Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”
This past March we learned some pretty shocking things about domestic surveillance in the United States.
A Wired magazine article by James Bamford described the extent to which U.S. government agencies are now collecting data on their own citizens—so much data that one of them, the National Security Agency, needs a new 1-million-square-foot data center. That’s almost as much floor space as the Empire State Building has on its 108 floors.
Bamford says the NSA is collecting, quote, “billions of e-mail messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all [that data]” in Utah.
Governmental domestic spying had been largely illegal for three decades, but after 9/11, the NSA, the FBI, and other security agencies have been given—or have simply taken—more and more latitude to assemble databases of a kind the East German Stasi or the Soviet Union’s KGB could only dream of collecting.
That cloud of tyranny casts a shadow on all of us. But it’s the rare cloud that doesn’t have a silver lining.
With the Aurora, Colorado, movie theatre shooting, in which 12 people died, freshly in mind, a July article in the Wall Street Journal asked the question, “Can Data Mining Stop the Killing?”
In other words, with the unprecedented amount of data now available to law enforcement officials, might they not mine it to find actionable patterns of activity, such as lawful but unusual purchases of a gas mask, a load-bearing vest, a ballistic helmet, bullet-resistant leggings, throat protector and groin protectors, tactical gloves, and a Smith & Wesson semiautomatic rifle with a 100-round magazine?
James Bamford is no stranger to IEEE Spectrum and its readers. He’s been a key source for our many reports on the government’s capacities, capabilities, and predilections for spying, and his books are surely among the most widely read by IEEE members, including The Puzzle Palace, the book that first brought the NSA to public consciousness back in the 1980s, and his post-9/11 exposé, Body of Secrets. He joins us by phone.
James, welcome to the podcast.
James Bamford: Well, thanks, Steven. Nice to be here.
Steven Cherry: James, the Wall Street Journal article reports that the Aurora shooter bought weapons, bomb-making equipment, and all that protective gear on the Internet. He bought ammunition from several different websites; when he tried to join a shooting range, he made phone calls and sent e-mails about it. Is this the kind of information that the security agencies like the NSA and law enforcement agencies like the FBI are now collecting on U.S. citizens?
James Bamford: Well, it’s the type of information, but it doesn’t have the qualifications that the NSA normally looks for. Basically, the information that he sent over the Internet through e-mails to get 6000 rounds of ammunition and so forth—there wasn’t any international link to any of that, and that’s usually what NSA looks for, some connection to some international link. So that’s one of the reasons it would have never picked up something like this, because most of the information that NSA is trying to collect has at least one link to it with an international component.
Steven Cherry: And what about the FBI, which would be more interested in a domestic incident that was breaking laws, after all?
James Bamford: Well, the FBI would be interested in it, but the problem is the FBI is prohibited from randomly listening to communications without a warrant. It would have had to have had a tip-off from somebody, maybe the psychiatrist that interviewed him that indicated that he was a danger to people around him, in order for them to get a warrant to eavesdrop on him. What normally would happen—at least what happens in some situations—is the agencies get involved with informal relationships with the manufacturers of weapons. Or in the case of the Secret Service, for example, they have these informal relationships with ink manufacturers or paper manufacturers, so people who buy a large quantity of a particular kind of ink, the kind that’s used for making dollar bills, for example, they will get a tip-off from somebody like that. So normally, it’s a lot less high-tech in terms of getting that information; however, there is always the capability of doing the eavesdropping if they can get a warrant.
Steven Cherry: So, it sounds like almost certainly this fellow James Holmes, who seems to have done the shootings and was arrested for them, he was probably not on the FBI’s radar, literally or figuratively. But nevertheless, you still think these vast troves of information the government is collecting are a threat to the liberty of ordinary Americans. What’s the threat?
