The Snowden Legacy, part one: What’s changed, really?

By Sean Gallagher

Remember this guy?
Enlarge / Remember this guy?

Digital privacy has come a long way since June 2013. In the five years since documents provided by Edward Snowden became the basis for a series of revelations that tore away a veil of secrecy around broad surveillance programs run by the National Security Agency, there have been shifts in both technology and policy that have changed the center of gravity for personal electronic privacy in the United States and around the world. Sadly, not all of the changes have been positive. And Snowden's true legacy is a lot more complicated than his admirers (or his critics) will admit.

Starting with that first article published by the Guardian that revealed a National Security Agency program gathering millions of phone records from Verizon—which gave the agency access to metadata about phone calls placed by or received by everyone in America—the Snowden leaks exposed the inner workings of the NSA's biggest signals intelligence programs. Coming to light next was the PRISM program, which allowed the NSA, via the FBI, to gain access directly to customer data from nine Internet companies without notifying the customers. And then came Boundless Informant, a tool for visualizing the amount of signals intelligence being collected from each country in the world. By the time the Snowden cache had been largely mined out, hundreds of files—ranging from PowerPoint presentations to dumps of Internal Wikis and Web discussion boards—had been reviewed and revealed by journalists.

"Thanks to Snowden's disclosures, people worldwide were able to engage in an extraordinary and unprecedented debate about government surveillance," the American Civil Liberties Union declared on the fifth anniversary of the Guardian article.

But when examining the situation closely in terms of political and institutional impact, Snowden's leaks have left a mixed legacy. While his efforts to create a dialogue about privacy reached many ears and had a direct and tangible impact on areas of Internet technology that had long been vulnerable to mass surveillance, the tangible changes that followed have been more evolutionary than revolutionary.

In the meantime, the threat to privacy has evolved as well—especially as the mass adoption of smartphones has placed a trackable, network connected device within reach of billions of people on the planet. The Snowden leaks (and other revelations since) have even emboldened other states to engage in more explicit forms of mass surveillance. Seeing a threat from encryption, the US and other members of the Five Eyes group (the United Kingdom, Australia, New Zealand and Canada) have agreed to look at ways to require backdoors to secured communications again.

"Suddenly, everybody knows, and nothing's changed," security technologist and author Bruce Schneier told Ars. "It was never a campaign issue. We tried to make it one. We failed... the subsequent changes are very small."

Today, for good and ill, we live in a world that has clearly been shaped by Snowden's actions—from both a political and technological perspective. So in a special Ars two-part episode this fall, we're looking back on the Snowden leaks: today, we'll examine Snowden's policy impact in terms of how the government has changed its practices, how the leaks impacted the national security community itself, and what the future looks like for whistleblowers. In our second installment coming soon, we'll dive deeper into how Snowden shaped the de facto world of security—focusing on the technical underpinnings of our current networked world, the evolution of the Internet since the revelations, and what it all means for the future of our privacy.

Opening debate

Edward Snowden did not set out to single-handedly change the world. "Snowden's number one goal was to launch a meaningful debate about the appropriate limits of government surveillance authority, and that goal was accomplished," Ben Wizner, director of the ACLU Speech, Privacy, and Technology Project and a member of Snowden's legal team, told Ars. "His biggest fear was that the revelations would be ignored or cynically dismissed, and instead we have a global debate. Now it's obviously the case that in many instances he would have liked to have seen more significant reforms, but that was the secondary goal."

Snowden's supporters saw the massive document dump as a heroic act. His "decision to expose the mass surveillance practices of US and its international intelligence allies has been transformative," said Dr. Gus Hosein, executive director of Privacy International, in a statement on the FISA leak's fifth anniversary. "Despite the ferocious repudiation of his actions by the US and UK governments, his courageous actions were ultimately good for the intelligence agencies themselves, governments, and most importantly the global public. Until Snowden, the idea that Western governments would routinely collect, store, and analyze our personal data sounded like a conspiracy theory to many people. Because surely, mass surveillance isn’t something good, benevolent Western democracies would ever undertake. Snowden blew that idea wide open."

