Edward Snowden and the NSA

Zusammenfassung

On June 5, 2013, The Guardian published the first article based on documents leaked by Edward Snowden: a classified FISA court order requiring Verizon to provide the NSA with metadata on every phone call its customers made. Over the following months, Snowden’s documents — shared with journalists Glenn Greenwald, Laura Poitras, and Barton Gellman — revealed PRISM (bulk collection of data from Apple, Google, Facebook, Microsoft, and others), XKeyscore (NSA’s global internet surveillance tool), and the scale of the Five Eyes intelligence-sharing alliance. The disclosures triggered the most significant global debate about digital surveillance, encryption, and government power since the Cold War. They also directly accelerated widespread adoption of end-to-end encryption, influenced EU data protection law, and contributed to the European invalidation of the US-EU Safe Harbor data transfer agreement. Snowden has lived in exile in Russia since June 2013.

The NSA and the Post-9/11 Surveillance Expansion

The National Security Agency was established in 1952, inheriting signals intelligence functions from earlier wartime organizations. Its legal authority came primarily from the Foreign Intelligence Surveillance Act (FISA) of 1978, which established a secret court (FISC) to authorize surveillance of foreign intelligence targets inside the United States with judicial oversight.

The September 11, 2001 attacks produced a dramatic expansion of NSA authority. The PATRIOT Act (October 2001) broadened surveillance authorities, reduced judicial oversight, and established the legal framework for bulk collection programs that had previously been legally prohibited. President Bush secretly authorized the NSA to conduct warrantless surveillance of communications crossing US borders — the program later known as the Terrorist Surveillance Program — drawing in part on the broad signals-intelligence authority of Executive Order 12333 (signed by President Reagan in 1981).

The President’s Surveillance Program (PSP), revealed partially in 2005 by the New York Times, included programs collecting bulk internet and phone records. The 2005 disclosure was significant but incomplete — it did not reveal the scale, the specific programs, or the extent of cooperation from private technology companies.

By 2013, the NSA was operating under legal authorities that, as the Snowden disclosures would show, allowed collection of communications metadata for virtually all Americans, bulk collection of internet communications from non-US persons, and access to data held by major US technology companies through programs that the companies were legally prohibited from disclosing.

Edward Snowden: From Contractor to Leaker

Edward Snowden was born in 1983 in Elizabeth City, North Carolina. He dropped out of high school, earned a GED, took community college courses, and joined the Army Reserve in 2004 — leaving after injuring both legs in a training accident. He subsequently worked for the CIA as a technical specialist, then left for private sector NSA contracting work through Dell and later Booz Allen Hamilton.

By 2013, Snowden was working as an NSA contractor in Hawaii with access to some of the NSA’s most sensitive programs. He had held security clearances for years and had become increasingly disturbed by what he saw: surveillance programs that he believed violated the Fourth Amendment and were being concealed from the American public and from most of Congress itself.

Snowden began copying NSA documents in late 2012. He contacted filmmaker Laura Poitras using encrypted email — Poitras had been systematically detained and questioned at US airports for years because of her documentary work on the Iraq War and surveillance, and was known as a contact for sensitive disclosures. He subsequently contacted Glenn Greenwald, then writing for The Guardian.

In May 2013, Snowden met Greenwald and Poitras in Hong Kong to hand over the documents. He had chosen Hong Kong specifically as a location without an extradition treaty with the United States and with a free press tradition. He had already applied for permanent asylum in Ecuador.

The Disclosures: What Was Revealed

The first disclosure, June 5, 2013: Verizon court order. FISA court order requiring Verizon to provide the NSA with daily bulk data transfers of metadata (origin, destination, duration, location) for all calls on its network — approximately 300 million Americans’ phone records, collected without individual suspicion.

June 6, 2013: PRISM. A program through which the NSA collected internet communications — email, video, photos, stored data, VoIP, file transfers — from the servers of Apple, Facebook, Google, Microsoft, Yahoo!, YouTube, Skype, AOL, and Paltalk. The companies denied providing “direct access”; subsequent reporting clarified that the access was through compelled disclosure under FISA Section 702 orders, with compliance required and gag orders preventing disclosure.

XKeyscore: The NSA’s global analysis tool for internet data, described internally as providing analysts with “nearly everything a typical user does on the internet.” The tool could search by email address, phone number, name, and various identifiers and retrieve historical communications. Analysts could access data without prior approval, subject to post-hoc review.

MUSCULAR: A program in which NSA (and GCHQ, its UK counterpart) collected data from the private fiber links connecting Google’s and Yahoo!’s data centers globally — tapping communications within the companies’ private networks rather than through legal process on user-facing services.

