Perhaps the most interesting answers offered by Snowden on Monday came when he addressed the line between what intelligence agencies are technically capable of and what policy allows them to do.
The issue came up twice. The first time, Snowden was responding to a question asking him to "[d]efine in as much detail as you can what 'direct access' means." (In the wake of the original stories in The Guardian and The Washington Post citing documents released by Snowden, several of the technology companies that had been identified as part of the PRISM program denied giving the government "direct access" to their servers.)
Here's how Snowden responded:
More detail on how direct NSA's accesses are is coming, but in general, the reality is this: if an NSA, FBI, CIA, DIA, etc analyst has access to query raw SIGINT databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset id (IMEI), and so on - it's all the same. The restrictions against this are policy based, not technically based, and can change at any time. Additionally, audits are cursory, incomplete, and easily fooled by fake justifications. For at least GCHQ, the number of audited queries is only 5% of those performed.
Snowden returned to the issue later in the chat. A reader asked Snowden if he stood by his claim that, as an NSA contractor, he "had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Snowden said that he stood by the claim, then again discussed the relationship between policy protections and technical capabilities:
US Persons do enjoy limited policy protections (and again, it's important to understand that policy protection is no protection - policy is a one-way ratchet that only loosens) and one very weak technical protection - a near-the-front-end filter at our ingestion points. The filter is constantly out of date, is set at what is euphemistically referred to as the 'widest allowable aperture,' and can be stripped out at any time. Even with the filter, US comms get ingested, and even more so as soon as they leave the border. Your protected communications shouldn't stop being protected communications just because of the IP they’re tagged with. More fundamentally, the 'US Persons' protection in general is a distraction from the power and danger of this system. Suspicionless surveillance does not become okay simply because it's only victimizing 95% of the world instead of 100%. Our founders did not write that 'We hold these Truths to be self-evident, that all US Persons are created equal.'
Res publica 17.06.13