But even if the ends seemed indisputably good, not every security-watcher believes in the means. Klon Kitchen, the Heritage Foundation's senior research fellow for Technology, National Security and Science Policy, acknowledged that Snowden's "illegal disclosures significantly elevated public debate on the intrinsic tensions between liberty and security," but he believes there are "far more responsible ways" to initiate that conversation.

"Edward Snowden is no hero," Kitchen told Ars. "Any positive effects that may have emerged following his treachery are overshadowed by the great costs to our nation’s security."

Peeling back the veil

Snowden's very first leaked document, the Foreign Intelligence Surveillance Court (FISC) order to Verizon mandating the turnover of "telephony metadata" to the FBI and the NSA, has inarguably had the greatest impact on US policy and legislation. Even many critics of Snowden admit that the NSA's Telephone Records Program, conducted under Section 215 of the USA PATRIOT Act, was a major intrusion into the privacy of American citizens and was an abuse of the FISC orders.

"Pre-Snowden, the government was collecting billions of call records probably on a daily basis," said Mark Rumold, senior staff attorney at the Electronic Frontier Foundation. "They were doing it entirely in secret, with some limited oversight from the FISC. But subsequent disclosures have shown the government was repeatedly violating the rules FISC put in place. And most members of Congress didn't have a clue that the program was going on."

But that program wasn't entirely unknown prior to Snowden's FISC document leak. There had been public reporting on the 215 program, including a report by USA Today in May of 2006 (though the newspaper was forced to retract portions of the story pertaining to the sources of the data collected by the NSA). And even before that, there were legal efforts to expose NSA surveillance, including an EFF lawsuit in January of 2006 against AT&T over the NSA's network surveillance. That case was eventually dismissed after Congress gave AT&T and other telecom companies retroactive immunity under the FISA Amendments Act of 2008; similar lawsuits floundered, too.

"So people knew about this program, but for whatever reason it didn't resonate with the public in the same way that it did in 2013," EFF's Rumold said. "Maybe there's some difference that you could attribute to the leaking of an actual court document, but the government could have said, 'No, that's not a real document,' or they could have refused to confirm or deny. They could have done the same thing they did in 2006. So there was something about the time when the Snowden documents came out that the public had a greater appetite, or maybe just a bigger awareness, of the privacy problems that were going on."

"Snowden ended up proving things rather than bringing it to light," as Mark Zaid, a prominent national security attorney who frequently handles whistleblower cases, put it. "There were lawsuits that people were trying to bring that got defeated because of standing, and the FISC document gave them standing."

"As a result of the disclosures," ACLU's Wizner explained, "we had standing to press our claims, and we actually got a federal court to declare the most sweeping domestic surveillance program in US history to be illegal."

The disclosure of the FISC document itself created a surge in attention to other FISC-related lawsuits, the EFF's Rumold told Ars. "To just give you an example, in terms of FISC opinions, in May of 2013 we had filed a motion in the FISC as part of a lawsuit against the Department of Justice to try to get a FISC opinion disclosed, and I couldn't get anyone in the press or the public to care about this lawsuit. Then the Snowden leaks started in early June, and by July people were dying to hear about this case and get updates. It was impressive to see the turnaround in the public on it, but also I think there was a marked shift from the government, too, about whether or not it could continue to have this absolute wall of secrecy about its foreign intelligence authority."

Prior to the Snowden leak, "there were like three or four FISC opinions that had ever been released," he continued. "And now there are probably over a hundred at this point that have been disclosed. So it's night and day, the difference. It's still not perfect but it's been a substantial shift. And I think greater disclosure about FISC opinions, greater disclosure and transparency about the government's general use of its surveillance authorities has led to changes around the margins for some of the other foreign intelligence surveillance programs."

In response to all this, the Office of the Director of National Intelligence became more public about its oversight operations, for instance. Notably, the ODNI launched IC On The Record, a Tumblr page dedicated to publishing information on surveillance programs and their oversight. "Clearly, the US Intelligence Community is more transparent now," said Paul Rosenzweig, senior fellow at the R Street Institute (a libertarian public policy research organization in Washington, DC). "Six years ago, the idea that the IC would be posting on Tumblr would have been, 'What, are you kidding me?' That's a good thing, in that it makes our government more transparent and accountable."

