Reflecting on the 10th Anniversary of the Snowden revelations

The Snowden revelations, which started 10 years ago today, exposed a vast, far-reaching, and complex system of surveillance capabilities built and operated by intelligence agencies, primarily the National Security Agency (NSA) and its partners known as the Five Eyes. These revelations had a profound impact on public understanding of government surveillance, privacy rights, and the balance between national security and civil liberties.

The documents and subsequent discussions in the cyber security community were a formative moment both personally and professionally, as they completely transformed my world view and understanding of geopolitics. They fueled my interest in cyber security and my research interests in cyber security topics that intersect with national security and foreign policy.

The first set of documents published by The Guardian detailed how a top-secret court order forced US telecommunication providers to hand over phone records to the government. The bulk collection of phone metadata, which was made possible by Section 215 of the FISA Act, sparked public outcry and legal challenges, which ultimately culminated in reforms.

The documents provided unprecedented insight into the surveillance capabilities of the Five Eyes intelligence alliance, consisting of the United States, the United Kingdom, Canada, Australia, and New Zealand. They revealed the extensive collaboration among these nations in conducting mass surveillance activities and exposed the existence of global surveillance programs, such as PRISM and XKeyscore, which involved the interception and collection of vast amounts of internet communications data. This included access to major tech companies, telecommunications networks, and undersea fiber optic cables, enabling the Five Eyes to monitor a significant portion of global communications.

XKeyscore is one of the key programs developed by the NSA to enable mass surveillance. It is designed to collect, store, and analyze vast amounts of global internet data, including emails, online chats, browsing histories, and other types of online communications. The program operates by intercepting and filtering network traffic through a network of global data collection points, allowing NSA analysts to search and retrieve information based on specific search queries and so-called “selectors”. It enables widespread surveillance of individuals and organizations around the world. It can target both foreign and domestic communications, with access to data from multiple sources, including major internet service providers. Based on 2013 documents, XKeyscore had 750 servers around the world and each inspection point could process 125 GB of data per second.

A diagram showing the XKeyscore interception points around the world


These documents also shed light on the close cooperation and information sharing among the Five Eyes countries. The intelligence agencies involved collaborated in collecting and analyzing data, allowing for the sharing of resources, expertise, and surveillance techniques. The scope of this cooperation extended beyond counterterrorism efforts, encompassing economic and political espionage as well. The documents revealed a level of coordination and integration among the Five Eyes nations that had previously been unknown to the public.

Snowden’s disclosures also shed light on the international scope of surveillance, revealing that intelligence agencies, including the NSA, were engaged in widespread monitoring of foreign governments, institutions, and even friendly nations. The revelations strained diplomatic relations between the United States and several countries, raising concerns about sovereignty and the trustworthiness of international partnerships.

The release of the Snowden documents had a significant impact on the field of cybersecurity, prompting both individuals and organizations to reassess their practices and enhance their security measures. For the first time in its 21-year history, Defcon asked the federal government to stay away from the event. The revelations exposed the extent of government surveillance capabilities, raising awareness about the vulnerabilities in digital communication systems and the potential for abuse of power.

Many US government officials were highly critical of Snowden’s actions and argued that the disclosures harmed intelligence gathering capabilities, thereby jeopardizing the safety of the nation and its citizens. They argued that Snowden could have used the appropriate channels; however, independent reviews of such channels have found that they are not well equipped to handle such disclosures.

At a Senate Intelligence Committee hearing in March 2012, the Director of the NSA, General Keith Alexander, was asked if the NSA knew how many Americans had their electronic communications collected or reviewed, to which Alexander responded that they did not. At another hearing of the Senate Intelligence Committee in March 2013, Senator Ron Wyden asked the Director of National Intelligence, James Clapper: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” “No sir,” replied Clapper. If the high-ranking intelligence members were lying under oath to Congress, what could any whistleblower protection system have done to remedy the situation?

The US government claims that the surveillance is necessary for national security to prevent terrorist attacks. The war on terror narrative told by the US government is substantially misleading. A 300-page report compiled by an independent White House review panel in 2013 found that the NSA has never stopped a single terrorist attack.

What has happened since the 2013 disclosures?

End-to-End Encryption

The Snowden revelations sparked a shift in cybersecurity policies and practices. One of the immediate effects of the Snowden documents was the widespread adoption of encryption technologies. The revelations highlighted the need for individuals and organizations to protect their communications from unauthorized surveillance. As a response, encryption became more prevalent, with end-to-end encryption becoming a standard feature in popular messaging apps.

End-to-end encryption ensures secure communication between two parties by encrypting the content of the messages, making it unreadable to anyone other than the intended recipients. With end-to-end encryption, data is encrypted on the sender’s device and can only be decrypted by the recipient’s device, guaranteeing confidentiality and privacy throughout the transmission.

WhatsApp implemented end-to-end encryption based on the Signal messaging protocol. As end-to-end encryption has grown in popularity, many governments around the world are trying to implement content scanning capabilities to enable them to read messages that are sent over end-to-end encrypted channels.

Internet Encryption

The Let’s Encrypt project was started by two Mozilla employees before becoming an official non-profit certificate authority in 2013. The project gained momentum after the Snowden revelations as companies raced to implement HTTPS. Let’s Encrypt gained popularity and market share through its innovative approach to web encryption. It revolutionized access to SSL/TLS by offering free and automated SSL/TLS certificates, which made it accessible to a broad range of users. Its user-friendly interface and automated certificate issuance eliminated the technical barriers that previously hindered widespread adoption of HTTPS.

Thanks to Let’s Encrypt and other industry initiatives, over 95% of the internet is encrypted today.

Cyber Security Relationships

The industry was kicked into high gear after the revelations, which led to significant evolution and transformation. The revelations changed the way that many approached certain topics and served as a wake-up call to address vulnerabilities and the potential for abuse. As a result, there was a surge in cybersecurity investments, research, and technological advancements. Organizations, both public and private, have made substantial efforts to bolster their cybersecurity capabilities, implementing robust encryption methods, multifactor authentication, and intrusion detection systems.

Legal Reforms

The Electronic Frontier Foundation (EFF) and other organizations have sued the US Federal Government over the illegal and unconstitutional surveillance programs. The flagship lawsuit from the EFF is Jewel v. NSA, which was filed in 2008, before the Snowden revelations. In 2020, a US court ruled that the surveillance programs that Snowden revealed were illegal.

In 2015, the USA FREEDOM Act was enacted, which amended Section 215 to end the bulk collection of domestic phone metadata. The act required telecommunications companies to retain their records and allowed the government to request specific information with court approval. Additionally, it introduced measures to increase transparency and accountability, requiring the government to disclose more information about its surveillance activities.