This month Bart Gellman ’82 discusses his work on the Edward Snowden disclosures, the subject of his new book, Dark Mirror: Edward Snowden and the American Surveillance State. Gellman discusses the drama that unfolded around receiving and publishing the news about the NSA’s unlawful surveillance of Americans, shares his opinion of Snowden, and offers tips for keeping your data safe.
Carrie Compton: Hello and welcome to the PAWcast, a monthly interview podcast by Princeton Alumni Weekly. I’m your host, Carrie Compton. Today I’m speaking with world-class journalist Barton Gellman, from the Class of 1982. Bart is a staff writer at The Atlantic and a senior fellow with the Century Foundation. He’s an investigative journalist who’s won three Pulitzer Prizes covering some of the biggest stories of the 21st century including 9/11, Vice President Dick Cheney’s influence on national security, and the NSA leaks that came from Edward Snowden.
Gellman, who is a former visiting lecturer and author in residence at Princeton, has recently released a new book, Dark Mirror: Edward Snowden and the American Surveillance State, which recounts his experiences reporting on the cache of files provided to him by Snowden, and what those revelations reveal about America’s pervasive surveillance techniques.
CC: Bart Gellman, thank you so much for joining me today.
BART GELLMAN: My pleasure.
CC: So your book starts with how you were brought into the Edward Snowden saga. You were familiar with a filmmaker named Laura Poitras — am I saying that right?
CC: Poitras — who reaches out and tells you she’s been contacted by someone in the NSA with bombshell revelations. Tell me what happens next.
BG: She knew her source only by an anonymous handle — “Verax” — which meant “truth-teller” in Latin. And my first impression was, “Oh, God, not another one of these — a deluded, intelligence leak” — because I have had many, many of those in the course of my career. But this one had an air of plausibility about him, and he seemed sane, just on first impression. So she kept talking to him, and so did I.
Both of us were concerned about whether this person was for real, whether it was some sort of provocation — someone trying to plant a false story, someone who mistakenly believed that something ordinary was a scandal, someone who wasn’t even really a member of the intelligence community — we didn’t know what it was going to be. But over the course of many back and forths, we became more and more convinced that he was who he said he was. And eventually he told us his name.
CC: Yeah. And when you received the documents he wanted to share with you, tell us about what that package sort of looked like, and what you found in it.
BG: So in Dark Mirror I tell this story — and, sort of, you know, practically following along in real time — you get a complete behind the scenes of my conversations with Snowden and what happened, because they were all — they all were captured in transcript. So you can see exactly what was said by whom and when. And at first we were expecting one document, and we got one document.
The next day, we got this enormous pile of documents, and they were all classified above top secret — they were top secret with handling caveats, sensitive compartmented information, code words, and so on. And, honestly, it freaked me out. It was, you know — it was way beyond what one person could process and handle. And how was I going to authenticate all of that material? How would I tell whether it was an actual document or a fake? How would I tell whether the document was accurate, even if it was authentic?
One of the first things I did was I made a count of the files — which was surprisingly hard to do — and it turned out the number was north of 50,000. Most of them way more than one page, and I just didn’t know how to handle all that.
CC: How did you know what in there was incendiary? How did you tease that out?
BG: For a while, it wasn’t very systematic. I was just going through files, and either by file name or the name of the folder they were in, or sometimes at random, I would open up and skim the first page and see whether it was something that I thought I should put aside to look at again soon, or maybe later — I started having a more sophisticated sense of the files.
The first document he had sent on its own, and I had agreed that I would write about that one first, if I thought it was newsworthy — that was the program called PRISM, under which the NSA obtained the content of internet communications from the big companies like Google and Facebook and Microsoft, and Yahoo. This was a story that anyone could understand, because everyone had an account at one of these places. And Snowden thought that this would give ordinary citizens a sense of what’s at stake.
CC: Right. So here you are, you’re sitting on the biggest story of the decade. But you had a difficult time finding a place to publish it. That’s something that is a sort of interesting paradox in the publishing world that puts such a high value on sensational stories. So talk about that part of the journey and how you sort of had to assume a bit of legal risk on your own just to have this truth see the light of day.
