NSA Surveillance: Q&A with reporter Barton Gellman

Jul 15, 2014

Barton Gellman has been investigating and reporting on NSA surveillance operations. His most recent reporting revealed that ordinary Internet users, American and non-American, far outnumber legally targeted foreigners in intercepted communications.

For more background, check out Bart's debrief: How 160,000 intercepted communications led to our latest NSA story

Hi. Ready to go with our live chat on the NSA and other (sort of related) things on your mind. Fire away.

How many of the major US tech companies that were 'back-doored' by the NSA have announced the removal of these connections publicly?

I think you're referring to our story about NSA breaking into the Google and Yahoo cloud links -- the private connections between, say, a Google data center in Ireland and in Singapore. There's no back door to remove, exactly. The response is for the companies to encrypt those links, so that breaking into them does not give the NSA anything intelligible to read. Google, Yahoo and Microsoft have announced plans to encrypt their cloud links. Google is farthest along.

What do you say to those who suggest that journalists who publish classified documents should be punished under the espionage act? How do you think the Obama administration has handled cases involving whistleblowers?

The Espionage Act is written so broadly that under some readings it could forbid publication of national security secrets (as opposed to giving or selling them to an enemy state). It has never been applied that way because our political and legal culture, across nearly 100 years of U.S. history, has judged that too damaging to the workings of our democracy. (There's also some doubt that so broad a reading of the Espionage Act would pass constitutional scrutiny.) There are two core interests here: self-defense and self-government. We do not allow the government to put a stamp on something and use its compulsive power to forbid any citizen to speak of it. Insiders with clearances face civil and criminal sanctions, but I never signed an agreement to keep the government's secrets. Those are held on the people's behalf, and there are times I believe it justified -- even essential -- to make them public. I've thought and written a lot about this. For more, see a pair of lectures I gave at Princeton.


How do you compare the way you reported on the Snowden documents with the reporting of Glenn Greenwald?

I don't. Our work speaks for itself, and I'm the last person who should be asked to judge the work of a competitor.

China and Russia do more SIGINT than the NSA does. Why aren't those human rights violators also reported by you?

I doubt that is true. They do a great deal of surveillance, with an emphasis on controlling domestic dissent that is absent in the files about the NSA, but they don't have the resources and global infrastructure of the NSA and its partners in the UK, Canada, Australia and New Zealand. I'm not writing about other countries now for two reasons: (1) I don't have documents about them and (2) I do have a rich trove of information about the relationship of the US government to its own citizens, as well as to others around the world. Holding our own government to account for the use of its power is, in my view, the highest mission of a U.S. news organization.

Can you explain the difference between PINWALE and XKEYSCORE?

This may be down in the weeds for some readers but I'll answer. NSA systems are technically and operationally complex, so this will be somewhat simplified. PINWALE has been (though it's gradually being replaced) the NSA's principal repository and front-end search tool for internet content, mostly text, that has already been collected. XKEYSCORE is a globally distributed system for "tasking" and coordinating new collection of signals intelligence.

What is your relationship like with him these days? Any insight into what he thinks of the reporting on these documents?

We're in regular contact. I went to visit him late last year. I won't speak for him, in the newspaper or here, so you'll have to rely on what he has said about the coverage. What I can say is that he has not tried in any way to tell me what to write, what not to write, or when.

What is your view of the Cryptome threat to mass release the Snowden docs?

Cryptome.org is a useful site, predating Wikileaks, for original documents that somebody -- a company, a government -- wants to keep secret. John Young, who runs it, posted some mysterious tweets suggesting that the full Snowden cache would be released this month. It later became clear that he hopes this will happen but that he does not have the documents. Yesterday he threatened to sue me (and others who have the documents) if we do not release them all. Snowden did not want that, and even if he did I would not be the one to do it. As I note in the lectures I linked above, I believe there are legitimate and illegitimate secrets. I have seen plenty in the Snowden archive that I would not make public. 

What was most striking to you about the 160,000 documents you looked through?

I thought I knew a good bit about NSA surveillance. It was a major subject, filling two chapters, of my last book. (Warning: book plug. Angler: The Cheney Vice Presidency) I have been surprised at the global scale, and of course some of the gee-whiz NSA techniques. But the biggest surprise is how much surveillance the NSA does of US citizens and green card holders. We're not "targets," as the law defines the term, but there's a huge volume of foreseeable "incidental" collection. The NSA keeps all that and searches it, and the CIA and FBI have access too. No one has had a chance to debate that because the facts were all classified. I have put a good deal of my own reporting effort into shedding light there. My latest blog post explains more. 

