
Hitler - A Career

From Hitler - A Career

Available on Netflix

Beginning ~ 02:30

"Germany, awake!"

This rallying call was more potent than any politician's catchphrase. It rang out as a cry for salvation.

"Germany, awake!"

For a nation in turmoil, its identity shaken after a lost war, the call that brought the promise of a new dawn, united under one symbol, and one man.

The call came from a man who understood the magical power of simple imagery, a man who liked to descend from the clouds to his people, like some kind of god.

Millions were ready to give unquestioning loyalty to any man who would promise them what they most needed: law and order, a sense of purpose, and, above all, belief in themselves.

Adolf Hitler appeared to millions of Germans as the man who could give them all this. In him, they saw the living proof that the course of history could be bound up with the destiny of one man.

His Minister for Propaganda, Josef Goebbels, expressed it in these words: "Although it may be good to possess power that is based on guns, it is better and more gratifying to win the hearts of the people and to keep them."

Unprecedented and Unlawful: The NSA’s “Upstream” Surveillance - Just Security 20160919

Unprecedented and Unlawful: The NSA’s “Upstream” Surveillance

The FISA Amendments Act of 2008 (FAA) — the statute the government uses to engage in warrantless surveillance of Americans’ international communications — is scheduled to expire in December 2017. In anticipation of the coming legislative debate over reauthorization, Congress has already begun to hold hearings. While Congress must address many problems with the government’s use of this law to surveil and investigate Americans, the government’s use of “Upstream” surveillance to search Internet traffic deserves special attention. Indeed, Congress has never engaged in a meaningful public debate about Upstream surveillance — but it should.

First disclosed as part of the Snowden revelations, Upstream surveillance involves the NSA’s bulk interception and searching of Americans’ international Internet communications — including emails, chats, and web-browsing traffic — as their communications travel the spine of the Internet between sender and receiver. If you send emails to friends abroad, message family members overseas, or browse websites hosted outside of the United States, the NSA has almost certainly searched through the contents of your communications — and it has done so without a warrant.

The executive branch contends that Upstream surveillance was authorized by the FAA; however, as others have noted, neither the text of the statute nor the legislative history supports that claim. Moreover, as former Assistant Attorney General for National Security David Kris recently explained, Upstream raises “challenging” legal questions about the suspicionless searching of Americans’ Internet communications — questions that Congress must address before reauthorizing the FAA.

Because of how it operates, Upstream surveillance represents a new surveillance paradigm, one in which computers constantly scan our communications for information of interest to the government. As the legislative debate gets underway, it’s critical to frame the technological and legal issues that Congress and the public must consider — and to examine far more closely the less-intrusive alternatives available to the government.

Upstream Surveillance: An Overview

As we’ve learned from official government sources and media reports, Upstream surveillance consists of the mass copying and content-searching of Americans’ international Internet communications while those communications are in transit. The surveillance takes place on the Internet “backbone” — the network of high-capacity cables, switches, and routers that carry Americans’ domestic and international Internet communications. With the compelled assistance of telecommunications providers like AT&T and Verizon, the NSA has installed surveillance equipment at dozens of points along the Internet backbone, allowing the agency to copy and then search vast quantities of Internet traffic as those communications flow past.

The NSA is searching Americans’ international communications for what it calls “selectors.” Selectors are, in essence, keywords. Under the FAA, they are typically email addresses, phone numbers, or other identifiers associated with the government’s targets. While this might sound like a narrow category, the reality is much different, as Jennifer Granick and Jadzia Butler recently explained. That’s because the NSA can target any foreigner located outside the United States who is believed to possess “foreign intelligence information” — including journalists, human rights researchers, and attorneys, not just suspected terrorists or foreign spies. At last count, the NSA was targeting more than 94,000 people, organizations, and groups under the FAA.

In practice, that means the NSA is examining the contents of each communication for the presence of tens of thousands of different search terms that are of interest to the government. And that list continues to grow, as the NSA adds new targets and entirely new categories of selectors to Upstream surveillance. Whenever the NSA finds a communication that contains a “hit” for any one of its many selectors, it stores that communication for the agency’s long-term use and analysis — and it may share those communications with the FBI for use in criminal investigations.

“About” Surveillance

Observers, including the Privacy and Civil Liberties Oversight Board (PCLOB), have singled out one feature of this surveillance as especially controversial: what’s often called “about” surveillance. This term refers to the fact that the government is not only intercepting communications to and from its targets, but is systematically examining the communications of third parties in order to identify those that simply mention a targeted selector. (In other words, the NSA is searching for and collecting communications that are merely “about” its targets.)

“About” surveillance has little precedent. To use a non-digital comparison: It’s as if the NSA sent agents to the U.S. Postal Service’s major processing centers to engage in continuous searches of everyone’s international mail. The agents would open, copy, and read each letter, and would keep a copy of any letter that mentioned specific items of interest — despite the fact that the government had no reason to suspect the letter’s sender or recipient beforehand. In the same way, Upstream involves general searches of Americans’ international Internet communications.

Upstream Surveillance Is Bulk Searching

Although the government frequently contends otherwise, Upstream surveillance is a form of bulk surveillance. To put it plainly, the government is searching the contents of essentially everyone’s communications as they flow through the NSA’s surveillance devices, in order to determine which communications contain the information the NSA seeks. While the government has “targets,” its searches are not limited to those targets’ communications. Rather, in order to locate communications that are to, from, or “about” its targets, the government is first copying and searching Americans’ international communications in bulk.

There is no question that these searches are extraordinarily far-reaching. The leading treatise on national-security surveillance, co-authored by former Assistant Attorney General David Kris, explains that the “NSA’s machines scan the contents of all of the communications passing through the collection point, and the presence of the selector or other signature that justifies the collection is not known until after the scanning is complete.” Likewise, the Foreign Intelligence Surveillance Court (FISC) has made clear that the NSA is searching the full text of every communication flowing through the surveillance devices installed on certain international backbone links.

For technological reasons, Upstream surveillance — at least as it’s conducted today — necessarily ensnares vast quantities of communications. When an individual uses the Internet, whether to browse a webpage or send an email, his computer sends and receives information in the form of data “packets” that are transmitted separately across the Internet backbone. As Charlie Savage recently explained in Power Wars, “when an e-mail is transmitted over the Internet, it is broken apart like a puzzle. Each piece of the puzzle travels independently to a shared destination, where they converge and are reassembled. For this reason, interception equipment on a switch in the middle cannot grab only a target’s e-mail. Instead, the wiretapper has to make a copy of everything.” While the NSA may exclude certain types of irrelevant traffic — like Netflix videos — it can identify the communications it’s seeking only by copying and searching the remaining Internet traffic in bulk.

In court, the Department of Justice has resisted acknowledging the breadth of these bulk searches — preferring to say, euphemistically, that the NSA is “screening” or “filtering” communications. But it’s playing word games. The only way for the NSA to determine whether a communication contains one of its selectors is to search the contents of that communication. At scale, that means the NSA is searching the contents of trillions of Internet communications, without anything resembling a warrant.

Upstream Surveillance Is Unprecedented and Unlawful

Because it involves bulk searches, Upstream surveillance is very different from other forms of surveillance, and it should be debated with that in mind. As the Privacy and Civil Liberties Oversight Board (PCLOB) explained:

Nothing comparable is permitted as a legal matter or possible as a practical matter with respect to analogous but more traditional forms of communication. From a legal standpoint, under the Fourth Amendment the government may not, without a warrant, open and read letters sent through the mail in order to acquire those that contain particular information. Likewise, the government cannot listen to telephone conversations, without probable cause about one of the callers or about the telephone, in order to keep recordings of those conversations that contain particular content.

In short, the Fourth Amendment does not allow the government to conduct a general, suspicionless search in order to locate specific information or evidence. Instead, as the ACLU has explained at length elsewhere, the government is required to have probable cause — and a warrant — before it searches the contents of our communications. Upstream surveillance reverses this logic, using the end results of the NSA’s searches to justify the continuous, bulk review of Americans’ Internet traffic. The ODNI General Counsel has effectively called for rewriting the Fourth Amendment to permit these types of searches — which only underscores how novel and extreme the government’s legal theory really is.

Americans — and Congress — need to be concerned about what it means to have government computers monitoring our communications in real-time. As the PCLOB emphasized, one of the fundamental problems posed by Upstream surveillance is that “it permits the government to acquire communications exclusively between people about whom the government had no prior suspicion, or even knowledge of their existence, based entirely on what is contained within the contents of their communications.” David Kris highlighted a related problem, asking whether the government should be permitted to “review the contents of an unlimited number of e-mails from unrelated parties in its effort to find information ‘about’ the target.”

The PCLOB, in its report, expressed serious concern about Upstream surveillance, finding that the nature and breadth of this surveillance pushed it “close to the line” in terms of lawfulness. At the same time, however, the PCLOB expressed the view that “about” surveillance was unavoidable for technological reasons. While this is the subject for a separate post, that factual claim is doubtful. The NSA could, if it chose, do far more to isolate the communications of its targets based on metadata — such as email addressing information — rather than searching the entire contents of everyone’s communications using selectors. Indeed, “Next Generation Firewall” technology is capable of distinguishing metadata from content across many different types of communications. Moreover, the NSA has already shown that it can implement this capability on the Internet backbone — because its bulk Internet metadata program, which it operated for ten years, required very similar capabilities. Even with these modifications, significant questions about the lawfulness of the surveillance would remain; but there is no question that it would be more protective of Americans’ privacy than today’s Upstream surveillance.

Between now and the sunset of the FAA in December 2017, it is crucial that Congress engage in an informed, public debate about whether it is constitutional — and whether it is prudent — to permit the executive branch to wield this incredibly invasive surveillance tool.

Editor’s note: The authors are staff attorneys with the ACLU’s National Security Project. Last year, the ACLU challenged Upstream surveillance on behalf of a broad group of educational, legal, human rights, and media organizations — including Wikimedia, the operator of one of the most-visited websites in the world — whose communications are swept up by this unprecedented dragnet. In October 2015, a federal district court in the District of Maryland held that the plaintiffs lacked “standing” to bring suit. The case is presently on appeal in the Fourth Circuit.

A Human Rights Response to Government Hacking - Access Now 201609

Excerpt.

Recently we have seen several high-profile examples of governments hacking into consumer devices or accounts for law enforcement or national security purposes. Access Now released a report where we consider government hacking activity from the perspective of international human rights and conclude that based upon its serious interference with the rights to privacy, free expression, and due process, there should be a presumptive prohibition on all government hacking. There has yet to be an international public conversation on the scope, impact, or human rights safeguards for government hacking. The public requires more transparency regarding how governments decide to employ hacking and how and when hacking activity has had unanticipated impacts. Finally, we propose Ten Human Rights Safeguards for Government Hacking in pursuit of surveillance or intelligence gathering. The full report is available at: www.accessnow.org/GovernmentHackingDoc

A HUMAN RIGHTS RESPONSE TO GOVERNMENT HACKING

WHAT IS GOVERNMENT HACKING?

We define hacking as the manipulation of software, data, a computer system, network, or other electronic device without the permission of the person or organization responsible for the device, data, or service or who is ultimately affected by the manipulation.

We consider government hacking in three categories based on the broad goal to be achieved:

  1. Messaging control: Hacking to control the message seen or heard, specifically by a particular target audience.
  2. Causing damage: Hacking to cause some degree of harm to one of any number of target entities.
  3. Commission of surveillance or intelligence gathering: Hacking to compromise the target in order to get information, particularly on an on-going basis.

All government hacking substantially interferes with human rights, including the right to privacy and freedom of expression. While in many ways this interference may be similar to more traditional government activity, the nature of hacking creates new threats to human rights that are greater in both scale and scope. Hacking can provide access to protected information, both stored or in transit, or even while it is being created or drafted. Exploits used in operations can act unpredictably, damaging hardware or software or infecting non-targets and compromising their information. Even when a particular hack is narrowly designed, it can have unexpected and unforeseen impact.

HOW DOES GOVERNMENT HACKING IMPLICATE HUMAN RIGHTS?

Based on analysis of human rights law, we conclude that there must be a presumptive prohibition on all government hacking. In addition, we reason that more information about the history and the extent of government hacking is necessary to determine the full ramifications of the activity.

In the first two categories — messaging control and causing damage — we determine that this presumption cannot be overcome. However, we find that, with robust protections, it may be possible, though still not necessarily advisable, for the government to overcome the presumptive prohibition in the third category, government hacking for surveillance or intelligence gathering. We note that the circumstances under which it could be overcome are both limited and exceptional.

In the context of government hacking for surveillance, Access Now identifies Ten Human Rights Safeguards for Government Hacking, including vulnerability disclosure and oversight, that must both be implemented and complied with to meet that standard. Absent government compliance with all ten safeguards, the presumptive prohibition on hacking remains. In addition, the high threat that government hacking poses to other interests, defined in greater detail in our report, may (and probably should) necessitate additional limitations and prohibitions.