BG: Well, it took two tries. I was a former employee of The Washington Post — I had spent most of my career there. But I had left the Post almost three years earlier, and I was freelancing and thinking about a book project and writing stories — most frequently, at that time, for Time magazine. And I really liked the editors there, and I thought Time would be a good place to write about some of these stories. And I went to them and said, “I have a line on a story about a classified document, and I think that we should put some of that document online to accompany the story. I want to know whether the magazine is prepared to do that.” And, as it turned out, it was not.
The editors were interested, but the business side of the magazine was afraid of trouble with the government and was afraid of an expensive legal battle. And they put up enough obstacles that it became clear to me that Time just wasn’t going to be the place for this story. And at that point I decided to go back to my old haunts at The Washington Post, where there was a brand-new editor who didn’t know me, and I didn’t know him. And there was an enormous amount of trust that had to be established very quickly.
CC: And so The Washington Post was willing to go into this legal fray, right alongside with you?
BG: Well, I reconstruct this early meeting, and it’s actually funny, a bit, at my expense, because I came in there with this long list of preposterous demands. I mean, I said, “I have this spooky story about a classified program, but in order to write about it, there are things that we’re going to have to hold back also. There are some things in this document that I don’t think should see the light of day, and we’re going to have to protect this classified material. We’re going to need to have computers with their networking hardware pulled out, and a big safe in a locked room with no windows, and we’re going to have to use encryption.”
And the editor just kind of stared at me (laughter), and eventually said, “OK.” (laughter) And I had thought by then I was going to be thrown out. And I said, “OK.” (laughter) They said, “OK. We want the story, we can live with your conditions. Let’s talk about it.” So only then did I actually show him the document and explain to him what the story meant, as far as I understood it. And the Post went a step further than that, because I asked him right after that if I could pull him aside and talk to him about something else outside of the group of people he had in the room with him. So only the lawyer came with us.
We walked into an empty office across the hall, and I held out a hard drive, and I said, “It’s possible there could be more than one story — more than one document. I’d like you to keep this safe for me.” And just as I said that, the lawyer cut in and said, “Marty” — he’s talking to Marty Baron, the editor of the paper — “Marty, I can’t advise you to do that.” And I was crestfallen. I thought this meant that the Post was not going to put itself at risk, the Post was not going to be fully onboard with this story. And there were a lot of risks that I was asking him to assume, in part so that I could share them with someone more powerful. And the lawyer said that, but then he didn’t say anything more. He didn’t argue the point, he didn’t paint a picture of terrible trouble to come. He was sending a signal to Marty, that “you’re about to cross a line.” But he wasn’t actually trying to throw his body in front of that train.
And Marty looked at him, and looked at me, and said, “I’m doing it.” And he took the hard drive, and he did keep it safe. And that saved me a lot of lost nights of sleep, because I was worried, at that point, that federal authorities were going to come descend on my home and my place of work and take all the notes from me.
CC: Right. And the information itself was illegal for you to be — to be in your possession. Isn’t that correct?
BG: Well, under a black-and-white reading of the Espionage Act — which has never been tested, with respect to journalists — it would be illegal for me to possess it, to copy it, to destroy it, or to give it to anyone else. So I was kind of in a bind. (laughs) I wasn’t supposed to have this at all.
CC: Right. So, for anybody who wasn’t paying attention back then, why don’t you lay out some of the big, topline disclosures that came out of Snowden’s information.
BG: So the first major story was that the NSA was collecting call-data records — meaning a list of telephone calls — from substantially every American. It was collecting a record of who called whom, and when, and how long they talked, and other things like that that are called “metadata,” without collecting the words spoken on the calls. And it was doing this — it was attempting to do this for the entire U.S. population, whether you were calling overseas or next door. And it was using these lists — using this data — to draw social graphs that connected us to all of our social circles. It’s an enormously revealing, intimate picture of someone that you can get, just by looking at all the phone calls, and all the people that you talk to, and all the people they talk to, and so forth.
The next big story was the PRISM story that I mentioned already, in which the NSA was on a scale of hundreds of thousands going to Google and Facebook and Yahoo and Microsoft, AOL, and several others, and it was saying, “Here’s a list of 100,000 people. I want all the information you have about them — every email they’ve written, every document they’ve shared, every live chat, every photo, and so on — videos.” And then there started to be stories about operations that took place overseas.