What makes something a "legitimate secret"? I mean, I know national security concerns, but what is it that signals to you something is or is not over the line?

Sorry to refer again to my Princeton lectures, but this question really does call for a longer answer. Generally speaking, I report on something when it raises a substantial question of public policy or legal interpretation -- should the US government be allowed to do this, as far as its own laws or citizens are concerned. When the targets are hostile entities and I would destroy the operations by disclosing them, I don't. 

Here's a thought experiment. Deliberately exaggerated, but not completely different in kind from the things I'm holding back.


Suppose the files reveal an NSA operation that has planted thought-reading earrings on the mistress of the Martian emperor and discovered his evil plans to conquer Earth. If I published that I think most readers would say (1) that's amazing - I didn't know NSA could do that, (2) I'm sure glad NSA is doing that and (3) it's too bad you revealed it because now the NSA can't do it any more.

Apparently a NIST advisory panel is telling the agency it cannot trust the NSA (my paraphrase of this: http://www.nist.gov/public_affairs/releases/crypto-review-071414.cfm). Is that news as remarkable as it seems? One agency dissing the other?

It is indeed remarkable, and a strong indicator of the betrayal felt by the National Institute of Standards and Technology. NIST's job -- and by the way, the job of NSA's Information Assurance Directorate -- is to set standards that protect the American people. In this case, we're talking about encryption standards. Strong evidence emerged that the NSA, in its consulting role, deliberately introduced weaknesses into the encryption that protects our financial, medical and other information on the Internet and elsewhere. NIST is not as inclined as it once was to take advice from the NSA next time.

What sort of relationship do they have in regards to security and why do you think that many of their current & former employees refuse to eFile their returns?

I have no evidence of any relationship between IRS and NSA. Nor do I have data on eFile rates on tax returns. I am very, very cautious about digital security, but for what it's worth I used eFile for my own returns.

How do you reconcile personally profiting (future books, etc.) off of Snowden docs when he's basically sacrificed his life?

I'm baffled by the personal-profit critique. I'm a journalist and author. I make my living by finding things out and writing about them. That's my profit, I guess. The Snowden story is sui generis, in the volume and sensitivity of the materials he gave me, but not different in kind from what I have done as a writer focused on government, politics and national security for more than 20 years.

Whatever happened to the NSA's stringent prohibition against collection of information on "US Persons"? Is that entirely gone now? When exactly did it change Collection?

NSA and other intelligence agencies may "target" US persons (citizens, green card holders and companies) with an individual warrant from a surveillance judge or, in rare circumstances, with a finding by the Attorney General. It has always collected some U.S. information "incidentally." If you're listening to target X, you may get his conversations with an American he talks to. What changed is that Congress granted huge new latitude for the NSA to do this in high volumes from U.S. access points (Section 702 of the FISA Amendments Act of 2008) and by policy the NSA began to use far more aggressive techniques overseas, where it is bound only by Executive Order 12333. Congress and the courts do not supervise those operations.

William Binney recently asserted that NSA is recording all our phone calls, storing the recordings for 30 days, and transcribing many thousands of them. Does any of your reporting confirm this?

I don't have evidence to support or rebut that. I have reported that the NSA is recording every conversation in another country and storing them for 30 days. That sweeps in a substantial number of Americans, but nothing even close to a majority.

Is reporting a story like this like reporting Watergate in terms of the levels you have to go to to keep it secret and access sources and such? What are you allowed to tell us about how it actually works to report a story like this? Also, did you ever feel like you might get in trouble for reporting it or is it all to protect the sources?

I think I can fairly say that The Post and I have never taken greater precautions to protect the security of our reporting materials. We now know more than we did before about the nature of the digital threat, not only from US agencies but from hackers and sophisticated intelligence agencies abroad. The security measures are a big tax on our time, because they're designed to make access inconvenient and to keep sensitive stuff off networks, but that's what we need to do for basically three reasons: (1) prevent a breach that would threaten harm to genuine US national security interests, (2) prevent a breach of the privacy of the people who have been surveilled and whose conversations are in the files I possess, and (3) protect our confidential reporting sources and plans. 

Trouble can come in a number of forms. I'm aware of specific efforts to hack into my computers, including at least one by a foreign government. There are also hard legal questions in our work, and we're thinking them through to stay on the right side of the line.