Rumold agreed that "a change in the government's heart about transparency" was one of the most substantial results of the Snowden disclosures. He called it "a wakeup call for the government that secrecy is not the highest order of value when it comes to intelligence, or when it comes to foreign intelligence surveillance." And going forward, if the government wants to operate a big program like 215 without public notice or more awareness from Capitol Hill, "when they build these massive illegal programs under a veil of secrecy, then there's a resulting backlash that can cause them to lose authority that they might otherwise have gotten," Rumold said.

Page 2

Again, the ACLU's Wizner said that achieving significant change wasn't Snowden's principal goal in the first place. "It was about process," he explained. "[Snowden] was much more focused on democratic accountability than he was on surveillance or privacy. The main motivating force for his disclosures was that the established oversight mechanisms in the US have comprehensively failed."

If that's the case, then Snowden could be comfortably viewed as a success—at least when it comes to causing some introspection by the three branches of government. But the reforms that followed this soul-searching did not significantly change the surveillance equation at large, which Wizner acknowledged. "As far as the reforms themselves, they were, in the US, both historic and inadequate."

The policy impact started with some changes made by the Obama administration, including Presidential Policy Directive 28 (PPD-28). According to a CIA document on signals intelligence (SIGINT) activities policy, PPD-28:

...directs the Intelligence Community (IC) to assess the feasibility of alternatives that would allow the IC to conduct targeted SIGINT collection rather than bulk SIGINT collection. Accordingly, when engaging in SIGINT collection, the Agency should conduct targeted SIGINT collection activities rather than bulk SIGINT collection activities when practicable. SIGINT collection activities should be directed against specific foreign intelligence targets or topics through the use of discriminants (e.g., specific facilities, identifiers, selection terms, etc.) when practicable.

This policy "represented some sort of substantial overhaul of [the government's] SIGINT authorities, to the extent that those new rules actually capped or put limits on the surveillance that they were doing," said the EFF's Rumold. "But it was pretty obscure to outsiders."

One of the things that PPD-28 eventually changed was how parts of the intelligence community ran bulk surveillance of Internet traffic. The NSA conducted those actions under the authority of Section 702 of the FISA Amendments Act of 2008. Post-Snowden, the NSA ended what it called "about" collection—searching the contents of communications for email addresses and other "selectors" rather than just looking for traffic between persons of interest (Rumold described the practice as "one of the most problematic parts of 702 surveillance"). The PPD-28 change made what the ACLU and EFF contend to be an unconstitutional form of surveillance "less unconstitutional," Rumold said.

Somewhat less obscure were the legislative changes that followed—specifically, the USA Freedom Act, which changed the way the NSA runs the FISA 215 program. USA Freedom got the NSA out of the business of directly storing phone records, and the policy now requires the government to obtain records from providers after obtaining an authorization from the FISC.

However, those FISC authorizations can still be fairly broad. Based on the most recent disclosures by the government, about 500 million call records were obtained last year under the mechanisms set forth in the USA Freedom Act. On top of that, Congress left the NSA's other surveillance programs, authorized under section 702, largely intact—in fact, lawmakers re-authorized them for another six years in 2017.

"Snowden's disclosures generated greater Congressional consideration and review, and I see that as a positive, because I think Congress as the legislative branch should be making these decisions," said Rosenzweig. "Some people see that as a negative, because what has happened is Congress has institutionalized a lot of this. They've reviewed this, and they've said, 'No we like the 702 program, and yeah, we'll fiddle around the edges and cut and trim.' But I think anyone who was expecting Snowden's revelations to result in a wholesale de-institutionalization of the intelligence community would be disappointed."

The EFF supported USA Freedom, and Rumold asserted that the law "represents the most substantial check or rollback of intelligence agency authorities that has been passed since FISA."  Still, the organization acknowledges that 500 million call records—regardless of how much duplication of records there was between phone providers—was a substantial number. "I feel very comfortable saying even with that very large number, that it is better than the government itself obtaining billions of records every day," he added.

