The CIA Listens to Free Thoughts

Patrick G. Eddington joins us this week to tell us about the history of the Central Intelligence Agency, how the CIA operates, and what the new Wikileaks revelations mean for our privacy online.


What does the CIA do, and how does it go about that? How close to reality does Hollywood get when portraying the CIA? What’s the difference between the CIA, the FBI, and the NSA? What have these new revelations told us about what the CIA is doing?

Correction: Eddington states that the Privacy and Civil Liberties Oversight Board was composed of three Republicans and two Democrats under Obama; it was actually composed of two Republicans and three Democrats. Today, the only remaining board member is a Republican.

Show Notes and Further Reading

Eddington mentions Glenn Greenwald’s book No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State (2015).

He also mentions a new study by our colleague Adam Bates, “Stingray: A New Frontier in Police Surveillance.”

Here is the previous Free Thoughts episode we recorded with Eddington on the CIA’s torture program. Listeners may also be interested in this episode with Julian Sanchez, “Deconstructing the Surveillance State,” and this episode with Matthew Feeney and Adam Bates, “How New Technology Is Changing Law Enforcement.”


Aaron Powell: Welcome to Free Thoughts from and the Cato Institute. I’m Aaron Powell …
Trevor Burrus: And I’m Trevor Burrus. 
Aaron Powell: Joining us today is Patrick Eddington. He’s a policy analyst in homeland security and civil liberties at the Cato Institute. Welcome back to Free Thoughts. 
Patrick Eddington: Thank you very much for having me.
Aaron Powell: From 1988 to 1996, you were a military imagery analyst at the CIA’s National Photographic Interpretation Center. 
Patrick Eddington: May it rest in peace. 
Aaron Powell: [00:00:30] What does that all mean? 
Patrick Eddington: I was hired in the last big hiring wave of the Cold War for folks they were looking at for doing satellite imagery work and overhead imagery work. When we talk about this, we’re talking about looking at not only satellite imagery, but U2 photography and other forms of photography. It’s no different than the kind of photographic [00:01:00] analysis or imagery analysis that has been done since World War One. The technology’s changed, obviously, a little bit, but the basics of it in so many ways remain the same. 
Trevor Burrus: First of all, were they still using U2s in the 80s? You said U2s [inaudible 00:01:18] … 
Patrick Eddington: We have continued to use the U2, I think even up through the Iraq war. 
Trevor Burrus: Oh, fascinating, so this is mostly looking at [00:01:30] pictures of … Obviously, you can’t say everything, but probably not of America?
Patrick Eddington: Whenever they launch a new electro optical imaging satellite, which works in an invisible spectrum, just like you and I are looking at each other right now, okay, they do calibration testing. Some of that will be done over the United States. They basically have a dispensation to do that. They’ll also do calibration testing over other parts of the world as well, but they sometimes [00:02:00] like being able to take photographs of the Statue of Liberty, I mean, you can just kind of fill in the blank. The Pentagon, you know, any large building essentially that’s really well known or other large, man-made features, you know, Hoover Dam, etcetera. 
Trevor Burrus: I just wanted to clarify, I assume you didn’t have control over … You analyzed the photographs, but in terms of who gets to say that the satellite’s going to go take a picture of X, Y, and Z, was that something that you could do? 
Patrick Eddington: So, excellent [00:02:30] question. The way things were set up in my day, you had this entity called COMIREX or the Committee on Imagery, Exploitation, the Requirements and it was this big interagency group of muckety mucks, essentially, who kind of delegated down the authority for figuring out targets target sets, that’s what we called them, to basically, in government terms, a GS15 level group of folks who would get together and decide on what you would, basically, be imaging. Some [00:03:00] of these things were what were known as standing target decks so this is stuff that would only be reviewed, basically, on a yearly basis. You knew, for example, that you were going to be taking photographs of Soviet air fields, Soviet ship yards, all the rest of those kinds of things. Right? 
For emerging issues, you would then have folks, and this included individual analysts like me, who could actually put in for collection, [00:03:30] both as specific point targets, but also for things like what we called directed search areas. You would basically, if you were looking … I’ll use the first Gulf War as an example. When we were trying to track Saddam Hussein’s forces after they had invaded Kuwait in early August of 1990, one of the techniques that we needed to use was this directed search area concept, which means essentially, you’re taking four geographic points that create a rectangle [00:04:00] or a square, whatever, and you’re basically asking the bird to go out and shoot that whole area. That’s what you use basically to try to find stuff that you think is out there or try to find stuff that you know has been in one particular location, but you think has moved to another. In the course of doing this, you’ll utilize signals intelligence and, if it’s available, human intelligence or even open press sources to help you refine exactly where you point the satellite. 
Trevor Burrus: This [00:04:30] sounds like it actually has interesting ramification. The question of who gets to direct the resources of the CIA has interesting ramifications for security now, particularly in terms of whose hard drive you’re going to search or whose calls you’re going to tap, or whatever and whether or not you’re just going to go look at your ex-wife and what she’s doing and who’s staying at her house and things like that. 
Patrick Eddington: Yeah, no, I mean the way that … I mean, COMIREX, and even individual analysts only have the authority to task [00:05:00] foreign targets so if I were to basically put in a nomination for a particular target that had US geo coordinates, I can guarantee you that I would have got a phone call and somebody would have said, “What the hell do you think you’re doing?” In that respect, kind of the standing controls there I think generally worked pretty well. 
Trevor Burrus: [crosstalk 00:05:19] using the satellite though, I mean, that’s a big resource. 
Patrick Eddington: It is and that was kind of the fun thing about it, quite frankly, is because here I was, 25 years old and they were [00:05:30] basically giving me the ability to go in and do this kind of stuff. It was remarkable, I mean, to have that kind of authority to be able to point a multi hundred-million-dollar satellite at a point on the earth and tell it to take a picture of it. That’s kind of cool. 
Aaron Powell: How did you then, as a 25-year-old, end up doing this? What was your path in to the CIA?
