From the Book NO PLACE TO HIDE: Edward Snowden, the NSA, and the U.S. Surveillance State by Glenn Greenwald. Copyright © 2014 by Glenn Greenwald. Reprinted by arrangement with Metropolitan Books, an imprint of Henry Holt and Company LLC.
On December 1, 2012, I received my first communication from Edward Snowden, although I had no idea at the time that it was from him.
The contact came in the form of an email from someone calling himself Cincinnatus, a reference to Lucius Quinctius Cincinnatus, the Roman farmer who, in the fifth century BC, was appointed dictator of Rome to defend the city against attack. He is most remembered for what he did after vanquishing Rome’s enemies: he immediately and voluntarily gave up political power and returned to farming life. Hailed as a “model of civic virtue,” Cincinnatus has become a symbol of the use of political power in the public interest and the worth of limiting or even relinquishing individual power for the greater good.
The email began: “The security of people’s communications is very important to me,” and its stated purpose was to urge me to begin using PGP encryption so that “Cincinnatus” could communicate things in which, he said, he was certain I would be interested. Invented in 1991, PGP stands for “pretty good privacy.” It has been developed into a sophisticated tool to shield email and other forms of online communications from surveillance and hacking.
The program essentially wraps every email in a protective shield, which is a code composed of hundreds, or even thousands, of random numbers and case-sensitive letters. The most advanced intelligence agencies around the world—a class that certainly includes the National Security Agency—possess password-cracking software capable of one billion guesses per second. But so lengthy and random are these PGP encryption codes that even the most sophisticated software requires many years to break them. People who most fear having their communications monitored, such as intelligence operatives, spies, human rights activists, and hackers, trust this form of encryption to protect their messages.
In this email, “Cincinnatus” said he had searched everywhere for my PGP “public key,” a unique code set that allows people to receive encrypted email, but could not find it. From this, he concluded that I was not using the program and told me, “That puts anyone who communicates with you at risk. I’m not arguing that every communication you are involved in be encrypted, but you should at least provide communicants with that option.”
“Cincinnatus” then referenced the sex scandal of General David Petraeus, whose career-ending extramarital affair with journalist Paula Broadwell was discovered when investigators found Google emails between the two. Had Petraeus encrypted his messages before handing them over to Gmail or storing them in his drafts folder, he wrote, investigators would not have been able to read them. “Encryption matters, and it is not just for spies and philanderers.” Installing encrypted email, he said, “is a critically-necessary security measure for anyone who wishes to communicate with you.”
To motivate me to follow his advice, he added, “There are people out there you would like to hear from who will never be able to contact you without knowing their messages cannot be read in transit.”
Then he offered to help me install the program: “If you need any help at all with this, please let me know, or alternately request help on Twitter. You have many technically-proficient followers who are willing to offer immediate assistance.” He signed off: “Thank you. C.”
Using encryption software was something I had long intended to do. I had been writing for years about WikiLeaks, whistle-blowers, the hacktivist collective known as Anonymous, and related topics, and had also communicated from time to time with people inside the US national security establishment. Most of them are very concerned about the security of their communications and preventing unwanted monitoring. But the program is complicated, especially for someone who had very little skill in programming and computers, like me. So it was one of those things I had never gotten around to doing.
C.’s email did not move me to action. Because I had become known for covering stories the rest of the media often ignores, I frequently hear from all sorts of people offering me a “huge story,” and it usually turns out to be nothing. And at any given moment I am usually working on more stories than I can handle. So I need something concrete to make me drop what I’m doing in order to pursue a new lead. Despite the vague allusion to “people out there” I “would like to hear from,” there was nothing in C.’s email that I found sufficiently enticing. I read it but did not reply.
Three days later, I heard from C. again, asking me to confirm receipt of the first email. This time I replied quickly. “I got this and am going to work on it. I don’t have a PGP code, and don’t know how to do that, but I will try to find someone who can help me.”
C. replied later that day with a clear, step-by-step guide to the PGP system: Encryption for Dummies, in essence. At the end of the instructions, which I found complex and confusing, mostly due to my own ignorance, he said these were just “the barest basics. If you can’t find anyone to walk you through installation, generation, and use,” he added, “please let me know. I can facilitate contact with people who understand crypto almost anywhere in the world.”
This email ended with more a pointed sign-off: “Cryptographically yours, Cincinnatus.”
Despite my intentions, I never created the time to work on encryption. Seven weeks went by, and my failure to do this weighed a bit on my mind. What if this person really did have an important story, one I would miss just because I failed to install a computer program? Apart from anything else, I knew encryption might be valuable in the future, even if Cincinnatus turned out to have nothing of interest.
On January 28, 2013, I emailed C. to say that I would get someone to help me with encryption and hopefully would have it done within the next day or so.
C. replied the next day: “That’s great news! If you need any further help or have questions in the future, you will always be welcome to reach out. Please accept my sincerest thanks for your support of communications privacy! Cincinnatus.”
But yet again, I did nothing, consumed as I was at the time with other stories, and still unconvinced that C. had anything worthwhile to say. There was no conscious decision to do nothing. It was simply that on my always too-long list of things to take care of, installing encryption technology at the behest of this unknown person never became pressing enough for me to stop other things and focus on it.
C. and I thus found ourselves in a Catch-22. He was unwilling to tell me anything specific about what he had, or even who he was and where he worked, unless I installed encryption. But without the enticement of specifics, it was not a priority to respond to his request and take the time to install the program.
In the face of my inaction, C. stepped up his efforts. He produced a ten-minute video entitled PGP for Journalists. Using software that generates a computer voice, the video instructed me in an easy, step-by-step fashion how to install encryption software, complete with charts and visuals.
Still I did nothing. It was at that point that C., as he later told me, become frustrated. “Here am I,” he thought, “ready to risk my liberty, perhaps even my life, to hand this guy thousands of Top Secret documents from the nation’s most secretive agency—a leak that will produce dozens if not hundreds of huge journalistic scoops. And he can’t even be bothered to install an encryption program.”
That’s how close I came to blowing off one of the largest and most consequential national security leaks in US history.
Go here to find out when “This Week” airs in your area.