And, at first, a lot of people thought, “What do these have to do with us? We’re sitting here in America. What do we care what the NSA intercepts overseas?” But what I was able to show, with a few of my colleagues, was that overseas operations collected an enormous amount of information about Americans, because the internet doesn’t follow sovereign boundaries. If you make a call from Philadelphia to New York, it is very likely that it’s going to — it could be routed somewhere else. If you send an email from, you know, one side of your house to another, it’s probably going to be copied and stored in Singapore, because Google has a data center there, and it backs up and load balances — its internet traffic all around the world. So these overseas operations were, as the NSA calls it, “incidentally” picking up a lot of American content. And the U.S. had not grappled with this feature of the modern surveillance state.
CC: Right. Let’s talk about Edward Snowden. People like to paint him in very black and white terms — “whistleblower,” “traitor.” How do you talk about him?
BG: I see him as someone who saw behavior, and who saw operations that he thought were wrong, and he didn’t think he should stay silent about them. I don’t like the term “whistleblower,” especially, because it’s defined in law to be someone who discloses waste, fraud, and abuse. And there are lots of really important public policy questions that don’t fall under those categories. For example, is the U.S. government spying on its own people in ways that it’s keeping secret from them? I mean, the title of Dark Mirror is taken from the idea of a one-way mirror — that they’re watching you, but you can’t watch them and see what they’re doing. And there had been boundaries drawn between the intelligence community and the American people. And those changed after 9/11 in ways that were kept secret from us, and in ways that we were actively misled about.
So, for example, in 2009, the FBI reported to Congress that it had only used this one controversial power to collect business records in secret. It had only used this 21 times in the whole year, so it was proportionate, and narrowly used, and nothing to worry about. Well, it turned out that 12 of those 21 was all it took to get a trillion telephone records representing, you know, every call made by Americans. And so was it a lie? No. I mean, they really — they did use it 21 times. But anyone would regard that as being a lie in spirit, you know. I say if your teenage daughter admits she had a party in the house while you were gone, but, don’t worry, she only invited 21 people, but it turned out a trillion teenagers showed up, you would feel misled. You would not take that as OK.
So Snowden wanted to disclose those things. Whether he’s a hero or a traitor, I’m not interested in that debate, especially, except to say that, on a technical matter, no one has even made the case — according to the definition of “traitor” — that he’s a traitor. “A treason,” according to the Constitution, “shall consist only of making war against the United States, or giving aid and comfort to an enemy that is in conflict with the United States.” And there’s no evidence whatsoever that Snowden worked with, worked for, wanted to benefit any foreign power. He was trying to enable a public debate in this country. Whether he broke a law is also not especially in question. He certainly broke laws to do this and would acknowledge as much.
CC: Speaking of a foreign enemy, what do you make of the fact that he has wound up in Russia?
BG: So he didn’t aim for Russia. He was trying to change planes there. He was en route to Ecuador. He had to change planes in Russia, Havana, and Venezuela. Shortly after he left Hong Kong — just basically as he left Hong Kong — the U.S. government canceled his passport, so that by the time he reached Moscow to change planes and presented his credentials at passport control, they were invalid, and the Russians wouldn’t let him travel.
So he then spends several weeks at the airport, working through his status. The Russians give him temporary, and then permanent, diplomatic asylum. And so he’s living there, against his own choice. It is, probably, fortunate for him that he’s there, because there are very few places in the world where he would be safe from American extradition. But that was not his intent.
CC: So what are some changes that came about as a result of your reporting?
BG: Well there have been a lot of things that changed, and a lot of things that didn’t. The program to collect all of the telephone records was canceled. At first it was rewritten and constrained, and the NSA wasn’t allowed to collect the records itself, but the telephone companies maintained them in a database that the NSA could access under certain, specific conditions. And then that authority lapsed. The NSA said it didn’t need it anymore after all. And so that program is gone.
There are many changes in the tech sector that have made it more difficult for the NSA to do some of the bulk surveillance — the mass surveillance — that it was doing. The NSA likes to go to overseas choke points of the internet and of the global telecom system and just sort of take in the whole volume and sift through it and then keep the parts that it likes. And doing that is much harder now, because when you go to a website now, it’s almost certainly going to have a little padlock in the browser bar, and it’s going to be an https internet address — and the “s” stands for “secure.” That was not the case when Snowden made his disclosures. And what the “secure” means is that the connection between your computer or your phone and the company’s server — whether it’s Google or Facebook or whatever else — is encrypted and can’t be intercepted en route.