Patrick Eddington: Yeah, no, it was really very interesting. I had always wanted to get in to military intelligence and when I went through my [00:06:00] ROTC course at what was then Southwest Missouri State University, now Missouri State University, when you go through that process they basically tell you, okay, list your top three. Meaning, the top three different branches within the Army that you want to go to. I listed military intelligence first, I think I listed air defense artillery second, and then armor third. Of course, the Army in its infinite wisdom it puts me in armor. What was really hysterical about that is they put me through [00:06:30] the very last course at Fort Knox that was teaching guys how to operate the M60 A3 main battle tank, which was being replaced that very year by the new M1 Abrams so they gave me the branch I didn’t want and they trained me on an obsolete tank. It was just … 
Trevor Burrus: They knew it was going to be obsolete. That sounds like a good government process by itself. 
Patrick Eddington: It was perfect. It was so perfect. 
Trevor Burrus: If I ever find one of those in the street, or if someone’s selling one, I could be like Pat, I need to operate this tank. 
Patrick Eddington: I could fire it up for you, yeah. 
Trevor Burrus: Okay, okay, good. 
Patrick Eddington: I could actually do it. 
Aaron Powell: There’s always got [00:07:00] to be a last guy to die for a contracting change. 
Patrick Eddington: Good point, but what I will say is this, going through that armor officer basic course, it made me a combat arms officer and it also helped me, fundamentally, when I became an actual intelligence officer at CIA because it helped me to understand instantly what I was looking at on imagery. That really gave me a leg up, frankly, on a lot of my competitors as I went through the training process. 
Trevor Burrus: How did the CIA itself start?
Patrick Eddington: [00:07:30] America has, I mean, even since the Revolution, we’ve had intelligence elements, essentially, within our government. Usually, it’s been a military intelligence element, but it wasn’t until really the 20th century that you begin to see the creation of essentially a standing intelligence capability for the United States and that tended to be kind of siloed to begin with. Right? You had a nascent army intelligence capability, a nascent naval intelligence capability, which really [00:08:00] matured a lot during the first World War, and in the interwar period, but it wasn’t until World War Two itself that you began to see an interest, essentially, in something that would be more permanent and kind of be broader in scope. 
The guy who’s really responsible for it is a fellow by the name of William J., Wild Bill, Donovan, who was a World War One army veteran. Won every major [00:08:30] military accolade that you could think of, including the Medal of Honor. He became a businessman and an attorney and in that interwar period, spent an awful lot of time traveling, circulating among European political and economic elites, as well as, in Asia. He began to develop his own worldwide intelligence network. That’s really what it boiled down to, so even though he was a Republican, and wasn’t crazy about Franklin Roosevelt, [00:09:00] he and Roosevelt shared an absolute mortal fear about the rise of fascism and what it would ultimately mean. 
So, Roosevelt began to develop this relationship with Donovan in the late 1930s and by the summer of 1941 he is basically asking Donovan to stand up this thing that became known as the Committee on Information or he asked him to become what would be known as the Coordinator of Information. This would ultimately lead to the creation [00:09:30] of this thing that we know as the Office of Strategic Services or OSS. In modern military parlance, the OSS would really be more like the current United States Special Operations Command or the Joint Special Operations Command. A lot of what the OSS did during World War Two wasn’t just simply trying to collect information on the Germans and the Japanese and the Italians, it was about actually parachuting people behind the lines to blow stuff up. Right? This is kind of where the covert action [00:10:00] aspect of the CIA would ultimately emerge. 
Trevor Burrus: [crosstalk 00:10:04] Like real guns of Navarone. 
Patrick Eddington: Yeah, yeah, exactly. It’s exactly what it was. You go through World War Two and the OSS operates globally. It’s probably more successful in the Balkans and in France and other places like that, but they develop a reputation. For some folks it’s a mixed reputation, but then Supreme Commander in Chief, Dwight Eisenhower, thought highly of it, General [00:10:30] Patton thought highly of it. Donovan was able to develop a constituency essentially, for this concept and even after Roosevelt’s death and his loss of influence because he was definitely not on the same page with Truman about a lot of this stuff, Donovan essentially kept up his lobbying campaign to create this kind of capability. 
Truman’s original concept for what we call the CIA today was essentially a think tank in a lot of respects. [00:11:00] He wanted an entity that would actually gobble up all the available information overtly and covertly, and basically act as an advisor to the President in that respect, but with the rise of this very aggressive Soviet posture in the wake of World War Two and all these de facto covert actions that the Soviets themselves were working, by 1947, [00:11:30] Truman had really come around to Donovan’s way of thinking. This is how you get, finally, in the National Security Act of 1947, the formal creation of the CIA. 
Throughout pretty much all of its history, literally up until within the last decade or so, it was almost always a four-component organization. First and foremost, what became known as the Director of Operations, which is the spy element, this is the James Bond type element or Jack Bauer element, whatever [00:12:00] term you prefer, the human spies, the Director of Intelligence, which is actually the think tank aspect of the CIA. The Director of Administration, which is pretty self-explanatory, they provide the payroll and everything else and then the Director Science and Technology, which is where I wound up working within the National Photographic Interpretation Center. 
That particular entity, NPIC, as we called it was really unique in so many ways. [00:12:30] Most importantly, it was actually a joint organization, so while it was technically administratively controlled by the CIA, it was a true joint entity in that we had army, navy, air force and marine corps personnel intelligence analysts integrated in to our operation, as well as, folks from the Defense Intelligence Agency. This would become the organization that would give the CIA what I still think is its greatest accomplishment, which is actually locating the missiles in Cuba [00:13:00] in 1962 and providing President Kennedy with the information he needed, essentially, in order to navigate through that crisis. 
Trevor Burrus: I’ve asked you this before just personally, but I think our listeners would enjoy the answer. What is the movie that best portrays, you think, the CIA and what it really does and is like, or book I guess, but movie would probably be better. 