The global impact

Snowden critics, and even some more sympathetic with his cause, continue to question whether those changes justify the scope of Snowden's document dump. In addition to revealing domestic programs of questionable legality, critics contend, Snowden exposed foreign intelligence operations that were legal and within the NSA's charter—an exposure that has strained relationships with allies and may have damaged intelligence collection.

"You need to distinguish between his releases on the domestic surveillance programs and everything else," said Mark Zaid. "If he had only released the Verizon FISA order," Zaid suggested, Snowden would have likely had just as much of an impact on domestic surveillance. "He'd be here in the US, and probably be in the US working for Google or Amazon, and writing a book."

Instead, Zaid believes Snowden caused more harm than good. "He didn't need to do everything he did. He stole data on legal overseas intelligence programs—some that were our allies', some that were shut down. We lost certain platforms and certain relationships. People aren't sharing like they used to."

Snowden's disclosures have had a tangible impact on privacy policy overseas. In a May 25 Washington Post editorial, Georgetown University's Abraham Newman and Nikhil Kalyanpur asserted that the European Union's General Data Privacy Regulation (GDPR) might never have happened without the Snowden revelations. The regulation sets huge penalties for companies associated with data disclosures, and it went into effect in May. Already, GDPR has led to more than $8 billion in lawsuits against Google and Facebook, as well as the blocking of access to some websites from Europe and the shutdown of some services (including Klout).

The overseas backlash that followed Snowden's disclosures, Rosenzweig said, "enhanced the dissonance" between the US and Europe on data privacy and other issues surrounding the Internet. "He has contributed to a trend that I think in the end is fundamentally bad for the network itself and for freedom, which is, making friends fight with each other," Rosenzweig claimed. "We should be uniting and fighting the authoritarians who are going to try to create a hypercontrolled Internet."

Internet restrictions have become most severe in the countries that were targeted by US intelligence. Brazil and Russia passed "data sovereignty" laws requiring all Internet services store user data within Russia (China has enacted similar regulations). Russia has censored social media and messaging apps that have failed to comply or provide access to data and messages. And China passed new cybersecurity regulations that have forced information technology vendors to turn over source code for all software and firmware for "vetting."

The results of these and other changes have had a tangible impact on US cloud services companies. The Internet Technology and Innovation Foundation initially estimated that the backlash over US Internet surveillance would cost US cloud companies between $21.5 billion and $35 billion by 2016; in a 2015 study, the ITIF said that costs would far exceed that. Other studies suggested the impact would be much less, but it remains hard to put a precise number on the economic impact outside of other factors. Still, the shifts in regulation and Europe's efforts to move away from some US cloud providers certainly left a mark.

Intangibles of national security and whistleblowing

As much as the Snowden revelations failed to significantly move the needle on US surveillance, "Snowden's documents didn't change anyone else's behavior, either," said The Heritage Foundation's Kitchen. "There has been a significant escalation of electronic espionage across the world, with the adversaries the US was trying to keep an eye on drawing heavily from the NSA's own, now public, playbook." That, plus the uproar amongst allies over the surveillance program information being leaked, Kitchen asserted, "arguably had a damaging effect on US intelligence operations overseas—damage that cannot be easily quantified."

"It hurt diplomatic affairs and intelligence operations overseas," Zaid said of the Snowden documents disclosed so far. "I can't point to specific damage—we don't know if someone died as a result. But if we learned now that someone died five days after the release, does that really change the equation? I have problems with anyone who makes the black and white argument, 'Did anyone die?'"

Other leaks, including the likely state-directed Shadow Brokers dump of NSA surveillance tools and the WikiLeaks publication of content from the CIA's internal surveillance tool development team, may or may not have happened without Snowden. But these subsequent leaks have resulted in much more tangible damage. President Trump himself has done damage to relationships as well, as he did with his disclosure of Israeli intelligence to Russia's ambassador and foreign minister last year.