Government hacking threatens human rights embodied in international documents.

There should be a presumptive prohibition on all government hacking. In any instance where government hacking is for purposes of surveillance or intelligence-gathering, the following ten safeguards must all be in place and actually complied with in order for a government to successfully rebut that presumption.

Government hacking for the purposes of messaging control or causing damage cannot overcome this presumption.

1. Government hacking must be provided for by law, which is both clearly written and publicly available and which specifies the narrow circumstances in which it could be authorized. Government hacking must never occur with either a discriminatory purpose or effect;

2. Government actors must be able to clearly explain why hacking is the least invasive means for getting Protected Information in any case where it is to be authorized and must connect that necessity back to one of the statutory purposes provided. The necessity should be demonstrated for every type of Protected Information that is sought, which must be identified, and every user (and device) targeted. Indiscriminate, or mass, hacking must be prohibited;

3. Government hacking operations must never occur in perpetuity. Authorizations for government hacking must include a plan for concluding the operation. Government hacking operations must be narrowly designed to return only specific types of authorized information from specific targets and to not affect non-target users or broad categories of users. Protected Information returned outside of that for which hacking was necessary should be purged immediately;

4. Applications for government hacking must be sufficiently detailed and approved by a competent judicial authority who is legally and practically independent from the entity requesting the authorization and who has access to sufficient technical expertise to understand the full nature of the application and any likely collateral damage that may result. Hacking should never occur prior to authorization;

5. Government hacking must always provide actual notice to the target of the operation and, when practicable, also to all owners of devices or networks directly impacted by the tool or technique;

6. Agencies conducting government hacking should publish at least annually reports that indicate the extent of government hacking operations, including at a minimum the users impacted, the devices impacted, the length of the operations, and any unexpected consequences of the operation;

7. Government hacking operations must never compel private entities to engage in activity that impacts their own products and services with the intention of undermining digital security;

8. If a government hacking operation exceeds the scope of its authorization, the agency in charge of the authorization should report back to the judicial authority the extent and reason;

9. Extraterritorial government hacking should not occur absent authorization under principles of dual criminality;

10. Agencies conducting government hacking should not stock vulnerabilities and, instead, should disclose vulnerabilities either discovered or purchased unless circumstances weigh heavily against disclosure. Governments should release reports at least annually on the acquisition and disclosure of vulnerabilities.

In addition to these safeguards, which represent only what is necessary from a human rights perspective, the judicial authority authorizing hacking activity must consider the entire range of potential harm that could be caused by the operation, particularly the potential harm to cybersecurity as well as incidental harms that could be caused to other users or generally to any segment of the population.

TECH MONEY LURKS BEHIND GOVERNMENT PRIVACY CONFERENCE - The Intercept 20160915

In January, academic-turned-regulator Lorrie Cranor gave a presentation and provided the closing remarks at PrivacyCon, a Federal Trade Commission event intended to “inform policymaking with research,” as she put it. Cranor, the FTC’s chief technologist, neglected to mention that over half of the researchers who presented that day had received financial support from Google — hardly a neutral figure in the debate over privacy. Cranor herself got an “unrestricted gift” of roughly $350,000 from the company, according to her CV.

Virtually none of these ties were disclosed, so Google’s entanglements at PrivacyCon were not just extensive, they were also invisible. The internet powerhouse is keenly interested in influencing a lot of government activity, including antitrust regulation, telecommunications policy, copyright enforcement, online security, and trade pacts, and to advance that goal, has thrown around a lot of money in the nation’s capital. Ties to academia let Google attempt to sway power less directly, by giving money to university and graduate researchers whose work remains largely within academic circles — until it gains the audience of federal policymakers, as at PrivacyCon.

Some research at the event supported Google’s positions. An MIT economist who took Google money, for example, questioned whether the government needed to intervene to further regulate privacy when corporations are sometimes incentivized to do so themselves. Geoffrey Manne, the executive director of a Portland-based legal think tank that relies on funding from Google (and a former Microsoft employee), presented a paper saying that “we need to give some thought to self-help and reputation and competition as solutions” to privacy concerns “before [regulators start] to intervene.” (Manne did not return a request for comment.) Other research presented at PrivacyCon led to conclusions the company would likely dispute.

The problem with Google’s hidden links to the event is not that they should place researchers under automatic suspicion, but rather that the motives of corporate academic benefactors ought to always be suspect. Without prominent disclosure of corporate money in academia, it becomes hard for the consumers of research to raise important questions about its origins and framing.

Google declined to comment on the record for this article.

How Tech Money Flows to Privacy Scholars

Google’s ties to PrivacyCon are pervasive enough to warrant interrogation. As a case study in how pervasive and well-concealed this type of influence has become, PrivacyCon is hard to beat.

Authors of a whopping 13 out of 19 papers presented at the conference and 23 out of 41 speakers have financial ties to Google. Only two papers included disclosure of an ongoing or past financial connection to Google.

Other tech companies are also financially linked to speakers at the event. At least two presenters took money from Microsoft, while three others are affiliated with a university center funded by Amazon, Facebook, Google, Microsoft, and Twitter.

“Are we getting voices that have never received money from a company like Google?” — Paul Ohm, Georgetown

But Google’s corporate adversaries are helping to shine a spotlight on what their fellow travelers describe as Google’s particularly deep ties to academia. Those ties are a major focus of a new report from an entity called the Google Transparency Project, part of a charitable nonprofit known as the Campaign for Accountability. The Campaign for Accountability, in turn, receives major, undisclosed funding from Google nemesis and business software company Oracle, as well as from the Bill and Melinda Gates Foundation, which was set up by the co-founder and longtime CEO of Google rival Microsoft (the nonprofit says its funding sources have no bearing on its work to expose funding sources). The Intercept, meanwhile, operates with funding from eBay founder Pierre Omidyar. In other words, tech money even pervades the research into everything tech money pervades. But even accepting that, the report does highlight the extent to which Silicon Valley is widening its influence at the intersection of academia and government.

Take MIT professor Catherine Tucker, who in one PrivacyCon paper argued against proposed government regulations requiring genetic testing services to obtain a type of written permission known as “informed consent” from patients. Tucker added that such a requirement would deter patients from using the testing services and specifically cited one such service, 23andMe, a firm that Google has invested in repeatedly, most recently in October, and whose CEO is the ex-wife of Google co-founder Sergey Brin. Tucker did not disclose in the paper that she has received over $150,000 in grants from Google since 2009, plus another $49,000 from the Net Institute, a think tank funded in part by Google. Contacted by email, Tucker answered that she discloses “nearly two pages of grants from, and consulting work for, a variety of companies and other organizations, on my CV.”

Google has been appreciative of Tucker’s conference work. In a series of emails between Google and George Mason University law professor James Cooper for a 2012 policy conference, first reported by Salon, a Google representative went so far as to personally recommend the marketing professor as someone to invite:

Cooper did not return multiple requests for comment on this story. Reached for comment via email, Cranor replied that she lists “the funder(s) in the acknowledgments of the specific papers that their grant funded,” and that there “have also been press releases about most of the Google funding I received, so everything has been fully disclosed in multiple places.” Cranor added that “all of these grants are made to Carnegie Mellon University for use in my research,” and “I did not receive any of this money personally.” But it is surely worth noting that one of the press releases Cranor references says that “each funded project receives an individual Google sponsor to help develop the research direction and facilitate collaboration between Google and the research team.” Cranor did not reply when asked what role “an individual Google sponsor” has played in her research.

Nick Feamster, a Princeton professor, presented at PrivacyCon on internet-connected household objects and did not disclose that he’s received over $1.5 million in research support from Google. Over email, Feamster told The Intercept that any notion of a conflict “doesn’t even make any sense given the nature of the content we presented,” which included descriptions of security shortcomings in the Nest smart thermostat, owned by Google. “If they were really trying to exert the ‘influence’ that the [report] is trying to suggest, do you think they would have influenced us to do work that actually calls them out on bad privacy practices?”

Many other PrivacyCon speakers, like Omer Tene, an affiliate scholar at Stanford’s Center for Internet and Society, don’t seem ever to have received money from Google; rather, a department or organization they work for is funded in part by Google. On the CIS website, this is made plain:

We are fortunate to enjoy the support of individual and organizational donors, including generous support from Google, Inc. Like all donors to CIS, Google has agreed to provide funds as unrestricted gifts, for which there is no contractual agreement and no promised products, results, or deliverables. To avoid any conflict of interest, CIS avoids litigation if it involves Google. CIS does not accept corporate funding for its network neutrality-related work.

The CIS website also cites Microsoft as a funding source, along with the National Internet Alliance, a telecom lobbying group.

“Neither Google nor any of the other supporters has influenced my work,” Tene told me, referring to his long bibliography on personal data and online privacy.

But support at the institutional level may still influence individual behavior. Cooper, the George Mason staffer who reached out to Google for advice on a privacy conference in the screenshot above, works as the director of the program on economics and privacy at the university’s Law and Economics Center, which has received at least $750,000 from Google, as well as additional funds from Amazon, AT&T, and Chinese internet giant Tencent. A 2015 report in Salon detailed close ties between Google and Cooper, including emails indicating that Google was shopping an op-ed written by Cooper to newspapers, and other messages where Cooper asks Google for help crafting the content of a “symposium on dynamic competition and mergers”:

Cooper also wrote pro-Google academic papers, including this one for the George Mason Law Review entitled “Privacy and Antitrust: Underpants Gnomes, the First Amendment, and Subjectivity,” where he argues that privacy should not be included in any antitrust analysis. Cooper does not disclose Google’s funding of the [Law and Economics Center] in the article. Other pro-Google articles by Cooper, like this one from Main Justice, do include disclosure.

Cooper presented at this year’s PrivacyCon and did not disclose his relationship with Google. Cooper did not return a request for comment.

Among the PrivacyCon presenters who have benefited from non-Google generosity: Carnegie Mellon University’s Alessandro Acquisti and Columbia University’s Roxana Geambasu received $60,000 and $215,000 in Microsoft money, respectively, on top of financial ties to Google. Both co-authored and presented papers on the topic of targeted advertising. Acquisti’s papers, which did not disclose his funding sources, concluded that such marketing was not necessarily to the detriment of users. Geambasu (to her credit) produced data that contradicted Google’s claims about how targeting works and disclosed her financial relationship with the company. She also noted to The Intercept that “all my funding sources are listed in my resume,” located on her website.

The University of California, Berkeley’s International Computer Science Institute, which had an affiliated researcher presenting at PrivacyCon, counts on not just Google for its survival, but Microsoft, Comcast, Cisco, Intel, and Samsung. Two PrivacyCon submissions came out of Columbia’s Data Science Institute, which relies on Yahoo and Cisco. The Center for Democracy and Technology — which employs one PrivacyCon presenter and co-organized a privacy conference with Princeton in May — is made possible not just by Google but also an alphabet of startup and legacy tech money, according to IRS disclosures: Adobe, Airbnb, Amazon, AOL, Apple, all the way down to Twitter and Yahoo. Corporate gifts are often able to keep entire academic units functioning. The CMU CyLab, affiliated with four PrivacyCon presenters, is supported by Facebook, Symantec, and LG, among others.

Narrower Disclosure Standards in Academia

Contacted by The Intercept, academics who took money from tech companies and then spoke at PrivacyCon without disclosure provided responses ranging from flat denials to lengthy rationales. Some of the academics argued that just because their institution or organization keeps the lights on because of Silicon Valley money doesn’t mean they’re beholden to or even aware of these benefactors. But it’s harder to imagine, say, an environmental studies department getting away with floating in Exxon money, or a cancer researcher bankrolled by Philip Morris. Like radon or noise pollution, invisible biases are something people both overstate and don’t take seriously enough — anyone with whom we disagree must be biased, and we’re loath to admit the possibility of our own.

Serge Egelman, the director of usable security and privacy at Berkeley’s International Computer Science Institute, argued that this is hardly an issue unique to Google:

I am a Google grant recipient, as are literally thousands of other researchers in computer science. Every year, like many other companies who have an interest in advancing basic research (e.g., Cisco, IBM, Comcast, Microsoft, Intel, etc.), Google posts grant solicitations. Grants are made as unrestricted gifts, meaning that Google has no control over how the money is used, and certainly cannot impose any restrictions over what is published or presented. These are grants made to institutions, and not individuals; this has no bearing on my personal income, but means that I can (partially) support a graduate student for a year. Corporate philanthropy is currently filling a gap created by dwindling government support for basic research (though only partially).

He also added that no matter who’s paying the bills, his research is independent and strongly in the public interest:

My own talk was on how Android apps gather sensitive data against users’ wishes, and the ways that the platform could be improved to better support users’ privacy preferences. All of my work in the privacy space is on protecting consumers’ privacy interests and this is the first time anyone has accused me of doing otherwise.

