Marc Ambinder

Deep State excerpt: Why the NSA keeps everything so secret

If Bill the Plumber knows how the NSA intercepts communications, then Michelle the Terrorist will likely also know — and change her communication methods accordingly

This is an excerpt from Deep State: Inside the Government Secrecy Industry, by Marc Ambinder and D.B. Grady. Over the next few weeks, we'll be running a series of NSA-related excerpts from the book here on The Compass.


A dozen years after 9/11, former NSA director Michael Hayden, now retired, remains accessible. He answers questions sent to his AOL email address. "Can the UK task the U.S. with listening to British citizens? Can the U.S. task the Brits with collecting on U.S. citizens?"

"Absolutely not," he replies.

"Does the NSA maintain a database of potential political undesirables in the event of martial law in the U.S.?"

"An urban legend," he says.

Did the NSA illegally eavesdrop on American citizens?

Though the intelligence community esteems Hayden — indeed, it's hard to find someone he has worked with who will speak ill of him even in private — in public he becomes quite defensive about the special programs. Of course, he cannot be too defensive, because he can't present a defense. The program, discontinued and then revived under the FISA Amendments Act of 2008, is ongoing and has expanded beyond what even he envisioned for it. It remains Top Secret and compartmentalized as SI, or "Special Intelligence." If that wasn't enough, the program is stovepiped into a special compartment whose name itself is classified.

The basic reasoning behind such draconian secrecy measures is that if Bill the Plumber knows roughly how the NSA intercepts communications originating within the United States, then Michelle the Terrorist will likely also know this and change her communication methods accordingly. The United States, collectively, will then find it harder to figure out where the bad gals and guys are. So far as national security arguments go, this one is fairly basic. Still, it's not inherently persuasive, being predicated on a condition that there are terrorists who assume the U.S. government doesn't have a method of listening to telephone calls or reading emails.

That said, when the New York Times printed details of the NSA surveillance program in 2005 — whatever one's feelings about the special programs and their legality — there is evidence that the bad guys weren't making these assumptions. The Times bowed to White House pressure to sit on the story for a year but reversed course shortly before the publication of a book by one of the story's lead reporters. Though the Times story itself did not contain any details that intelligence officials could later tie to any American lives placed in jeopardy — and indeed, the NSA thanked the Times in private for its discretion, while publicly flailing it — the percussive effect led to a disclosure that made it harder for the NSA to perform basic functions: that American companies were cooperating with the NSA, mostly by providing them with reams of data about foreign communications that happened to touch (or "transit through") an American wire. "This, by far, was the worst disclosure," Hayden said in an interview. "It actively stopped collection that no one anywhere had any problem with."

Ironically, the first public confirmation that President Bush had authorized the acquisition of information from these domestic junctions came courtesy of Bob Graham of Florida, chairman of the Senate Select Committee on Intelligence, who mentioned it to the Washington Post after the Times first reported the domestic terminal portion of the story. Graham had been told about the cooperative arrangement between the government and the telecoms in October 2002. Not long after that the NSA and the telecoms had figured out how to sift through reams of metadata in real time. Earlier that summer, the NSA had started to set up splitters at key telecom network nodes across the country, including one in San Francisco that was exposed by a whistleblower.

The special programs (of which the Terrorist Surveillance Program is a part) reside at the intersection of two very complicated and overlapping bodies of law, each with its own language and legislative history. Laws circumscribing the practice of domestic law enforcement and statutes proscribing the country's flexibility to respond to existential military threats are not always reconcilable — nor were they designed to be. Where laws governing domestic law enforcement tend to minimize powers and focus on the traditional balance of self-government and security, the larger body of national security laws often justifies its own existence with the need to give the executive branch a normative foundation for extraordinary actions.

The NSA operates collection platforms in more than 50 countries and uses airplanes and submarines, ships and satellites, specially modified trucks, and cleverly disguised antennas. It has managed to break the cryptographic systems of most of its targets and prides itself on sending first-rate product to the president of the United States.

