Of Edward Snowden and Reality Winner

The whistleblower/traitor (take your pick) Edward Snowden is again much in the news with the publication of his autobiography/apologia Permanent Record this week. As you may recall, Snowden is a former CIA contractor employee who in May 2013 fled first to Hong Kong and then to Moscow where he sought and received asylum after copying and releasing to journalists thousands of highly classified NSA documents. These documents included evidence that NSA was indeed doing mass surveillance of Americans by collecting metadata on telephone calls, contrary to what NSA’s Director, James Clapper, had told congress. For an excellent overview of both the book and the controversy, see Jill Lepore’s recent New Yorker article here.

Snowden’s book gives his version of why he did what he did and how he ended up in what appears to be fairly comfortable exile in Moscow. He presents himself as a patriotic citizen who was so disturbed by secret US government spying on Americans that he was compelled to expose the truth. But as Lepore points out, he didn’t just stumble on the evidence, but rather he spent months actively looking for it. “Snowden has claimed that he alerted more than ten officials at the N.S.A. about his discovery and expressed his alarm. He has provided no support for this claim. The N.S.A. says he reported his concerns to no one… The classified documents Snowden released to the press contained a good deal more than evidence of the surveillance of American citizens; they included, for instance, a 2006 memo detailing the N.S.A.’s monitoring of the telephone conversations of thirty-five unnamed world leaders, which led the German Chancellor, Angela Merkel, to charge the Obama Administration with tapping her phone, causing a diplomatic uproar.”

Snowden doesn’t remark on the obvious irony of a self-proclaimed champion of civil liberties seeking the protection of a country that has for centuries operated the world’s most pervasive and oppressive domestic surveillance apparatus. Well, any port in a storm, right?

It’s worth contrasting Snowden’s situation with that of Reality Winner, the ironically-named former Air Force linguist and intel specialist, who after her military discharge also went to work for an NSA contractor in Georgia. While working there, she came across an NSA report about a Russian attempt to access American election infrastructure through a private software company. According to the report, Russian intelligence sent phishing emails to the company that provides election support to eight states. obtained log-in credentials, and sent emails infected with malware to over 100 election officials, days before the election. On May 9, 2017, the day when Trump fired James Comey, Winner anonymously mailed a physical printout of the document to The Intercept, which then provided NSA with a photocopy to verify its validity and, after making a few redactions, published it. You can read the published version here. 

Based on metadata contained in the scanned copy of the report that The Intercept provided to NSA, the FBI was quickly able to narrow down who had printed it out, and arrested Winner within days–before Intercept had even published the report. She quickly confessed (though later sought to have the confession suppressed on the grounds that she had not been Mirandized), and was jailed without bond for a year. Eventually, she plead guilty to one felony count of “unauthorized transmission of national defense information”, and on August 23, 2018 she was sentenced to 5 years and 3 months in federal prison, reportedly the longest sentence ever imposed for leaking classified information to the media.

So was Winner’s act of leaking ONE document (unlike Snowden or Chelsea Manning, who both released thousands of classified documents) really a crime that endangered national security or a courageous attempt to alert the US public to an unprecedented foreign attack on America’s electoral system? At the time when she leaked the NSA report, Americans were becoming aware of Russian meddling in the 2016 election to benefit Donald Trump, but it was not yet generally known that specific US electoral databases, including electronic voter registration rolls, had been penetrated and compromised. It was not until May 8, 2018–nearly a year after The Intercept published the leaked NSA report, and 3 months before Winner’s sentencing–that the Senate Select Committee on Intelligence (SSCI) published an unclassified report which stated that at least 18 state election systems had been targeted by Russian cyber attacks. The SSCI report also stated: “In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting-related websites. In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data.” The Mueller Report (section entitled “Intrusions Targeting Administration of US Elections”), released in March 2019, contains much of the same information that was in the NSA report published by The Intercept.

Incredibly, however, the details of such intrusions known to the FBI and the US Intelligence Community apparently still have not been made available to local and state officials responsible for voter registration rolls and other electoral databases. In May 2019, the New York Times reported that “At a news conference in Tallahassee, [Florida governor Ron] DeSantis, a Republican, said that officials from the F.B.I. and the Department of Homeland Security had asked him to sign a nondisclosure agreement pledging not to identify the two counties that fell victim to a “spearphishing” attempt by Russian hackers.” Both DeSantis and Sen. Marco Rubio have expressed frustration and dismay that more information has not been forthcoming.

The NSA report leaked by Winner pointed to VR Systems, based in Tallahassee, as a private contractor that was targeted by Russian cyber attackers. According to the Miami Herald, VR Systems is the vendor that handles registration software for most of Florida’s 67 counties, as well as systems in a number of other states. (CNN had reported back in October 2016 that “Federal investigators believe Russian hackers were behind cyberattacks on a contractor for Florida’s election system that may have exposed the personal data of Florida voters”, but did not name the company.) Throughout, everyone officially involved has insisted that there is no evidence that the Russian intrusions changed the voting results.

But how confident can we be about that? The New York Times reported that there were large numbers of suspicious irregularities in North Carolina voter databases in the 2016 election that prevented people from voting, particularly in Durham County where the database used software from VR Systems. The Times article noted, “Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.” In any case, it has become clear that voter registration databases are the Achilles heel of the US electoral system, whether for foreign-based tampering or domestic partisan voter repression.

So does Reality Winner really deserve to spend another 5 years in prison? Did her action really endanger US national security, or did she actually perform a noble service to the American public? Does her punishment seem appropriate, when the Trump Administration and the Republican Senate leadership refuse to make any meaningful or systematic effort to secure the integrity of US elections? Who is the real criminal here?

Edward Snowden seems a more complicated call. Ultimately it comes down to what you think about the legitimate limits of surveillance by US intelligence and law enforcement of US citizens and residents in the Internet Age. Should we really be so concerned about NSA harvesting of phone call metadata (i.e., who called who when and for how long) if they’re not actually listening to the content without a warrant.  After all, we willingly hand over vast amounts of far more intimate data to private companies like Google, Amazon, Facebook, Apple, etc. who can do literally anything they want with it with virtually no legal restraints. Shouldn’t that concern us more? The collaboration of companies like Facebook with Cambridge Analytica may well have done more to put Donald Trump in the White House than the Russians. As Jill Lepore observes, “Google, Facebook, and Amazon know far, far more about most Americans than the N.S.A. does.”

There are legitimate reasons for classifying information and for imposing penalties for disclosing information that could harm the interests of the country. If you work in that world, you certainly understand the rules as well as what could happen if you break them. That said, classification is often over- and misused. Reality Winner accepted her punishment, even though it seems grossly disproportionate.  But Edward Snowden wants to get off as some kind of libertarian folk hero. He doesn’t fit the mold of a spy, but I am bothered by the indiscriminate magnitude of the information that he stole and disseminated. And whether he recognizes it or not, he is now a Russian asset–a living symbol of the hypocrisy of American claims of freedom who had to flee to Mother Russia for protection. Certainly not nearly as big an asset as Trump, but significant all the same. Let him stay there until Putin or someone else decides he’s no longer useful.