Patrick Eddington: Yeah, I mean, it’s funny because when The Hunt for Red October came out in 1990, a bunch of us from [00:13:30] NPIC went to the premiere here in DC and we had this block of seats. Since this movie’s almost 30 years old, I’m going to assume this is not a spoiler for most people who are listening here, but there is a scene where Alec Baldwin’s character, Jack Ryan, the CIA analyst is basically going on about what he knows about Marko Ramius, the Soviet Submarine Commander and strategist and so on and so forth. The Army General present [00:14:00] said, “How could you possibly know anything about this guy, you’re just an analyst?” Every one of us from NPIC just roared with laughter. You had this group of people in the theater who are just laughing uproariously and everybody else around us is basically beginning to look at us like, who the hell are these people? What are they doing? We literally outed ourselves. Right? If any Russian KGB or GRU guy would be in the audience, he would go, “Oh, those are the CIA people.” 
In terms of the basic process of assessing [00:14:30] information, it’s not a bad stand in, in that respect in a lot of ways. The kind of the bias and the attitude that the general showed, there’s some truth to that. I mean, there’s always kind of been some truth to that. Within the agency itself, I think, folks who worked in the Director of Intelligence have always kind of felt like they were the step-child, right, because the agency’s culture was built on [00:15:00] Wild Bill Donovan’s adventures and the adventures of the OSS in World War Two and all the rest of this stuff and that whole macho thing is very different than sitting at your desk or the light table like I was, just trying to figure out what the other side was necessarily up to. That continues to this day. 
Aaron Powell: Let me flip Trevor’s question then. We know that your career looked just like a James Bond film, but that’s probably not typical. [00:15:30] The CIA that we get from Hollywood movies and television, what are the things that people made. The myths that people may believe or what does Hollywood get most wrong by presenting it? 
Patrick Eddington: Oh, I think there are probably a lot of things that Hollywood gets wrong. I mean, this is an organization, when you look at its history, has a very, very mixed, I mean really mixed track record. I cited what I felt was the high point analytically [00:16:00] for the agency, which was the Cuban Missile Crisis. There were a lot of low points and there have been many low points. Right? The idea that the agency is always on the ball, always gets it right, etcetera, etcetera, I think for a long time in this country a lot of folks were kind of mesmerized by that. I think we’ve seen some fundamental alterations in people’s attitudes and it isn’t just in the post-Watergate [00:16:30] era. Right? 
In the Church Committee era, everything about what the agency had been up to kind of coming out. It hasn’t just been that. It’s even more recent history. We go back to the 2002 Iraq national intelligence estimate, which is one of the greatest failures really, in the agency’s history and mainly a moral failure. It was an analytical failure, but it was an analytical failure that was driven by a refusal to stand up to George Bush and especially [00:17:00] Dick Cheney and say, “We’re not going to tell you what you want to hear. We’re going to tell you what we really think.” That was the real failure. 
You had a cataclysmic failure of that kind in 1967 when you had a very similar circumstance. Whereby the Pentagon and its intelligence element at General Westmoreland’s behest, he was our commander in Vietnam at the time, was pushing this notion that we were winning the war in Vietnam. One of my predecessors [00:17:30] at CIA, a man who I revere and whose picture is on my desk in this building, Sam Adams, figured out by 1967 that Westmoreland was lying. That we were, in fact, facing at least twice as many Viet Cong and North Vietnamese forces as he and his intelligence staff were claiming. Adams and some of his colleagues in the agency went head-to-head with those folks, but they were betrayed by CIA Director, Richard Helms, who decided to go along [00:18:00] with these falsified estimates. Then, when the Tet Offensive happens in 1968, all of a sudden, it’s like wow, Westmoreland blew it. He lied, etcetera, etcetera, etcetera. 
Trevor Burrus: Just came out of nowhere [crosstalk 00:18:10]. 
Patrick Eddington: Yeah, exactly and so that literally precipitated, not only Lyndon Johnson’s political fall, because he basically tied his fate to Westmoreland and the entire campaign in Vietnam, but it really began, I think, the destruction of the agency reputation in a lot of respects. [00:18:30] You go from this high, the Cuban Missile Crisis in 1962 where you could make an argument that the CIA really did help to save the world, to six years later, the agency essentially going along with a fraudulent intelligence estimate that helps to prolong the war in Vietnam by years and basically leads to tens of thousands more American deaths and hundreds of thousands more wounded. 
Trevor Burrus: There’s definitely an over competence that that’s sort of what I … with Aaron’s [00:19:00] question about what did they get wrong? 
Patrick Eddington: Yeah. 
Trevor Burrus: It’s part of this, I think, too, that the particularly conservatives, I think they generally think the military is more competent than it actually is. 
Patrick Eddington: Yeah. 
Trevor Burrus: Then, we just do have this idea of Bourne movies, that the intelligence communities know everything …
Patrick Eddington: Oh yeah. 
Trevor Burrus: … and that they’re ever in … 
Patrick Eddington: Yeah. 
Trevor Burrus: … all these James Bond kind of people. We also first had the FBI and the NSA and maybe some dark agency behind everything. [inaudible 00:19:24] kind of popular perceptions, the [crosstalk 00:19:25] Gnomes of Zurich. 
Patrick Eddington: What was that? 
Aaron Powell: The Gnomes of Zurich. 
Trevor Burrus: The Gnomes of Zurich, but actually [00:19:30] what is the difference between the CIA, the FBI and the NSA for those who don’t know? 
Patrick Eddington: The interesting thing about these agencies is how much they compete with each other. In terms of kind of the history and the origins of all the rest of that, the FBI is the oldest. Created as a result of another domestic spying controversy, we had one of the very first ones in our country, for the longest time the Secret Service [00:20:00] itself was the element that was most responsible for actually conducting forms of domestic surveillance here in the country. At the beginning of the 20th century, of course, particularly in the wake of the assassination of President McKinley, the focus was on anarchists. Right? The anarchism [crosstalk 00:20:17] … 
Trevor Burrus: Not the kind that we talk about on Free Thoughts, right? 