The list of people who spoke at PrivacyCon are some of the most active researchers in the privacy space. They come from the top universities in computer science, which is why it’s no surprise that their institutions have received research funding from many different sources, Google included. The question that you should be asking is, was the research that was presented in the public interest? I think the answer is a resounding yes.

Acquisti, the PrivacyCon presenter from CMU, is a professor affiliated with the university’s CyLab privacy think tank and shared a 2010 $400,000 Google gift with FTC technologist Cranor and fellow CMU professor Norman Sadeh before submitting and presenting two PrivacyCon papers sans disclosure, plus one presentation that included a disclosure. When the gift was given, the New York Times observed that “it is presumably in Google’s interest to promote the development of privacy-handling tools that forestall federal regulation.” Over email, Acquisti argued that disclosure is only necessary when it applies to the specific funding for a body of work being published or presented. That is, once you’ve given the talk or published a paper, your obligation to mention its financing source ends: “It would be highly misleading and incorrect for an author to list in the acknowledgements of an article a funding source that did NOT in fact fund the research activities conducted for and presented in that article.” In fact, Acquisti said, “It would be nearly fraudulent”:

It would be like claiming that funds from a certain source were used to cover a study (e.g. pay for a lab experiment) while they were not; or it would be like claiming that a research proposal was submitted to (and approved by) some grant committee at some agency/institution, whereas in fact that institution never even knew or heard about that research. … This is such a basic tenet in academia.

This line of reasoning came up again and again as I spoke to privacy-oriented researchers and academics — that papers actually should not mention funding directed to the researcher for other projects, even when such disclosure could bear on a conflict of interest, and that, for better or for worse, this deeply narrow standard of disclosure is just the way it is. And besides, it’s not as if researchers who enjoy cash from Google are necessarily handing favors back, right?

According to Paul Ohm, a professor of law and director at Georgetown University’s Center on Privacy and Technology, that’s missing the point: The danger of corporate money isn’t just clear-cut corruption, but subconscious calculus among academics about their research topics and conclusions and invisible influence that funding might cause. Ohm said he continually worries about “the corrupting influence of corporate money in scholarship” among his peers.

“I think privacy law is so poorly defined,” Ohm told The Intercept, “and we have so few clear rules for the road, that people who practice in privacy law rely on academics more than they do in most areas of the law, because of that it really has become a corporate strategy to interact with academics a lot.”

It’s exactly this threat that a disclosure is meant to counter — not an admission of any wrongdoing but a warning that it’s possible the work in question was compromised in some way, however slight. A disclosure isn’t a stop sign so much as one suggesting caution. That’s why Ohm thinks it’s wise for PrivacyCon (and the infinite stream of other academic conferences) to err on the side of too much disclosure — he goes as far as to say organizers should consider donor source diversity in a “code of conduct.”

“Let’s try to make sure we have at least one voice on every panel that didn’t take money,” Ohm said. “Are we getting voices that have never received money from a company like Google?” And ultimately, why not disclose? Egelman, from UC Berkeley’s International Computer Science Institute, told me he thought extra disclosures wouldn’t be a good way for “researchers [to] use valuable conference time.” Ohm disagrees: “I don’t think it’s difficult at the beginning of your talk to say, ‘I took funding in the broader research project of which this a part.’” In other words: Have you taken money from Google? Are you presenting to a room filled with regulators on a topic about which you cannot speak without the existence of Google at least looming overhead? It would serve your audience — and you — to spend 10 seconds on a disclosure. “Disclosure would have been great,” Ohm said of PrivacyCon. “Recent disclosure would have been great. Disclosure of related funding would have been great.” Apparently, only two other researchers agreed.

Hans-Christian Ströbele - Obama should pardon Edward Snowden

Hans-Christian Ströbele

Green party member of the German Bundestag


When I met Edward Snowden in Moscow in October 2013, he told me that he would eventually like to live in a country where democracy and the rule of law are respected. I can think of two ways to make that happen.

First, President Obama could pardon Snowden at the end of his last term, in the way other outgoing presidents have done in the past. Second, Snowden could be awarded the Nobel peace prize, which would bestow him a certain degree of immunity in the US even if he isn’t pardoned: during the cold war, for example, we saw that the Soviet Union was unwilling to prosecute people who had been awarded with such an internationally recognised honour.

The key to both of these solutions doesn’t lie in our hands, but there is something we all can do. Like Oliver Stone’s new film, we can try to help emphasize that there is another side to Snowden’s story than the one that prevails in the US media: that this is a man with a lot of integrity, who did a great merit for the civil rights and privacy for the mankind and who knew what he was doing when making an extremely risky decision.

Lawrence Wilkerson - Obama should pardon Edward Snowden, and yet ...

Lawrence Wilkerson

Retired US army colonel and former chief of staff to US secretary of state Colin Powell


Frankly, I believe that were Snowden to return to the US, he would be treated badly; so much so, that even if he were fully pardoned – and could convince himself that that were truly so – he would still be treated very badly.


That, sadly, is the nature of our country these days (some would argue we have always been thus and point to all manner of cases from the Salem witch trials to Alger Hiss, to the Rosenbergs, to the San Francisco 49ers quarterback now being shouted down for his refusals with respect to the US national anthem). Snowden’s actions, in many minds, constitute treason. I’m quite certain that most of the following of Donald Trump, for example, would want him in prison for life at best and hanged at worst.

After listening to Snowden on tape and video multiple times, I believe him to be a highly courageous and extremely ethical young man. He just might be the type who could weather such a storm and lead an otherwise productive life, like Daniel Ellsberg has for example. That might make him a martyr to some; but he will remain a villain to many others.

Am I for pardoning him? I would have to know a great deal more about the real impacts of his revelations – not the lies the government tells – before I could formulate my view. None of this truth is about to be forthcoming, so I really cannot make an informed judgment. It’s shameful because I don’t think any reasonable citizen can.

Edgar, T - Why Obama should pardon Edward Snowden - 20160914

I have signed on to the letter asking President Obama to pardon Edward Snowden that was released today.  I know this will be an unpopular position among many of my former colleagues in the national security community.  My reasons for doing so are not fully captured by that letter.  They are different from those who see Snowden simply as a hero and the NSA as the villain.  I have concluded that a pardon for Edward Snowden, even if he does not personally deserve one, is in the broader interests of the nation.

Around the time Edward Snowden got his first job in the intelligence community, I decided to leave my position as an ACLU lawyer in the hope I could make a difference by going inside America’s growing surveillance state.  Surprisingly, senior intelligence officials took a chance on hiring me in a unique new office safeguarding civil liberties and privacy.  I began work in June 2006.

For the next seven years, I worked with a growing team of internal privacy watchdogs inside the intelligence community.  We reviewed the most secret surveillance programs in government, including the major programs that Snowden later leaked.  Our job was to ensure those programs had a firm basis in law and included protections for privacy and civil liberties.  While I am proud of the work we did, it is fair to say that until Snowden stole a trove of top secret documents and gave them to reporters in 2013, we had limited success.  It took a Snowden to spark meaningful change.

The NSA’s operations are essential to national security and to international stability, but it is hard to reconcile them with the values of a free society.  Snowden forced the NSA to become more transparent, more accountable, more protective of privacy—and more effective.  Today, the NSA’s vital surveillance operations are on a sounder footing—both legally and in the eyes of the public—than ever before.

For that, the United States government has reason to say, “Thank you, Edward Snowden.”

The Snowden Reforms

In the last four years, there have been more significant reforms to mass surveillance than we saw in the four decades before the Snowden revelations began.  Not since the post-Watergate reforms of the Ford and Carter administrations has the intelligence community faced such scrutiny.  The NSA has taken painful steps to open up.  The most secret of the government’s secret agencies will never be a model of transparency.  Still, it has never been more transparent than it is today.

Before Snowden, basic information like the number of targets of the NSA’s mass surveillance operations affected by court-ordered surveillance was a closely-guarded secret.  Today, the head of the intelligence community publishes an annual transparency report that provides these and other details.

Before Snowden, the NSA used a secret interpretation of the Patriot Act to amass a nationwide database of American telephone records.  Congress has now replaced this program of bulk collection with an alternative program that leaves the data with telephone companies.

Before Snowden, the secret court that authorizes intelligence surveillance never heard more than the government’s side of the argument. Now, outside lawyers routinely appear to argue the case for privacy.

Before Snowden, there was no written order, directive or policy that gave any consideration to the privacy of foreigners outside the United States.  When intelligence officials asked lawyers like me about privacy, it went without saying that we were talking about American citizens and residents.  Today, for the first time in history, a presidential directive requires privacy rules for surveillance programs that affect foreigners outside the United States.  In an agreement with the European Union, the American government has been forced to adopt new protections for foreign data. In the next few years, the NSA’s partners in the United Kingdom will have to justify the surveillance practices of both countries in court against human rights challenges.

In 2017, Congress will review PRISM—a program leaked by Snowden that allows the NSA to obtain e-mails and other communications from American technology companies.  The law that provides authority for PRISM expires at the end of the year. The law also gives the NSA access to the internet backbone facilities of American telecommunications companies, in a program called “upstream collection.”  Until Snowden leaked details about PRISM and upstream collection, little was known about how the law worked.  Thanks to Snowden, the debate over whether and how these programs should continue will be one in which the public is reasonably well informed – unlike the debates in Congress over the Patriot Act in 2001, 2005, 2009, and 2011, over the Protect America Act in 2007, over the FISA Amendments Act in 2008 and 2012, and over the constitutionality of the FISA Amendments Act in the Supreme Court in 2013.

The NSA’s new transparency about its surveillance operations showed that they were designed not to bring about a dystopian society where privacy would be abolished, but to collect intelligence vital to the national security.  To be sure, Snowden’s trove of documents and the investigations that followed showed some programs were more effective than others.  The same privacy board that reviewed PRISM said that the NSA’s bulk collection of American telephone records had “minimal value.”  The board could find “no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack.”  Still, there has been remarkably little evidence of intentional abuse of the NSA’s sweeping powers for improper purposes unrelated to intelligence.  None was revealed by Snowden.  In response to inquiries from Congress in the fall of 2013, the NSA itself disclosed that its inspector general had uncovered a dozen incidents over ten years in which analysts used overseas collection to spy on ex-girlfriends.

As a result, the programs Snowden exposed have all survived in some form.  In the case of telephone records, the NSA says that the privacy reforms adopted by Congress have actually resulted in “access to a greater volume of call records” than before. Many of the NSA’s other mass surveillance programs also enjoy greater public support and legitimacy than they did before Snowden came along.  As Jack Goldsmith observes wryly, “These are but some of the public services for which the U.S. government has Snowden to thank.”

A Failure of Leadership

Edward Snowden’s actions caused great damage to national security.  They should not have been necessary to achieve the sensible reforms of the past four years.  That they were represents a failure of leadership by the intelligence community and the national security teams of the previous two administrations.  For me, that failure is at least in part a personal one.

As a privacy and civil liberties official inside the intelligence community, and later at the White House, my job was precisely to provide top officials with confidential advice about how to ensure that intelligence programs were protective of our liberties.  In doing so, I made just the sort of arguments that many have said Snowden should have raised internally instead of compromising classified information.  Unlike Snowden, I had direct access to the officials that could have made surveillance reform a reality—and who did so, after the Snowden leaks forced their hand.  There is no way a junior NSA contractor could have accomplished more.

Snowden’s critics argue that he should have made his concerns about privacy known through official channels without disclosing secrets and without breaking the law.  That would have achieved nothing—even in an imaginary world in which the agency had a perfect system for protecting whistleblowers.  Snowden’s concerns were not those of a traditional whistleblower.  Snowden’s complaint was not that the NSA was violating its rules, but that its aggressive pursuit of its mission—even as it largely adhered to its existing rules – posed a serious risk to privacy in the digital age.  If Snowden was wrong about mass surveillance being an “architecture of oppression,” he was certainly right about that, as many government officials have now acknowledged.

There is an inherent tension between the values of a free society and mass surveillance.  For Snowden and his supporters, the answer is easy.  End mass surveillance—which is to say, most of what the NSA does.  Those of us who believe that the NSA’s far-flung operations are essential to national security and global stability have the harder task of keeping mass surveillance under control.

If Snowden deserves our thanks for both this round of surveillance reform and the next, it is only because the laws and institutions we created to control surveillance had become so obsolete.  Intelligence agencies should not need the shock of a massively damaging leak to abandon programs that are not working and refine and improve those that are.  Disclosing details of classified programs should not be the most effective way to force change.

What Do We Do With Snowden?

It makes no sense for the United States government to pursue Snowden like a digital age Inspector Javert while at the same time admitting that his actions strengthened both our civil liberties and our national security.  This is especially true because it was the intelligence community’s own shortcomings that made his reckless leak the only effective way to achieve reform.