James Bamford: Well, the threat is that so much communication today gets at the heart of what people actually think about. If you look back 20 or 30 years, if somebody wanted to monitor some kind of communication, all they’re really getting is the phone that’s hanging in your kitchen or something like that—maybe your office phone and an occasional fax or something like that—so there really wasn’t that much damage the NSA could do. Today, NSA has not only the capability, but it does eavesdrop on phone calls, e-mail, data searches—if you’re looking through the Internet, if you’re doing a Google search—all that are records that are available to NSA if they want to eavesdrop on it. And once you start eavesdropping on everybody’s form of communication today, from cellphones to tweets to e-mails to Google searches, then you’re basically getting into a person’s mind. You know exactly what they’re thinking of every minute of the day if they’re always on the phone or on the e-mail or looking through Google searches, and that’s much more dangerous. And that’s what the NSA has developed its capability for. In addition to that, if you’re trying to protect yourself with encryption, as I wrote in the article in Wired, they’re developing this enormous—the largest and most powerful computer on earth down in Oak Ridge, Tennessee, to break encryption.
Steven Cherry: Yeah, I wanted to get to that. One of your key sources for the article was William Binney, a former NSA cryptomathematician-turned-whistleblower. You quoted him as saying, “We are that far from being a turnkey totalitarian state.” Maybe tell us about Binney—and what did he mean by a “turnkey totalitarian state”?
James Bamford: Well, Bill Binney’s a very interesting person. He worked for NSA for almost 40 years, and he rose to an extremely high position: He was the person who basically designed and implemented the NSA’s worldwide eavesdropping system. He left soon after 9/11, when he discovered that system that he developed was being turned inward on the American public. In other words, the system that he designed to eavesdrop on people in foreign countries around the world was now being turned domestically to eavesdrop on U.S. citizens, and that’s when he decided to leave the NSA after all those years and turn his back on the agency he’d spent his entire life at. So I was very lucky that he was willing to talk to me all about the system and how the NSA’s eavesdropping turned domestic and what its implications are for eavesdropping on U.S. citizens.
Steven Cherry: And tell us about his fear of the turnkey totalitarian state.
James Bamford: Well, what he had said was the agency had come—and he separated his fingers by about an inch—“this far” from a turnkey totalitarian state. And what he meant by that was that the system is now in place—it’s a system he created—where if somebody was to basically flip a switch, all that technology that he created and all that technology that’s now locked into the American communications system can be used in a totalitarian way. In other words, in the way George Orwell wrote about in 1984, where you have a society where the government is eavesdropping on everybody’s communications and there’s no privacy left. It hadn’t reached that point when he left; they had put the system in place, and they had begun eavesdropping domestically illegally for the first time, or actually for the first time since the Nixon administration. But the system is there now, and anybody that wants—if a president wants to do the same thing that President Bush wanted, to go against the law, to secretly eavesdrop on American citizens—it’s there to do.
Steven Cherry: Yeah. And I guess at the heart of that switch that would be pushed is some software written by a company called Narus. What does Narus do, and why is it so troubling?
James Bamford: Well, Narus is this strange little company. It’s now owned by Boeing, and it’s a company that was formed in Israel, basically, and then transported to the United States. And its job is basically to create software that has the ability to do what’s known as “deep packet inspection.” In other words, as these very powerful communications links—these fiber optics links where all this Internet and all these communications are passing through—the software has the ability to search through that data as it’s going by at the speed of light and look for whatever information the agency is interested in: a telephone number, an e-mail address, something in the text of an e-mail, a particular word or phrase, or a name, a location. So basically, these are pieces of hardware and software that are planted into the U.S. communication system—for example, in San Francisco, in a secret room within the AT&T’s large, 10-story switch there, for example—so that the information that passes through AT&T’s switch is searched by the Narus equipment, and whatever has been preprogrammed into the system to weed out and send to NSA is plucked and sent on its way to NSA.
Steven Cherry: Yeah, we’ve reported on Narus several times. In fact, I think Spectrum was the first to shine a light on Narus’s software; a few years ago, two of Narus’s engineers wrote a feature for us describing how some of that sophisticated software works. Without trying to speak for them, I think they would say that they’re a software provider and how the software is used, by the U.S. government or any other government—and they do sell to other governments as well—or anybody else, a corporation, is a very separate thing from the software. How do you answer that?
James Bamford: You’re saying they just supply the software, and they walk out the door, and that’s the end of it?
Steven Cherry: Right.
