Permanent Record(67)
I always enjoyed teaching—certainly more than I ever enjoyed being a student—and in the early days of my disillusionment, toward the end of Japan and through my time at Dell, I had the sense that were I to stay in intelligence work for the rest of my career, the positions in which my principles would be least compromised, and my mind most challenged, would almost certainly be academic. Teaching with JCITA was a way of keeping that door open. It was also a way of keeping up to date—when you’re teaching, you can’t let your students get ahead of you, especially in technology.
This put me in the regular habit of perusing what the NSA called “readboards.” These are digital bulletin boards that function something like news blogs, only the “news” here is the product of classified intelligence activities. Each major NSA site maintains its own, which its local staff updates daily with what they regard as the day’s most important and interesting documents—everything an employee has to read to keep current.
As a holdover from my JCITA lecture preparation, and also, frankly, because I was bored in Hawaii, I got into the habit of checking a number of these boards every day: my own site’s readboard in Hawaii, the readboard of my former posting in Tokyo, and various readboards from Fort Meade. This new low-pressure position gave me as much time to read as I wanted. The scope of my curiosity might have raised a few questions at a prior stage of my career, but now I was the only employee of the Office of Information Sharing—I was the Office of Information Sharing—so my very job was to know what sharable information was out there. Meanwhile, most of my colleagues at the Tunnel spent their breaks streaming Fox News.
In the hopes of organizing all the documents I wanted to read from these various readboards, I put together a personal best-of-the-readboards queue. The files quickly began to pile up, until the nice lady who managed the digital storage quotas complained to me about the folder size. I realized that my personal readboard had become less a daily digest than an archive of sensitive information with relevance far beyond the day’s immediacy. Not wanting to erase it or stop adding to it, which would’ve been a waste, I decided instead to share it with others. This was the best justification for what I was doing that I could think of, especially because it allowed me to more or less legitimately collect material from a wider range of sources. So, with my boss’s approval, I set about creating an automated readboard—one that didn’t rely on anybody posting things to it, but edited itself.
Like EPICSHELTER, my automated readboard platform was designed to perpetually scan for new and unique documents. It did so in a far more comprehensive manner, however, peering beyond NSAnet, the NSA’s network, into the networks of the CIA and the FBI as well as into the Joint Worldwide Intelligence Communications System (JWICS), the Department of Defense’s top-secret intranet. The idea was that its findings would be made available to every NSA officer by comparing their digital identity badges—called PKI certificates—to the classification of the documents, generating a personal readboard customized to their clearances, interests, and office affiliations. Essentially, it would be a readboard of readboards, an individually tailored newsfeed aggregator, bringing each officer all the newest information pertinent to their work, all the documents they had to read to stay current. It would be run from a server that I alone managed, located just down the hall from me. That server would also store a copy of every document it sourced, making it easy for me to perform the kind of deep interagency searches that the heads of most agencies could only dream of.
I called this system Heartbeat, because it took the pulse of the NSA and of the wider IC. The volume of information that crashed through its veins was simply enormous, as it pulled documents from internal sites dedicated to every specialty from updates on the latest cryptographic research projects to minutes of the meetings of the National Security Council. I’d carefully configured it to ingest materials at a slow, constant pace, so as not to monopolize the undersea fiber-optic cable tying Hawaii to Fort Meade, but it still pulled so many more documents than any human ever could that it immediately became the NSAnet’s most comprehensive readboard.
Early on in its operation I got an email that almost stopped Heartbeat forever. A faraway administrator—apparently the only one in the entire IC who actually bothered to look at his access logs—wanted to know why a system in Hawaii was copying, one by one, every record in his database. He had immediately blocked me as a precaution, which effectively locked me out, and was demanding an explanation. I told him what I was doing and showed him how to use the internal website that would let him read Heartbeat for himself. His response reminded me of an unusual characteristic of the technologists’ side of the security state: once I gave him access, his wariness instantly turned into curiosity. He might have doubted a person, but he’d never doubt a machine. He could now see that Heartbeat was just doing what it’d been meant to do, and was doing it perfectly. He was fascinated. He unblocked me from his repository of records, and even offered to help me by circulating information about Heartbeat to his colleagues.
Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat. It showed me not just the aims but the abilities of the IC’s mass surveillance system. This is something I want to emphasize: in mid-2012, I was just trying to get a handle on how mass surveillance actually worked. Almost every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance—the efforts to spy on American citizens, for instance, or on the leaders of America’s allies. That is to say, they were more interested in the topics of the surveillance reports than in the system that produced them. I respect that interest, of course, having shared it myself, but my own primary curiosity was still technical in nature. It’s all well and good to read a document or to click through the slides of a PowerPoint presentation to find out what a program is intended to do, but the better you can understand a program’s mechanics, the better you can understand its potential for abuse.