If Snowden returned to the United States today, of course, he would have to stand trial for disclosing classified communications intelligence, among other serious crimes.  This will never happen.  Snowden’s lawyers know he would likely be convicted and would face a lengthy prison term.  Under federal sentencing guidelines, an offender with no criminal history who is convicted of disclosing “Top Secret” communications information under 18 U.S.C. § 793(d) faces a prison term in the range of 168-210 months, or 14 to 17.5 years.  See U.S.S.G.M. § 2M3.2.  Snowden might face a considerably longer sentence if convicted of additional charges, or as a result of sentencing enhancements.  Naturally, Snowden prefers to stay abroad.

The law does not allow the public interest defense that Snowden says he wants, nor should it.  Permitting such a defense would encourage copycats.  A Snowden wannabe might hope his lawyer could convince a credulous jury that his leaks also had some positive outcome, even if the benefits were scant.  The Snowden disclosures were a unique watershed event, resulting in historic reforms.  It is highly unlikely a future leak of classified surveillance information would produce such positive change.

While Snowden might be enticed to return if offered a favorable plea agreement, negotiating such a deal would create poor incentives. One idea, favored by the top lawyer for the intelligence community, was for Snowden to plead guilty to a single felony charge and serve three to five years in exchange for his help undoing the damage he caused.  Through his lawyer, Snowden has said he would never plead guilty to a felony.  If a plea deal was ever really on the table, Snowden has less to offer every day, as the information he leaked becomes stale and the intelligence community moves on.  In any event, the Justice Department rightly objects to negotiating plea agreements with fugitives, to avoid giving those who flee prosecution an advantage over those that do not.

The Status Quo

Nevertheless, the status quo is clearly not in American interests.  Snowden’s exile in Russia is a continuing embarrassment.  Snowden has become a potent symbol for privacy and civil liberties, human rights, and an open internet in which surveillance operations are controlled by law.  His presence in Moscow is a gift to Vladimir Putin, allowing the Russian president to cynically pose as a defender of digital human rights.  Every time Snowden makes a virtual appearance before his admirers, the unspoken message is that he has been forced to seek asylum because the United States opposes these values.  The message is no less effective for being false and unfair.

By contrast with a trial or a plea agreement, a pardon is an unreviewable act of discretion by the president.  Presidents have used them not only to correct injustices, but also when the broader interests of the nation outweigh the importance of punishing a crime even where some punishment is clearly deserved.  Gerald Ford pardoned Richard Nixon to help the country move beyond Watergate.  Jimmy Carter pardoned draft dodgers to close the chapter on the Vietnam War.

Pardons are exceedingly rare.  A pardon sets no precedent and so creates no incentives.  Future leakers could not count on one.  Even if Snowden does not deserve a pardon for what former Attorney General Eric Holder called his act of “public service,” we should give him one and move on.  We are the good guys. It is time for the world to know it again.

Timothy H. Edgar is the academic director of law and policy at Brown University's Executive Master in Cybersecurity program, and visiting scholar at Brown University’s Watson Institute for International and Public Affairs. He was the first-ever director of privacy and civil liberties for the White House National Security Staff during President Obama’s first term, focusing on cybersecurity, open government, surveillance and data privacy. Under George W. Bush, Mr. Edgar was the first deputy for civil liberties for the director of national intelligence, from 2006 to 2009. He was the national security counsel for the American Civil Liberties Union from 2001 to 2006. He clerked for Judge Sandra Lynch, United States Court of Appeals for the First Circuit. He is a graduate of Harvard Law School and Dartmouth College.

Canadian government expects another Snowden-level leak, documents say - Toronto Star 20160709


Revelations about Five Eyes mass surveillance have “changed the tone” on Internet issues, but Canada wants free and open cyberspace.

It’s not a matter of if there will be another Edward Snowden, it’s a matter of when, according to internal government documents obtained by the Star.

Global Affairs officials warned minister Stéphane Dion in November an event on the scale of Snowden’s disclosures about Internet surveillance is inevitable.

“Incidents similar to the Snowden disclosures and the Sony hack will happen again and we can expect that sudden events will affect international debates on cyberspace,” the document reads.

The briefing note, prepared for Dion in November and obtained under access to information law, suggests that Snowden’s disclosures about Western mass surveillance “altered the tone” of the international discussion on cyberspace.

In 2013 Snowden, a former employee of the U.S. National Security Agency (NSA), pulled back the curtain on mass surveillance online, detailing the capabilities of the “Five Eyes” countries — Canada, the United States, the U.K., Australia and New Zealand — to monitor activity online. His release of classified NSA documents triggered outrage among those who said he put lives at risk, and praise from others who argued he shed light on questionable practices and has forced needed change. He was forced to flee the U.S. and was granted asylum in Russia.

Then in 2014, hackers broke into Sony company computers and released thousands of emails, documents and sensitive personal information. U.S. federal investigators blamed North Korea.

While Canada has long advocated for an open and free Internet, suggestions that the nation’s spy agency the Communications Security Establishment (CSE) has engaged in mass online surveillance have complicated that narrative.

But the documents state Ottawa remains committed to a free Internet — not only from a democratic point of view, but for the potential for Canadian businesses and consumers to access ever-broadening online markets.

“The Internet owes its success to its open design, its global and interconnected nature, and its flexible and inclusive governance structure,” the documents read.

“All states are grappling with how to harness the potential of networked technologies while managing their far-ranging impacts … The goal (for Canada) is to protect human rights and democratic space, recognize legitimate public safety needs, and preserve the openness and dynamism that has brought about such enormous benefit.”

In a statement Saturday, a spokesperson for Global Affairs said the federal government believes that protecting online privacy and supporting human rights go hand in hand.

“Canada is concerned about rising threats emanating from cyberspace, including from repressive governments and their proxies, as well as the growing threats posed by cybercrime and terrorists’ use of the Internet,” wrote spokesperson John Babcock in an email to the Star.

“While addressing cyber threats, we must not legitimize Internet controls that will be used to restrict human rights and freedoms and hinder the free flow of information.”

The Star reported in 2015 that CSE has stepped up their efforts to guard against “insider threats” since Snowden shared an unprecedented trove of intelligence documents with journalist Glenn Greenwald in 2013. The move was also prompted by a Halifax-based Royal Canadian Navy officer, Jeffrey Delisle, who sold secrets to Russia in 2012.

“Following the unauthorized disclosures of Canadian Navy Sub-Lieutenant Jeffrey Delisle and NSA contractor Edward Snowden, CSE has intensified its efforts to tighten already stringent security,” read CSE’s 2013-14 report to the minister of national defence.

The documents note that Canadian media coverage about Internet security has tended to focus on large-scale hacks, such as the 2014 breach at the National Research Council, or the Heartbleed exploit used on the Canada Revenue Agency that same year.

But officials make clear Canada’s interest in the file goes beyond playing defence against malicious actors. The documents note that a number of “authoritarian regimes” are hoping to impose greater control over their citizens’ access to cyberspace.

“Domestically, they employ repression and censorship. Internationally, they lobby for greater state regulation of cyberspace, including calls to bring it under UN control,” the documents read.

“They also seek to rewrite current understandings of international law to shape the international cyber environment to reflect their values and interests. The same states also exploit cyberspace through espionage and theft of sensitive information from government and private sector networks, including those of Canada.”

Officials censored the names of individual countries they accused of such actions, although Ottawa has previously called out China as the hand behind the NRC hack. At the same time, other countries have accused Five Eyes partners of conducting economic espionage of their own.

The documents note that Global Affairs has been involved in a range of activities promoting an open and free internet, including advocating for human rights and freedoms online and committing $8 million over the last decade to promote cyber security in the Americas and Southeast Asia.

Encryption actually protects law-abiding Canadian citizens - Toronto Star 20160710

When it comes to policing and national security, far too often Canadians are asked to let fear trump their rights.

Recently, the front page of the Toronto Star featured the headline, “Encryption creating a barrier for police ...,” potentially convincing some readers that the technology’s only purpose is to aid criminals. Rarely do we see headlines such as, “Encryption protects thousands of Canadians’ credit card information,” or “Encryption enables secure communications for every Canadian,” or even the aspirational, “Canada leads the way in cybersecurity for its citizens.”

Increasingly, when we hear about encryption in the media, or from public safety officials, it’s presented as a danger — something that prevents those whose job it is to keep us safe from fulfilling their role. However, in the vast majority of transactions online by ordinary, law-abiding citizens, encryption is a good thing that makes personal, sensitive data harder to capture and decipher. Indeed, if more data were stored in encrypted form, sensational breaches of privacy — like the one that drove some Ashley Madison users to suicide — could be avoided.

Acknowledging that encryption can be a good thing for society doesn’t erase police concerns about data access; it contextualizes them. We at the Canadian Civil Liberties Association (CCLA) have long been supporters of warrants, the process by which police can go before a judge to demonstrate that their need to intercept a suspect’s private communications is reasonable and proportionate.

While we understand that warrants aren’t helpful if data can’t be decrypted, reports indicate police now have the tools, and are working with technology companies, to gain access to even the most complex of encrypted data. For example, as we learned from the Project Clemenza investigation, police can now decrypt BlackBerry communications and are making extensive use of Stingray technology, which allows for the mass interception of cellphone data.

We also know the FBI has developed a hack to intercept messages on Tor networks, which are designed for secure, private communications. Even the infamous Apple v. FBI case ended with the FBI getting what it wanted.

An increasing lack of public trust, that invasive technologies will be used proportionately by security and law enforcement agencies, is attributed to an excessive attention to privacy rights, encouraged by privacy advocates. What we hear from concerned citizens, however, is not that they prioritize privacy over all else, not that they don’t value security, and not that they don’t appreciate the need for police to use new technologies to deal with new threats.

Rather, they tell us, there is way too much secrecy and way too little accountability surrounding the ways these technologies are used. This is not an invention concocted by privacy advocates, such as CCLA; it’s the result of an increasing disjunction between the stories people hear and their expectations of appropriate conduct in the name of public safety.

For example, when the Communications Security Establishment used information from the free internet service at a major Canadian airport to track the wireless devices of thousands of ordinary airline passengers for days after they left the terminal, many Canadians felt intuitively it was intrusive and wondered if it was illegal. But it wasn’t. That’s the kind of situation that erodes the trust that is fundamentally necessary for the social license law enforcement needs to function effectively.

Another example is the aforementioned Stingray technology, which apparently has been quietly used in Canada for a number of years. Police maintain that secrecy gives them the edge they need against increasingly sophisticated criminals. However, Canadians have legitimate concerns that when a powerful technology is used in secret, it’s impossible to ascertain whether it’s being used wisely and proportionately, and if necessary safeguards are in place.

While it would clearly be more convenient for police to have instant access to all the information they want, it wouldn’t ensure crimes are investigated justly, or with respect for the innocent bystanders whose data gets swept up, and that matters too.

A recent survey on Canadian identity, published in October by the national statistics agency, found that the Charter of Rights and Freedoms was chosen as Canada’s most important national symbol, with 93 per cent support.

In other words, Canadians consider rights protection to be core to their sense of who we are as a people. Thus, it’s time to stop looking at rights, the technologies that protect them, and people who argue for them, as barriers.

Indeed, it’s time we talked about public safety, new technologies, and reasonable expectations in a way that rebuilds trust and provides a solid foundation for a Canada in which our persons, property and rights all have strong and effective protection.

Dr. Brenda McPhail is the director of the privacy, technology and surveillance project at the Canadian Civil Liberties Association.

Snowden Tried to Tell NSA About Surveillance Concerns, Documents Reveal - VICE 20160606

On the morning of May 29, 2014, an overcast Thursday in Washington, DC, the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, wrote an email to high-level officials at the National Security Agency and the White House.

The topic: what to do about Edward Snowden.

Snowden's leaks had first come to light the previous June, when the Guardian's Glenn Greenwald and the Washington Post's Barton Gellman published stories based on highly classified documents provided to them by the former NSA contractor. Now Snowden, who had been demonized by the NSA and the Obama administration for the past year, was publicly claiming something that set off alarm bells at the agency: Before he leaked the documents, Snowden said, he had repeatedly attempted to raise his concerns inside the NSA about its surveillance of US citizens — and the agency had done nothing.

Some on the email thread, such as Rajesh De, the NSA's general counsel, advocated for the public release of a Snowden email from April 2013 in which the former NSA contractor asked questions about the "interpretation of legal authorities" related to the agency's surveillance programs. It was the only evidence the agency found that even came close to verifying Snowden's assertions, and De believed it was weak enough to call Snowden's credibility into question and put the NSA in the clear.

