In the late 90’s I co-created the program “ThinThread” which was the perfect alternative to mass surveillance – but it was ditched by NSA for money.
ThinThread was a fully automated system that could monitor signals then filter and alert on genuine threats in near real time. It did this all whilst protecting citizens rights to privacy. Its efficacy was down to its being metadata focused.
See more about the film of ThinThread’s story and my career here. Currently screening in CPH:DOX Copenhagen and will screen in NYC on the 15th Nov. http://agoodamerican.org/
Here’s proof of me being live now: https://twitter.com/AGAmovie/status/664481877890195457
What’s your opinion on Deep Web, Tor and other untraceable internet-browsing systems? Do you think a user is compelled to resort to such tools to protect their privacy and information?
Part of the Treasuremap program includes approx 1000 trace route programs embedded in switches and servers, to trace the route of packets through the network, and they are using this to attack Tor, which I believe they still have problems following.
Google the NSA program Treasuremap for more info.
What is the oversight process for budgets and spending at the NSA?
There is NO oversight of NSA spending! They are not audited at all.
I’ve always wondered what employees thoughts are when asked to do questionable things like some of the stuff the NSA does. Back when you were an employee, what was the general consensus around the “office” when asked to create a civilian surveillance program? Were your coworkers all gung-ho and convinced they were doing the right thing? Did they think it was awful, but it paid the bills? Or was it something that was just never discussed?
Most of them did not like the program and opposed it (Stellar Wind). But the vast population of NSA are ISTJ on the Myers Briggs scale, which means they are afraid to stand up and oppose things to avoid conflicts.
What can people do to protect themselves and attain as close to anonymity if they choose? What do you think it will take for this issue to be raised on a political level with actual results instead of mere foot stomping and rhetoric? Would it matter if other countries didn’t buy in and went full 1984 surveillance on its citizens.
Use smoke signals! With NSA’s budget of over $10bill a year, they have more resources to acquire your data than you can ever hope to defend against.
This has to be addressed in law and legislation. Call your local governmental representative and complain, otherwise, if you sit and do nothing… you are fucked!!!
Can you go into more detail about how ThinThread works? How did it protect privacy? What technology did it use? How is it different than the current metadata programs the NSA is using?
It protected privacy by encrypting attributes that identify people and filtering out and collecting ONLY specifically targeted data.
Who are some other whistleblowers that you respect and honor for doing what they did?
Jesselyn Radack, Tom Drake, Kirk Wiebe, John Kiriakou, Julian Assange, Chelsea Manning, Jeffrey Stirling, Russ Tice… I cant remember them all. All the ones that the government has sent to jail to cover up their crimes.
What is the biggest threat to U.S. citizens? How can citizens combat it?
The biggest threat to U.S. citizens is the U.S. government.
Fire everyone in DC!
If I am anywhere in the USA, and am talking on my cellphone, can the government hear me? And are they recording? And can they use it against me at any time?
Yes. See the program Fairview.
Estimate of 80% collection of content (inc. text and audio) and metadata in the Upstream program.
Would ThinThread be effective at all against encrypted data transmissions?
Yes. Its metadata based, which is not encrypted. Because thats what’s used to route data through the system.
How efficient was the identification of targets in ThinThread? It’s a difficult balancing act in statistical data classification to achieve a high hit-rate (catch all the bad guys) AND a low false-alarm rate (don’t single out any good guys as a bad guys).
It was built on reliable attributes used to route data through the network. That was metadata we used to do the selection and it was spot on.
Can you elaborate at all on what those attributes were? Is it really possible to look at those attributes and know if you hit on any “false positives”?
Its evaluating a combination of factors; numbers such as IPV4, IPV6, MAC Numbers, User ID Service Provider, Phone Numbers and like factors and comparing to historical records to help verify accuracy.
How efficient are these surveillance programs compared to classical police work in detecting and stopping unlawful actors?
The program answers in milliseconds, humans take much longer to find and take action, and the system verified data before executing. People dont necessarily do that. Example: drone strikes.
My question was more about how many actual threats are being detected by the programs, not about speed.
ThinThread was killed in 2001 and so is not producing any threat assessments now, but prior to that it was producing intel everyday on targets that were not terrorist related. All the programs currently in use by NSA have failed to produce results on anything, but are really good at bulk collection.
Why didn’t you ever leak anything? What do you think about Snowden and Manning?
Because I designed most of what they are using and I didn’t think I needed to take anything with me and Congress knew I did.
I think they are both whistleblowers who have tried their best to defend the constitution and inform the public of things they need to know.
How would you recommend that people in tech give back to their country (eg: civic hacking, DoD contracting, going into US Digital Services, policy making, working for an agency)?
Im all for infiltration! And when you do that you bring with it your integrity and character.
How much of Government overreach would you attribute to the public’s misunderstanding of mission stress and financial disincentives?