Patrick Eddington: Well … 
Trevor Burrus: The ones who are left wing, bomb throwing … [inaudible 00:20:23]
Patrick Eddington: Well, sure, I mean as you know a couple of different strains of anarchism that developed in Europe in the mid-19th [00:20:30] century, but there was ultimately a violent strain of this that develops and it starts in Europe. You have this series of bombings and assassinations, particularly against European heads of state, European royalty, and King Umberto the First of Italy, was the one who was killed literally just a little bit over a year before the assassination attempt against President McKinley. The Secret Service literally began to keep track of every [00:21:00] single anarchist here domestically or abroad. They actually kept their names and where they could get them, their addresses, in these written ledger books at Secret Service headquarters in the Department of Treasury. It’s really interesting because in researching all of this, I had discovered that I was probably the first researcher in the United States to actually look at those particular records at the National Archives.
It was chilling to see other human being’s names, essentially, written down in these books [00:21:30] and knowing precisely why they were doing it. You didn’t actually have to have committed an act of violence to get your name recorded here. You just had to be an alleged or actual anarchist, a professed anarchist, if you will. When President Roosevelt, Theodore Roosevelt, takes over after the assassination of McKinley, he begins to very aggressively use the Secret Service for a variety of things. A lot of different Federal [00:22:00] departments begged, essentially, to have Secret Service agents to help them expose crimes that were under the purview essentially, of these departments, so you get white slave traffic, if you will, the illegal importation of Chinese workers that gets investigated, land fraud cases within the Department of the Interior become a huge, huge area of business for the Secret Service. 
Then, some folks within the Executive Branch take it even further than that. In [00:22:30] 1907, the Secretary of the Navy asks the Secret Service to basically spy on a midshipman who is believed to be having an affair with the daughter of a very politically connected couple here in Washington and this leaks. This gets out and this is what gets in to the press and this is what then begins to motivate Congress to actually try to do something to rein this in. They pass legislation in 1908 that restricts the Secret Service to just protecting [00:23:00] the President and to just going after counterfeiters. Roosevelt’s response through his Attorney General, Charles Bonaparte, who was, in fact, a relative of Napoleon, is to create what became known as the Bureau of Investigation. 
They created the, what would become known as the FBI in 1935. They created this out of whole cloth using generally appropriated funds with absolutely no Congressional authorization. They get this thing off the ground and Roosevelt’s last year in office is just super [00:23:30] contentious with Congress over this issue especially. Once he’s gone and Taft takes over, you suddenly see Congress lose interest in really what the Bureau is up to and all the rest of that. It’s in this period of the Taft and Wilson administrations that you see kind of an exponential growth in the Bureau and it’s beginning to get in to some of these other domestic surveillance activities that would then give us the J. Edgar Hoovers and everything else [00:24:00] that would follow after that.
That’s kind of the FBI’s origin and then, of course, the National Security Agency is an outgrowth of these different army and navy intelligence programs that began in, basically in the pre-World War One era and then became very large organizations during World War Two itself. The Pearl Harbor Committee, one of the recommendations that they made was that these cryptographic efforts, these code breaking efforts by the army, navy, be combined in to a single [00:24:30] entity. This is how we get the National Security Agency. Then, of course, my former employer is also essentially kind of stood up in this same time period as we discussed earlier. 
Aaron Powell: As far as their reach, are there differences? [inaudible 00:24:44] surveillances, mass surveillance is the big thing right now, are there differences between the three agencies because all three of them come up in the context of surveillance of who they surveil and how they go about it?
Patrick Eddington: The FBI [00:25:00] and NSA probably are the two that have the greatest overlap in many respects at this point. Part of this goes back to the change in Rule 41 that went in to effect last year that now basically gives the Bureau the ability to go to any magistrate judge pretty much anywhere in this country and say, we want to get in to these computers that are located in X, Y, and Z place that don’t even have to be in the same jurisdiction that judge is now. They can go [00:25:30] up and they can get this data. The FBI in its own way is kind of getting in to the mass surveillance business and has been in the mass surveillance business, but NSA’s reach is global and because of the partnerships they have with the major telecommunications organizations that we know so much more about now thanks to the heroism of Edward Snowden, it dwarfs what the FBI can do on a day to day basis. 
[00:26:00] There’s an awful lot of coordination and this is something else that the WikiLeaks dumps on the so-called Vault 7 and the CIA and attacking tools kind of helped us to understand it in even more depth. A lot of these hacking tools that have been discussed are actually shared, not just amongst FBI, CIA and NSA, but also with our British cousins at the [inaudible 00:26:22] Code and Cypher School and Headquarters, or GCHQ as it’s known. When we look at the scope [00:26:30] of it, NSA very heavily focused on foreign intelligence, mass collection of data there. CIA also focused heavily on the collection of foreign intelligence, but usually in a much more targeted fashion. If you look at these so-called Vault 7 leaks, that’s what you see. Most of the exploits that we’re talking about here tend to be designed to go against individual machines, whereas NSA seeks to actually get to the backbone, and does get to the backbone of the internet, [00:27:00] which gives them the ability to just sweep up, literally, hundreds of millions of communications almost on a daily basis. 
Trevor Burrus: I think that the CIA is the one that actually has spies, like human assets, or does the NSA use human, like spies, in some ways? 
Patrick Eddington: You have a little bit of a division here. On the one hand, you have CIA, which runs essentially this agent network on a global basis. 
Trevor Burrus: Would you say that they are [00:27:30] in every country in the world probably? 
Patrick Eddington: They are in every country that is ultimately of concern to the United States. Right? You’re going to put more case officers and more assets against the targets that really matter to you, but there are also some targets that are extremely difficult to operate against, and I would put North Korea and Iran at the top of those lists. Especially North Korea. The ability to actually physically get people in there, the ability to actually recruit people, I think, is [00:28:00] a very daunting prospect, which is why, I think, a lot of people at CIA are probably extremely pro Iran Nuclear Agreement. They would like to see a lot more of these kinds of things. They would like to see American businesses be able to get in there because it would give them more pathways to actually gather intelligence. 
The Defense Intelligence Agency also runs its own set of assets and sources. Most of its activity is supposed to be [00:28:30] against foreign military targets. You have what are known as the defense attachés who are, of course, assigned to every embassy that we have around the world, but the Defense [inaudible 00:28:41] Service operates its own assets as well. You get in to these issues oftentimes where maybe the agency is trying to run an operation against somebody and DIA is trying to run an operation against somebody. If the coordination is not there, some [00:29:00] very, very bad things can happen. 
