report says that JWICS stands for "Joint Warfighter Information Computer System" while the actual name of the network is Joint Worldwide Intelligence Communications System)

Glenn Greenwald said that the number of 1.5 million was "pure fabrication" and probably he could agree with former NSA director Keith Alexander who in November 2013 estimated that Snowden had exposed only between 50,000 and 200,000 documents.


Full copies of the files

As far as we know, complete sets of these documents are in the hands of:
- Glenn Greenwald (received from Snowden in Hong Kong)
- Laura Poitras (received from Snowden in Hong Kong)

Greenwald and Poitras agreed that no one other than they would ever have access to the full set of documents. And to "keep media organizations on a leash" they would only provide them with files and information on a story-by-story basis.

Four other people also received copies of the full archive, because on May 10, 2013, so more than a week before he left Hawaii, Snowden had sent backup copies of the NSA files in postal packages to four individuals:
- Jessica Bruder in New York, who had her package hidden by Dale Maharidge in North California
- Trevor Timm of the Freedom of the Press Foundation (of which Snowden became board member in 2014 and president in 2016)
- One person who wants to remain private
- One unknown person

The existence of these packages, which was only revealed in May 2017, confirms the story from late June 2013 about a "doomsday cache" which Glenn Greenwald said was Snowden's Plan B.

According to Greenwald, the people holding the backup files "cannot access them yet because they are highly encrypted and they do not have the passwords." But "if anything happens at all to Edward Snowden, he told me he has arranged for them to get access to the full archives."

During a television interview shortly afterwards, Greenwald said that backup copies might also be somewhere out on the internet, but given Snowden's fear of putting sensitive things online that may have been a slip of the tongue, or deliberately deceiving.

There are also people who have not been in possession of any documents, but who were temporarily granted full access to the whole cache, like James Bamford, The Intercept's research team and some others.



Glenn Greenwald working with the Snowden files outside his house in Rio de Janeiro
(screenshot from a television report by Fantastico)


Partial copies of the files

Besides the complete sets of Snowden files, there are several parties that keep, or have kept partial copies:
- The Guardian (received from Snowden by Ewan MacAskill)
- ProPublica (received from The Guardian)
- The New York Times (received from The Guardian)
- The Washington Post (received from Snowden by Barton Gellman)
- Der Spiegel (received from Laura Poitras)*

Being under threat from the British government, The Guardian rescued their set of documents by providing copies to The New York Times and the investigative journalism platform ProPublica, where they would be better protected under the First Amendment of the US constitution.

The Guardian's own set was eventually physically destroyed in front of GCHQ technicians on July 20, 2013:



Video showing the destruction of the laptop containing The Guardian's Snowden files


The German magazine Der Spiegel published a total of 89 documents from their share of the Snowden trove, including ones that were not disclosed as part of earlier reporting. A first set of 53 documents was released on June 18, 2014 and a second set of another 36 documents on January 17, 2015.

Besides the news outlets with their own partial copies, Greenwald and The Intercept also shared selected documents from the Snowden cache with teams of journalists of more than two dozen media outlets in as many different countries.

> It should be noticed that a range of highly classified NSA documents have been published which came from other sources than Edward Snowden; see: Leaked documents that were not attributed to Snowden.


Protection of the files

In order to protect the Snowden files, only brand new laptops with no connection to the internet are used to search, sort and read them. It's not clear whether the files themselves are also stored on these laptop computers, or only on removable storage devices, like a thumb drive or an SD card.

In a 2013 Brazilian television report, Glenn Greenwald was seen using some thumb drives and a standard SD card while working with the Snowden documents.

In another television report we could even see the screen of Greenwald's laptop with several of the BOUNDLESSINFORMANT documents being opened in a TrueCrypt window. TrueCrypt was a software application used to fully or partially encrypt hard drives and removables drives using the AES, Serpent and Twofish ciphers.

Data on the external hard drive that Greenwald's partner David Miranda was carrying when he was detained at Heathrow Airport in August 2013 was reportedly also encrypted with TrueCrypt.



Glenn Greenwald working with the Snowden files outside his house in Rio de Janeiro
(screenshot from a television report by Fantastico)
 


The future of the files

What can or should happen with the Snowden files? Wikileaks, Cryptome and many others demanded that all the documents should be released to the public. But Snowden did not want an indiscriminate dump like how Manning's files were eventually published on Wikileaks. Instead, he insisted on responsible disclosures by independent journalists.

Accordingly, Glenn Greenwald stressed that the NSA files should "be released in conjunction with careful reporting that puts the documents in context and makes them digestible to the public, and that the welfare and reputations of innocent people be safeguarded."

The reality has actually been somewhat different: in many cases, press reports lacked a proper context, were sensationalist or even misleading because of misinterpretations. And while protecting the reputations of individuals, that of the NSA seemed "fair game".


First Look Media's CEO Michael Bloom hoped "that Glenn and Laura are able to find a new partner - such as an academic institution or research facility - that will continue to report on and publish the documents in the archive consistent with the public interest" and Greenwald tweeted that he was already looking for "the right partner [...] that has the funds to robustly publish."

But money seems not the problem: if there's one place with enough money than it's First Look Media, which was funded by eBay billionaire Omidyar with some 87 million US Dollar between 2013 and 2017 (of which Greenwald earned more than 1.6 million USD from 2014 to 2017).


In the Motherboard interview, Snowden said that "what remains in the archive is stuff that requires much more substantial effort" which would be better for a book. He said that The Intercept wasn't meant for that and that it was up to academic institutions, but they didn't dare because they depend on grants from the federal government.

Snowden also argued that handing over the files to a foreign academic institute was also not an option because then the US government would come up with the accusation of providing classified information to foreigners.

But when it's so hard to find a well-funded institution for further research and responsible publications and the final option of deleting all the files comes closer, it's also not unthinkable that someone will try to "rescue" the archive by putting everything online. After all, there have been other disclosures that were not in accordance with Snowden's intentions.



Links and sources
- Justice Integrity Project: Snowden archives at great risk — As alarming as Assange's arrest
- Barrett Brown: Why The Intercept Really Closed the Snowden Archive
- Tim Shorrock: Why Did Omidyar Shut Down The Intercept’s Snowden Archive? - Part 2 - Part 3
- Bruce Schneier: First Look Media Shutting Down Access to Snowden NSA Archives
- Columbia Journalism Review: The Intercept, a billionaire-funded public charity, cuts back
- The Daily Beast: The Intercept Shuts Down Access to Snowden Trove
- The Intercept: The Intercept is Broadening Access to the Snowden Archive. Here's why