Mira Hotel lobby By WiNG [CC-BY-SA-3.0], via Wikimedia Commons

Unanswered Questions in NSA Disclosures

Could the real problem be Edward Snowden?

Over the weekend, the source of highly classified NSA documents provided to the Guardian and Washington Post outed himself in a video posted to the former’s website. Edward Snowden told a sobering story, of rising rapidly through the ranks of the intelligence community — from high school drop out to security guard to top adviser — within just a few years. He fled a $200,000-a-year job in Hawaii for Hong Kong, where he posted highly secretive documents exposing a massive surveillance operation on America’s telecom and internet companies.

There’s just one problem: A lot of his story doesn’t add up.

Almost immediately after the first stories were published, other reporters diging into the leaks and into Snowden’s back story highlighted discrepancies and inconsistencies in the narrative. One reporter found a real estate agent who said that Snowden’s house in Hawaii had been empty for weeks before he fled the country on May 20. Booz Allen Hamilton, Snowden’s employer for the three months leading up to his leak, disputed his reported salary, claiming it was 40 percent lower (they did not comment on other aspects of his employment).

The Guardian, which employs fact-checkers, either did not verify these details about Snowden’s story or did not report them. How could it have missed such seemingly basic details? And should this call into question other reporting about Snowden and his leaked documents?

Reports on one exposed program might already have been placed under scrutiny. The Post and Guardian stories at first detailed a massive collection program known as PRISM, but within 24 hours they were quietly edited to remove several false or misleading claims. The initial description of the program said that the NSA had “direct access” to the servers of Google, Apple, Facebook, and other large internet companies. Technology reporter Declan McCullagh investigated that claim and concluded it was untrue.

Later, reporter Marc Ambinder wrote that PRISM is not a secret eavesdropping program but rather a workflow management tool. Reams of public documents point to PRISM being used openly, not for spying on emails but for routine data management. In a 2006 document, posted by the Federation of American Scientists (FAS) and titled “Geospatial Intelligence (GEOINT) Basic Doctrine,” PRISM is defined as follows:

A web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements.

The U.S. Army Field Manual FM-3-55 also describes PRISM as a management tool, not a system for accessing server data:

PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers.

How could two respected newspapers get such important details wrong? In his account of interacting with Snowden, freelance reporter Barton Gellman says the leaker was in a rush to publish his purloined documents without going through any fact-checking or verification.

To effect his plan, Snowden asked for a guarantee that The Washington Post would publish — within 72 hours — the full text of a PowerPoint presentation describing PRISM, a top-secret surveillance program that gathered intelligence from Microsoft, Facebook, Google and other Silicon Valley giants. He also asked that The Post publish online a cryptographic key that he could use to prove to a foreign embassy that he was the document’s source.

Gellman declined to publish so quickly, and sought comment from the government. In response, Gellman writes, Snowden approached the Guardian to publish that PowerPoint. Upon learning this, Gellman and the Washington Post accelerated their publication process to try to avoid being scooped. Both papers, in their rush, wound up printing misleading stories about PRISM.

Both papers also made an interesting choice: They limited the scope of their reports. The PowerPoint presentation referring to PRISM is supposedly forty-one slides long, but both papers only published four. They have said the remaining thirty-seven could cause grave harm if they were ever published. In his video confessional, Snowden said that he doesn’t want to harm anyone, but that these programs needed to be exposed. If he was demanding full publication, what is in those remaining thirty-seven slides that gave the papers pause even while Snowden wanted them unveiled? Are the papers being overly conservative with their reporting, or does Snowden not fully understand the magnitude of the information he stole?

While some journalistic standards were compromised by Snowden’s moves, his actions also call into question the standards the government employs in the intelligence community. Michael Hayden, the former NSA chief, said on Monday that Snowden’s actions should have alerted people that he was planning to breach information. “It’s a broader culture problem; it’s a vetting problem,” he explained. Systems administrators are empowered with enormous trust; why was someone so open with his disdain for the intelligence community allowed to remain in such a crucial position?

Several people involved in the leak have said Snowden was planning the leak since at least January — two months before he took his job at the NSA. Did Snowden take his job at the NSA planning to steal documents and flee the country? If so, that raises serious questions about the vetting and personnel management within the intelligence community. It also raises doubts about Snowden’s own account of his decision to steal this information, which he claims took form after he began working for the NSA.

Finally, Snowden’s choice of safe haven raises serious questions about his judgment and intentions. “Hong Kong has a reputation for freedom in spite of the People’s Republic of China,” he told the Guardian. “It has a strong tradition of free speech.”

Perhaps it does in comparison to mainland China. But Hong Kong’s speech protections have been eroded steadily ever since Beijing took over its administration in 1997. James Fallows, a writer at The Atlantic who lived for several years in China, was stark in his assessment of the city:

Hong Kong is not a sovereign country. It is part of China — a country that by the libertarian standards Edward Snowden says he cares about is worse, not better, than the United States. China has even more surveillance of its citizens (it has gone very far toward ensuring that it knows the real identity of everyone using the internet); its press is thoroughly government-controlled; it has no legal theory of protection for free speech; and it doesn’t even have national elections. Hong Kong lives a time-limited separate existence, under the “one country, two systems” principle, but in a pinch, it is part of China.

In 2006, Hong Kong passed a surveillance law that makes the programs Snowden leaked seem weak in comparison. The New York Times reported that this law gave “broad authority to the police to conduct covert surveillance, including wiretapping phones, bugging homes and offices and monitoring e-mail.” Furthermore, the paper wrote, the law limited defense lawyers from questioning such surveillance during trials.

Fallows is also correct to say Hong Kong is a part of China. Under Basic Law, Hong Kong’s version of a constitution, a huge amount of power over diplomatic relations and defense issues is held by Beijing. He chose to flee with top secret documents and to leak them the same week Presidents Obama and Xi met to discuss cyber-security issues. In other words, by fleeing to Hong Kong, Snowden placed himself in the hands of the Chinese security services — not a terribly strong position if he was truthful in saying he did not want to sell his information (one Guardian reporter said he has “thousands” of documents) to other governments. It wouldn’t be terribly difficult to arrest him, grab his papers or thumb drive, copy everything, and then go through normal extradition proceedings. It would incur additional harm to U.S. intelligence efforts in China if Snowden’s cache of documents contained operational details of Chinese programs.

Unfortunately, it’s still unclear what will become of Edward Snowden. Reporters in Hong Kong are saying he’s checked out of his hotel and can’t be located. About the only thing we’re seeing now is cause for more questions: Where is he hiding? Is he planning to defect? Why did he really choose to flee to Hong Kong? Is he going to release more documents for publication?

The stakes for the U.S. government are enormous. Snowden had access to extraordinarily sensitive information, and he apparently still has a cache of documents that could expose more programs. Last week’s release of detailed cyberwarfare plans demonstrates how damaging the remaining information could be: It could expose critical defense plans, key infrastructure weaknesses, programs meant to warn of attack, or even key systems meant to safeguard catastrophic failures.

So what will the U.S. government do? It controls so much of what will happen next: the charges Snowden will face; the amount of diplomatic, intelligence, and police work that will go into bringing him back to the U.S. for trial; and, finally, what sort of punishment he will receive for violating so many laws. We are only at the beginning of this story.