Bulk phone metadata: Beyond Verizon, a comprehensive program collecting metadata on most US phone calls under Section 215 of the PATRIOT Act, with judicial authorization that the government argued covered bulk collection.

The disclosures also revealed the scale of Five Eyes intelligence sharing (US, UK, Canada, Australia, New Zealand) and specific programs targeting foreign leaders including German Chancellor Angela Merkel’s cell phone.

The Scale of Surveillance

Documents revealed that the NSA was collecting approximately 5 billion cell phone location records per day worldwide. XKeyscore stored “full take” internet data — complete packet contents — for three days and metadata for thirty days. The scale was extraordinary: surveillance that had historically required targeting specific individuals had been transformed into comprehensive collection of communications from entire populations, with the targeting logic applied after collection.

The Technology Response: Encryption Everywhere

The Snowden disclosures had direct and measurable technical consequences.

HTTPS everywhere: Before 2013, approximately 25–30% of web traffic was encrypted with HTTPS. By 2020, approximately 90% of web traffic in major browsers used HTTPS. The transition was driven partly by awareness of surveillance (MUSCULAR specifically targeted HTTP data in transit between data centers), partly by Google’s decision to give HTTPS sites an SEO ranking boost (2014), and partly by the creation of Let’s Encrypt (2015), which provided free TLS certificates and eliminated a major economic barrier to HTTPS adoption.

End-to-end encrypted messaging: Signal (Open Whisper Systems, later Signal Foundation) was adopted by security researchers and journalists after the disclosures. WhatsApp implemented end-to-end encryption using Signal Protocol in April 2016, making E2E encryption available to its 1 billion users. iMessage already used E2E encryption; Apple’s decision not to break it despite FBI pressure during the 2015 San Bernardino shooter case became the highest-profile encryption policy confrontation of the decade.

Tor usage increased. PGP email encryption had increased uptake among journalists and activists. Signal added features (disappearing messages, sealed sender) specifically designed to minimize metadata exposure.

Encrypted DNS (DNS over HTTPS, DNS over TLS) was developed and standardized, addressing surveillance at the DNS layer that HTTPS did not protect.

The Legal and Policy Aftermath

The USA FREEDOM Act (June 2015) ended bulk telephone metadata collection under Section 215 of the PATRIOT Act, replacing it with a more targeted system requiring specific identifiers. This was a direct legislative response to the Snowden disclosures.

The EU-US Safe Harbor agreement, which allowed US companies to transfer EU citizens’ personal data to the United States by self-certifying compliance with EU data protection principles, was invalidated by the European Court of Justice in October 2015 (Schrems I). The ECJ found that the Safe Harbor mechanism did not provide adequate protection because US surveillance programs allowed access to Europeans’ data without equivalent protections. Safe Harbor’s replacement, Privacy Shield, was similarly invalidated in 2020 (Schrems II). The EU-US Data Privacy Framework (2023) attempted to address the underlying conflict by creating limitations on NSA access to EU data — limitations whose adequacy remained contested.

The General Data Protection Regulation (GDPR), finalized in 2016 and effective in 2018, was not a direct response to Snowden but was shaped by the political environment the disclosures created. European public and political concern about US surveillance of European citizens was a significant context for the GDPR’s strict data transfer requirements.

Snowden in Exile

Snowden flew from Hong Kong to Moscow on June 23, 2013, intending to travel to Ecuador via Havana and a European transit point. The US revoked his passport before he could board his connecting flight, stranding him in Moscow’s Sheremetyevo Airport. After 40 days in the airport, Russia granted him temporary asylum; he subsequently received permanent residency, obtained Russian citizenship in 2022, and married Lindsay Mills in Russia.

The US charged Snowden with two counts of violating the Espionage Act of 1917 and one count of theft of government property. He has been offered various forms of pardon or plea negotiation, none of which he accepted as adequate. As of 2025, he remains in Russia and subject to US charges.

The assessment of Snowden’s actions remains politically divided. The US government, bipartisan intelligence committee reports, and many national security professionals characterize him as a criminal whose disclosures damaged intelligence capabilities and endangered sources and methods. Civil libertarians, privacy advocates, and press freedom organizations characterize him as a whistleblower who revealed illegal surveillance and performed a public service. Courts have validated some of his disclosures: in 2020, the Ninth Circuit Court of Appeals found that the bulk phone metadata program revealed by Snowden violated FISA and may have violated the Fourth Amendment.