Trevor Burrus: Such as to they’re both spies and they’re both running operations against each other and they’re not talking to each other? 
Patrick Eddington: Yeah. 
Trevor Burrus: That sounds like either a tragic comedy or a hilarious Pinkerton detective’s kind of story. 
Aaron Powell: Spy versus spy? 
Trevor Burrus: Spy versus spy. Let’s talk about those WikiLeaks. What generally happened and, I guess, will happen? They’re not all out yet and what did you … Did you learn anything? What did you learn and did you learn anything that shocked you? 
Patrick Eddington: [00:29:30] I wouldn’t say that I learned anything that necessarily shocked me. I think it was more a question of having a lot of existing suspicions confirmed more than anything else. At the beginning of March of 2017, we had this initial dump of not quite 9,000 documents by WikiLeaks probably as a result of a disgruntled CIA contractor or ex-CIA contractor providing essentially information on these tools and, in some cases, [00:30:00] actual source code for some of these tools to WikiLeaks. What we did learn that I thought was significant is that, whereas the agency for most of its existence, had these four directors that I mentioned earlier, you now have a fifth. This Director of Digital Innovation, or DDI as it’s known and it’s underneath this fifth directorate where all of this clandestine hacking activity basically takes place. The fact that [00:30:30] the agency has established an entire directorate dedicated to just this for me is the big news. That means that they had to get approval from Congress to do that. They also, obviously, had to get a lot of money and additional resources from Congress. 
As I’ve noted in some of the stuff that I’ve published on this, the silence from Congress on this, in terms of the implications of it, has been kind of deafening. Everything that’s been revealed so far is about CIA hacking efforts against commercially available [00:31:00] software, firmware and hardware. In other words, the stuff that you and I and everybody else uses in their homes and in their businesses. That, to me, is like the real problem. I’ve used this analogy before. I look at this kind of malware, I look at these kinds of tools, basically, as like the one ring from The Lord of the Rings. Right? I mean, you think that, you know what? It’s like you a super weapon essentially. We know it’s evil and we know it can do a lot of damage and we’re really, really not [00:31:30] going to use it unless it’s like the most extreme circumstance and we don’t have a choice. Then, we’ll employ it. 
Trevor Burrus: Once you do have it you’re like, I might put it on my [crosstalk 00:31:39]. 
Patrick Eddington: That’s exactly it. Right? The other part of it is, everybody else wants this, too. When you turn around, you create these tools and then you, apparently, put them on a single server or single local area network as the agency apparently did, it’s an invitation to hackers? [00:32:00] It’s like, come and get it. Right? 
Trevor Burrus: Hack the CIA. 
Patrick Eddington: Well, exactly and a lot of folks in the privacy and civil liberties and technology community have been warning for years about this very kind of scenario and now it’s come to pass. 
Aaron Powell: The exploits that came out in the first batch and then, was it yesterday that there was a second batch? 
Patrick Eddington: Yes. 
Aaron Powell: The second batch seemed to be a lot about Apple products, but Apple announced today or yesterday that these were all old exploits [00:32:30] that had been patched long ago. Should we take that as this was dangerous stuff and they may have done things with it, but we don’t have to worry or is it likely that they have found even more exploits on top of the ones that we’ve seen the old versions of? 
Patrick Eddington: We should bear in mind that whatever this individual or individuals gave to WikiLeaks is simply what the individuals chose [00:33:00] to give to WikiLeaks. It does not necessarily, contrary to Julian Assange’s propaganda, it does not necessarily represent everything that the CIA has. We also know that the material that’s been contained in these two dumps so far covers essentially the period from 2013 to roughly 2016, but I don’t think it’s necessarily inclusive. I think it would be a mistake to necessarily assume that it’s all inclusive. You know, [00:33:30] I’m an Apple product user, I have been since 2007. My entire household is nothing but Apple stuff, but if Apple has a weakness, it is the fact that they do not release their source code for public audit. Right? Within the cryptography community, that’s the gold standard. Open-source stuff is the gold standard because it means that you have to subject your stuff to peer review from other cryptographers, which is how you really get a chance to test whether or not this [00:34:00] stuff is worth anything. 
That’s why Open Whisper Systems’ Signal messaging app is considered, still to this day, the gold standard for that kind of activity because there is no evidence thus far that anybody has been able to crack it, including the National Security Agency. You can’t necessarily say that about Apple because their source code is proprietary. They don’t put it out there. That’s not to say that, as a general rule, [00:34:30] they’re not doing, I think, what most people would characterize as a pretty damn good job trying to do this, but as our friend Orin Kerr at George Washington University Law School has observed, we don’t know how to write perfect software. Even the best efforts of folks, whether they’re working with proprietary stuff like Apple, or whether they’re doing it with open-source stuff just you’re going to find gaps. That’s why it’s an arms race. That’s why you always have to keep up with it [00:35:00] and exactly how the intelligence community looks at it. 
Aaron Powell: We’ve had very strong commercial encryption commercially available and open-source and free encryption for quite a while. I mean, I generated PGP keys back when I was in middle school and high school. Given that and given that there’s ones out there that to our knowledge have not been cracked yet and are fairly easy to use, why [00:35:30] is this a problem? Why do they have access to so much stuff still if we can encrypt it powerfully and easily? 
Patrick Eddington: In the case of some of these exploits having to do with iOS, Apple’s mobile operating system, the agency apparently at least had one that gave them the ability to get right at the base operating system itself. When you’re able to do that, you can install software that allows you to log every keystroke. If you can do that, [00:36:00] the game is over because then you get every password, anything anybody types on that, they’re going to be able to figure out. Even though, in this case, Signal and even WhatsApp, from what I understand, remain essentially fine. When you’re able to circumvent the encryption literally by just getting directly at the keyboard, that’s an issue. The war goes on and it’s going to be that way until a day comes when we can actually develop [00:36:30] flawless software and I kind of doubt that’s over the immediate horizon. 