The NSA can break into just about any communication that it wants to, if it targets one person. So it can still surveil almost anybody, but it can’t surveil everybody. It can’t collect en masse the way it was collecting. That’s a big change that was brought about because consumers didn’t like what they were hearing about NSA surveillance, and they demanded more privacy. And the big companies — which had not paid much attention to privacy until then — started competing on that basis, started saying, “We’re more secure and private than the other guy.” Google led the way on that, and others quickly followed.
CC: What hasn’t changed?
BG: Well, I mean, most of what the NSA does is not done under legislative authority. So Congress has nothing to do with it, and the courts have nothing to do with it, it’s based on an executive order from the president. And, essentially, if it takes place overseas, Congress does almost no oversight of it, and the courts have no jurisdiction. And both the Obama and the Trump administrations were deft at avoiding debate about those programs, again, with the argument that they didn’t affect Americans, since they were happening somewhere else. That just isn’t true anymore. But, as a political position, it has largely held up.
CC: So talk to some of the more complacent people who might be listening to this and think, “I’m not a criminal. I really don’t care if the government knows that I ordered a pizza on Wednesday.” What would you say to them about why they should care?
BG: Well, people sometimes like to talk about having nothing to hide. My experience is that almost no one has nothing to hide. And if you looked at it concretely — for example, if I came to your house and said, “Please log on to your email, and let me now spend the next couple of days reading it all,” you would start to feel uncomfortable. And you would start to realize that if someone published these things on the net, and everyone could see them, you would be very sorry for that to happen.
And even if you don’t think you have anything to hide, you’re also the keeper of other people’s secrets. Someone you know has told you that they have a medical condition that they don’t want their boss to know about, that they’re thinking of leaving their spouse, that they’re thinking of leaving their job, that their kid is in big trouble, that their parent is an alcoholic — I mean, any number of things. It’s just life. And privacy is an essential condition for living our lives with freedom. And if you were living in a fully transparent world, it would change your behavior in ways that would very much constrain your life.
CC: Right. And a lot of this comes from our very newly adapted digitized way of life. You have a really great line in the book about how our species could have never accomplished surveillance on this scale at any other point in time, and that things like the Underground Railroad, or even the American Revolution, could not have taken place if there was such a pervasive surveillance state in place, as there is now. So can this genie be put back in the bottle? The government has tasted of the forbidden fruits — can it ever resist the urge to not scoop that stuff up?
BG: Well the government, for reasons of inertia and bureaucratic self-protection — and also for good motives — trying to protect the American people — is never voluntarily going to scale back surveillance. Nobody comes into a job like head of the counterterrorism center or secretary of state or defense or president of the United States and says, “I see I’ve got all these tools to understand what’s happening in the world. I don’t need some of these. I can relinquish these.” They always feel unequal to the immense task that’s before them. And they’re living in a society which has very little tolerance for anything bad happening that they didn’t see coming and couldn’t stop.
And so, with those incentives, it’s going to want to know everything. But that doesn’t mean that we should want to allow it. I mean, if police were allowed to do everything convenient for the solving of crime, then there would be no Fifth Amendment, there would be no Fourth Amendment. There would be no need for search warrants. Police could come into a restaurant where a wallet had been stolen and turn everyone upside-down and shake out their pockets and find out who took the wallet. We don’t allow that, because we think we have other values of personal privacy and security that are in tension sometimes with the single-minded value of solving every crime. We don’t allow forced confessions. We require a unanimous jury to convict someone of a crime, and it has to be beyond a reasonable doubt, not just a preponderance of the evidence.
We have lots of rules and checks in place, over powers that are there for good reason — law enforcement is important. And if you gave police everything they wanted, then you would have a police state. And we don’t want that. And so, likewise, we do want to find ways of checking the intelligence community — of forcing it to operate within boundaries. And my book is part of the debate over where those boundaries should be.
CC: In the book, you touch on some of your own digital habits. There are certain habits that you’ve adopted, correct?
BG: I explain in the book, you know, sort of scene by scene, how I became the target of quite sophisticated adversaries trying to hack into my computers, my devices, my accounts. Google notified me with an alert message on the screen that state-sponsored attackers were attempting to compromise my account. I watched my iPad hacked in front of my eyes. It rebooted itself, and discarded its operating system, and began loading a new one. That if I had not been watching it as it happened, I would never have known, and it would have become a quite effective spy device. You know, I learned of an operation by the government of Turkey to try to surveil me. It went on and on.