Litt disagreed. "I'm not sure that releasing the email will necessarily prove him a liar," Litt wrote to Caitlin Hayden, then the White House National Security Council spokesperson, along with De and other officials. "It is, I could argue, technically true that [Snowden's] email... 'rais[ed] concerns about the NSA's interpretation of its legal authorities.' As I recall, the email essentially questions a document that Snowden interpreted as claiming that Executive Orders were on a par with statutes. While that is surely not raising the kind of questions that Snowden is trying to suggest he raised, neither does it seem to me that that email is a home run refutation."

Within two hours, however, Litt reversed his position, and later that day, the email was released, accompanied by comment from NSA spokesperson Marci Green Miller: "The email did not raise allegations or concerns about wrongdoing or abuse."

Five days later, another email was sent — this one addressed to NSA director Mike Rogers and copied to 31 other people and one listserv. In it, a senior NSA official apologized to Rogers for not providing him and others with all the details about Snowden's communications with NSA officials regarding his concerns over surveillance.

The NSA, it seemed, had not told the public the whole story about Snowden's contacts with oversight authorities before he became the most celebrated and vilified whistleblower in US history.

Hundreds of internal NSA documents, declassified and released to VICE News in response to our long-running Freedom of Information Act (FOIA) lawsuit, reveal now for the first time that not only was the truth about the "single email" more complex and nuanced than the NSA disclosed to the public, but that Snowden had a face-to-face interaction with one of the people involved in responding to that email. The documents, made up of emails, talking points, and various records — many of them heavily redacted — contain insight into the NSA's interaction with the media, new details about Snowden's work, and an extraordinary behind-the-scenes look at the efforts by the NSA, the White House, and US Senator Dianne Feinstein to discredit Snowden.

The trove of more than 800 pages [pdf at the end of this story], along with several interviews conducted by VICE News, offers unprecedented insight into the NSA during this time of crisis within the agency. And they call into question aspects of the US government's long-running narrative about Snowden's time at the NSA.

* * *

The Obama administration spent the spring of 2014 engaged in highly classified talks centered around three events: Snowden's testimony to European Parliament in March, the release of a 20,000-word April 2014 Vanity Fair story about Snowden, and his first US television interview, with NBC News's Brian Williams, in May.

In all three instances, Snowden insisted that he repeatedly raised concerns while at the NSA, and that his concerns were repeatedly ignored. In his testimony to the European Parliament on March 7, he was asked whether he "exhausted all avenues before taking the decision to go public."

"Yes," he said. "I had reported these clearly problematic programs to more than 10 distinct officials, none of whom took any action to address them. As an employee of a private company rather than a direct employee of the US government"—Snowden had been a contractor with Booz Allen Hamilton when he leaked the documents—"I was not protected by US whistleblower laws, and I would not have been protected from retaliation and legal sanction for revealing classified information about law breaking in accordance with the recommended process."

Four days after Snowden's testimony, the chief of the NSA's counterintelligence investigations division sent an email with the subject line "Snowden Claims" to Richard Ledgett, the deputy director of the NSA and the head of the so-called Media Leaks Task Force established the previous year to investigate Snowden's leaks to journalists. Also copied were Leoinel Kemp Ensor, the NSA's security chief, and other NSA officials.

"As requested we, ADS&CI [the NSA's associate director security & counterintelligence] and FBI, have conducted extensive research into [Snowden's statement to the European Parliament]," the NSA counterintelligence official wrote. "This included a review of all interviews and case material to include all paperwork and interviews collected/conducted with contractors Dell and Booz Allen Hamilton."

In several emails, Snowden, as a systems administrator for Dell in August 2012, provided NSA officials with tech support on FISA templates.

"Our findings are that we have found no evidence in the interviews, email, or chats reviewed that support his claims," the NSA official continued. The official did, however, acknowledge that Snowden had at the very least brought up privacy while at the agency. "Some coworkers reported discussing the Constitution with Snowden, specifically his interpretation of the Constitution as black and white, and others reported discussing general privacy issues as it relates to the Internet."

Because none of the people interviewed by the NSA in the wake of the leaks said that "Snowden mentioned a specific NSA program," and "many" of the people interviewed "affirmed that he never complained about any NSA program," the NSA's counterintelligence chief concluded that these conversations about the Constitution and privacy did not amount to raising concerns about the NSA's spying activities.

That was the basis for the agency's public assertions — including those made by Ledgett during a TED talk later that month — that Snowden never attempted to voice his concerns about the scope of NSA surveillance while at the agency.

* * *

Snowden declined to answer a number of very specific questions for this story. His attorney, Ben Wizner of the ACLU, told VICE News that Snowden is "ambivalent" about discussing the issues raised by the NSA documents because he doesn't trust the NSA's motives for releasing them.

"[Snowden] believes the NSA is still playing games with selective releases, and [he] therefore chooses not to participate in this effort," Wizner said. "He doesn't trust that the intelligence community will operate in good faith."

Due to the review process conducted by the government before releasing requested documents, FOIA releases are "selective" by their very nature. A series of guidelines determines what the government can and can't keep from the public, but ultimately the interpretation of those guidelines can be relatively subjective. It is not a process unique to the NSA.

What's remarkable about this FOIA release, however, is that the NSA admitted it removed the metadata in emails related to its discussions about Snowden. In a letter disclosed to VICE News Friday morning following inquiries we made about discrepancies in some of the emails turned over to us, Justice Department attorney Brigham Bowen said, "Due to a technical flaw in an operating system, some timestamps in email headers were unavoidably altered. Another artifact from this technical flaw is that the organizational designators for records from that system have been unavoidably altered to show the current organizations for the individuals in the To/From/CC lines of the header for the overall email, instead of the organizational designators correct at the time the email was sent."

* * *

Snowden's email, which would go on to spark so much debate at the highest levels of government, from the NSA to the Department of Justice (DOJ) to Congress to the White House, was inspired by a question on a training test. The NSA portrayed it as an innocuous question that elicited a direct response when it released the email in 2014. But the declassified documents tell a somewhat different story, with multiple people from different departments becoming involved in formulating an answer.

On April 5, 2013 — a year before the Vanity Fair story came out — Snowden clicked the "email us" link on the internal website of the NSA's Office of General Counsel (OGC) and wrote, "I have a question regarding the mandatory USSID 18 training."

United States Signals Intelligence Directive 18 (USSID 18) encompasses rules by which the NSA is supposed to abide in order to protect the privacy of the communications of people in the United States. Snowden was taking this and other training courses in Maryland while working to transition from a Sysadmin to an analyst position. Referring to a slide from the training program that seemed to indicate federal statutes and presidential Executive Orders (EOs) carry equal legal weight, Snowden wrote, "this does not seem correct, as it seems to imply Executive Orders have the same precedence as law. My understanding is that EOs may be superseded by federal statute, but EOs may not override statute."

(Illustration by Todd Detwiler)

About 20 minutes after Snowden sent the email, an OGC office manager forwarded it to the Signals Intelligence Oversight and Compliance training group — the people who had designed the test.

"OGC received the question below regarding USSID 18 training but I believe this should have gone to your org instead," the office manager wrote. "Can you help with this?" The office manager also cc'd Snowden.

But the next working day, April 8, the email and question were sent right back to the OGC. The woman who did this would later explain to NSA investigators, "Although I felt comfortable answering his question, I thought it was more appropriate for OGC to respond since the authority documents include legalities and the individual wanted them ranked in precedence order." So she forwarded the email to two OGC attorneys who "had recently provided the hierarchy of the authorities" in the training program to which Snowden was referring.

Snowden's email was unusual, the lawyer recalled. Indeed, a Security & Counterintelligence official said in an email a year later that officials had spoken to "the lawyer who responded to Snowden's inquiry and she remembered considering calling Snowden since the inquiry was out of the ordinary. However, she decided not to and instead in her email invites him to call her if he wanted further discussion. She does not recall any actual telephonic contact by Snowden."

When one of the lawyers responded to Snowden that Monday, she cc'd five people: three in the Oversight and Compliance Office (referred to at the agency with the letters SV), as well as two other OGC lawyers.

The lawyer who responded to Snowden explained to him in an email, "Executive Orders (E.O.s) have the 'force and effect of law.' That said, you are correct that E.O.s cannot override a statute." Snowden read this email, then put it in a folder in his inbox.

In a recent interview with VICE News, Litt, who in 2014 had expressed misgivings about the email before reversing himself, said: "To the extent Snowden was saying he raised his concerns internally within NSA, no rational person could read this as being anything other than a question about an unclear single page of training."

Less than six weeks after he sent the email, Snowden would be on a plane to Hong Kong with thousands of highly classified government documents. In a report on the subsequent investigation, a special agent pointed out what Snowden had already done by the time he sent his email.

"It should be noted this is four months after contacting Glenn Greenwald (according to Greenwald) and three months after contacting Laura Poitras (according to Poitras and Greenwald)," the special agent wrote. Poitras is the filmmaker Snowden originally contacted along with Greenwald and Gellman. "So this email is not evidence that he tried to raise concerns about NSA procedures through official channels before turning to the media." It is not clear whether Snowden had yet shared any documents with the journalists.

* * *

In April 2014, the month after he testified before the European Parliament, Snowden again challenged the NSA's public narrative about his failure to raise concerns at the agency. In advance of the publication of the Vanity Fair story, the magazine posted a preview online on April 8. "The NSA... not only knows I raised complaints, but that there is evidence that I made my concerns known to the NSA's lawyers, because I did some of it through e-mail," he said. "I directly challenge the NSA to deny that I contacted NSA oversight and compliance bodies directly via e-mail and that I specifically expressed concerns about their suspect interpretation of the law."

Later that day, someone from the Media Leaks Task Force circulated an email with the subject line, "FYSA: Snowden Allegation in Pending Vanity Fair Article." (FYSA is an acronym for "for your situational awareness.") A day later, Rogers, who had been NSA director for only a week, stated that he favored openness and transparency in the agency's response to Snowden.

"Let's be ready to be very public here," Rogers wrote in an email to Ledgett, De, Ethan Bauman (the director of the NSA's Office of Legislative Affairs), Frances Fleisch (the agency's executive director), and other officials whose names were redacted. "If [Snowden's] claims are factually incorrect and we do not have security concerns with the subject matter we should be very forthright in stating his claims are factually incorrect. I want us to do the coordination ASAP [versus] waiting for an article and then spending three weeks debating our way ahead."

This was easier said than done. On the morning of April 10, a day before the full Vanity Fair article was published, someone at the NSA sent an email to Arlene Grimes in the agency's office of public affairs, cc'ing several other officials, to recommend "the best way forward" in light of Rogers' directive.

"One of the key issues in any response will be the degree of certainty we express on the specific issue of outreach by Snowden to express concerns," the NSA official wrote.

Henceforth, the Media Leaks Task Force's main mission would be to take "more proactive actions to undermine future and recurring false narratives" by Snowden, as one NSA official wrote. The task force could use Snowden's email, the official said, to accomplish that goal by "contacting Vanity Fair BEFORE they publish and let them know that we plan to immediately and publicly challenge that assertion AND make clear that we warned Vanity Fair that the facts are wrong."

To go forward with this plan, the NSA needed two things: Absolute certainty that Snowden had not communicated his concerns, and approval from the DOJ to release the email.

The NSA appeared to have neither.

Emails show that the DOJ preferred that Snowden's email not be publicly released. In addition, some in the NSA believed that additional investigations were necessary to ensure Snowden had not raised concerns.

"We need great certainty about whether or not there is/was additional correspondence before we stake the reputation of the Agency on a counter narrative," a person from the task force replied in an email addressed to counterintelligence, the legislative affairs office, and the office of general counsel on April 9. "I am going to trigger an action for the appropriate organizations to do an e-mail search [redacted] to affirm that there is no further correspondence that could substantiate Snowden's claim."

A little before 6:30 the next morning, someone from the task force sent an email to the chief of the NSA's counterintelligence division.

"One last question that woke me up last night, do you know if [redacted] who received the April [2013] e-mail from Snowden was specifically asked if she received any further correspondence?" the person wrote. "I ask only because there probably isn't anyone checking her e-mail queue since she is now retired. I'm just trying to be as sure as possible we've asked the right people and checked the right places for any potential surprises."

The woman in question was the lawyer at the OGC who had addressed Snowden's email and its query about legal hierarchies. (She had indeed retired from the NSA in the interim.) The counterintelligence chief wrote that the woman had not recalled any interaction when she was questioned by the NSA in the wake of Snowden's leaks, but that he would "triple check."

The counterintelligence chief got in touch with the retired lawyer, and about an hour after their conversation, sent another email.

"Spoke with [redacted] at home," the chief wrote. "She said no telephonic contact after the email. Also confirmed that Snowden did not reply to her response which matches what we see in the email. Our review of his email did not turn up any additional emails that match the description in the [Vanity Fair] article. I truly believe we have the right one. I have asked DOJ to call me so we can discuss the release issue [of the email]. I have heard that [redacted] is not happy that I am talking to DOJ, but I am not too concerned with that right now."