Aaron Powell: Do you think, though, that we will end up some time in the relatively near future where, at the very least, so yes, if they get access to your device itself they can get at your information, but where all internet traffic itself and all communications traffic is encrypted end to end? 
Patrick Eddington: There are lots of different places along the way that it can [00:37:00] be intercepted, right, so if you’re able to get on the internet backbone, for example, if you’re able to get into other places before the actual encryption takes place, then you’re able to defeat it. Because there’s so many parts to the system of communications, digital communications, it means that there are potentially a number of different attack vectors. A number of different weak points. One of my favorite things about Glenn Greenwald’s [00:37:30] book, No Place to Hide, which is about the whole Snowden episode is the photograph that he put in there of folks from NSA’s Tailored Access Operations or TAO Office, breaking open Cisco router boxes in order to actually put implants in them. Right? 
When you have the ability to potentially get into a supply chain and put implants like that in, it just gets back to this whole issue, [00:38:00] the larger issue of reining in the intelligence community and Federal law enforcement in terms of what they’re engaged in because they’re treating the entire internet and the entire global telecommunications infrastructure as an absolutely no holds barred target. Whereas in the pre-internet age, all of this intelligence collection activity was going against other countries’ ciphers and codes because they were passing over dedicated communication circuits, dedicated communications cables. 
While [00:38:30] that’s still largely the case for a lot of your most sensitive military and diplomatic traffic, it’s not exclusively the case. When we talk about the terrorism threat, which is really where a lot of this collection is justified or they … Let me rephrase that. It’s how they justify the collection against the internet and the digital infrastructure of the globe, they’re really attacking all of us at the end of the day and that’s what makes it so incredibly disturbing. It’s just this mentality of my highest duty, and if you listen carefully, it doesn’t matter [00:39:00] whether it’s a president or an attorney general or a DNI, it’s always some formulation of my highest duty is to protect the American people, which is, as Libertarians, as we know, is a lie.
Their highest duty is to protect the Bill of Rights and to uphold our rights and to uphold the Constitution, but that’s part of the problem that we have today. It’s the age that we’re living in where everyone, and especially folks in government and a lot of our friends in the media, have gotten into this habit of repeating this nonsense that you can have [00:39:30] a completely safe and secure world and still be free. The founders understood that the only way you can be safe and secure is if you have liberty, if the government can’t do these very things, but that’s what’s been lost. For me, the greatest challenge I face on a daily basis really, is trying to explain to folks, especially on Capitol Hill, do you understand the mistake that you’re making here by buying into this government argument? [00:40:00] That’s really what they’re doing. 
Aaron Powell: Okay, but so government, one of its key roles, the reason that if we take our social contract, we’re getting out of the state of nature, the reason we institute it in the first place is to protect us. Otherwise, we wouldn’t have set it up and so for a lot of people, you know, so like, say, me, I, for those law enforcement agents listening in, am not engaged in any criminal activity nor am I planning a terrorist attack, so why [00:40:30] should I really be bothered? 
Patrick Eddington: Right. 
Aaron Powell: Even if it keeps me … It doesn’t keep me perfectly safe, but maybe it keeps me a little bit safer than I would have otherwise been so why should I be bothered by them listening in on Trevor and me arguing about Batman versus Daredevil?
Trevor Burrus: Daredevil by the way. 
Patrick Eddington: The fundamental problem is essentially the precept that they operate under, which is this idea that they need to collect it all, to use a Keith Alexander phrase, [00:41:00] a former NSA Director. 
Trevor Burrus: Or a Pokémon phrase, I guess … 
Patrick Eddington: Yes. 
Trevor Burrus: … that would be, too. 
Patrick Eddington: Yes, yes. If you’re collecting everything it means you don’t actually know who the hell it is that you’re really supposed to be going after. Right? I mean, if we go back to the entire precept of the Fourth Amendment, it’s about individualized, particularized suspicion, based on a probable cause standard. In other words, you’re supposed to be going after individual human beings and that’s what we have here. We have a small group of human beings out there, I’m thinking specifically [00:41:30] Salafist terrorist organizations, who represent a certain level of threat, but in comparison to other threats, they kind of shrink to insignificance. 
For example, if you look at the number of people that are actually killed in terrorist incidents in this country on a yearly basis, I’m talking post 9/11 now, which is definitely a one-off event, it was caused by incompetence among FBI, CIA, and NSA not actually sharing the information they already had. In a post 9/11 environment, [00:42:00] in a year in and year out basis, you’re much more likely to be shot and killed by a cop in this country than you are a terrorist. To me, sure, having government is designed to do certain limited things, but when folks in government begin to view each and every one of us as a potential suspect first and citizen second, which is exactly how our system works right now, that’s exactly how you get these abuses and it’s also why they actually don’t get the bad [00:42:30] guys. 
Trevor Burrus: I wanted to clarify something you brought up if our listeners are not familiar with this, the Cisco routers because you mentioned it briefly. It was in Snowden’s leaks, correct? 
Patrick Eddington: Mm-hmm (affirmative). 
Trevor Burrus: For routers being shipped to the retail market in Europe, the US government intercepted the boxes, opened them up, and placed … It had physical access to the routers that placed something in them so they could constantly [00:43:00] … They undermined the company Cisco, they undermined … It shows that even if you lock down the information streams, just doing an old fashioned, I think you called it a black bag, is what you called it? 
Patrick Eddington: Yes, a black bag job is what we called those. 
Trevor Burrus: Just go and put something on their smart television so they can use it because I think one of the leaks was about your smart TV might be watching you, but I think they had to give you the physical access … 
Patrick Eddington: They did. 
Trevor Burrus: … the smart TV to get that. Then, they just say hey, you know, we’re here [00:43:30] to do a building inspection. Right? 
Aaron Powell: I’m with Comcast, I understand you have a [crosstalk 00:43:35]. 
Patrick Eddington: Exactly. 
Aaron Powell: Or, if they know you live in an area, you intercept shipments to that area. Don’t even need … [crosstalk 00:43:40]. 
Trevor Burrus: Mm-hmm (affirmative). 
Patrick Eddington: Yeah. 