Have you seen any indication that the NSA is collecting voice recordings (from automated telephone systems used by banks and other large businesses) to track and monitor citizens? Thanks

Not specifically. But under the PRISM program at home, and others overseas, it does collect stored content from computer servers wherever it finds them. So it's certainly possible. Again, it does not "target" US persons for that collection, but in some cases it could get a lot of them "incidentally." We don't know nearly enough about the way that boundary works, and I think it may be the most neglected public policy question in the ongoing debate.

How have the Snowden revelations and NSA Surveillance impacted investigative journalism? -Samantha Libby (The Committee to Protect Journalists)

I could read that question several ways. The Snowden case has led to a crackdown on normal reporter-official conversations, even about non-classified matters. I have been pretty zealous about digital security for years, but the revelations have persuaded more journalists to learn those tools and practices. At the same time they have made clear that it is very, very hard to keep a source confidential if the government puts real resources into finding out the source of a leak. So that has been a deterrent. Right now I think it's hard to say which is the greater force -- the empowerment of sources to obtain and transfer information securely to journalists or the government's ability to crack down.

There has been speculation that there is a new leaker or leakers at NSA. Are secret documents or information emerging from the agency post-Snowden? What do you believe?

There have been stories published in Germany that are not attributed to Snowden, and that do not have the byline of any journalist who received documents from Snowden. I suspect they come from a different source, but I have no hard information to confirm that.

Maybe I am misplaced in my thinking - but I just don't care that they are doing this. I sort of expected it actually. What reactions are you getting? I guess my feeling is - if I am not doing anything wrong - what do I care what they look at.

I'm not here to tell you what to think or care about. I'll mention some considerations. Information is power. The US government (and US companies) now learn more about us than anyone has ever known about anyone, and secrecy prevents us from learning what they do. That puts us, in effect, behind a one way mirror. As a citizen who wants to hold my government to account, I find that troubling. 

I am not saying that the government is abusing the power it has accrued. Sometimes the scandal is what's legal, especially if lawmakers and citizens had no reasonable opportunity to learn what the executive branch believed it was authorized to do. But abuse is not far behind us in our history. Spying on enemies was one of the Articles of Impeachment against Nixon, and the FBI's Hoover died in the lifetime of many people still living. 

I don't know whether I've ever met someone who truly has nothing to hide. If you think that's you, post a link to everything on your phone, your computer, your email accounts and your web browsing and purchasing history. And even if you have no secrets, you're probably in possession of the secrets of others -- the friend who is going to leave her husband, or wants to find a new job, or just got diagnosed with something she does not want people to know about. Privacy is relational. We may tell things to our friends we don't tell our parents or our kids, and so on. I want control of my own secrets, personal and professional. That's the bottom line.

You say abuses that concern American citizens are legitimate, and disclosures about "hostile entities" are off limits. Is there anything in between for you, or is it always ok, if it's about foreign targets only?

The decisions are more complicated than I can put in a line or two, or even in the lectures I linked above. They're extremely fact-specific. The hardest ones combine a serious question of public policy with significant potential harms of disclosure. Some of those involve surveillance of foreigners as well as of Americans. I'm not saying "anything goes" as long as there is no one with a US passport involved.

If you had evidence that a public official was being spied on by the NSA would you report on it without their approval? For instance, if 2008 Senator Obama was being spied on.

Easy case. Yes.

Has the support you receive from the management of the Post changed since Jeff Bezos bought the paper? Some worry that Amazon, his main property, has partnered with the CIA on lucrative projects.

I'm not in the inner circles. I'm not even a WP employee. I was for 21 years, resigned in 2010 and came back on temporary contract for the NSA story. So I have no fear of retribution for criticizing Bezos or the way the WP is run. And with all that said, I see nothing but good happening in the newsroom right now. I can't say how much of that comes from the new resources provided by Bezos and how much from the leadership of Marty Baron, the executive editor.

Are the tools to use encryption still at a point where it is a barrier to communicate without fear of being spied on?

There's a good tutorial here, but encryption is still too hard to use. So are the tools of anonymity, which are just as important. On the other hand, with an investment of a few hours' effort, most ordinary computer users can do it. I encourage that.

I've gone overtime, and I'm afraid I have to stop. I left some good questions unanswered, but for the record I didn't see any challenge or criticism that I chose to ignore. Kind of expected more of them, frankly. 

To anyone who has new information for me: please use the secure contacts I provide in my Twitter profile, on the left side of the page. Bye for now.

In This Chat
Barton Gellman
Barton Gellman writes for The Post's national staff. He has contributed to three Pulitzer Prizes for The Washington Post, most recently the 2014 Pulitzer Prize for Public Service.