"Thanks," the task force official replied. "I'll visit you when they put you in prison for talking to DOJ."

Bauman sent an email on the afternoon of April 10 to David Grannis, then the staff director for the Senate Intelligence Committee, and other congressional staffers alerting them to the pending Vanity Fair article. Bauman also provided them with a redacted copy of the Snowden email.

On April 11, Vanity Fair released its story. That afternoon, Ledgett sent an email to Teresa Shea, the director of signals intelligence — or SIGINT, which is responsible for decoding electronic communications — and a number of officials whose names were redacted. (Later that year, Shea left the NSA after BuzzFeed reported that she and her husband ran a SIGINT "contracting and consulting" business out of their house in what appeared to be a conflict of interest with her official NSA duties.) The email, with the subject line, "Vanity Fair Article With Fugitive – May Cause Additional Work," said "the much anticipated Vanity Fair article with the fugitive is out.... Probably the most concerning issue in the article is the fugitives [sic] assertion that he raised complaints with NSA lawyers and oversight and compliance personnel."

The scramble in the lead-up to the article's publication to make certain Snowden hadn't logged his concerns within the agency is especially notable in light of one fact: Ledgett had already said unequivocally that Snowden hadn't raised any formal concerns — and he had said it in the article itself, having been interviewed well in advance of its publication. He added that if Snowden made his concerns known to anyone personally, they had not stepped forward to alert the NSA during the agency's subsequent internal investigation.

The article, and Snowden's assertion in it that he had repeatedly made his concerns known in email, was the catalyst for VICE News' initial FOIA request, filed the same day the preview was released. But the assertion did not prompt widespread coverage in the media, which may have given NSA officials the impression that the agency could move on.

"The good news is that this article has not received any bounce and there have been no media queries today," Grimes wrote on the afternoon of April 10.

Grimes spoke six weeks too soon.

* * *

On the morning of May 23, 2014, Matthew Cole, then an investigative reporter with NBC News, sent an email to NSA public affairs. He wished to alert them to NBC's exclusive on-camera interview with Snowden, which would be his first with a US television network. (The interview had first been revealed by the Washington Post a day earlier.)

"As you may have seen, NBC News will be airing a long interview with Edward Snowden," Cole wrote in an email addressed to NSA spokesperson Vanee Vines and ODNI spokesperson Shawn Turner. "Given that he makes plenty of claims in the interview, I have the enviable job of checking the veracity of said claims. Is it possible to discuss by phone at your earliest convenience?"

Vines asked him to put what he needed in writing.

"Let's start with this one, but I will still need to have a follow up phone conversation," Cole responded. "Can the NSA and/or DNI confirm or deny that Mr. Snowden sent emails to the NSA's OGC or any other internal/agency legal compliance body? NBC News is aware that in the past NSA has denied that they can find any such emails."

The same day, Cole submitted a short FOIA request to the NSA, asking for "any and all emails, documents, or any other form of communication" between Snowden and any legal authorities within the agency. Although VICE News and a number of other media outlets had already filed FOIA requests for the same documents, the NSA now began to discuss taking quick action because of the pending broadcast of NBC's interview.

Vines was part of the team that had spent several weeks dealing with identical claims Snowden had made to Vanity Fair a month earlier, so she was well aware of the existence of Snowden's lone email. But she was coy with Cole.

"What do you mean? An email about *what*?" Vines wrote to him before repeating an NSA statement from December 2013 saying that investigations found no evidence that Snowden ever brought up his concerns.

Cole responded by asking for the documents again, "based on more detailed claims in our interview."

Vines immediately forwarded the exchange to De, the NSA's general counsel.

"[With] its story done, NBC is asking us to fact-check. Incredible," Vines wrote. "We'll get more info soon from the producer. In the meantime, there's apparently a fresh claim about email the leaker [Snowden] allegedly sent to OGC or a compliance official."

De, a staunch advocate for releasing Snowden's email, informed Vines that the NSA had already been speaking to the White House about Snowden's claims. He asked Vines to see if she could ferret out additional details from Cole about the interview.

Later that day, Feinstein, the chairwoman of the Senate Intelligence Committee, sent word over to the NSA that she expected a "forceful NSA response" to Snowden's claims.

"You can help temper expectations by making clear [to Feinstein] that we were not aware of this story before it was publicly advertised and until yesterday had not been contacted to respond to any issues," the person wrote. "We have not been and don't expect to be given much if any detail beyond the public 'teaser.' We can only crystal ball so much, especially when the protagonist is not bound by facts or the truth."

Vines sent out a "situational awareness" email alerting NSA officials that NBC News had an "'agreement'/relationship with Mr GlennG [Glenn Greenwald]. It has been working w/him on stories in recent months." A separate email was sent by another NSA official to Fleisch and others at the agency that said Greenwald, Poitras, and Greenwald's husband, David Miranda, "may also be involved in the broadcast." Fleisch then informed Rogers, Ledgett, and Elizabeth Brooks, the agency's chief of staff, about the pending broadcast; intense discussions were held to determine how the agency, and the Obama administration, would respond.

The following morning, De sent someone at NSA an email with the subject line "NBC/email."

"I need very senior confirmation [Kemp/Moultrie) [a reference to the NSA's director of security and Ron Moultrie, then the NSA's deputy SIGINT director] that all possible steps have been taken to ensure there are no other emails from [Snowden] to OGC," De wrote.

Those assurances apparently could not be provided — even though the agency had publicly been saying over the course of a year that no other relevant communications from Snowden existed.

"Raj, if you are looking for 100% assurance there isn't possibly any correspondence that may have been overlooked I can't give you that," an NSA official, whose name was redacted, wrote in response to De. "If you asked me if I think we've done responsible, reasonable and thoughtful searches I would say 'yes' and would put my name behind sharing the e-mail as 'the only thing we've found that has any relationship to [Snowden's] allegation. Give [sic] Snowden's track record for truth telling we should be prepared that he could produce falsified e-mails and claim he sent them. The burden then falls to us to prove he didn't (you know how that will end)."

That morning, Hayden, the National Security Council spokesperson, sent an email to Vines, Stuart Evans at the DOJ, and Litt at the ODNI, which is entirely redacted. At about the same time, De emailed someone asking, "Why is DOJ weighing in on our obligations under privacy act," an indication that Justice was interfering in the NSA's decision to release Snowden's email.

"I have no idea," the person responded to De.

In the early evening of May 24, Rogers suggested that the NSA finally release Snowden's email, which Rogers mistakenly said Snowden had addressed to the agency's Inspector General (IG).

"I'd love to share the specifics of the only e-mail we have that [Snowden] sent to the IG which asked a very broad question on the hierarchy of law vs the direction in regulation and other publications and which never mentioned privacy concerns once," Rogers wrote.

An NSA official offered up several options for dealing with NBC News, only one of which was left unredacted: "Option 1 – Engage NBC in dialog before their program airs about our factual understanding (a single outreach [from Snowden] noted, barely relevant to his claims."

That's the option Rogers chose.

Vines then sent a note about whether the NSA should release Snowden's "ONE email to NSA OGC (and OGC's response to his very benign question." Included on the correspondence were officials from the NSA, the DOJ, and the White House. Vines noted that a number of news organizations had filed FOIA requests for any emails in which Snowden raised concerns, and if the NSA were to release the single email the agency said it found, it would need to be released "to all."

Several responses by Hayden, De, and Litt followed and continued throughout the weekend; Hayden appeared to have enormous influence over whether the NSA could release the email.

On Tuesday, May 27, a day before NBC aired the first part of its interview, Cole emailed Vines and asked her to respond to seven very specific questions about Snowden and his work, though none touched on whether Snowden raised concerns at the agency.

Vines forwarded the email to officials but didn't respond to Cole's queries.

It appears that during the weeklong exchange between officials at the NSA, DOJ, ODNI, and White House, someone went above Cole's head and reached out to executives at NBC. In an email Vines sent to Hayden on May 28, she said that Cole once again contacted her seeking a response to his inquiries.

The NSA's release of a 2013 email to employees marks the first official confirmation that Snowden had also worked with the CIA.

"Matthew Cole, the 'investigative producer', assigned to NBC's project, again asked... about the e-mail today," Vines wrote. "I'm guessing that execs above him have not filled him in."

Hayden's reply was redacted, but it appears that NBC was informed about the email, possibly by Hayden. In another email on May 28 to Vines, De, and other senior White House and DOJ officials, Hayden said NBC contacted her and asked "whether our search was just of e-mails to OGC or also to the Compliance Office. Can folks confirm?"

"EVERYTHING email and registry wise was checked," someone whose name was redacted responded.

That evening, NBC News aired the first part of its interview with Snowden, which included his claims that he raised concerns and complaints about NSA surveillance programs before he made off in May 2013 with thousands of classified documents.

"We should release the Snowden email ASAP," De wrote in an email late that evening to Ledgett and another person whose name was redacted.

Unlike the Vanity Fair story, the NBC News report generated widespread media interest. Just before midnight on May 28, Vines sent a "situational awareness" email to Hayden, De, and others.

"Reuters is now pounding the pavement over the email issue," she wrote. "[Brian] Williams clearly said multiple sources confirmed at least 1 email" that Snowden had sent raising his concerns.

Vines had been hoping the NSA could immediately respond to the claims by releasing the email, thereby undercutting Snowden. Hayden, however, said the administration would not be able to resolve that question "tonight." Hayden added that she saw "relatively little Twitter discussion on the interview."

By the following morning, the NSA was hastily arranging to have the email released. The agency prepared a rough Q&A for officials there and at the White House and DOJ focusing on questions to which they would have to be prepared to respond, such as: "What is the training and awareness provided to gov't and contractor employees about reporting activities they perceive to be inconsistent with law or ethics?... Did we receive correspondence from Edward Snowden about his concerns?... How was our search for any correspondence from him conducted?... Is it possible there is correspondence we overlooked, didn't record?"

Also on the morning of May 29, Litt, in an email sent to high-level officials at the NSA, White House, and DOJ, shared a communication he received from Grannis, the staff director for Feinstein at the Intelligence Committee, about Snowden's email:

FYI received the attached from David Grannis, which I believe may reflect conversations he had with others as well.

Is there any reason not to make public the one email that NSA/FBI have located between Snowden and NSA people involving a legal question? That email is certainly not what Snowden described in the interview.... The only reason that I can see not to release the email exchange is if people are concerned that there are other emails out there, so I suppose that is a question of how confident are people in their ability to search old records. That shouldn't be too difficult.

(By the way, Sen. Feinstein spoke last week to [White House Chief of Staff] Denis McDonough and [Obama's counterterrorism adviser] Lisa Monaco about this very thing, having been tipped off it would be part of the interview. I followed up with NSA OLA [Office of Legislative Affairs] to make sure there was a response in place. I haven't seen anything yet.)

De appeared to be exasperated.

"OK. I seem to be the only one who thinks we should do something, so I will back off if everyone disagrees," he replied.

"Raj: This is still an active discussion," Hayden responded.

De, who has since left NSA, did not respond to requests for comment.

About three hours before Snowden's email was publicly released — and while Hayden, De, Litt, and the NSA's public affairs team continued to debate the merits of the release — a special agent assigned to the NSA's counterintelligence division sent an email to other counterintelligence officials about additional Snowden emails found within the divisions at the NSA that Snowden said he had contacted with his concerns.

There were about 30 emails discovered from the security office that Snowden either sent or received. The special agent said many of them were "blast emails" from a redacted source to an email list to which Snowden belonged. There was an email thread asking Snowden to call and discuss an issue he was having with his access card. And there was a thread in which Snowden wrote that his girlfriend had been invited to a pole dancing competition in China; presumably, he queried security officials about whether they could attend.

They were "counseled against... going," according to the special agent.

A special agent assigned to NSA counterintelligence provides a breakdown of emails the NSA said it found from offices Snowden said he contacted.

The special agent said there weren't any emails that Snowden sent or received from the Office of Inspector General. But there were seven emails discovered in the OGC, five of which were "regarding the ability to open certain documents."

"Strictly a technical trouble shooting email thread," the special agent wrote.

The confidence that the NSA would soon display publicly that it discovered only one email was not reflective of what was taking place behind the scenes. De was still looking for assurances that it was the only communication from Snowden — but no one could confidently say there weren't other emails that had been overlooked.

"I would encourage you to work with your staff to give yourself confidence that requests of your folks to check for records are/were sufficiently robust to underpin your personal level of confidence," someone at the NSA said in an email to De hours before Snowden's email was released. "I am not in any way suggesting that people did not take the requests seriously — they did, but they did so under time pressure."

Rogers was informed via email by someone at the NSA whose name was redacted that the plan, which was based on "dialog with the White House," called for White House press secretary Jay Carney to read a prepared statement and indicate that the one email Snowden wrote, "the same benign email that you and I discussed," would be released later in the day.