Trevor Burrus: They will do that. If they’re blocked from one area, don’t think well, I guess we can’t get to that. They will absolutely go to the nitty gritty level to try … 
Patrick Eddington: Absolutely. 
Trevor Burrus: … and access. 
Patrick Eddington: I mean, look, under the Patriot Act, right, when you talk about section 215 of the Patriot Act, it’s all [00:44:00] tangible things. It’s that business records provision, so they could under the Patriot Act, basically go to Best Buy or whoever and say has so and so ordered this router? Uh, yeah, they have. Okay, great. Number one, you can’t talk about this. This is a gag order. Number two, where’s the box and boom. 
Trevor Burrus: That’s it. 
Patrick Eddington: That’s it. I mean, look, if they’re going after somebody who’s like a child pornographer, somebody like that, and they’ve got genuine probable cause, that’s one thing, [00:44:30] but to do what they have been doing, which is literally engaging in this kind of fishing expedition surveillance on just an absolutely massive scale, there’s nothing that’s remotely Fourth Amendment compliant about that. It’s also militarily and from an intelligence standpoint completely ineffective. 
Trevor Burrus: When you did photographic analysis, you had them take a picture of an area. If they would have given you a picture of the whole country [00:45:00] in minute detail, it would not have made your job easier to find what you were looking for. 
Patrick Eddington: It would have made my job infinitely more difficult and that’s the thing about it. You have to be able to zero in on who the bad guys are. Listen, this gets back to the fundamental problem with my former employer. For decades, they have operated out of embassies and consulates. Right? I mean, this is not a secret. If you go to the CIA website and you read about the account of the takeover of the embassy in Iran, in Tehran, there’s an account [00:45:30] there of how they were operating out of the embassy. It’s not a secret in that respect to talk about it. Everybody basically understands that they do that. That’s the drawback. Right? I mean, if you’re not able to essentially recruit enough folks in a given society and have them essentially be what are known as NOCs, you know, non-official cover type agents and have them be assets, and these are the native-born folks who can literally move around in the society without drawing any kind of real suspicion [00:46:00] or anything like that, if you can’t get to that point in a given country with human intelligence collection, you have a problem.
This continues to be, I think, a huge problem for the United States throughout the entire Arab and Muslim world. There’s no easy solution to it. Right? I mean, because we have spent so much time doing so many bad things and backing so many lousy governments over there that nobody trusts us. That’s one of the reasons that anti-Americanism [00:46:30] is so great. Well, when anti-Americanism is so profound, when it’s so deep-seated, how in the world are you going to actually approach people successfully to get them to work for the Central Intelligence Agency as an asset for a lengthy period of time? Very tough. 
Aaron Powell: I have a clarifying question about a detail you mentioned that I’m curious about. You mentioned when you thought the WikiLeaks dumps were from a disgruntled contractor and Snowden [00:47:00] was a contractor. 
Patrick Eddington: Mm-hmm (affirmative). 
Aaron Powell: Is there a reason why we see these leaks coming from contractors as opposed to agents or are they the same thing? 
Patrick Eddington: It’s an interesting question that has been posed. I tend to think that it’s more a matter of coincidence at this point than anything else because if you go back and look at a lot of the leaks or espionage cases over the course of the last 30 years, the vast majority of them actually involve government employees. [00:47:30] It has been interesting to see back to back here Snowden and then what’s basically being billed by most folks in government right now who are at least being quoted on this, whether it’s on the record or on background, as more than likely being a result of some contractors who basically share these tools among themselves in an unauthorized fashion and then that’s how you wind up having all this go down. I do find [00:48:00] it interesting, though, that it still happens post Snowden because they initiated all these so-called insider threat programs to try to prevent this very thing from happening and it still happened. 
Aaron Powell: We have seen thousands and thousands of leaked documents about the surveillance program and lots and lots of details of how it works, lots of details about how the CIA breaks into devices, among those countless documents, have any of them shown evidence of this working? [00:48:30] Have there been any leaks of reports that yes, this surveillance program stopped this or got this guy that we wouldn’t have otherwise gotten? 
Patrick Eddington: To date, and again bearing in mind that we only know, essentially, what has leaked out or what has otherwise been publicly acknowledged, the only post 9/11 program that I think we can even moderately say has had some kind of an impact, is the FISA Amendments Act, section 702 program. [00:49:00] That particular program, just to refresh folks, when the original illegal warrantless surveillance program was exposed by the New York Times, Jim Risen, in December 2005, that particular program was known as Stellar Wind and that was the original mass surveillance program that was started literally just two days after the 9/11 attacks. Michael Hayden, then NSA Director’s the one who authorized it. We know on the basis [00:49:30] of both the Snowden leaks and then follow-up reporting and Freedom of Information Act request lawsuit work by the New York Times, Charlie Savage, that the Inspectors General of the intelligence community actually did an audit, essentially, of this program. When they actually asked the analysts, people like me, was this actually of any value to you? The answer was no. Now, the muckety-mucks up the chain, right, the political appointees and all the rest of them, absolutely vital tool, [00:50:00] yada, yada, yada, but the actual worker bees who are the ones who really do the work to try to find the bad guys said, not really.
In the case of section 702, the Privacy and Civil Liberties Oversight Board, before it effectively went defunct towards the end of the Obama Administration, they did a report on section 702 back in 2014, I believe, and they actually said that there was pretty credible evidence that this program had, in fact, been responsible for helping [00:50:30] identify previously unknown terrorist networks, etcetera, etcetera. Now, none of the rest of us have actually seen the evidence, but that was a bipartisan panel, three Republicans, two Democrats, and they were pretty much unanimous in their assessment of it. That’s the most publicly known and objective assessment, essentially, that we have, but it’s the only one. The other program that Snowden exposed, the section 215, telephone metadata [00:51:00] mass surveillance program, totally ineffective. Never caught anybody, never saved a single life, etcetera. I don’t think anybody was really terribly surprised by that. 