Inside the United States, the NSA's collection is regulated by FISA, passed in 1978 to provide a legal framework for intercepting communications related to foreign intelligence or terrorism where one party is inside the United States and might be considered a "U.S. person."

Three bits of terminology: The NSA "collects on" someone, with the preposition indicating the broad scope of the verb. Think of a rake pushing leaves into a bin. The NSA intercepts a very small percentage of the communications it collects. At NSA, to "intercept" is to introduce to the collection process an analyst, who examines a leaf that has appeared in his or her computer bin. (An analyst could use computer software to assist here, but the basic distinction the NSA makes is that the actual interception requires intent and specificity on behalf of the interceptor.) A "U.S. person" refers to a U.S. citizen, a legal resident of the United States, or a corporation or business legally chartered inside the United States.

Before the Terrorist Surveillance Program went live, the system was designed to work something like this: When the FBI or CIA developed information about foreign espionage or terrorist plots that tied legitimately bad people to U.S. persons (citizens, corporations, charities), the government, through the Justice Department's Office of Intelligence Policy and Review, applied for a FISA warrant. This allowed the NSA to collect all electronic communications that directly emanated from, or were directed to, that specific U.S. person — so long as one side of the conversation was known to be overseas.

In practice, the process went like this: If an NSA analyst decided that one party of a conversation she was about to monitor (or had just intercepted) might be inside the United States, she would have to convince her superior that there was probable cause to believe that the person inside the United States was connected to the foreign intelligence purpose that the analyst was tasked with collecting on. The superior would go to the NSA general counsel, who could veto the request. If the general counsel approved, however, a packet of materials would be created for the Justice Department to review. Again, Justice could say no, but if they said yes, they (that is, Justice) would have to draft a document demonstrating probable cause for the duty judge on the FISC. This process could be done quickly, but often was not, and certainly couldn't be scaled sufficiently so that potentially urgent situations could be approved. Even accepting that FISA allowed for orderless interceptions in emergencies, the bottleneck of processing applications would be significant. The government was required to have probable cause to believe that the person overseas was a member of, or significantly associated with, a foreign government or terrorist entity. Also, intention mattered. The primary purpose of surveillance had to be to gather foreign intelligence.

What the special programs did, from a 30,000-foot level, was remove the multiple layers of lawyers. Analysts could decide for themselves whether probable cause existed to intercept a communication. Their work was subject to regular review by the inspector general of the NSA, who would sample target folders to see if the analyst's operational standard of probable cause met hers. The special programs allowed the NSA to determine much more quickly whether a flashing dot somewhere in the world was worth paying attention to or could be safely ignored. It allowed the NSA to directly acquire a raw feed from telecoms — AT&T, BellSouth, and Verizon — and merge it with data collected from a number of other sources (email servers, most of which were based in the U.S.; credit bureaus; credit card companies; passport records) — to identify the U.S.-based target of a foreign communicator with ties to terrorism, or, in some cases, to identify the foreign-based communicator based on a live intercept. The telecoms provided bulk data in the form of CDRs — Call Detail Records, which included the destination number, the duration of the call, and the location of the call (a home switch, a cell tower, an IP address). The NSA and the telecoms widened secure data channels already constructed for the purpose of allowing law enforcement to monitor to-and-from telephone information in real time — a requirement of the Communications Assistance for Law Enforcement Act.

There was quite a bit the agency could monitor in real time. Based on a scrap of paper collected somewhere overseas with a U.S. phone number on it, the NSA could figure out what other numbers that number called and even determine whether any of those domestic-terminal numbers were in contact with numbers associated with others on the watch list. (This form of analysis is called Community of Interest collection.) To be clear, at this stage of the process the NSA is not actively intercepting communications. It is collecting and analyzing metadata to determine whose communications to intercept. The equipment the NSA reportedly used at the telecom switches (the places where internet traffic gets routed from one company's system to another) allowed them, in theory, to query email traffic for content. The NSA insists that performing such semantic analysis on content was not done until the target was established.

Coming next: Why did the NSA refuse to use a cheaper program that could have better protected civil liberties?
