General Michael Hayden (Four star, US Air Force) was the head of America’s National Security Agency from 1999 to 2005. He then became the Director of the CIA. He was in Oxford giving two lectures and two talks. We met for a good-natured exchange on Thursday 13 February 2014 under time pressure for 25 minutes. This was followed up with some email questions and answers; I inserted these into an edited version of the exchange, and General Hayden lightly edited his responses for publication. So this is not a transcript, it is a text in the form of a conversation. Anthony Barnett
Thank you very much for giving me some time. What I’m interested in is the issue of mass surveillance. To put my cards on the table I’m a big critic of mass surveillance but I’m against paranoid coverage of it and want to know exactly how it happened and what its extent is. Can we start with some history. You were running the NSA during 9/11?
General Michael Hayden: Right.
Were you like Richard Clarke? Did you know immediately that it was al Qaida?
Yes. Absolutely. All instinct, no evidence, but the evidence came in pretty quickly. What I would call the equivalent of celebratory gunfire on al Qaida networks.
Clarke had tried to warn the President. Should you have been better prepared for it?
The phrase I use is that this 9/11 was preventable but a 9/11 was inevitable. You can point to any one thing: you could have gotten the guys in San Diego, the FBI could have permitted a search of Moussaoui’s computer, something could have been different, and maybe it could have been stopped. But given what the enemy was trying to do and the energy the enemy was putting into it, the way we were organised - the different authorities, the legal structure, the separation of intelligence from law enforcement, a whole bunch of things - meant sooner or later something like this was going to happen.
There was no attempt to change the organisation before 9/11?
Should there have been?
In retrospect, of course, in prospect that’s a tough argument to make.
So you then set about, with others, trying to change the structures of organisation?
And at what point did you start to think, ‘we need to collect metadata’? When did you first hear the word?
It actually existed prior, by late 1999, early 2000 it was certainly a focus area. We were beginning to use it in foreign collection. It was a way to handle volume: to turn volume into a useful tool rather than an obstruction to learning important information. And so we had begun to develop metadata along the theory that you can use the pattern of communications to create operationally valuable information.
But then the challenge becomes if you want metadata you have got to be able to accommodate bulk collection. This requires lots of storage, lots of access and then tools by which you can manipulate the metadata. The concept is that I can turn volume into my friend if I can do these things. And the technology has to be developed so that you can do it. The big break with the past after 9/11 is to begin to address the metadata question not outside the United States but inside the United States.
So you took the decision to create the mass, bulk collection of data?
I did an awful lot of things within my own authority and told George Tenet [head of the CIA] and I told the intelligence committees. George told the Vice-President [Dick Cheney] and President Bush. They said “Good, can he do anything more?” Tenet called me and I answered, “not within my current authority.” He said, “that’s not the question I asked you”, and I said, “I’ll get back to you”. This is in 2001 shortly after 9/11. I get my team together and say “Alright, blank slate: what can we do more against this threat?” And we came up with two or three courses of action, one of which was domestic metadata, which would then allow us to better detect a terrorist related phone call coming into the United States.
This is done under 215? [Article 215 of the Patriot Act]
No, that’s what it is done under now. In 2001 we did it on raw Presidential authority: a direct order from the President, its lawfulness averred to by the Attorney General.
In a sense, that's correct. Certainly not individualized warrants from a court.
Did you at some point think, ‘I am now going in for warrantless surveillance of American citizens’?
Yes, in that clearly, if we could collect metadata that was useful that was abroad we would do it. Now we had a different issue. Keep in mind the original problem set we were given was, ‘How can I be more confident about detecting terrorist related conversations one end of which was in the United States’.
Cartoon by Doaa Eladl/Web We Want via Flickr. Some rights reserved.
What was the name of the programme when you began creating after 9/11 that became the 215 database after 9/11?
The Terrorist Surveillance program and the President's Surveillance Program.
Much discussion of metadata seems limited to references to telephone calls, for example in Obama’s recent speech. You were collecting all kinds of metadata?
No, actually, this is one of the aspects that makes this more rather than less possible, NSA actually is not collecting it. It is acquiring it from the companies. This isn't actually collection, like putting alligator clips on a wire, it isn't electronic surveillance. NSA acquires the business records of the phone companies that they are keeping for their own purposes and sharing with us. Now, metadata collected overseas? Sure that’s electronic surveillance – you’re grabbing the signal.