Carney was scheduled to give his daily press briefing at 12:30pm and would read a statement the NSA sent over characterizing Snowden's email. He would also be prepared to answer questions, if any were asked, about how the NSA planned to respond to Cole's FOIA request.

Vines said she intended to contact Cole and other journalists and would provide them with the email and the NSA's statement. Yet even as Carney's briefing was taking place, NSA officials were still trying to locate additional correspondence.

In the two years since the email was released, the NSA has not walked back its insistence that Snowden failed to raise concerns internally.

* * *

The NSA, of course, had not waited for Snowden's public comments in the spring of 2014 to start looking at his emails and investigating him. They started shortly after he leaked the documents in 2013.

On June 10, 2013, one day after Snowden revealed that he was the source of the leak in a video interview posted on the Guardian's website, the NSA sent an email out to its workforce seeking information from employees who'd had contact with Snowden. The email identified Snowden as a "current NSA contractor and former CIA affiliate"; the NSA's release of this email to VICE News marks the first official confirmation that Snowden had also worked with the CIA.

The email the NSA sent to its workforce the day after Snowden revealed himself. In it, the NSA identifies Snowden as a former CIA affiliate.

In a declaration filed last year in US District Court in response to our FOIA lawsuit, the NSA's director of Policy and Records, David Sherman, said that after Snowden leaked details about NSA surveillance programs, the agency collected and searched each and every email Snowden sent.

During a hearing in the case, Justice Department attorney Steve Bressler told US District Court Judge Ketanji Brown Jackson that "there were many searches very carefully conducted by human beings. These were manual 'eyeball on every email' searches conducted by people."

"My staff searched for any records expressing concern about NSA programs by reviewing each individual email in context to see if it was responsive," Sherman said.

The NSA defined a "concern" as a "worried feeling or state of anxiety about NSA programs rather than bringing up for discussion or consideration a matter of interest or importance." How the NSA applied that narrow definition of "raising concerns" to the emails they reviewed isn't clear.

* * *

Though the NSA publicly expressed confidence it would have found among all of Snowden's emails ones that more directly involved his concerns with domestic spying, it appears the agency did not obtain all of Snowden's emails. On April 10, 2014, a member of the media leaks task force asked the chief of the Counterintelligence Division whether "we had a clean capture of all of his work e-mail related to high-side [classified] email — to include any engagement with his Booz chain?"

The response notes that "we have his [Top Secret] NSANet email and his UNCLASSIFIED NSA.gov email," but is followed by several redactions, one quite long.

In June, the chief of staff of the Associate Directorate for Security and Counter Intelligence corrected a document for accuracy to clarify they had "reviewed all of the email and NSANet social media posts authored by Edward Snowden which we have been able to obtain," seemingly suggesting they were not confident they had obtained them all. Yet several other emails suggest NSA officials were confident they had gotten everything from Snowden's "final acts in government."

The same chief of staff also admitted, "it remains possible that unrecorded verbal communication existed between Snowden and one of the offices he cites, but we have not located any individual who remembers any such hypothetical conversations."

As it would turn out, more communications were located. But a person or people at the agency withheld these details, which contained important context about Snowden's correspondence, from the media — and initially even from Rogers.

* * *

About an hour after the email was released, and a few hours after Carney said only one piece of correspondence from Snowden had been located, a member of the Media Leaks Task Force sent an email to a dozen people and offices at the NSA saying the Office of Director of Compliance "reminded us of some other 'interactions' with Snowden that may need to be considered."

"[Redacted] dug this one out of the SSCT files for us.... It displays 2-3 additional contacts with the SV [Oversight and Compliance] contingent that we need to consider... but they do not appear to have any 'alarm' or 'concern' for illegal pr [program] questionable activities on the part NSA," the email said.

The emails found included the one that had been released; a "personal exchange" with an Oversight and Compliance official Snowden had when he "appeared at her desk with concerns about 'trick questions' in the test he was taking being the reason why he failed the test"; and the technical email exchanges related to a FISA "document template" in August 2012 while he served as a systems administrator with Dell. (FISA, or the Foreign Intelligence Surveillance Act, dictates a legal framework for wiretapping and other surveillance.)

The task force "does not see these as items that show his 'concerns'... but they do show interaction with the Compliance elements [that Snowden said he had and which the NSA denied] for NSA, albeit administrative in nature," the email said.

About 10 minutes later, a special agent from NSA's counterintelligence investigations division replied and said, remarkably, that they were unaware that Snowden had a verbal discussion with compliance.

"The in person contact is news to me, but again, not an actual complaint about the law or authorities (just that we use trick questions in our tests)," the special agent wrote.

An NSA counterintelligence investigations official reveals in an email, nearly one year after Snowden's leaks, that they were unaware Snowden had an in-person discussion about his concerns.

Forty-five minutes later came another reply, this one from the chief of the signals intelligence directorate's strategic communications team, a lieutenant colonel in the US Army, who asked his NSA colleagues to do a bit of soul-searching, and perhaps admit that they should shift their focus away from trying to hold Snowden accountable and instead focus on repairing the NSA's "brand."

"The contentions by the fugitive that he had umbrage with programs are not apparent, in any fashion, in these communications," the lieutenant colonel wrote.

The lieutenant colonel went on to say that the type of test Snowden had been taking when he asked about legal hierarchies was a standard one given to junior analysts or someone new to working signals intelligence at the National Threat Operations Center (NTOC). This, he argued, proved that Snowden was not working in a senior capacity at the NSA.

"Complaints about fairness/trick questions are something that I saw junior analysts in NTOC (and I had about 8 of them on my team in 20 months) would pose — these were all his and positional peers: young enlisted Troops, interns, and new hires," the officer wrote. "Nobody that has taken this test several times, or worked on things [redacted] for more than a couple of years would make such complaints."

Despite the discovery that Snowden had additional contacts with other divisions within the NSA — which the agency did not inform the media about, and which officials did not disclose to Rogers — a decision was made not to make mention of it in a final Q&A document prepared for the White House.

"There are obviously lots of contacts Snowden had with folks in various organizations of NSA while he was in access," wrote the NSA's deputy associate general counsel for administrative law and ethics in an email later on the afternoon of May 29, 2014. "So long as the Q and A remain fashioned about correspondence regarding 'his concerns' — i.e. reporting of violations; questions of lawfulness, etc... then it seems like the planned approach will still be accurate."

Later that day, Rogers sent an email to several officials and the public affairs office stating that the NSA should be proactive and transparent with the public "as long as we don't endanger any follow-on legal action."

"SEN Feinstein adding her thoughts to the public would be of value to the public I believe," Rogers said.

In a statement Feinstein posted to her website that afternoon, she noted that she was the one who had released the email and that the NSA told her committee it found no other "relevant communications from Snowden... in email or any other form," which turned out to be untrue. The email, her statement said, "poses a question about the relative authority of laws and executive orders — it does not register concerns about NSA's intelligence activities, as was suggested by Snowden in an NBC interview this week."

Shortly after the email was released, the Washington Post's Barton Gellman published an interview with Snowden, who responded to the release of the email by saying it was "incomplete."

It "does not include my correspondence with the Signals Intelligence Directorate's Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities — such as breaking into the back-haul communications of major US internet companies — are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations," Snowden said.

Snowden's statement resulted in a barrage of media inquiries to the Office of Public Affairs and dozens of FOIA requests seeking any additional material showing that he raised concerns. However, the NSA refused to entertain any additional questions, instead providing reporters with a copy of their prepared statement and the sole email.

A day after Snowden's email was released, the public affairs office asked the OGC to clear a statement to be sent to the NSA workforce. Grimes, one of the public affairs officials, explained in an email that "several questions" were submitted to the media leaks internal communications website since Snowden's NBC News interview had been broadcast two days earlier. The message to the workforce contained the prepared statement Carney read at the White House briefing along with a statement directed to NSA employees.

"We understand the frustration many must feel," a draft copy of the statement said. "Please understand we are making every effort to ensure that NSA continues to be transparent with the public while protecting sources and methods and the integrity of the investigation."

That evening, a special agent with the NSA's counterintelligence investigations wrote an email to others at counterintelligence, whose names were redacted:

"It's going to need to be crystal clear that we denied having correspondence containing any complaints, not that we denied having any correspondence period."

* * *

There were reasons to doubt the completeness of the NSA's search for Snowden's emails within an hour of the NSA's release of Snowden's one email.

At 1:13pm on the day the email was released, someone in OGC identified a new version of the OGC contact, which appears to have been missed because OGC (like Oversight and Compliance) alerted the counterintelligence people — not the Media Leaks Task Force — about the contact after Snowden came forward. By 3pm, those responding had found two more details they hadn't known before, including that the compliance woman had had a face-to-face interaction with Snowden, and that he had provided help to a compliance person having technical issues.

While the efforts on both the document search and the Q&A document continued, on June 3 it took on new urgency. Elizabeth Brooks, the NSA chief of staff, started doing a "review of the thoroughness of the check for material which may represent outreach by Edward Snowden to officials at NSA along the lines of what he claimed."

Multiple people offered to help, sending email threads from the previous days and weeks. By the end of the day, a senior member of the Media Leaks Task Force apologized to Rogers that he or she hadn't adequately informed him — and the 31 other people receiving the mail — about Snowden's interactions.

"I, as the accountable NSA official for Media Disclosures issues, accept responsibility for the representation that the only engagement we have uncovered is a single web platform e-mail engagement with an attorney in the NSA Office of General Counsel," the person wrote, taking responsibility for leaving NSA leadership "insufficiently informed about this matter," and promising "to correct for that going forward."

The first page of the apology email sent to Rogers and cc'd to more than 30 others.

The email went on to explain that what days of searches had discovered were in fact three interactions between Snowden and the Oversight and Compliance Office: the emailed question the training person received and then sent back to OGC; a face-to-face interaction with another training person; and Snowden offering assistance troubleshooting a problem with a document template while working for Dell in 2012.

The email includes a passage that describes the process NSA used to assess whether Snowden had raised concerns.

"Through interviews, research and solicitations for information in support of investigative and other requirements we have accumulated a set of data which represents our best, most authoritative capture of encounters initiated by Edward Snowden which may have some bearing on the investigation, media disclosures or his claims," the apology explained. "We cannot affirm with 100% certainty that this is a complete set of information, that would be impossible to achieve, but it is a body of knowledge upon which we can and have drawn some defendable conclusions."

The apology then reviews Snowden's claims, and concludes, in part, "no examples have been found that rise to the level of his claims." The apology is a remarkable example of accountability, but it still doesn't tell the whole story.

When the NSA first released Snowden's email, it suggested his question was simple and the answer straightforward. This was superficially true; does the NSA have to follow the laws passed by Congress — a set of laws generally called the Foreign Intelligence Surveillance Act — or can a presidential executive order, which for the intelligence community would be Executive Order 12333 (it governs intelligence activities), override that family of laws? OGC told Snowden that NSA has to follow the laws passed by Congress.

But the General Counsel's office and Oversight and Compliance had actually just been collaborating on the subject of Snowden's question as part of a revision to the training course. "Two of the OGC attorneys had recently provided the hierarchy of the authorities during the OVSC1800 [USSID 18] course development meetings," the Oversight and Compliance training woman said a year later while explaining why she sent the question back to OGC to answer. Perhaps for that reason, the two departments engaged in a discussion about who would answer it; six or seven people got involved in the response.

Then there was the in-person contact with Snowden. As the Oversight and Compliance training woman described in an email written a year later, he "appeared at the side of my desk in the Oversight and Compliance training area... shortly after lunch time." Snowden did not introduce himself, but "seemed upset and proceeded to say that he had tried to take" the basic course introducing Section 702 "and that he had failed. He then commented that he felt we had trick questions throughout the course content that made him fail." Once she gave him "canned answers" to his questions, "he seemed to have calmed down" but said "he still thought the questions tricked the students."

That may well have been what the exchange seemed like to the woman, though it is unlikely Snowden, who six weeks later would walk out of the NSA with thumb drives full of NSA secrets, was agonizing over failing an open-book test.

After fixing an obvious error in her description of the exchange she provided a year later, the Oversight and Compliance training woman said it would have happened "during the timeframe between 5-12 April 2013." That means the exchange occurred within a week — and possibly on one of the same days as — the discussions about how to respond to Snowden's emailed question to OGC, a question that was characterized as unusual. The training woman said Snowden did not introduce himself, which means she wouldn't have known he was the same person whose question she had sent back to OGC; nothing in her explanation reveals how she came to understand it was Snowden. But the NSA's records show OGC received complaints from Snowden about at least two different training programs within days, and that he knew they were speaking to each other about his question. In its internal assessment of Snowden's communications with the agency, however, the NSA treats these as two separate incidents.

