The acting intelligence community inspector general, Thomas Monheim, has been asked to investigate claims that Edward Snowden, while working as a contractor for the National Security Agency, was able to search a classified database for the private emails of a senior member of Congress.
Rep. Anna Eshoo, Democrat of California, requested the investigation based on statements attributed to Snowden in a book by former Washington Post reporter Barton Gellman released in May. Eshoo says that NSA Director Paul Nakasone dodged questions last month when asked whether NSA analysts have ever used a powerful surveillance tool to retrieve emails belonging to members of Congress and Supreme Court justices.
What’s more, Nakasone did not address whether any technical safeguards exist to prevent analysts from accessing the emails of justices and officials without express legal permission.
Gellman, who won a Pulitzer Prize for his reporting on NSA secret surveillance in 2014, is one of only a handful of reporters to work directly with Snowden. Snowden fled to Hong Kong and then Moscow in 2013 after leaking to reporters potentially millions of documents describing NSA’s methods of electronic surveillance, domestically and abroad.
In Gellman’s new book, Dark Mirror: Edward Snowden and the American Surveillance State, Snowden claims to have once used an NSA targeting interface known as “XKeyscore” to target an email address belonging to the office of Nancy Pelosi, who was then House minority leader. According to the book, Snowden did so only as a “proof of concept” to demonstrate the ease with which the NSA’s tools could be turned on anyone, regardless of their station.
In 2014, German researchers affiliated with the Tor Project reported that XKeyscore’s source code appeared to especially target individuals who displayed an interest online in privacy-enhancing software. The NSA has described the data-retrieval system as a “lawful foreign signals intelligence collection system.” Snowden has described XKeyscore as allowing NSA analysts to “wiretap anyone” whose email address is known.
In August, Eshoo sent a series of questions about the allegations raised by Gellman’s book to Nakasone and Director of National Intelligence John Ratcliffe. She wrote that Snowden had claimed at one point to have “wiretapped the internet communications of Congress’ current Gang of Eight and the Supreme Court.” This turned out to be untrue, she wrote, but—as explained in the book—only because Snowden could not easily find their private email addresses. (“Gang of Eight” refers to the leaders of both parties from both the Senate and House as well as the chairs and ranking members of both the Senate and House Select Committees on Intelligence.)
“The surveillance of Congressional and judicial communications by the executive branch seriously threatens the separation of powers principles of our Constitution,” Eshoo wrote. “While no Member of Congress, Supreme Cout Justice, or any other individual is above the law, their communications, like those of all Americans, should only be collected by the government pursuant to a specific warrant authorized by an independent court as part of a criminal or intelligence investigation.”
Gellman recalls that Snowden’s claim arrived first in a message conveyed to him and Laura Poitras, the filmmaker in whom Snowden confided along with then-Guardian reporter Glenn Greenwald, in 2013. In what Gellman calls an “antisurveillance manifesto,” Snowden describes his attempt to prove the “NSA surveillance apparatus could be turned against anyone.” Snowden then claims, according to Gellman, that he “wiretapped the internet communications of Congress’ Gang of Eight and the Supreme Court.”
Gellman notes that neither Poitras nor Greenwald, whom he says could not have simply overlooked the claim, ever wrote or said anything about it publicly; likely, he assumes, because Snowden provided scant details and zero evidence to support it. Snowden’s reluctance to discuss the matter grew into a “point of tension” between him and Gellman. In October 2013, Snowden told Gellman he believed the intercepts could be used to “criminalize” his disclosures.
The following year, Snowden wrote in an email to Gellman: “The NSA has access to the complete, comprehensive records of our private lives going back for years; the scary part is any high school drop-out can wake up in the morning and decide they’re going to walk out the door with copies of Nancy Pelosi’s emails, and unless they send them to the Washington Post, nobody’s ever going to know.”
Gellman said he pressed Snowden about the intercepts in 2015 during a visit to Moscow. Federal investigators, he said, had refuted Snowden’s claim that he could, on his own, input search terms into XKeyscore’s interface.
Snowden finally said he had “overstated it a little bit,” and that what he had actually done was run a search on an email address for the office of then-House Minority Leader Nancy Pelosi. “Nothing of special interest came back,” Gellman wrote. Snowden goes on to explain that he didn’t know the private email addresses of the Supreme Court justices or any members of Congress. The search he ran with XKeyscore was meant instead as a “proof of concept,” he said, to demonstrate that with those addresses, collecting the private emails of America’s leaders would be a cinch.
In response to Eshoo’s letter, Nakasone wrote he was “not surprised” that Snowden had “disregarded the laws, regulations and implementing procedures that protect the privacy of American citizens, Members of Congress, lawful permanent residents, and other categories of U.S. persons.” The NSA, he wrote, “strictly adheres to the rule of law and has a robust program to investigate and report incidents of non-compliance.”
Added Nakasone: “In general, the law forbids elements of the Intelligence Community, including the NSA, from directing electronic surveillance against any U.S. person unless the Foreign Intelligence Surveillance Court has determined that there is probable cause to believe the U.S. person is an agent of a foreign power.”
Nakasone also pointed to the “Gates procedures,” a brief set of guidelines established in 1992 by former CIA Director Robert Gates, which describe the intelligence community’s policy regarding the “retention and dissemination” of “Congressional identity information.” It further describes who is involved in making decisions around notifying members of Congress if their names have been “unmasked” in an intelligence product.
In a previously unreported letter to Monheim this month requesting an investigation, Eshoo writes that Nakasone’s reference to the Gates procedures failed to answer her questions; namely, how many times over the last decade has an intelligence analyst searched a classified database for communications or metadata related to email addresses belonging to members of Congress or those related to the Supreme Court.
Eshoo also inquired as to whether any “technical safeguards” actually exist, beyond those which are procedural, to prevent an analyst or contractor from running searches without express legal authorization—a question that Nakasone did not directly answer.
In an email, Eshoo said that Nakasone had merely “pointed to policies that govern sharing congressional communications within the Executive Branch,” adding: “Those policies do not address the fact that congressional communications should not be collected, and the [intelligence community] needs technical safeguards to ensure this is the case.”
This month, Eshoo urged Rules Committee leaders to consider updating House rules to expand multi-factor authentication requirements and establish a working group to combat surveillance of congressional communications.
“This is a serious matter that goes to the heart of our system of government, which is comprised of three co-equal branches,” she told Gizmodo. “One having the ability to spy on another is highly problematic to the constitutional principle of separation of powers. ”