They had duped the public into thinking they need to do bulk surveillance and this has allowed them to almost triple their budgets.
Does the NSA actually think they need to do this to catch bad guys or are they doing it because results=more funding?
They are doing this purposely to get the money. Their track record is that they continuously fail using bulk collection, and they know it.
Is there any credibility to the claims that encryption is causing legitimate surveillance to “go dark”? Doesn’t thin thread’s mode of operation make encrypted content irrelevant?
I do not believe thats true. And yes ThinThread makes encrypted content irrelevant.
What are real steps we as citizens can take to combat the infringement of our privacy in the tech sector? As in, aside from just letting people know on Facebook to contact our representatives… What practical method do you recommend to reverse the flow?
Again the problem here is that the NSA resources that are available are too great to overcome.
Eg, Google didnt even know that the ‘Muscular’ program existed, which tapped the transfer of data between their data centers. This gave NSA all the data that google had. And thats not the only tap program.
The Nation magazine quotes you saying that “the United States has created a police state with few parallels in history” and a direct quote from you as “It’s better than anything that the KGB, the Stasi, or the Gestapo and SS ever had.” Can you expound this a little bit? What do you think about American mass surveillance of non-US citizens?
Yes thats a quote from Wolfgang Schmidt, a former Lieutenant Colonel in the Stasi, concerning NSA surveillance. “You know, for us, this would have been a dream come true.”
I dont think much of mass surveillance of everybody. Because it dumps too much data on analysts and makes them dysfunctional, and invades privacy of everyone.
Reading through the responses, Thin Thread sounds like an AI like program, would that be a correct assumption? Would thin thread dump non pertinent data rather than logging it?
It was a learning system, and yes it ONLY took in pertinent data and let the rest go right by.
ThinThread is described as being able to identify targets efficiently using automated filtering while at the same time considering the privacy of non-targets by encrypting the data concerning them or by not storing it in the first place. Would it be fair to still call ThinThread a tool of mass surveillance since the data of everyone is under surveillance?
No. ThinThread looks at all data as it goes by, but filters out only targeted information and encrypts identities of people until it gets probable cause.
What determines a person is affiliated with a group? Is it known communication with members? Can visiting say an ISIS website be enough for the government to deem you affiliated and increase scrutiny on you?
Because of NSA’s bulk collection they cant do this on the fly, but retroactively yes, they make those associations. Communications or travel or human reports from the FBI or other Police organisations can add you to the target list. The idiots at NSA are probably still using a three hop approach.
Is it possible to think that governments will come to the idea that selling citizens data to companies is totaly ok?
They dont have to sell it, they are giving it to them now because the contractors run their databases. Indirectly they have access to it all. Eg. Ed Snowden and Booz Allen Hamilton.
Aliens from another planet, are they real?
The random probability is one… so yes.
Could you please tell us what you think about the FISA court? Is there any place for a secret court in our Republic? I’m also curious about the NSLs which come with gag orders such as the one that Yahoo fought and lost with regards to PRISM. Do you think that the courts would uphold the right of the government to gag the tech companies that want to tell their users what is going down?
They (FISC) need to be fired.
I would not replace it with anything except the existing Article III Courts.
NSLs have been ruled by the second court of appeals to be unconstitutional and are illegal.
What is the rationale behind these programs?
The rationale is very simple, to stop threats to people. Thats the objective of intelligence.
The NSA has such a bad reputation, so how/why should we trust anything you tell us or any of the answers you give us?
Im a whistleblower against NSA’s mass surveillance for 14 years. Its up to you if you want to believe me.
How has that worked out for you financially? Did you lose your pension? Are you employable?
I still have my retirement, but they killed all opportunity to do work anywhere else in the United States.
You can see more about this in the movie: ‘A Good American’ – Im in it.
Bill, as a Cyber Security worker myself, are you in favor of a national personal information regulatory agency? I’ve gone back and forth on this several times, and keep landing on the fact that personal information needs a centralized enforcement agency, similar to the IRS, with the power to force institutions to use standards and policies that make sense, and assure the safe keeping of everyone’s personal data. Additionally, what do you think of a national two step verification system for every persons Social Security number?
No. That just gives governments another opportunity to collect information on everybody!
If the system is so good, as you have said, why has it not been able to stop mass shootings like ones in Colorado or Oregon? IIRC the oregon dude had posted material about his future actions.
Because NSA and associated industrial partners killed the program in 2000/01!
Why hire contractors instead of regular employees? I’m sure you can find the right talent if you position it properly, look at the U.K. for example. I would love to work with the NSA (Canadian, unfortunately), what credentials do you look for recruiting?
Because they want to build dependencies within the military industrial intelligence complex. Its an incestuous relationship, they are screwing everybody.
You have to be a US citizen or… a working member of the FVEYS.