James Bamford: Well, in one of the books I wrote, I wrote about Narus quite a bit. And there’s other companies like Verint, for example, that does a similar type of thing. And the problem is that some of these companies—and whether Narus is one I don’t know—Verint, for example, got into trouble in Australia; they sold their system to the Australian intelligence system. And I found a confidential document from the Australian government where it said that the Australian law enforcement and intelligence agencies were having difficulty getting into all the data that was being collected by this external company’s software, by Verint’s software. And then they discovered that the information was being accessed by the company from outside the country. So that’s very scary. It’s not very difficult, if a company wants to, to just put one more little tweak into the system, so that they get access to everything passing through the system. And that’s the danger. I mean, that’s very much a danger that you have today, is that the infrastructure that’s out there can be manipulated fairly easily if a company or an individual or somebody that’s not doing the right thing in an agency can do [this].
Steven Cherry: James, after the 1993 first World Trade Center bombing, after the 1998 blowing up of the embassies in East Africa, after the 2000 attack on the U.S.S. Cole in Yemen, the NSA and the CIA still missed 9/11. They missed the shoe bomber and the Christmas bomber; they didn’t successfully protect one of the largest U.S. military bases, Fort Hood; and they couldn’t protect an Arizona congresswoman. Don’t we need for these agencies to be gathering all of this data in order to protect us?
James Bamford: Well, no, because you get into the situation where, where do you draw the line? Now if we had the police once a week going though everybody’s house, searching every drawer and under every bed, you would probably be able to stop at least some crime because people might hide a gun someplace. There’s all kinds of ways you can find to prevent crime. The point is to find a balance between individual rights and privacy and the protection of people. The problem with the NSA wasn’t that they didn’t have the proper access at the time. In one of my books, in The Shadow Factory, I went to a large extent to show what NSA was collecting at the time of 9/11 was more than enough to determine what was going on. They were actually eavesdropping on one of the key hijackers in California at the time of 9/11, so they didn’t have a problem of collecting it either technologically or legally; it was a problem of actually doing the proper analysis and sharing the information. So the argument that we need to get more and more invasive today I don’t think is a legitimate argument. I think it’s just the proper analysis of what you already have is plenty enough to protect people from what’s happening. You’re never going to protect everybody from everything, but I think what they have now is more than what they need.
Steven Cherry: So, it used to be that we were sort of protected in our privacy by the sort of law of large numbers: A few messages were hard to find in the billions of messages that were sent. That’s no longer much protection because of software like Narus’s. We used to rely on cryptography to protect our privacy somewhat, but now the code breakers, as you say, are way ahead of the code makers. And the government is collecting enough information and correlating it in ways that almost read our minds, you say. It’s a pretty bleak picture you paint. Is the 236-year-old cause of liberty in the U.S. lost?
James Bamford: Well, I think people have to start paying attention to these issues, and they don’t seem to be paying attention to it; it’s more following the fearmongers, the people who are always trying to scare people into getting more and more control. And there’s very few people who pay attention to the end result, which is the loss of privacy. I think the European countries are far ahead of the United States in privacy issues, and in the United States it’s the opposite largely because of this whole fearmongering attitude, so that if you’re a congressman or a senator, somebody in government, and a bill comes up to enlarge whatever eavesdropping capability there is or dip more into the privacy, where you’re taking away more privacy, that’s always the preferable course for somebody who’s running for office, rather than voting against it. Because if you vote against it and there’s another terrorist incident, then your opponent is going to come up and say you’re weak on terrorism: You’re responsible for this happening, since you voted against this last bill. So there’s no real constituency out there voting for privacy, and there’s an enormous constituency out there arguing for more and more secrecy and security and surveillance.
Steven Cherry: Well, bleak as things sound, things have been this bleak before, and the U.S. has always recovered because of the work of citizens like yourself. So thanks for doing that, and thanks for joining us today.
James Bamford: Well, thanks for having me, Steven. I appreciate it.
Steven Cherry: We’ve been speaking with security expert and author James Bamford about the U.S. government’s far-reaching and still growing capabilities for domestic spying.
For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.
Announcer: “Techwise Conversations” is sponsored by National Instruments.
NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum’s audio programming is the audio version.