Tag Archives: Laura Poitras

Snowden's Chronicler Reveals Her Own Life Under Surveillance - Wired 20160204

Laura Poitras has a talent for disappearing. In her early documentaries like My Country, My Country and The Oath, her camera seems to float invisibly in rooms where subjects carry on intimate conversations as if they’re not being observed. Even in Citizenfour, the Oscar-winning film that tracks her personal journey from first contact with Edward Snowden to releasing his top secret NSA leaks to the world, she rarely offers a word of narration. She appears in that film exactly once, caught as if by accident in the mirror of Snowden’s Hong Kong hotel room.

Now, with the opening of her multi-media solo exhibit, Astro Noise, at New York’s Whitney Museum of American Art this week, Snowden’s chronicler has finally turned her lens onto herself. And she’s given us a glimpse into one of the darkest stretches of her life, when she wasn’t yet the revelator of modern American surveillance but instead its target.

The exhibit is vast and unsettling, ranging from films to documents that can be viewed only through wooden slits to a video expanse of Yemeni sky which visitors are invited to lie beneath. But the most personal parts of the show are documents that lay bare how excruciating life was for Poitras as a target of government surveillance—and how her subsequent paranoia made her the ideal collaborator in Snowden’s mission to expose America’s surveillance state. First, she’s installed a wall of papers that she received in response to an ongoing Freedom of Information lawsuit the Electronic Frontier Foundation filed on her behalf against the FBI. The documents definitively show why Poitras was tracked and repeatedly searched at the US border for years, and even that she was the subject of a grand jury investigation. And second, a book she’s publishing to accompany the exhibit includes her journal from the height of that surveillance, recording her first-person experience of becoming a spying subject, along with her inner monologue as she first corresponded with the secret NSA leaker she then knew only as “Citizenfour.”

Poitras says she initially intended to use only a few quotes from her journal in that book. But as she was transcribing it, she “realized that it was a primary source document about navigating a certain reality,” she says. The finished book, which includes a biographical piece by Guantanamo detainee Lakhdar Boumediene, a photo collection from Ai Weiwei, and a short essay by Snowden on using radio waves from stars to generate random data for encryption, is subtitled “A Survival Guide for Living Under Total Surveillance.” It will be published widely on February 23.

“I’ve asked people for a long time to reveal a lot in my films,” Poitras says. But telling her own story, even in limited glimpses, “provides a concrete example of how the process works we don’t usually see.”

That process, for Poitras, is the experience of being unwittingly ingested into the American surveillance system.

On the Government’s Radar
Poitras has long suspected that her targeting began after she filmed an Iraqi family in Baghdad for the documentary My Country, My Country. Now she’s sure, because the documents released by her Freedom of Information Act request prove it. During a 2004 ambush by Iraqi insurgents in which an American soldier died and several others were injured, she came out onto the roof of the family’s home to film them as they watched events unfolding on the street below. She shot for a total of eight minutes and 16 seconds. The resulting footage, which she shows in the Whitney exhibit, reveals nothing related to either American or insurgent military positions.

“Those eight minutes changed my life, though I didn’t know it at the time,” she says in an audio narration that plays around the documents in her exhibition. “After returning to the United States I was placed on a government watchlist and detained and searched every time I crossed the US border. It took me ten years to find out why.”

A Whitney Museum visitor looking at a selection of Poitras’ FOIAed documents framed in a collection of light boxes. ANDY GREENBERG
The heavily redacted documents show that the US Army Criminal Investigation Command requested in 2006 that the FBI investigate Poitras as a possible “U.S. media representative … involved with anti-coalition forces.” According to the FBI file, a member of the Oregon National Guard serving in Iraq identified Poitras and “a local [Iraqi] leader”—the father of the family that would become the subject of her film. The soldier, whose name was redacted, questioned Poitras at the time, and reported that she “became significantly nervous” and denied filming from the roof. He later told the Army investigators that he “strongly believed”—but without apparent evidence—“POITRAS had prior knowledge of the ambush and had the means to report it to U.S. Forces; however, she purposely did not report it so she could film the attack for her documentary.”

One page shown in the Whitney exhibit reveals that the New York field office of the FBI was tracking Poitras’ home addresses, and Poitras believes the reference to a “detective” working with the FBI indicates the New York Police Department may have also been involved. By 2007, the documents reveal that there was a grand jury investigation proceeding on whether to indict her for unnamed crimes—multiple subpoenas sought information about her from redacted sources. (Poitras says that the twelve pages she published in the Whitney exhibition are only a selection of 800 documents she’s received in her FOIA lawsuit, which is ongoing.)

Being Constantly Watched

Private as ever, Poitras declined to detail to WIRED exactly how she experienced that federal investigation in the years that followed. But flash forward to late 2012, and the surveillance targeting Poitras had transformed her into a nervous wreck. In the book, she shares a diary she kept during her time living in Berlin, in which she describes feeling constantly watched, entirely robbed of privacy. “I haven’t written in over a year for fear these words are not private,” are the journal’s first words. “That nothing in my life can be kept private.”

She sleeps badly, plagued with nightmares about the American government. She reads Cory Doctorow’s Homeland and re-reads 1984, finding too many parallels with her own life. She notes her computer glitching and “going pink” during her interviews with NSA whistleblower William Binney, and that it tells her its hard drive is full despite seeming to have 16 gigabytes free. Eventually she moves to a new apartment that she attempts to keep “off the radar” by avoiding all cell phones and only accessing the Internet over the anonymity software Tor.

When Snowden contacts her in January of 2013, Poitras has lived with the specter of spying long enough that she initially wonders if he might be part of a plan to entrap her or her contacts like Julian Assange or Jacob Appelbaum, an activist and Tor developer. “Is C4 a trap?” she asks herself, using an abbreviation of Snowden’s codename. “Will he put me in prison?”

Even once she decides he’s a legitimate source, the pressure threatens to overwhelm her. The stress becomes visceral: She writes that she feels like she’s “underwater” and that she can hear the blood rushing through her body. “I am battling with my nervous system,” she writes. “It doesn’t let me rest or sleep. Eye twitches, clenched throat, and now literally waiting to be raided.”

Finally she decides to meet Snowden and to publish his top secret leaks, despite her fears of both the risks to him and to herself. Both the journal and the documents she obtained from the government show how her own targeting helped to galvanize her resolve to expose the apparatus of surveillance. “He is prepared for the consequences of the disclosure,” she writes, then admits: “I really don’t want to become the story.”

In the end, Poitras has not only escaped the arrest or indictment she feared, but has become a kind of privacy folk hero: Her work has helped to noticeably shift the world’s view of government spying, led to legislation, and won both a Pulitzer and an Academy Award. But if her ultimate fear was to “become the story,” her latest revelations show that’s a fate she can no longer escape–and one she’s come to accept.

Poitras’ Astro Noise exhibit runs from February 5 until May 1 at the Whitney Museum of American Art, and the accompanying book will be published on February 23.

NSA/GCHQ: The HACIENDA Program for Internet Colonization - 20140815

New classified documents show country-wide port scans and active mapping of vulnerable net systems by intelligence agencies. This showcases the request of the agencies to colonize the net. There is some technical remedy, proven by a new RFC - but only to a certain extent.

Since the early days of TCP, port scanning has been used by computer saboteurs to locate vulnerable systems. In a new set of top secret documents seen by Heise, it is revealed that in 2009, the British spy agency GCHQ made port scans a "standard tool" to be applied against entire nations (Figure 1, see the picture gallery). Twenty-seven countries are listed as targets of the HACIENDA program in the presentation (Figure 2), which comes with a promotional offer: readers desiring to do reconnaissance against another country need simply send an e-mail (Figure 3).

The HACIENDA Program

The documents do not spell out details for a review process or the need to justify such an action. It should also be noted that the ability to port-scan an entire country is hardly wild fantasy; in 2013, a port scanner called Zmap was implemented that can scan the entire IPv4 address space in less than one hour using a single PC. [3] The massive use of this technology can thus make any server anywhere, large or small, a target for criminal state computer saboteurs.

The list of targeted services includes ubiquitous public services such as HTTP and FTP, as well as common administrative protocols such as SSH (Secure SHell protocol – used for remote access to systems) and SNMP (Simple Network Management Protocol – used for network administration) (Figure 4). Given that in the meantime, port scanning tools like Zmap have been developed which allow anyone to do comprehensive scans, it is not the technology used that is shocking, but rather the gargantuan scale and pervasiveness of the operation. The next section gives background on how port-mapping tools work and what information is gained by using them, making it clear what becomes possible when a state actor uses them at scale.

Background: The TCP Three-Way Handshake

The most commonly-used protocol on the Internet is TCP, the Transmission Control Protocol. Every time an email is sent or a web page is browsed, TCP is the protocol that is used to move data reliably between clients and servers. Port-mapping tools take advantage of a structural problem in TCP in order to determine what services are running on a system. Since the early days of TCP, port scanning has been used by attackers to locate vulnerable systems. Whenever a TCP client wants to communicate with a TCP server, the two parties perform what is called a TCP three-way handshake. The flawed design of this handshake is the foundation for port mapping tools, as during the handshake, the server leaks information about the availability of a service without checking the client's authorization.

Figure 5 illustrates the sequence of TCP packets which are sent to establish a connection. The establishment of the connection works as follows: the host which wants to initiate a connection first sends out a TCP SYN ("synchronize") packet. If the destination host accepts the connection request, it sends a SYN/ACK ("synchronize/acknowledge") packet. After receiving a positive reply, the initiating host sends out an ACK ("acknowledge") packet, which finalizes the TCP three-way handshake. This TCP three-way handshake allows an adversary to easily determine if some TCP service is offered at a given port by a host on the Internet: if the TCP port is closed, the server reacts differently to the TCP SYN packet (Figure 6), sending a RST ("reset") packet instead of the SYN/ACK it would send were the port open. Thus, an adversary can easily map Internet services by considering the differences in the server's replies in the packet flows depicted in Figure 5 and Figure 6 respectively.
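The same difference in replies is what a defender can look for in their own traffic. The following Python code is an added example, not part of the original article: it replays a constructed capture (all addresses, ports and the `min_ports` threshold are made up for illustration) and reports which sources probed many ports without ever completing a handshake, and what each of them learned about open and closed ports.

```python
"""Spot port probing from handshake outcomes (added example, constructed data)."""
from collections import defaultdict

SERVER = "198.51.100.5"

# Constructed capture, not real traffic: (src, src_port, dst, dst_port, flags).
# S = SYN, SA = SYN/ACK, A = ACK, R = RST.
PACKETS = [
    # Ordinary client: full three-way handshake to port 443.
    ("203.0.113.7", 50000, SERVER, 443, "S"),
    (SERVER, 443, "203.0.113.7", 50000, "SA"),
    ("203.0.113.7", 50000, SERVER, 443, "A"),
    # Client that hit one closed port by mistake.
    ("203.0.113.9", 50100, SERVER, 8080, "S"),
    (SERVER, 8080, "203.0.113.9", 50100, "R"),
    # Prober: one SYN per port, never completes a handshake.
    ("192.0.2.66", 40001, SERVER, 21, "S"),
    (SERVER, 21, "192.0.2.66", 40001, "R"),
    ("192.0.2.66", 40002, SERVER, 22, "S"),
    (SERVER, 22, "192.0.2.66", 40002, "SA"),
    ("192.0.2.66", 40002, SERVER, 22, "R"),
    ("192.0.2.66", 40003, SERVER, 23, "S"),
    (SERVER, 23, "192.0.2.66", 40003, "R"),
    ("192.0.2.66", 40004, SERVER, 80, "S"),
    (SERVER, 80, "192.0.2.66", 40004, "SA"),   # prober never answers
    ("192.0.2.66", 40005, SERVER, 443, "S"),
    (SERVER, 443, "192.0.2.66", 40005, "SA"),
    ("192.0.2.66", 40005, SERVER, 443, "R"),
]


def classify_flows(packets, server):
    """Return {(client, client_port, server_port): outcome} for inbound attempts."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        if dst == server:                          # client -> server
            key = (src, sport, dport)
            if flags == "S":
                flows.setdefault(key, "syn-only")
            elif flows.get(key) == "syn-ack":
                # After SYN/ACK the client either completes or tears down.
                flows[key] = "half-open" if "R" in flags else "established"
        elif src == server:                        # server -> client
            key = (dst, dport, sport)
            if flows.get(key) == "syn-only":
                if flags == "SA":
                    flows[key] = "syn-ack"         # reply reveals an open port
                elif "R" in flags:
                    flows[key] = "closed"          # reply reveals a closed port
    return flows


def port_probe_report(flows, min_ports=4):
    """Per source: was it probing, and which port states did the replies leak?"""
    per_src = defaultdict(lambda: {"probed": set(), "open": set(),
                                   "closed": set(), "established": 0})
    for (client, _client_port, port), outcome in flows.items():
        stats = per_src[client]
        if outcome == "established":
            stats["established"] += 1
            continue
        stats["probed"].add(port)
        if outcome in ("syn-ack", "half-open"):
            stats["open"].add(port)
        elif outcome == "closed":
            stats["closed"].add(port)
    return {
        client: {
            # Many distinct ports touched and not one handshake completed.
            "prober": len(s["probed"]) >= min_ports and s["established"] == 0,
            "learned_open": sorted(s["open"]),
            "learned_closed": sorted(s["closed"]),
        }
        for client, s in per_src.items()
    }


if __name__ == "__main__":
    for client, row in port_probe_report(classify_flows(PACKETS, SERVER)).items():
        print(client, row)
```

The `learned_open` column is the information the handshake gave away to an unauthenticated peer, which is what the port knocking technique later in the article is meant to withhold.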

The Enemy Online

In addition to simple port scans, GCHQ also downloads so-called banners and other readily available information (Figure 4). A banner is text sent by some applications when connecting to an associated port; this often indicates system and application information, including version and other information useful when looking for vulnerable services. Doing reconnaissance at the massive scale revealed in the documents demonstrates that the goal is to perform active collection and map vulnerable services ubiquitously, not to go after specific targets.

By preparing for attacks against services offered via SSH and SNMP, the spy agency targets critical infrastructure such as systems used for network operations. As shown in the past with the penetration of Belgacom and Stellar, when an employee's computer system or network credentials may be useful, those systems and people are targeted and attacked.
The database resulting from the scans is then shared with other spy agencies of the Five Eyes spying club (Figure 7), which includes the United States, Canada, United Kingdom, Australia and New Zealand. MAILORDER is described in the documents as a secure transport protocol used between the Five Eyes spy agencies to exchange collected data.

Every device a target

The process of scanning entire countries and looking for vulnerable network infrastructure to exploit is consistent with the meta-goal of "Mastering the Internet", which is also the name of a GCHQ cable-tapping program: these spy agencies try to attack every possible system they can, presumably as it might provide access to further systems. Systems may be attacked simply because they might eventually create a path towards a valuable espionage target, even without actionable information indicating this will ever be the case.

Using this logic, every device is a target for colonization, as each successfully exploited target is theoretically useful as a means to infiltrating another possible target. Port scanning and downloading banners to identify which software is operating on the target system is merely the first step of the attack (Figure 8). Top secret documents from the NSA seen by Heise demonstrate that the involved spy agencies follow the common methodology of online organized crime (Figure 9): reconnaissance (Figure 10) is followed by infection (Figure 11), command and control (Figure 12), and exfiltration (Figure 13). The NSA presentation makes it clear that the agency embraces the mindset of criminals. In the slides, they discuss techniques and then show screenshots of their own tools to support this criminal process (Figure 14, 15 and 16).

Internet Colonization

The NSA is known to be interested in 0-day attacks, which are attacks exploiting largely unknown vulnerabilities for which no patch is available. Once an adversary armed with 0-day attacks has discovered that a vulnerable service is running on a system, defense becomes virtually impossible. Firewalls are unlikely to offer sufficient protection, whether because administrators need remote access or because spy agencies have already infiltrated the local network (see: Barton Gellman and Ashkan Soltani. NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say. The Washington Post, October 2013). Furthermore, adding additional equipment, such as firewalls administered via SNMP, into an internal network may also open up new vulnerabilities.

Figure 8 points to a particular role that HACIENDA plays in the spy club's infrastructure, namely the expansion of their covert infrastructure. The top secret documents seen by Heise describe the LANDMARK program, a program by the Canadian spy agency CSEC which is used to expand covert infrastructure (Figure 17).

The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad. For example, in February 2010 twenty-four spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborious (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22).

The Canadians are not the only ones using HACIENDA to locate machines to compromise and turn into ORBs. At GCHQ, the hunt for ORBs is organized as part of the MUGSHOT program (Figure 23). The GCHQ has also automated the process and claims significant improvements in accuracy due to the automation (Figure 24). Again the information obtained from HACIENDA plays a prominent role (Figure 25). A key point is that with MUGSHOT the GCHQ integrates results from active scans (HACIENDA) as well as passive monitoring (Figure 26), to "understand everything important about all machines on the Internet".

Thus, system and network administrators now face the threat of industrial espionage, sabotage and human rights violations created by nation-state adversaries indiscriminately attacking network infrastructure and breaking into services. Such an adversary needs little reason for an attack beyond gaining access and is supported by a multi-billion dollar budget, immunity from prosecution, and compelled collaboration by companies from Five Eyes countries. As a result, every system or network administrator needs to worry about protecting his system against this unprecedented threat level. In particular, citizens of countries outside of the Five Eyes have, as a result of these programs, greatly reduced security, privacy, integrity and resilience capabilities.

Spy agencies are using their powers to commandeer Internet systems for power projection. Their actions follow the standard template of cyber-criminal behavior, using reconnaissance through active and passive port scanning to identify potential victims. Given this serious threat, system administrators need to improve their defensive posture and, in particular, reduce the visibility of non-public services. Patching services does not help against 0-day attacks, and firewalls may not be applicable or sufficient. In the second part of our article, we will introduce another option for system administrators to make non-public system administration services less visible for reconnaissance operations. By standardizing such techniques, the Internet community may be able to dampen the ability of security services to master the Internet.

In this article, we will describe a new port knocking variant that uses the nation-state adversary model, and thus offers some protections against the HACIENDA program, thereby possibly stopping the spy agencies at the reconnaissance stage.

While defending against undisclosed vulnerabilities in public services is rather difficult, minimizing one's visible footprint and thus one's attack surface for administrative services is much easier. Port knocking [9] is a well-known method for making TCP servers less visible on the Internet. The basic idea is to make a TCP server not respond (positively) to a TCP SYN request unless a particular "knock" packet has been received first. This can be helpful for security, as an attacker who cannot establish a TCP connection also cannot really attack the TCP server.

However, traditional port knocking techniques [10] generally do not consider a modern nation-state adversary. Specifically, port scans are not the only method an attacker may use to learn about the existence of a service; if the service is accessed via a network where the adversary is able to sniff the traffic, the adversary may observe the connection and thereby deduce the existence of a service. A nation-state attacker may even be able to observe all traffic from the TCP client and perform man-in-the-middle attacks on traffic originating from the client. In particular, with compromised routers in the infrastructure, it is possible to execute a man-in-the-middle attack to take over a TCP connection just after the initial TCP handshake has been completed. An advanced attacker in control of routers may also try to identify the use of insufficiently stealthy port knocks by detecting unusual patterns in network traffic. However, it may still be safe to assume this adversary does not flag a standard TCP handshake as suspicious, as this is way too common.

TCP Stealth

TCP Stealth is an IETF draft (Julian Kirsch, Christian Grothoff, Jacob Appelbaum, and Holger Kenn: TCP Stealth, August 2014. IETF draft) which describes an easily-deployed and stealthy port knocking variant. TCP Stealth embeds the authorization token in the TCP ISN, and enables applications to add payload protections. As a result, TCP Stealth is hard to detect on the network as the traffic is indistinguishable from an ordinary 3-way TCP handshake, and man-in-the-middle attacks as well as replay attacks are mitigated by the payload protections. TCP Stealth works with IPv4 and IPv6.

TCP Stealth is useful for any service with a user group that is so small that it is practical to share a passphrase with all members. Examples include administrative SSH or FTP access to servers, Tor Bridges, personal POP3/IMAP(S) servers and friend-to-friend Peer-to-Peer overlay networks. The easiest way to use TCP Stealth is with operating system support. TCP Stealth is available for Linux systems using the Knock patch (see: Julian Kirsch. Knock, August 2014). For kernels that include this patch, TCP Stealth support can be added to applications via a simple setsockopt() call, or by pre-loading the libknockify shared library and setting the respective environment variables.

Installation

As the mainline Linux currently does not yet offer support for Knock, the kernel of the machine which should be using Knock needs to be patched. Patching the kernel is straightforward:

1. First, obtain the sources of the desired kernel version from https://www.kernel.org if you intend to use a vanilla running kernel. Note that many distributions make adaptations to the kernel and therefore provide custom kernel sources, so one might want to check for the customized kernel sources.

2. Once the kernel sources are available, download the appropriate Knock patch from https://gnunet.org/knock. Note that if you intend to run a kernel version which is not explicitly listed on the Knock website, the best option is to try out the patches of the closest version provided.

3. Change to the directory where the kernel sources reside (replace the <your-version>-part according to your selection of the kernel- and the patch-version) and apply the patches (you can find more information on how to apply and revert patches on the kernel source in the kernel.org archives):

$ cd linux-<your-version>/

~/linux $ patch -p1 < /path/to/knock/patch/tcp_stealth_<your-version>.diff

4. Get the configuration of the currently running kernel. There are two widely used methods which can be used interchangeably:

(a) Debianoids maintain a copy of the kernel configuration parameters in the /boot directory. You can copy the config to your current kernel sources using the following command:

~/linux $ cp /boot/config-$(uname -r) .config

(b) Many other distributions compile the kernel with the possibility to read the running kernel's configuration from the /proc/ file system:

~/linux $ zcat /proc/config.gz > .config

(c) If none of the cases above applies for your distribution, you can try to use the default kernel configuration by entering

~/linux $ make defconfig

However, do not expect a convincing kernel to result from this in terms of performance and stability.

5. Choose the defaults for all configuration parameters which are not in your current configuration. A different kernel version might introduce new compile configuration options:

~/linux $ yes "" | make oldconfig

6. Enable Knock in your current configuration by selecting Networking Support > Networking Options > TCP/IP networking > TCP: Stealth TCP socket support in the interactive menu:

~/linux $ make menuconfig

7. The kernel is now ready for compilation. Enter

~/linux $ make bzImage && make modules

to compile the kernel and all additional modules. Be prepared for the fact that this step can take a long time. If you have a machine with more than one processor core, you can adjust the number of build threads using the -j option to both make commands.

8. If compilation succeeds, install the new kernel and all modules. Afterwards, automatically create a new initramdisk for your newly compiled kernel. If you have sudo installed, enter

~/linux $ sudo make modules_install && sudo make install

otherwise enter these commands into a root prompt leaving out both sudos.

9. Reboot the machine and instruct your boot manager to boot into the new kernel. You now have a Knock aware machine.

Knock can be used without having to modify the source code of the program. This can be useful in cases where the source code is not available or when inserting the needed libc calls is infeasible (for example due to restrictions imposed by the application logic).

In order to use Knock in existing applications, a dynamic library libknockify is provided. The basic usage of the libknockify shared object to enable Knock for the program example_program is as follows:

KNOCK_SECRET="shared secret" KNOCK_INTLEN=42 LD_PRELOAD=./libknockify.so ./example_program

Afterwards, if the application example_program communicates via TCP, libknockify will set the respective socket options to enable the use of Knock in the kernel. In the example, the shared secret is derived from the text "shared secret", and the content integrity protection is limited to the first 42 bytes of payload in the TCP stream. If the KNOCK_INTLEN variable is not set, content integrity protection is disabled.

Application developers can integrate support for TCP Stealth directly into their code. This has the advantage that it is possible to control which TCP connections have TCP Stealth enabled, and it might further improve usability. To enable basic port knocking with a Knock-enabled kernel, the application only needs to perform a single setsockopt() call after creating the TCP socket:

char secret[64] = "This is my magic ID.";

/* level IPPROTO_TCP, option TCP_STEALTH, value: the shared secret */
setsockopt(sock, IPPROTO_TCP, TCP_STEALTH, secret, sizeof(secret));

For content integrity protection, TCP clients need to additionally specify the first bytes of the payload that will be transmitted in a second setsockopt() call before invoking connect():

char payload[4] = "1234";

setsockopt(sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY, payload, sizeof(payload));

connect (sock, ...);

write (sock, payload, sizeof (payload));

Servers expecting content integrity protection merely need a second setsockopt() call to specify the number of bytes that are expected to be protected by TCP Stealth:

int payload_len = 4;

/* setsockopt() takes a pointer to the option value */
setsockopt(sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY_LEN, &payload_len, sizeof(payload_len));

Limitations

Nowadays, most end-user devices access the Internet from behind a gateway router which performs network address translation (NAT). While TCP Stealth was designed to avoid the use of information that is commonly altered by NAT devices, some NAT devices modify TCP timestamps and ISNs and may thus interfere with the port knocking mechanism.

Table 1: Changes made to the ISN by middle-boxes dependent on the destination port as measured by Honda et al. (Michio Honda, Yoshifumi Nishida, Costin Raiciu, Adam Greenhalgh, Mark Handley, and Hideyuki Tokuda. Is it still possible to extend TCP? In Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, IMC '11, pages 181-194, New York, NY, USA, 2011. ACM.)

Table 1 summarizes experiments by Honda et al. showing how common ISN modification by NAT devices is in practice. In terms of security, TCP Stealth is limited to the 32 bits of the TCP ISN field; hence, a persistent adversary may still succeed by luck or brute force. However, we believe that TCP Stealth will provide adequate protections against indiscriminate attackers performing untargeted attacks (such as HACIENDA). Moving administrative services to non-standard ports can further decrease the chance of accidental discovery by active port scanners.

While the use of integrity protection with TCP Stealth is technically optional, port knocking without integrity protections offers little security against an adversary that observes network traffic and hijacks connections after the initial TCP handshake. Thus, future network protocols should be designed to exchange key material at the beginning of the first TCP packet. Sadly, this is not the case for SSH, which instead exposes a banner with version information to an attacker well before the cryptographic handshake. Hence, design flaws in the SSH protocol currently require the use of an additional obfuscation patch [2] to effectively use TCP Stealth integrity protections with SSH.
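A model of the behaviour described in the TCP Stealth and Limitations sections, added here as an illustration; it is not code from the article, the IETF draft or the Knock patch. HMAC-SHA-256, the 16/16-bit split of the ISN, the choice of input fields and all names and values are assumptions of this example. It shows what a scanner, a client behind an ISN- or timestamp-rewriting middlebox, and a connection taken over after the handshake each get back from the server.

```python
"""Model of ISN-based port knocking with payload integrity (added example)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass


def _prf16(secret: bytes, label: bytes, data: bytes) -> int:
    # ASSUMPTION: HMAC-SHA-256 cut to 16 bits stands in for the draft's own
    # derivation, which this model does not reproduce.
    mac = hmac.new(secret, label + data, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def integrity_hash(secret: bytes, payload: bytes, protected_len: int) -> int:
    """Keyed 16-bit hash over the first protected_len bytes of the stream."""
    return _prf16(secret, b"payload", payload[:protected_len])


def _auth(secret: bytes, dst_ip: str, dst_port: int, tsval: int, ih: int) -> int:
    # Source address and port are left out because NAT rewrites them.
    # The exact field selection is an assumption of this example.
    ctx = ipaddress.ip_address(dst_ip).packed + struct.pack("!HIH", dst_port, tsval, ih)
    return _prf16(secret, b"knock", ctx)


def make_isn(secret, dst_ip, dst_port, tsval, payload, protected_len) -> int:
    """Client: 32-bit ISN = 16-bit authenticator || 16-bit payload hash."""
    ih = integrity_hash(secret, payload, protected_len)
    return (_auth(secret, dst_ip, dst_port, tsval, ih) << 16) | ih


@dataclass(frozen=True)
class Syn:
    dst_ip: str
    dst_port: int
    tsval: int   # TCP timestamp value
    seq: int     # initial sequence number


class StealthListener:
    """Server-side decision logic; return values are what the peer observes."""

    def __init__(self, secret: bytes, protected_len: int):
        self.secret = secret
        self.protected_len = protected_len

    def on_syn(self, syn: Syn) -> str:
        ih = syn.seq & 0xFFFF
        expected = _auth(self.secret, syn.dst_ip, syn.dst_port, syn.tsval, ih)
        # A failed knock gets the same reply as a closed port.
        return "SYN/ACK" if (syn.seq >> 16) == expected else "RST"

    def on_first_data(self, syn: Syn, payload: bytes) -> str:
        # The first bytes of the stream must match the hash carried in the ISN.
        if len(payload) < self.protected_len:
            return "RST"
        ih = integrity_hash(self.secret, payload, self.protected_len)
        return "ACCEPT" if ih == (syn.seq & 0xFFFF) else "RST"


def demo() -> dict:
    secret = b"shared secret"                 # constructed values throughout
    listener = StealthListener(secret, protected_len=4)
    stream = b"1234 rest of the stream"
    isn = make_isn(secret, "192.0.2.10", 22, 123456, stream, 4)
    knock = Syn("192.0.2.10", 22, 123456, isn)
    return {
        "client_syn": listener.on_syn(knock),
        # Scanner: ordinary ISN, not derived from the secret.
        "scanner_syn": listener.on_syn(Syn("192.0.2.10", 22, 123456, 0x1A2B3C4D)),
        # Middlebox rewrote the ISN (modelled as a fixed offset).
        "isn_rewritten": listener.on_syn(
            Syn("192.0.2.10", 22, 123456, (isn + 0x01000000) & 0xFFFFFFFF)),
        # Middlebox rewrote the TCP timestamp.
        "tsval_rewritten": listener.on_syn(Syn("192.0.2.10", 22, 999, isn)),
        "genuine_data": listener.on_first_data(knock, stream),
        # Connection taken over after the handshake: different first bytes.
        "hijacked_data": listener.on_first_data(knock, b"EVIL rest of the stream"),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:16} {answer}")
```

Dropping the `on_first_data` check from this model reproduces the weakness the paragraph above describes: once the knock has been accepted, nothing ties the stream that follows to the holder of the secret.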

Summary

Technical solutions such as TCP Stealth are one way for administrators to harden their systems by protecting internal TCP services against the attacks by criminals, be they private, commercially motivated or state parties. However, as Linus Neumann of the CCC recently stated in an OpEd for Heise, it may not be possible to win the race in the long run solely through technical means. Without the necessary political will to legally protect, promote and fund secure communication systems, this one-sided battle will continue, and users will lose. Neumann underlined that secure communication systems were possible, but that governments are much more concerned about loss of control than about hardened (and less controllable) networks. Much more political work lies ahead; however, operating system vendors and administrators can improve the situation today by deploying modern security solutions.

Doctorow, Cory - Snowden intelligence docs reveal UK spooks' malware checklist - Boing Boing 20160202

Boing Boing is proud to publish two original documents disclosed by Edward Snowden, in connection with "Sherlock Holmes and the Adventure of the Extraordinary Rendition," a short story written for Laura Poitras's Astro Noise exhibition, which runs at NYC's Whitney Museum of Modern Art from Feb 5 to May 1, 2016.

“I’d tell you, but I’d have to kill you.” This is what I shout at the TV (or the Youtube window) whenever I see a surveillance boss explain why none of his methods, or his mission, can be subjected to scrutiny. I write about surveillance, counter surveillance, and civil liberties, and have spent a fair bit of time in company with both the grunts and the generals of the surveillance industry, and I can always tell when one of these moments is coming up, the flinty-eyed look of someone about to play Jason Bourne.

The stories we tell ourselves are the secret pivots on which our lives turn. So when Laura Poitras approached me to write a piece for the Astro Noise book -- to accompany her show at the Whitney -- and offered me access to the Snowden archive for the purpose, I jumped at the opportunity.

Fortuitously, the Astro Noise offer coincided perfectly with another offer, from Laurie King and Leslie Klinger. Laurie is a bestselling Holmes writer; Les is the lawyer who won the lawsuit that put Sherlock Holmes in the public domain, firmly and unequivocally. Since their legal victory, they've been putting together unauthorized Sherlock anthologies, and did I want to write one for "Echoes of Holmes," the next one in line?

The two projects coincided perfectly. Holmes, after all, is the master of HUMINT (human intelligence), the business of following people around, getting information from snitches, dressing up in putty noses and fake beards... Meanwhile, his smarter brother Mycroft is a corpulent, sedentary presence in the stories, the master of SIGINT (signals intelligence), a node through which all the intelligence of the nation flows, waiting to be pieced together by Mycroft and his enormous intellect. The Mycroft-Sherlock dynamic perfectly embodies the fraternal rivalry between SIGINT and HUMINT: Sherlock chases all around town dressed like an old beggar woman or similar ruse, catches his man and hands him over to Scotland Yard, and then reports in to Mycroft, who interrupts him before he can get a word out, arching an eyebrow and saying, "I expect you found that it was the Bohemian stable-hand all along, working for those American Freemasons who were after the Sultan's pearls, was it not?"

In 2014, I watched Jennifer Gibson from the eminent prisoners’ rights group Reprieve talking about her group's project to conduct a census of those killed by US drone strikes in Yemen and Pakistan. The CIA conducts these strikes, using SIGINT to identify mobile phones belonging to likely targets and dispatch killer drones to annihilate anything in their vicinity. As former NSA and CIA director Michael Hayden once confessed: "We kill people based on metadata."

But the CIA does not specialize in SIGINT (that's the NSA's job). For most of its existence, the CIA was known as a HUMINT agency, the masters of disguise and infiltration.

That was the old CIA. The new CIA is just another SIGINT agency. Signals Intelligence isn’t just an intelligence methodology, it’s a great business. SIGINT means huge procurements -- servers, administrators, electricity, data-centers, cooling -- while HUMINT involves sending a lot of your friends into harm's way, potentially never to return.

We are indeed in the “golden age of SIGINT”. Despite security services' claims that terrorists are "going dark" with unbreakable encryption, the spooks have done much to wiretap the whole Internet.

The UK spy agency GCHQ really tipped their hand when they called their flagship surveillance program "Mastering the Internet." Not "Mastering Cybercrime," not "Mastering Our Enemies." Mastering the *Internet* -- the very same Internet that everyone uses, from the UK's allies in the Five Eyes nations to the UK Parliament to Britons themselves. Similarly, a cursory glance at the logo for the NSA’s Special Source Operations -- the fiber-tapping specialists at the NSA -- tells the whole story.

These mass surveillance programs would likely not have withstood public scrutiny. If the NSA’s decision to launch SSO had been attended by a nightly news broadcast featuring that logo, it would have been laughed out of the room. The program depended on the NSA telling its story to itself, and not to the rest of us. The dotcom boom would have been a very different affair if the major legislative debate of the day had been over whether to allow the surveillance agencies of Western governments to monitor all the fiber cables, and harvest every click and keystroke they can legally lay claim to, parcel it into arbitrary categories like “metadata” and “content” to decide what to retain indefinitely, and to run unaccountable algorithms on that data to ascribe secret guilt.

As a result, the entire surveillance project has been undertaken in secrecy, within the bubble of people who already think that surveillance is the answer to virtually any question. The surveillance industry is a mushroom, grown in dark places, and it has sent out spores into every corner of the Internet, which have sprouted their own surveillance regimes. While this was happening, something important was happening to the Internet: as William Gibson wrote in 2007's "Spook Country," "cyberspace is everting" -- turning inside out. Computers aren’t just the things in our bags in the trunks of our cars. Today, our cars are computers. This is why Volkswagen was able to design a car that sensed when it was undergoing regulatory inspection and changed its behavior to sneak through tests. Our implanted defibrillators are computers, which is why Dick Cheney had the wireless interface turned off on his defibrillator prior to its implantation. Everything is a networked computer.

Those networked devices are an attack surface that is available to the NSA and GCHQ's adversaries -- primarily other governments, as well as non-government actors with political ambitions -- and to garden variety criminals. Blackmailers, voyeurs, identity thieves and antisocial trolls routinely seize control over innocents' computers and attack them in every conceivable way. Like the CIA and its drones, they often don't know who their victims are: they find an exploit, write a script to find as many potential victims as possible, and harvest them.

For those who are high-value targets, this lurking insecurity is even more of a risk -- witness the recent takeover of the personal email accounts of US Director of National Intelligence James Clapper by a group of self-described teenagers who previously took over CIA Director John Brennan's email account.

This is the moment when the security services could shine. We need cyber defense and we need it badly. But for the security services to shine, they'd have to spend all their time patching up the leaky boat of networked security, while their major project for a decade and more has been to discover weaknesses in the network and its end-points and expand them, adding vulnerabilities that they can weaponize against their adversaries -- leaving these vulnerabilities wide open for their adversaries to use in attacking us.

The NSA and GCHQ have weaponized flaws in router operating systems, rather than telling the vendors about these flaws, leaving the world’s electronic infrastructure vulnerable to attack by the NSA and GCHQ’s adversaries. Our spies hack core routers and their adversaries' infrastructure, but they have made themselves reliant upon the continuing fragility and insecurity of the architectures common to enemy and ally alike, when they could have been making us all more secure by figuring out how to harden them.

The mission of making it as hard as possible for the enemy to attack us is in irreconcilable tension with the mission of making it as easy as possible for our security services to attack their adversaries.

There isn't a Bad Guy Internet and a Good Guy Internet. There's no Bad Guy Operating System and Good Guy Operating System. When GCHQ discovers something breakable in a computer system that Iranians depend upon, they've also discovered something amiss that Britons rely upon. GCHQ can't keep that gap in Iran's armor intact without leaving an equally large gap open in our own armor.

For my Sherlock story, I wanted to explore what it means to have a security methodology that was all attack, and precious little defense, particularly one that proceeded in secret, without any accountability or even argument from people who thought you were doing it all wrong.


The Documents

Though I reviewed dozens of unpublished documents from the Snowden archive in writing my story, I relied upon three documents, two of which we are releasing today.

First, there's the crux of my Sherlock story, drawn from a March 2010 GCHQ document titled "What's the worst that could happen?" marked "TOP SECRET STRAP 1." This is a kind of checklist for spies who are seeking permission to infect their adversaries' computers or networks with malicious software.

It's a surprising document in many regards. The first thing that caught my eye about it is the quality of the prose. Most of the GCHQ documents I've reviewed read like they were written by management consultants, dry and anodyne in a way that makes even the famously tortured prose of the military seem juicy by comparison. The story the authors of those documents are telling themselves is called something like, “Serious grownups, doing serious work, seriously.”

"What's the worst..." reads like the transcript of a lecture by a fascinating and seasoned mentor, someone who's seen all the pitfalls and wants to help you, their protege, navigate this tricky piece of the intel business without shooting yourself in the foot.

It even tells a kind of story: we have partners who help us with our malware implantation. Are they going to help us with that business in the future if their names get splashed all over the papers? Remember, there are clever people like you working for foreign governments -- they're going to try and catch us out! Imagine what might happen if one of our good friends got blamed for what we did -- or blamed us for it! Let's not forget the exploits themselves: our brilliant researchers quietly beaver away, finding the defects that the best and the brightest programmers at, say, Apple and Microsoft have left behind in their code: if you get caught, the companies will patch the vulnerabilities and we will lose the use of them forever.

On it goes in this vein, for three pages, until the very last point:

“Who will have direct access to the data resulting from the operation and do we have any control over this? Could anyone take action on it without our agreement, eg could we be enabling the US to conduct a detention op which we would not consider permissible?”

That's where the whole thing comes to something of a screeching halt. We're not talking about Tom Clancy net-wars fantasies anymore -- now we're into the realm of something that must haunt every man and woman of good will and integrity who works in the spy agencies: the possibility that a colleague or ally, operating without oversight or consequence, might descend into barbarism based on something you did.

Reading this, I thought of the Canadian officials who incorrectly told US authorities that Maher Arar, a Canadian citizen of Syrian origin, was suspected of being connected to Al Qaeda.

Arar was detained by the United States Immigration and Naturalization Service (INS) during a stopover in New York on his way home from a family vacation in Tunis. The Americans, acting on incomplete intelligence from the Royal Canadian Mounted Police (RCMP), deported Arar to Syria, a country he had not visited since his move to Canada, and which does permit the renunciation of citizenship.

Arar claims he was tortured during his imprisonment, which lasted almost a year, and bombarded with questions from his torturers that seemed to originate with the US security services. Finally, the Syrian government decided that Arar was innocent of any terrorist connections and let him go home to Canada. The US authorities refused to participate in the hearings on the Arar affair and the DHS has kept his family on the no-fly list.


Why did Syrian officials let him go? "Why shouldn't we leave him to go? We thought that would be a gesture of good will towards Canada, which is a friendly nation. For Syria, second, we could not substantiate any of the allegations against him." He added that the Syrian government now considers Arar completely innocent.

Is this what the unnamed author of this good-natured GCHQ document meant by "a detention op which we would not consider permissible?" The Canadian intelligence services apparently told their US counterparts early on that they'd been mistaken about Arar, but when a service operates with impunity, in secret, it gets to steamroller on, without letting facts get in the way, refusing to acknowledge its errors.

The security services are a system with a powerful accelerator and inadequate brakes. They’ve rebranded “terrorism” as an existential risk to civilization (rather than a lurid type of crime). The War on Terror is a lock that opens all doors. As innumerable DEA agents have discovered, the hint that the drug-runner you’re chasing may be funding terror is a talisman that clears away red-tape, checks and balances, and oversight.

The story of terrorism is that it must be stopped at all costs, that there are no limits when it comes to the capture and punishment of terrorists. The story of people under suspicion of terrorism, therefore, is the story of people to whom no mercy is due, and of whom all cunning must be assumed.

Within the security apparatus, identification as a potential terrorist is a life sentence, a “FAIR GAME” sign taped to the back of your shirt, until you successfully negotiate a Kafkaesque thicket of secretive procedures and kangaroo courts. What story must the author of this document have been telling themself when they wrote that final clause, thinking of someone telling himself the DIE HARD story, using GCHQ’s data to assign someone fair game status for the rest of their life?

Holmes stories are perfectly suited to this kind of problem. From "A Scandal in Bohemia" to "A Study in Scarlet," to "The Man With the Twisted Lip," Holmes's clients often present at his doorstep wracked with guilt or anxiety about the consequences of their actions. Often as not, Holmes's solution to their problems involves not just unraveling the mystery, but presenting a clever way for the moral question to be resolved as well.

The next document is the "HIMR Data Mining Research Problem Book," a fascinating scholarly paper on the methods by which the massive data-streams from the deep fiber taps can be parsed out into identifiable, individual parcels, combining data from home computers, phones, and work computers.

It was written by researchers from the Heilbronn Institute for Mathematical Research in Bristol, a “partnership between the UK Government Communications Headquarters and the University of Bristol.” Staff spend half their time working on public research, the other half is given over to secret projects for the government.

The Problem Book is a foundational document in the Snowden archive, written in clear prose that makes few assumptions about the reader’s existing knowledge. It likewise makes few ethical assertions about its work, striking a kind of academic posture in which something is “good” if it does some task efficiently, regardless of the task. It spells out the boundaries on what is and is not “metadata” without critical scrutiny, and dryly observes that “cyber” is a talisman -- reminiscent of “terrorist” -- that can be used to conjure up operating capital, even when all the other government agencies are having their budgets cut.

The UK government has recognized the critical importance of cyber to our strategic position: in the Comprehensive Spending Review of 2010, it allocated a significant amount of new money to cyber, at a time when almost everything else was cut. Much of this investment will be entrusted to GCHQ, and in return it is imperative for us to use that money for the UK’s advantage.

Some of the problems in this book look at ways of leveraging GCHQ’s passive SIGINT capabilities to give us a cyber edge, but researchers should always be on the look-out for opportunities to advance the cyber agenda.

The story the Problem Book tells is of scholars who’ve been tasked with a chewy problem: sieving usable intelligence out of the firehoses that GCHQ has arrogated to itself with its fiber optic taps.

Somewhere in that data, they are told, must be signatures that uniquely identify terrorists. It’s a Big Data problem, and the Problem Book, dating to 2010, is very much a creature of the first rush of Big Data hype.

For the researchers, the problem is that their adversaries are no longer identifiable by their national affiliation. The UK government can’t keep on top of its enemies by identifying the bad countries and then spying on their officials, spies and military. Now the bad guys could be anyone. The nation-state problem was figuring out how to spy on your enemies. The new problem is figuring out which people to spy on.

"It is important to bear in mind that other states (..) are not bound by the same legal framework and ideas of necessity and proportionality that we impose on ourselves. Moreover, there are many other malicious actors in cyberspace, including criminals and hackers (sometimes motivated by ideology, sometimes just doing it for fun, and sometimes tied more or less closely to a nation state). We certainly cannot ignore these non-state actors".

The problem with this is that once you accept this framing, and note the happy coincidence that your paymasters just happen to have found a way to spy on everyone, the conclusion is obvious: just mine all of the data, from everyone to everyone, and use an algorithm to figure out who’s guilty.

The bad guys have a Modus Operandi, as anyone who’s watched a cop show knows. Find the MO, turn it into a data fingerprint, and you can just sort the firehose’s output into “terrorist-ish” and “unterrorist-ish.”

Once you accept this premise, then it’s equally obvious that the whole methodology has to be kept from scrutiny. If you’re depending on three “tells” as indicators of terrorist planning, the terrorists will figure out how to plan their attacks without doing those three things.

This even has a name: Goodhart's law. "When a measure becomes a target, it ceases to be a good measure." Google started out by gauging a web page’s importance by counting the number of links they could find to it. This worked well before they told people what they were doing. Once getting a page ranked by Google became important, unscrupulous people set up dummy sites (“link-farms”) with lots of links pointing at their pages.

The San Bernardino shootings re-opened the discussion on this problem. When small groups of people independently plan atrocities that don’t require complicated or unusual steps to plan and set up, what kind of data massaging will surface them before it’s too late?

Much of the paper deals with supervised machine learning, a significant area of research and dispute today. Machine learning is used in "predictive policing" systems to send cops to neighborhoods where crime is predicted to be ripening, allegedly without bias. In reality, of course, the training data for these systems comes from the human-directed activity of the police before the system was set up. If the police stop-and-frisk all the brown people they find in poor neighborhoods, then that's where they'll find most of the crime. Feed those arrest records to a supervised machine algorithm and ask it where the crime will be and it will send your officers back to the places where they're already focusing their efforts: in other words, "predictive policing" is great at predicting what the police will do, but has dubious utility in predicting crime itself.

The part of the document I was most interested in was the section on reading and making sense of network graphs. They are the kind of thing you’d use in a PowerPoint slide when you want to represent an abstraction like "the Internet". Network graphs tell you a lot about the structures of organizations, about the relative power relationships between them. If the boss usually communicates to their top lieutenants after being contacted by a trusted advisor, then getting to that advisor is a great way to move the whole organization, whether you're a spy or a sales rep.

The ability of data-miners to walk the social and network graphs of their targets, to trace the "information cascades" (that is, to watch who takes orders from whom) and to spot anomalies in the network and zero in on them, is an important piece of the debate on "going dark." If spies can look at who talks to whom, and when, and deduce organizational structure and upcoming actions, then the ability to read the content of messages -- which may be masked by cryptography -- is hardly the make-or-break for fighting their adversaries.

This is crucial to the debate on surveillance. In the 1990s, there was a seminal debate over whether to prohibit civilian access to working cryptography, a debate that was won decisively for the side of unfettered access to privacy tools. Today, that debate has been renewed. David Cameron was re-elected to the UK Prime Minister's office after promising to ban strong crypto, and the UK government has just introduced a proposed cryptographic standard designed to be broken by spies.

The rubric for these measures is that spies have lost the ability to listen in on their targets, and with it, their ability to thwart attacks. But as the casebook demonstrates, a spy's-eye view on the Internet affords enormous insight into the activities of whole populations -- including high-value terrorism suspects.

The Problem Book sets up the Mycroftian counterpoint to Sherlock's human intelligence -- human and humane, focused on the particulars of each person in his stories.

Sherlock describes Mycroft as an all-knowing savant:

The conclusions of every department are passed to him, and he is the central exchange, the clearinghouse, which makes out the balance. All other men are specialists, but his specialism is omniscience.

While Sherlock is energized by his intellectual curiosity, his final actions are governed by moral consequences and empathy. Mycroft functions with the moral vacuum of software: tell him to identify anomalies and he'll do it, regardless of why he's been asked or what happens next. Mycroft is a Big Data algorithm in human form.

The final document I relied upon in the story is one we won't be publishing today: an intercepted transcript of a jihadi chat room. This document isn't being released because there were many people in that chat room, having what they thought was an off-the-record conversation with their friends. Though some of them were espousing extreme ideology, mostly they were doing exactly what my friends and I did when I was a teenager: mouthing off, talking about our love lives, telling dirty jokes, talking big.

These kids were funny, rude, silly, and sweet -- they were lovelorn and fighting with their parents. I went to school with kids like these. I was one of them. If you were to judge me and my friends based on our conversations like these, it would be difficult to tell us apart from these children. We all talked a big game, we all fretted about military adventurism, we all cursed the generals who decided that civilian losses are acceptable in the pursuit of their personal goals. I still curse those generals, for whatever it's worth. I read reams of these chat transcripts and I am mystified at their value to national security. These children hold some foolish beliefs, but they're not engaged in anything more sinister than big talk and trash talk.

Most people -- including most people like these kids -- are not terrorists. You can tell, because we're not all dead. An indiscriminate surveillance dragnet will harvest far more big talkers than bad guys. Mass surveillance is a recipe for creating an endless stream of Arars, and each Arar serves as inspiration for more junior jihadis.

In my fiction, I've always tried to link together real world subjects of social and technological interest with storytelling that tries to get into the way that the coming changes will make us feel. Many readers have accused me of predicting the future because I've written stories about mass surveillance and whistleblowers.

But the truth is that before Snowden, there was Wikileaks and Chelsea Manning, and Bill Binney and Thomas Drake before them, and Mark Klein before them. Mass surveillance has been an open secret since the first GW Bush administration, and informed speculation about where it was going was more a matter of paying attention to the newspaper than peering into a crystal ball.

Writing a Sherlock Holmes story from unpublished leaks was a novel experience, though, one that tied together my activist, journalist and fiction writing practices in a way that was both challenging and invigorating. In some ways, it represented a constraint, because once I had the nitty-gritty details of surveillance to hand, I couldn't make up new ones to suit the story. But it was also tremendous freedom, because the mass surveillance regimes of the NSA and GCHQ are so obviously ill-considered and prone to disastrous error that the story practically writes itself.

I worry about "cybersecurity," I really do. I know that kids can do crazy things. But in the absence of accountability and independent scrutiny, the security services have turned cyberspace into a battleground where they lob weapons at one another over our heads, and we don't get a say in the matter. Long after this round of the war on terror is behind us, we'll still be contending with increasingly small computers woven into our lives in increasingly intimate, life-or-death ways. The parochial needs of spies and the corporations that supply them mustn't trump the need for a resilient electronic nervous system for the twenty-first century.

Astro Noise: A Survival Guide for Living Under Total Surveillance, edited by Laura Poitras, features my story "Sherlock Holmes and the Adventure of the Extraordinary Rendition," as well as contributions from Dave Eggers, Ai Weiwei, former Guantanamo Bay detainee Lakhdar Boumediene, Kate Crawford, and Edward Snowden.

The Astro Noise exhibition is on at New York City's Whitney Museum from February 5 to May 1, 2016.

Oscar-winning documentarian Laura Poitras is emerging, carefully, into the spotlight - Vogue 20160127


Laura Poitras in her New York studio.

The sky over Yemen at 1:30 a.m. is dark and still, a vault of deep blackness brushed with a faint smattering of stars. Sprawled on an office chair beneath it, the filmmaker Laura Poitras stares upward, taking in the view.

Yemen’s a complicated place, a flash point in America’s war on terror and currently in the throes of a devastating civil war. Poitras lived there for a while, in a small apartment in the middle of Sana’a, the capital city, filming her 2010 documentary, The Oath. She’d spent much of her adult life in New York, but after 9/11, as so many artists and journalists examined what the attacks had done to America, Poitras picked up her camera and set off to explore what 9/11—or, more accurately, America’s response to it—was doing to the rest of the world. Her work has taken her to Iraq, to Guantánamo Bay, and perhaps most famously to Hong Kong in 2013, where she spent eight tense days holed up in a hotel room with Edward Snowden, filming him up close and in real time as he went from an anonymous computer nerd to the world’s most wanted fugitive. Her film Citizenfour swept the awards season last year, culminating in an Oscar win.

Poitras is once again in New York, having moved back to the city after several years basing herself out of Berlin. We’re in her studio, a few blocks from the Hudson River, peering at the sky in Yemen. It’s a sunny afternoon, but the window shades have been drawn against the light, so that a live video feed from Sana’a can be projected clearly onto a ceiling-mounted screen. Dressed casually in a black cotton shirt, jeans, and sneakers, Poitras, who is 51, leans back in her chair. The sky-cam is an experiment. She is putting together her first major art exhibition, which will occupy the top floor of the Whitney Museum of American Art beginning this month. The exhibit includes a number of short films but is primarily a series of immersive installations, designed almost as a walk-through narrative about the world post 9/11. One idea is to project onto the museum’s ceiling overhead views from parts of the world where the U.S. drone program is active. “I’m interested in going back to these themes of the war on terror,” Poitras says. “What does it mean? How can we understand it on more human terms?”

An image of intercepted satellite data from Poitras’s Whitney show. Laura Poitras, Anarchist: Satellite Feed With Doppler Track (Intercepted May 28, 2009), (detail), 2016. Inkjet print. Photo: © Laura Poitras/Praxis Films, New York / Courtesy of the artist

The studio is a large concrete-floored room filled primarily with computer equipment. In a cluttered corner, sitting on a file cabinet, is a bronze BAFTA Award looking as if nobody has given it a second thought. Pretty much everyone I speak with about Poitras tells me that she is a seven-day-a-week worker, someone who is both too humble and too driven to pause and survey her achievements, which in addition to her raft of film awards includes a Pulitzer Prize and a MacArthur “genius grant.” “I’m pretty obsessive,” Poitras says, referring to her marathon workweeks and myriad projects, “but these are good problems to have.”

Poitras feels strongly that the U.S. government, through a number of secretive anti-terror programs and a lack of Congressional oversight, has done more to breed the kind of anti-American sentiment that fuels terrorism than to squelch it. “I really think that the war on terror makes us less safe,” she tells me. “Look at something like ISIS. ISIS emerged out of the power vacuum that we created in the Iraq War.” She cites as evidence everything from the use of torture at Guantánamo to the top-secret drone assassination program that’s put unmanned, buzzing aircraft in the skies over places like Yemen, Pakistan, and Somalia. “It creates a completely unstable world,” she says.


Her work could be seen as attempting, again and again, to redirect the American gaze. Her film My Country, My Country offered a stirring look at the life of an Iraqi doctor running for political office in Baghdad. The Oath told parallel stories of a former jihadist living freely in Yemen while his brother-in-law languished in Guantánamo. Lately she’s focused on drones. Drone strikes aimed at terrorists, Poitras will tell you, have killed scores of civilians. The first day I meet Poitras in October, the Intercept, the online media organization she founded in 2014 with journalists Glenn Greenwald and Jeremy Scahill, has just published an explosive series of stories about the U.S. drone program. Among its chief revelations is a leaked military review showing that nearly 90 percent of people killed in drone strikes in Afghanistan were “not the intended target.” And while Scahill is out making the rounds on cable talk shows, while Greenwald offers a stream of spitfire outrage on Twitter, Poitras is attempting to hit a deeper vein—that of human empathy. In putting video of Yemen on the ceiling of the Whitney Museum, she’s quietly inviting Americans to consider skies that are not their own.

“Artists have always dealt with the critical issues of their time,” says the Whitney’s director, Adam Weinberg. “And Laura Poitras knows the issues firsthand.” She’s titled the exhibition “Astro Noise,” which is also the nickname Edward Snowden gave to the massive file of leaked documents he sent her in 2013, which landed in her life with the force of a meteor. Weinberg predicts that the exhibition will serve as a lightning rod for public discourse. “You’ll have people on one end of the spectrum who’ll say it’s not radical enough,” he says, “and another side feeling like it’s an incredible breach of national security.”

Later that evening, Poitras sits in a low-lit Japanese restaurant in SoHo, sipping a green-tea mojito and mulling over all that’s happened in the last two years. “To be quite honest, I don’t think I’ve taken the time to take a breath,” she says. She seems a bit stunned, like a diver who’s only just surfaced. “In retrospect, a lot of people think, Oh, the Snowden story is a great story that any journalist would want to get ahold of,” she says. “But it didn’t feel that way then. I was seriously scared.”

Poitras has flowing dark hair and gray-green eyes that are wide and watchful. In conversation, she’s thoughtful and earnest, laughing often but never appearing fully relaxed. The restaurant is dim enough that, tucked into a corner, she’s hardly visible. Which, it would seem, is how she likes it. Poitras is a dialed-down presence in any room, soft-spoken and unshowy, almost invariably dressed in black. Twice now, I’ve attended premieres of her films—crowded, celebratory affairs meant to be all about her—and each time she seemed deliberately to get lost in the crowd. “With my work, being under the radar is sort of a good thing,” she tells me.

There’s a distinct irony to this, of course. These days, there’s little chance of her staying under the radar. If she was once a respected but little-known documentarian, Poitras—post-Snowden—has become a powerful force in both film and news media. Through the Intercept, she recently launched a bold new outlet that funds and posts short-form documentaries (“visual journalism” is how she refers to it), called “Field of Vision.” At the New York Film Festival in late September, she previewed her next film project, Asylum, which has been edited into thirteen short episodes and chronicles the plight of controversial WikiLeaks founder Julian Assange, whom Poitras has been filming off and on since 2011.

All the while, she continues to work with a small team of journalists, divining information from the seemingly inexhaustible Snowden archive. “I still feel an intense obligation to report on it,” Poitras says, adding that there’s pressure to handle the material responsibly, to weigh which government secrets are important for the public to know and which are best left undisclosed. Her colleague Glenn Greenwald—whose reporting from Hong Kong introduced the world to NSA spying—says that the archive represents “both a massive opportunity but also a very heavy burden” for Poitras, adding that “Laura is one of the most creative, passionate, intense, and complicated people I’ve ever met.” And while Greenwald is verbose and comfortable in the spotlight, Poitras seems bent on keeping a lower profile. “She has this profound regard for art and its ability to enlighten and move people,” he says. “She channels all of that into her filmmaking rather than into polemics or words.”

Poitras’s exhibition at the Whitney Museum, “Astro Noise,” opens February 5. Pictured, the filmmaker capturing footage of the construction of an NSA data repository in 2011. Photo: Conor Provenzano / Courtesy of Whitney Museum of American Art

When she was a child growing up in an affluent suburb of Boston, Poitras says, she was quiet and serious, interested in art at an early age. Her father was a computer programmer at a hospital, her mother a registered nurse. She attended a private school that emphasized student-led learning. “There was a lot of unstructured time, which allowed me to develop my senses creatively,” she says. As a teen, she often escaped into the city to see live music (David Bowie, Talking Heads) and movies (A Clockwork Orange, Taxi Driver) at art houses.

By the time she was twelve, she had fallen in love with cooking. After finishing high school, she worked for a number of years as a sous-chef in prominent French restaurants—first in Boston, then in San Francisco. “I loved the challenge,” she says now. “I loved the creativity. I loved the fact that every day you had to make something new.” It was also, she adds, good training for the quick-paced, high-stress filmmaking she would later do. In her free time, she took classes at the San Francisco Art Institute, drawn to experimental, avant-garde film. Eventually, she relocated to New York, studying political theory and media studies at the New School. Nowadays, Poitras enjoys eating a great meal but doesn’t often cook herself, finding it too stressful. “I go into work mode,” she says with a laugh. “I take it too seriously. It’s not relaxing at all.”

Poitras was 35 years old when she embarked on her first long-form documentary, collaborating with a filmmaker named Linda Goode Bryant on Flag Wars, which followed a conflict over gentrification in a traditionally African-American neighborhood of Columbus, Ohio. The film aired on PBS in 2003 and was nominated for an Emmy. More important, it was a revelation for Poitras about what she wanted to do with her life. “It was a very profound experience,” she says. “I learned that I actually love filming people, being with them for these long periods of time, in moments of uncertainty, not knowing what will happen.”

She and Goode Bryant were in the midst of editing Flag Wars when the September 11 attacks took place. Poitras was living on 101st Street and remembers walking in the morning to work, unaware of what was happening. Her first inkling came when she passed a homeless person on the street, who looked at her and said, “The world is ending.” She was moved by the outpouring of compassion that flowed through the city. “It was actually a very profound time to be in New York,” she says. But later, as the drumbeat for the Iraq war picked up, she felt the stirrings of genuine alarm. “I had a real sense that we were moving in a direction that was really dangerous,” she says. “That was when I realized I wanted to say something about it.”

In her films, Poitras is mostly invisible, dedicated to the let-it-happen style of cinema vérité. Her steeliness behind the camera is legendary. Diane Weyermann, executive vice president for documentaries at Participant Media and one of the producers on Citizenfour, remembers seeing My Country, My Country, which received an Academy Award nomination. Poitras had moved herself to Baghdad in the summer of 2004, as the insurgency was beginning, spending much of her time in the home of Dr. Riyadh al-Adhadh, who is profiled in the film, and in the homes of other Iraqis. “There’s this moment when she’s filming and a bomb goes off—an explosion,” says Weyermann. “And the camera doesn’t move. The people in the kitchen all jump up and run, but Laura doesn’t. It was that moment, that scene, that made me understand what a singular talent she is.”

Snowden also recognized Poitras’s grit. He contacted her after seeing a short documentary she’d made about William Binney, a whistle-blower who left the NSA in 2001. She was one of few journalists well versed in digital security at the time. For reasons she didn’t understand, Poitras had been put on a terrorism-related watch list by the U.S. government. Over the course of several years, she was detained and questioned more than 40 times at airports, having her notes photocopied and at one point, a laptop confiscated, which led her to start securing her communications and eventually to move from New York to Berlin, where she felt less compromised.

When a message arrived from an anonymous source calling himself Citizen Four, she worried it was a trap. “I had immediate ‘alert’ instincts,” Poitras says now. “I thought, This is dangerous. And it was.”

She and Snowden corresponded with mutual caution for several months. Knowing the stakes were high, she limited contact with friends, moved to a new apartment, and stopped carrying a cell phone, knowing it could be used to track her location. She played out different scenarios in her head, including one in which she went to jail in order to protect her then-anonymous source. The anxiety was crushing. Her eyes twitched; her throat felt clenched. She did yoga to try to stay calm. “I’m battling with my nervous system,” she wrote in her journal at the time. “It doesn’t let me rest or sleep.”

Earlier that day, Poitras allowed me to read excerpts of the journal she kept in Berlin, which she has decided, after some hesitation, to publish in the catalog accompanying the Whitney exhibition. The journal entries reveal both a churning intellect (“What is this film really about? It might be about the courage to resist power . . . ”), bouts of what seems like depression (“I don’t feel good or grounded. I’m off-balance”), and a mounting sense of paranoia.

The decision to publish the journal feels significant. Poitras is unswervingly guarded when it comes to her private life. She will speak animatedly about films she loves (the documentary Man on Wire, the HBO miniseries The Jinx), artists who’ve inspired her (American photographer Trevor Paglen), or books that have given her insight (George Orwell’s 1984). But pose any sort of question about her life outside of work, and you are likely to be met with a gentle smackdown, usually in the form of “I’d rather not say.”

Our conversation begins to take on a kind of comic push-pull as Poitras declines to give details, even when the details—it seems to me—are harmless. She won’t tell me which part of Berlin she lived in, whether her journal was a bound or spiral notebook, whether she wrote in it with pen. She doesn’t want to discuss her family, her relationship status, or what she does in her free time. “I’ve never talked about my private life,” she says. “I feel like that’s private.” After this comes a long silence.

Perhaps this is the residue of being surveilled. Perhaps it’s an inbred cautiousness—a deep, protective impulse that’s kept her safe and productive through years of working in high-risk environments. Poitras tells me she doesn’t much enjoy being well known. “I don’t love it when someone comes up to me in a coffee shop,” she says, almost sheepishly. She also recognizes that there’s something “ungenerous,” as she puts it, in being a filmmaker who finds her way into the inner sanctum of other people’s lives, but insists on keeping prying outsiders out of her own. Nonetheless, the line holds.

“I feel bad,” she says finally, acknowledging all the things she won’t tell me.

“I feel bad, too,” I say, acknowledging all the things I want to know.

Poitras assumes that she’s still “of interest” to intelligence agencies. She recently sued the federal government to obtain records of her various detentions at airports, receiving 800-plus pages, some of which she intends to hang on the walls of the Whitney. Reading the documents, she discovered that a secret grand jury was convened in 2007 to investigate her on charges of conspiracy, stemming from a day in Iraq when U.S. soldiers spotted Poitras on a Baghdad rooftop holding a camera and apparently deemed it suspicious. (Poitras says any suggestion she abetted Iraqi insurgents is spurious.) “That was definitely shocking,” she says. It’s unclear what the grand jury’s ultimate findings were, but she’s no longer hassled at airports. She’s also relaxed her guard enough to start carrying an iPhone. Happy to be back in New York, she often meets friends for dinner and turns up regularly at documentary-film premieres and art openings. It all seems to be part of the post-Snowden resurfacing. When I ask if it feels good to have a cell phone again, Poitras laughs. “No, but it feels practical,” she says. “I mean, for a long time, I was very hard to reach.”

As the backstory to the Snowden affair has grown more public, Poitras has taken on the glimmer of an icon. The latest season of the TV show Homeland, for example, is set in Berlin and features hackers, government agents, top-secret leaked documents, and a hard-driving journalist named Laura. Everyone from the Wall Street Journal to The New York Times has noted the parallel to Poitras. When I mention this to her, she flares her eyelids as if to say, “Can you believe it?” but offers no comment.

“It’s gotten surreal,” says Brenda Coughlin, a producer at Poitras’s film company who’s working closely with her on the Whitney exhibition. “Her life has changed dramatically, and I think that’s weird for her.” Last year, during a visit to Hong Kong, Poitras stayed at the Mira Hotel, where she first filmed Snowden. Stepping onto an elevator one day, she bumped into actor Zachary Quinto and a Hollywood film crew working on the Oliver Stone version of the Snowden story, due out this spring, featuring Joseph Gordon-Levitt as Snowden, Quinto as Greenwald, and Melissa Leo playing the role of Poitras. (Poitras is not involved with the film.)

Hollywood remains a strange kind of otherworld. Several colleagues told me stories of Poitras doing red-carpet interviews at awards shows, patiently enduring questions about her wardrobe while also talking, in the least obnoxious way possible, about civil liberties. “It’s always a contradictory experience,” Poitras says with a laugh. “I’ve been nominated twice now [for Academy Awards], both times for films about dark and depressing events. And then you have to get all dressed up and go.” Her go-to designer, she adds, is German Annette Görtz. Poitras accepted her Oscar last year with a nervous, gracious dignity, thanking her many collaborators but also taking the opportunity to remind the audience that Snowden’s revelations exposed what she sees as not just “a threat to our privacy but to our democracy itself.”

She and her Citizenfour crew then practically closed down the Vanity Fair after-party. The mood was celebratory, but what she felt, more than anything, was relief. “There were so many potential bad outcomes for so many people,” she says now. “It was pretty extraordinary that this was the outcome.” Coughlin recalls sitting on a couch at 4:00 a.m. next to Poitras and her Oscar. “I turned to her and had a kind of ‘Holy shit’ moment, like, ‘Look at where you are. You could have been in jail, or you could be at the Vanity Fair Oscar party!’ ”

Despite the hubbub and occasional glitz of the last year, Poitras remains solidly devoted to documentary filmmaking. “It’s a way to express who people are and also bigger things—what situation they are in—and that’s really powerful,” she says. “I love it. Like, I really, really love it.” She seems wistful, recalling how working on Flag Wars initially seized hold of her. “It was a surprise. I’d just assumed that as an artist or a creative person, I would always work in a solitary way.”

In the time I spend with Poitras, this moment would strike me as the most touching. All these years later, she still seems genuinely surprised by what she’s found in herself. She’s an inward person who has thrust herself outward into the world, perhaps against her nature. It’s a stretch, maybe a painful one, but inside that stretch is Poitras’s particular genius—the solitary artist who plants herself in the center of unfolding history. “I’m a different person, holding a camera. I’m normally pretty shy. I don’t actually love to travel,” she tells me. “But I love doing this work. And when I’m doing work, I have to put those things aside.”

We are done with our drinks. It’s a Friday evening, and the restaurant is now crowded. Poitras picks up the two tote bags she’s brought from her studio, stuffed with work she plans to tackle over the weekend. “I love weekends,” she says. “They’re quiet. I can think. I get so much done.” It’s the most revealing disclosure she’s made about her personal life yet. Outside, dusk has fallen. Before we part ways, I ask Poitras which direction she’s heading, what neighborhood she lives in. She gives me a friendly hug and then a last, enigmatic smile. “I’d rather not say,” she says. “I hope you’ll understand.” And as she heads off to someplace I’ll never know, I realize that I do.