You’re also in this cooperating with GCHQ?
We’ve partners around the world. You know we are accused of grabbing up tens of millions of French metadata records and Spanish metadata records and it turns out, no: they were provided to us by the French and the Spanish and they were metadata records not from France or Spain but from elsewhere in the world.
But you were then combining all these records.
That’s why people give it to us!
And it is not just telephonic records, even if it grew from that?
First of all, in terms of the business records it is only telephonic because emails don’t leave a business records trail, there is no billing for separate emails. Now, do you collect digital metadata in addition to telephonic metadata in the normal course of foreign intelligence gathering? Sure: ‘To’, ‘From’.
And if you mash it correctly with telephone records you get ‘Where’, you get position.
The intelligence community has explicitly refused to gather position on domestic metadata. There is no reason we’d not, if it is technologically feasible and operationally useful, do it for foreign metadata.
PRISM is a different intelligence gathering programme based on gathering internet metadata and bulk records, as I understand it, of non-US citizens, which started after your term at the NSA.
That's correct. PRISM began after my time as Director of NSA. Based on the FISA Amendment Act of 2008 which - with Congressional approval - gave NSA authority well beyond what President Bush had authorized under his Article II authorities. But PRISM is not focused either on bulk collection or on metadata. It is about email content of specific foreign intelligence targets related to terrorism, proliferation or cyber threats.
Is it correct to say that the tendency, the muscle building, of the NSA and its partners, is towards a unified database of all metadata?
We were challenged after 9-11 to connect the dots. That does require lashing up information from multiple sources.
Then you are building, to take it from here, a very considerable metadata base of everybody here in this country as we are not American citizens.
It wouldn’t apply to this country.
But it could apply?
As a matter of policy, as you know, there are understandings between our countries - not of law but of policy.
To return to the States, was there a moment when you felt, ‘This is going too far’?
Clearly, in the time I was Director, it was not going too far! This sounds self-serving, but no, if you ask my opinion, by the time I left in Spring of 05, we still had a ways to go. Now, I take your question, in 2014, given the accomplishments of the National Security Agency, it's a legitimate question. Are each of these individually correct, operationally relevant and legally defensible decisions, taken in aggregation with what they create, where you want to be? Good question. Fair question.
And your answer?
I’m not dodging it but my answer is that I don’t know enough. I have not been in the NSA for ten years.
If you look at the recent Report of President Obama’s Group of Advisors [now published by Princeton] - I don’t know what you think of it.
I call it intelligence strategy written from the faculty lounge, but go ahead.
But they did a lot of work, they had access.
Three of them were academics, but go ahead.
Their Recommendation 4 says, “…as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes…” That is what they oppose. They are against that.
They are. But what is the President’s response? His response [in Obama’s speech of 17 January] is to say we will limit bulk data collection, which is his way of saying metadata, to counter-intelligence, counter-terrorism, counter proliferation, force protection, counter-narcotics, transnational crime, and cyber threats, which is just about the universe. And there is a footnote in the White Paper that says any limitations on data collection do not apply to SIG DEV. That's signals development, which is the exploration of a new circuit or of a new cable or of any new system. So, I understand what they recommend. The President appears to have offered some concessions - as a practical matter, not a lot.
But underlying the argument of the Advisors Group is the argument that if you hold in a single database all the metadata from across the range of our activities, financial, medical, personal, web visits, if you hold all that, then you risk three things: subduing people's capacities to be citizens, it's a form of intimidation of our liberty...
Yes, second, you are exposing people to the potential abuse of the use of this information and third you are creating a database that can be hacked or used by others inappropriately.
I am more concerned about your third, that we could not protect the data in a way that it deserves to be protected given the privacy concerns, I agree with that. I also agree that there is a potential for abuse. I would not agree, look, I don’t know what the retention is for bulk collection in other countries, but that’s how you do it. I mean there is another recommendation that we should look for a scientific innovation that allows us to achieve our objectives without the collection of bulk data. To me that’s "fairy dust". I don’t know how to do it without beginning with the haystacks. Now your concern is that we are going to abuse the haystacks. We are going to pick out individual pieces of hay and abuse them without purpose, right?