But the Snowden leaks are still an obstacle, Rosenzweig contends. "One of the fundamental rules of the intelligence business is 'everything counts,'" he said. "They're all like elephants, they never forget. For the Israelis, the Trump disclosure of their intelligence to Russia is layered on top of the Snowden disclosures, and the CIA inability to keep its secrets, and Shadow Brokers—all of it, balanced atop their need for America's support. But all of this from Snowden forward is increasingly portraying us as an unreliable partner."

One of the major contentions of Snowden's critics in the national security world is that his leak and the earlier WikiLeaks documents dump facilitated by Chelsea Manning have inspired the host of leaks that followed. Zaid, who has worked with whistleblowers in the past, contends that "every time we have someone like Snowden or Manning, it makes it more difficult for whistleblowers to come forward," particularly through legitimate channels.

"The impact of Snowden was that the agencies have clamped down and become far more paranoid of what used to be viewed as everyday conduct," Zaid said. "It's now viewed through a different lens."

Not everyone feels this way; the ACLU's Wizner disagreed, for instance. "I wouldn't say it's become better or worse—it's always been terrible for national security whistleblowers," he asserted. "If you're trying to tell someone that intelligence programs are illegal, it's always been close to impossible to do that internally."

Wizner does acknowledge that Snowden may have inspired some to follow his lead and go outside the system. "In the documentary CitizenfourGlenn Greenwald and filmmaker Laura Poitras inform Snowden that they have another source that was inspired by him," acknowledged Wizner. "But other than that, it's impossible to know unless people come forward and say that their whistleblowing and leaking to the press was inspired by Snowden in some way. What I would say is now more than ever, we need more people to follow this example of putting their own security at risk in order to save democracy from real threats."

HBO puts old eps of Last Week Tonight with John Oliver on YouTube, FYI.

Was this trip really necessary?

No matter your perspective on Snowden's impact, there's perhaps a more recent reason why this five-year anniversary has not been a bigger deal and clearer moment for communal reflection. Talking to industry experts for this story, it's clear many feel the intelligence community's morale and credibility has been complicated more by damage inflicted within the last two years by the current president of the United States.

"Honestly, I think what President Trump is doing now—bashing the IC, and the claims about the 'Deep State'—are doing more to undermine the public's perception of the Intelligence Community than the disclosures did," said EFF's Rumold. "I think the real takeaway is that there are a lot of problems in the intel community and with foreign intelligence surveillance, and Trump is exploiting those problems for his own political ends without actually caring about the substance of the problem."

On the other hand, R Street's Rosenzweig believes that Snowden's disclosures "have actually enabled Trump" in terms of opening the door for the president's frequent derisions of intelligence community professionals. So five years after Snowden first made news, it's hard to say whether anything he did on its own has created lasting awareness from the general public about government surveillance and personal privacy.

Opinions Ars heard were mixed on this ultimate question. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, believes Snowden has left an indelible mark. "Snowden is going to be something most Americans are going to have an opinion on, or know something about," he said. "So it may be one of the key ways they understand our national conversation about cybersecurity, and maybe leaking, and how the US is now technically a surveillance state—sucks to say, but it is." 

Rosenzweig is less sure. While "some portion of America" is now more aware of privacy concerns and issues, he believes the extent of that awareness-raising has been somewhat overstated. "The main group of people who've been energized are kind of activists, who were sort of energized already," he said. "They just got a little more institutionalized and got more excited." Still, Rosenzweig acknowledged that "generally, there's a net average increase among citizens' privacy awareness, so that's a plus."

Zaid is even less optimistic. "Having looked at this five years later, I don't think the American people care about this issue," he said. "I think most people never understood what Snowden revealed."

That perspective seemed to be held up by John Oliver's interview with Snowden—and in particular, the videos he showed Snowden of people on the street in the US who struggled to recall anything about him. Considering how our privacy issues have shifted in the past few years because of things like the Facebook/Cambridge Analytica scandal and other corporate mishandling and misuse of personal data, maybe it's true that concerns about government surveillance have ultimately taken a back-burner in Americans' collective memory.