There's evidence the NSA's training materials and courses at the time had significant errors. A revised Inspector General report on Section 702 of FISA, reissued just days before Snowden returned to Maryland for training on the program in 2013, found that the Standard Operating Procedures (SOPs) posted on the NSA's internal website, purportedly telling analysts how to operate under the FISA Amendments Act passed in 2008, actually referenced a temporary law passed a year earlier, the Protect America Act.

"It is unclear whether some of the guidance is current," the report stated, "because it refers only to the PAA," a law that had expired years before. A key difference between the two laws pertains to whether the NSA can wiretap an American overseas under EO 12333 with approval from the attorney general rather than a judge in a FISA Court. If the SOPs remained on the website when Snowden was training, it would present a clear case in which NSA guidance permitted actions under EO 12333 that were no longer permitted under the law that had been passed in 2008.

Similarly, a key FISA Amendments Act training course (not the one described in the face-to-face exchange, but another one that would become mandatory for analysts) didn't explain "the reasonable belief standard," which refers to how certain an analyst must be that their target was not an American or a foreigner in the US — a key theme of Snowden's disclosures. While some work on both these problems had clearly been completed between the time of the report's initial release and its reissue just days before Snowden showed up in Maryland, both these findings remained open and had been assigned revised target completion dates in the reissued report, suggesting the IG had not yet confirmed they had been fixed.

The issue of whether the presidential Executive Order that the Intelligence Community uses to authorize its overseas activities, EO 12333, can trump the law Congress passed in 1978 to impose limits on spying, has been a simmering issue since DOJ lawyer John Yoo secretly claimed in 2001 that FISA's limits on Executive Branch spying might be an unconstitutional infringement on the president's authority. It has been a public issue since 2006, when the DOJ revealed a theory that the war against al-Qaeda meant the president could override the law passed by Congress, and was a key issue in passage of the FISA Amendments Act in 2008.

It was central to one of Snowden's most inflammatory revelations, documents showing that the NSA was hacking Google overseas, effectively giving itself a way to bypass FISA and access domestically collected data directly. And it was an issue Feinstein and Senator Mark Udall raised in a confirmation hearing months before Feinstein would advocate an assertive response to Snowden's claims in 2014.

* * *

The video of Snowden released by the Guardian on June 9, 2013 may have been what triggered the woman from Oversight and Compliance to recognize that it had been Snowden who approached her at the NSA. The next morning, when she "realized I had contact with him," the first thing she did was try "to pull his training record, but it had already been pulled from the system." She "reported the [face-to-face] contact to my management and considered the issue closed."

If she did so in writing, that document was not released to VICE News. The emails do show that she emailed her supervisors on the other contact she had with Snowden, however; she forwarded the email chains involving the response to Snowden's OGC email, with the first of what may reflect four emails sent at 9:15am.

At 10:02am, the chief of Oversight and Compliance sent Ensor, the NSA's security chief, the third of those email chains, explaining, "Here's another data point on the Snowden situation."

The records turned over to VICE News do not show that the face-to-face exchange with Snowden was written up until April 9, 2014, a year after the exchange, after teasers from the Vanity Fair article revealed Snowden was claiming he "contacted NSA oversight and compliance bodies directly via email and that I specifically expressed concerns about their suspect interpretation of the law."

As noted, the compliance woman's story had to be corrected to match the dates up to when Snowden would have been at Fort Meade. "We received a call from D4 [Office of the Director of Compliance] questioning the dates (11 or 12 Jun) that [redacted] annotated during the discussions on" the Section 702 course, one of the other people in Oversight and Compliance wrote on April 10. She "has modified her dates to reflect 5-12 April 2013."

NSA did not provide a version of the draft of the email with the incorrect date. When the chief of Oversight and Compliance provided a description of all the department's interactions with Snowden to the NSA chief of staff, Elizabeth Brooks, in June 2014, there was no mention of any other paper trail of the exchange, though earlier that same day the deputy chief had stated, generally, that that information had been provided to Ensor on June 10, 2013.

(Illustration by Todd Detwiler)

In the absence of a response from NSA or Snowden, it is impossible to know what to make of this contact, the current version of which appears to have been drafted in response to Snowden's claims. One person who would speak on the record, however, is former NSA official turned whistleblower Thomas Drake. We asked him how the compliance department functioned, though we did not reveal to Drake details of this report. Drake told us, "These are positions that are designed to protect the institution from bad news, even internally. So, you know, 'We'll turn bad news into good news.'"

One thing that is clear, however, is that the apology laying all these details out, written after several days of fact checking at the NSA and document review in June 2014, leaves out at least one key detail — that the OGC email and the face-to-face communication could have happened the same day, making it far more likely they should be treated as parts of the same exchange. More significantly, the apology claims that "in response to the June 2013 Agency All... she provided in writing her account of these engagements." If the timestamps on documents provided to VICE News are correct (something that the NSA has admitted is a problem with this FOIA response), she actually provided her side of at least the OGC contact even before the Agency All email. But there is no record she provided her written account of either of these exchanges until a year after the event, a detail — if true — that Rogers should have known.

* * *

Snowden noted in his testimony to European Parliament that there was no safe avenue for contractors like him to raise concerns.

"US whistleblower reform laws were passed as recently as 2012, with the US Whistleblower Protection Enhancement Act, but they specifically chose to exclude intelligence agencies from being covered by the statute," Snowden said. "President Obama also reformed a key executive whistleblower regulation with his 2012 Presidential Policy Directive 19, but it exempted Intelligence Community contractors such as myself. The result was that individuals like me were left with no proper channels."

The NSA's director at the time Snowden left the agency, General Keith Alexander, was apparently unaware whether contractors were covered by whistleblower protection laws. He emailed Ledgett four days after Snowden testified before European Parliament on March 11, 2014.

According to an email he sent, former NSA director Keith Alexander was unaware whether contractors could report whistleblower complaints.

"Rick, I believe there is also a Whistleblower methodology for contractors. Do we have that?" Alexander wrote.

"Sir, it's not the recently enacted Whistleblower Protection Act but there are previous laws that protect contractors. Cc'ing Raj [De, the NSA general counsel], and [redacted] who can provide that info," Ledgett responded.

A person at the NSA whose name was redacted weighed in on another email, telling Alexander:

The Intelligence Community Whistleblower Protection Act of 1998 and Presidential Policy Directive PPD-19 provide a mechanism for both employees and contractors to report alleged wrongdoing. Whistleblowers can report matters of "urgent concern" to the NSA IG [Inspector General, a government organization's internal watchdog] and DoD IG. Whistleblowers, to include contractors, can report matters of "urgent concern" to the intelligence committees after notifying the NSA IG or DoD IG of the intent to do so and obtaining direction from the IG on how to contact the Intelligence Committees. The Whistleblower statute provides an avenue to report concerns related to classified matters without improperly disclosing classified information.

The Q&A document begun just before the release of the email, which started as a rushed attempt to provide more information to the White House — an attempt, De suggested, to "put off" the decision on whether to release Snowden's email — revealed, over the course of many rounds of editing and fact-checking, the limits of what the NSA would claim about its own oversight, Snowden's claimed efforts to raise concerns, and whistleblowing. An early draft aspired to determine "how many cases have been brought to the attention of Agency officials, and how those cases were closed out," but the final document states only that "NSA OIG keeps a record of all inquiries and actions taken."

Early on, it was noted that "technically speaking all reported activity that is found to be a violation of law, directive, or policy requires some corrective action." By the final version, NSA had changed that to read, "Activity that is found to be a violation of law, directive, or policy is thoroughly reviewed to determine corrective action."

By the end of the first day of working on the Q&A, a lawyer had suggested the issues Snowden claimed to care about did not pertain to ethics. "I recommend we drop the word 'ethics' and replace with 'policies' for Question #1. There is no annual 'ethics' training requirement for every employee," the lawyer noted. "In addition, 'ethics' issues are often about use of government resources and the like... not typically violations of the 4th Amendment type concerns."

The changes in the Q&A document also reflect the evolving understanding of Snowden's complaints. On June 3, not long before the apology to Rogers, the security chief of staff changed the characterization of what the email search had found "for purposes of accuracy" to state they had reviewed all of Snowden's emails "which we have been able to obtain."

NSA tried to make the case that Snowden should have known where to voice his concerns thanks to (sometimes mandatory) training that emphasized limits to the NSA's authority, and how to report any violations of those limits. "These specific training courses discuss the limitations of SIGINT authorities and mission operations to include reminders and guidance about who to contact with questions about scope of authorities, and who to contact if there are known or even potential compliance concerns," the Q&A document said.

The Q&A cited a basic training course, "NSA/CSS Intelligence Oversight Training," as the place where most people learn how to report a concern. The document claims, "Most contractors are required to take this course," and asserts Snowden is the kind of person, as a SysAdmin until 2012, and as an analyst trainee in 2013, who would have been required to complete it. But it stops short of asserting that Snowden did so.

The editing process of the Q&A document also indicates that the other means by which Snowden might have learned he could make protected complaints — via the IG himself — were not crystal clear.

The initial drafts of the document overstated the degree to which the NSA's IG invited whistleblowers to report legal violations. It started by claiming, "The NSA OIG [Office of Inspector General] also provides briefings to various NSA training classes, including the new hire orientation class." But on June 3, 2014, the IG's Executive Officer admitted, "Technically we are not quite briefing [that class] yet... still trying to get OIG on schedule."

Similarly, it claimed, "The OIG also issues agency-all messages covering policies and avenues for reporting suspected mismanagement and violations of law, policy, and regulations." But on June 4, the counsel to the Inspector General noted the agency-all messages "aren't as focused as the two [post-Snowden] ones you mention, and we might need to massage the words a little."

As the finished Q&A document makes clear, before Snowden's leaks, the most regular notice on reporting to all NSA employees from the IG pertained only to "waste, fraud, mismanagement of Agency resources, and abuse of authority." After that, in the spring of 2014, the IG sent out a notice stating that NSA/CSS Policy 1-60 "requires that NSA/CSS personnel report to the OIG possible violations of law, rules, or regulations," as well as things like mismanagement. It also cites the Intelligence Community Whistleblower Protection Act (ICWPA).

The Q&A document goes on to describe other reporting mechanisms, and includes one — the Privacy and Civil Liberties Office — that was created in August 2013 as a response to the Snowden leaks.

Thus, while the Q&A document does provide a map of ways in which legal issues might be raised, it's also a map of resources put in place in response to Snowden, an indication that the resources available to Snowden may have been inadequate.

And it's still not clear these policies apply to contractors. Congress is only now debating, in the Intelligence Authorization for next year, requiring the Intelligence Community Inspector General to report "the number of known or suspected reprisals made against covered contractor employees during the five-year period preceding the date of the report," and to evaluate "the usefulness of establishing in law a prohibition on reprisals against covered contractor employees as a means of encouraging such contractors to make protected disclosures."

Even though Litt claimed to be trying to provide more protections for contractors, he had not heard of this provision when asked during our interview. Instead, he offered reasons why the government can't protect contractor whistleblowers. "We are constrained what we can do with contractors," he explained. "We don't have the ability... to modify a contractor's employment relationship with his employer."

* * *

Last weekend, former Attorney General Eric Holder said Snowden's leaks, while illegal, were a public service because they sparked debate about the legality of surveillance programs and resulted in changes.

Senator Ron Wyden, one of the Democratic members of the Senate Intelligence Committee, agreed.

"Senator Wyden certainly believes that protections for intelligence agency whistleblowers need to be much stronger, to prevent retaliation and encourage reporting of serious systemic problems," said Keith Chu, a spokesperson for Wyden, who sits on the Senate Intelligence Committee. "However, in the case of mass surveillance, agency leaders, inspectors general, and the relevant oversight committees were all aware that mass surveillance was happening, but the problem was not fixed until it became public."

The NSA declined to respond to a series of questions VICE News sent the agency. Instead, on the afternoon of June 3, NSA spokesperson Michael Halbig provided VICE News with comments about avenues whistleblowers like Snowden could take to raise concerns about waste, fraud, and abuse. The NSA's statements closely match the language in the Q&A document prepared for the White House, which was turned over in much greater detail as part of the agency's FOIA response.

Perhaps the NSA was hoping to get ahead of VICE News's report. At 11:40pm on June 3, Vines, the NSA spokesperson who clashed with NBC's Matthew Cole and was critical of other journalists' coverage of Snowden, emailed VICE News to say that the 800 documents turned over to us after two years of litigation had been publicly posted to the agency's website.

An NSA cover letter accompanying the release on the website said, "The documents illustrate that, as the Agency reported in May 2014, NSA conducted a thorough search of e-mail and has no records of any e-mail from former NSA contractor Edward Snowden to Agency officials raising concerns about NSA programs."

The letter goes on to say: "[T]he Agency has no record that he submitted complaints to senior NSA leadership — including the NSA Director, Deputy Director, and Executive Director."

It's a denial of claims Snowden never made.