You know, one of the most creepy moments was when I was reading through some of the NSA documents that Snowden had given me, and I found my own name in the files as a proposed subject of surveillance. And the government had not been happy with some of my stories that disclosed secrets, and requested a Justice Department investigation — a criminal investigation — into how I got those secrets. And so, yes, I’m very careful. I don’t open attachments, I use encrypted messaging for anything that’s sensitive. I mean, I have a long list. I’ve even put a top-10 list on the web of suggested digital privacy.
CC: That was my next question. What are a few things that you’d like to share with people that are really easy fixes that can help them maintain their privacy?
BG: This is a fix that you would want, whether or not you think you’re a high-profile target. It’s so easy to hack people and make money off them these days that everyone is absolutely at risk. So one thing is prosaic: Say yes to software updates. When you get a message saying, you know, you’re not using the latest and greatest operating system, “There’s an update for Adobe, there’s an update for Windows, there’s an update for the next …” — say yes to that. Do it soon, because they’re always closing security holes, often security holes that are in use actively by criminal enterprises out there trying to compromise people’s computers.
Use a password manager, something like the app 1Password, which I use myself and favor. There is literally no other way you’re going to have hard, unique passwords for every site. And that’s what you need. You can’t reuse passwords. And I know you are. (laughs) Everyone is.
CC: Oh, you have no idea. (laughs) Yes.
BG: Whereas the password manager fills in all the passwords for you. You don’t have to remember them. And it keeps you much more secure. Don’t put sensitive stuff like your tax returns or your social security number or highly personal information of any kind in email. Email is a postcard: It travels around the internet, open to anyone along the path to see what it says.
Use a secure messenger, like an app called Signal — Signal.org — that lets you send messages or attachments or photos or videos in an encrypted way — that you don’t even notice that it’s happening. But it makes sure that only you and your intended recipient can read it. Those would be my top few.
CC: You write that the indictment against Julian Assange, brought by the Trump administration, could have implications for you. Talk about that.
BG: I said earlier that the Espionage Act has never been tested against a journalist. No journalist at the time I wrote the book had ever been charged for journalism with espionage. What makes the Assange indictment — the superseding indictment — so dangerous is not whether you choose to call him a journalist or not. It’s that the things he’s charged with — at least three of the felony counts are strictly journalistic. He’s charged with espionage by publication — that he received secrets from Chelsea Manning, and that he knew that they were classified, and he published them on the internet for all to see.
Now, if he can be prosecuted for that, then literally so can I. There’s absolutely no reason that you could draw a legal distinction between us. My exposure would be identical. I receive information from confidential sources, and I publish them for everyone to read. If that counts as espionage — it’s never been counted as espionage before in more than 100 years since the act was passed.
But if that counts as espionage, and if it’s not found to be a breach of the First Amendment, which it might well be, then we’ll be living in a very different world. Because we would not know about torture or secret prisons or illegal, warrantless surveillance, or any number of other stories that have been quite important to modern American history. You would not know about those things if it were a crime to publish them. We don’t have an official secrets act here in the States. Our political development has relied on that. And the Trump administration is trying to create one by a back door.
CC: Scary. So the disclosures that you have already published from the Snowden cache — there’s still a lot there. You worked with the government on some things that proved to be a matter of national security, and you held some things back. But I’m curious: Is there a potential that more revelations are still forthcoming?
BG: I don’t right now foresee a time that I will be publishing any more stories from it. A lot of the documents turned out to be purely technical or bureaucratic or budgetary, in ways that I’ve either already explored or I don’t see as newsworthy. And then there are a number of stories in there that would be interesting, but would be directly damaging to U.S. national security. If I were to publish that the U.S. government was able to listen in on this particular terrorist at this particular time, then that channel would be forever closed after that. And if it’s an operation that, by sort of public consensus, anybody, almost anybody, would regard as a valid intelligence target of the United States — illegal nuclear weapons program in a country that has promised not to pursue one — something like that — then I see no reason why I would want to blow an operation like that.
CC: Right. Well thank you so much for joining me today, Bart. I really appreciate it.
BG: Thanks so much for having me.