The section 702 program was instituted in 2008, essentially, to try to take that illegal Stellar Wind warrantless surveillance program and turn it into something legal and, at least, nominally constitutionally compliant, although I think most of us of our persuasion, would still argue that that is not the case. In any event, [00:51:30] what this program does is it allows the NSA to basically collect whatever they want to in the way of foreign intelligence over the communications networks of the world and because of the nature of the communications network, you are inevitably going to sweep up US person communications. Right? This is called “incidental collection” and I used air quotes for that because I think it’s a little bit of a misnomer, but, in any event, this [00:52:00] is probably how General Michael Flynn’s communications with Russian officials were actually captured.
It wasn’t that Obama ordered Flynn and Trump and the rest of them to be subjected to direct wiretapping, it is that the normal operation of the 702 program in collecting these kinds of US to overseas communications, picked up Flynn and probably picked up others. On the basis of the actual foreign targets of the 702 collection, in this case the Russian [00:52:30] Ambassador and probably some others, a decision was then made, after it had been bumped way up the chain of command, to go ahead and initiate other forms of collection. My guess is Flynn was probably subjected to full blown FISA surveillance in the wake of this thing, there may well have been others who are subjected to more fulsome FISA surveillance after this, but the 702 program is the only quasi mass surveillance program that we can actually point to, [00:53:00] or at least that some folks have pointed to, to say this has actually been useful in a fight against Salafist terrorists. 
Trevor Burrus: On the Michael Flynn point, there’s been a lot of discussion in the opening months of the Trump Administration about the relationship between the intelligence community and Trump and possible leaks and what they may know. Just broadly asking because it’s hard to ask a specific question about this, but as someone who has been a member of that community and knows how it works [00:53:30] and probably knows people still there, what’s your read on what’s going on? Are they worried and trying to leak or some of them are or is there an internal battle? Is it a mixture of all three? 
Patrick Eddington: Yeah, I think there are a lot of things that are probably in play here. I don’t think there’s any doubt that some former Obama Administration officials have been really pushing this whole Trump, I mean, as far as I’m concerned, the line they’ve been pushing is Trump is a de facto controlled agent of Vladimir Putin. 
Aaron Powell: Right. 
Trevor Burrus: Yeah, pretty much. 
Aaron Powell: I mean, that’s [00:54:00] The Manchurian Candidate. 
Patrick Eddington: Yeah. Yeah, yeah, exactly and to be clear, there’s zero evidence that has surfaced so far to validate that. Zero. I don’t believe that Donald Trump is a controlled agent of the Russian Federation. For one thing, I don’t think they’d be that stupid to try to recruit a guy who is clearly so completely uncontrollable that he would be vastly more trouble than what he’s worth. That’s not to say that some folks that have surrounded Mr. Trump or been in his orbit may [00:54:30] not have actually been targets of the Russian Intelligence Services. Mr. Manafort may well have been. General Flynn may have been. That’s why we need a comprehensive investigation, which is something that I’ve kind of been on a hobby horse about since at least December of 2016, but I think there are definitely some folks in the intelligence community who are not Trump fans and that’s easy to see why. I mean, he’s denigrated their product. 
On the other hand, [00:55:00] when he said, these are the same people that blew it with Iraq, that was a factually accurate statement and the point that I’ve made to people is look, if folks in the intelligence community can’t take some honest criticism that’s based on fact, then they have no chance of protecting us from the likes of Al-Qaeda or ISIS or anybody else. If you’re going to get into this business, you need to have a relatively thick skin and you need to understand that the political headwinds are going to surround you all the time. [00:55:30] You just have to learn to adjust to that and you have to, if you’re going to be a really good intelligence officer, you have to be willing to say no. 
In fact, you have to be willing to walk away from your career, if necessary, in order to maintain your integrity. The problem we’ve had over and over again in the course of the last several decades is folks have not been willing to walk away. Right? They’ve been willing to go along to get along. We’ll see how this whole thing plays out. It’s obviously gotten much more political in the last few days [00:56:00] with all the back and forth between Mr. Nunes and Mr. Schiff and some of Mr. Nunes’ very questionable actions, but a … 
Trevor Burrus: How paranoid are you and how paranoid should we be? Do you put tape over the camera on your computer? 
Patrick Eddington: Well, I have software. 
Trevor Burrus: Okay. All right, [crosstalk 00:56:18]. 
Patrick Eddington: No, I have software. Look, I worry a lot more on the day to day basis about the NSA and the FBI, than I do my former [00:56:30] employer. Even though I know they monitor what I write and what I publish, in the fall of 2015 or summer of 2015, I got a nice …
Trevor Burrus: Wait, will a CIA agent listen to this do you think? 
Patrick Eddington: Oh, sure they will. 
Trevor Burrus: Can we say hi to them right now?
Patrick Eddington: Oh, [crosstalk 00:56:44]
Trevor Burrus: Okay. Hey, how’s it going?
Aaron Powell: Tell your friends to listen.
Patrick Eddington: Yeah, I can guarantee you they will.
Aaron Powell: Leave a review on iTunes. [crosstalk 00:56:50].
Patrick Eddington: Some of the stuff that I’ve written for Cato I’ve gotten nasty letters from CIA security on and [00:57:00] stuff I’ve had published in CNN and elsewhere usually in connection with the torture investigation, right, because they’re not fans of having people be reminded of all of that. I sent them back little notes. I normally don’t use profanity or vulgarity or anything like that, but I will, basically, remind them that I retain counsel and all the rest of those kinds of things, but I think each one of us should be concerned about [00:57:30] just the proliferation of all of this surveillance. It’s not just at the national level. 
Our colleague, Adam Bates has a terrific paper out about this Stingray technology, these cell site simulators that are basically loaned out by the FBI and other Federal law enforcement to state and locals. They’ve used those to surveil protestors in Baltimore and all over the country so it’s the pervasiveness of this stuff and kind of the interlocking nature of it. It’s kind of a perverse [00:58:00] form of federalism, you know? A surveillance form of Federalism that we should all be opposed to because it’s a direct threat to our liberty. As I like to tell people, it doesn’t matter whether you think you don’t have anything to hide, it only matters what the government charges you with.
Aaron Powell: Thanks for listening. This episode of Free Thoughts was produced by Tess Terrible and Evan Banks. To learn more, visit us at