With the wrong purpose.
And, you should not be under constant surveillance. To be under constant surveillance is a Stasi like form of oppression.
I got hit in Germany at the very interesting Munich conference about ‘suspicionless surveillance’. But there is no law enforcement function here - it is an intelligence function. It is not based on suspicion of anyone. It is based upon seeking to identify a legitimate foreign intelligence target. Stasi-like is when this happens against your own citizens and then it is used not to deprive your citizens potentially of privacy but to deprive them of liberty. My German friends said this reminds them of the Stasi and my answer is that the NSA simply cannot use this information to harm you as the Stasi did.
But if the information is held, about what I am doing and what I am reading on the web, my medical records, who I am seeing...
But that’s not a fair characterization of what is being done.
It’s there in the metadata. And if that record of my metadata is held and can be accessed by people unknown to me who have the power to influence my life then my capacity to act as a free person, my liberty, is invaded.
I go back to the key point, how else am I going to do this? In a world in which I am now challenged by volume, I don’t have discrete frequencies that are used by the Soviet navy so that all I need to do is log onto their frequencies. I know hostile actors are sending emails around the world through paths that are unpredictable, unless I have the metadata in a way that allows me to query the metadata with regards to selectors that are not you or me, alright, but selectors of legitimate foreign intelligence targets to see where their communications are… I can’t do that without accessing bulk communications.
The Privacy Board Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court, January 23, 2014 (available at www.fas.org) stated:
“We have not identified a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack.”
The implication is that the vast databases are not useful tools for counter-terrorism. Why do you disagree with their findings?
Because it's rare that one tool is solely decisive for any action. They all become threads in a fabric. Why else would I, my successor General Alexander, the current DNI and his predecessors, two Presidents, and the leadership of the two intelligence committees want to stick with this?
There is an argument that you are grabbing too much and are not able to focus. Senator Leahy makes that argument the whole time. But then again, the major muscle movement in the NSA that was true under me and was immediately reinforced under Keith [Alexander] is that I have got to use volume to my advantage and I can only do so by capturing it and then querying it with either selectors or other search engines in order then to draw my attention to the thread I should be paying attention to. I realise that there is potential for abuse, because the innocent or, in my terms, the uninteresting, are in there as well.
And that would include yourself.
Of course, in American metadata, in that 215 database.
Yes, and you don’t feel that that monitoring in any way affects your liberty as a person?
It does not because I know and have great confidence as to how and when the data is accessed and it is under very narrow specifications.
And how is that controlled?
The system has key-stroke monitoring which is reportable through oversight mechanisms and there are about 20 people in NSA who are authorized to do this and they have to have what is called a reasonable, articulable suspicion that the seed number – not me, not you – that the seed number that they use for a query is an affiliate of al Qaida. They don’t just jump into the pool and see what’s going on in the 215 database. They have to have a seed number, almost always foreign, and the seed number has got to have that RAS – reasonable, articulable, suspicion – that it’s al Qaida. All you do, and this is the important thing as I realise that it could be abused and other things could be done, all that is done is to ask "has that seed number ever shown up inside that ocean of American telephone activity?" And if it has and it says, “Yes it called that number in, say, northern New York” you get to ask that number who do you talk to, and with that data there is nothing more that can be done by the NSA. It is then given to the FBI. Then, anything beyond that is between the FBI and the American court system.
In the Advisors Report they said they were satisfied that there was no illegality of the kind that had occurred during the Vietnam period.
Right, and no abuse.
And no abuse, but the Courts did feel that there was a great deal of “non-compliance”.
And what does that mean?
It means it is complicated. Let me give you one example of non-compliance but it is representative. You have got these seed numbers, Reasonable, Articulable Suspicion, of links to al Qaida. Those are the ones you use to query. You have also got another population of seed numbers in waiting. You are working on building a case that they are an al Qaida number but you are not quite there yet at the level of reasonable, articulable suspicion. As the daily take came in, as the flow comes into the xillion record database, in addition to what I have just described to you, they set up a filter so that as the database is coming through, they screen the database on the daily uptake, to see if these not yet but almost ready for prime time seed numbers, all of them foreign, have shown up. The grounds being that I may have a 100 numbers out here I am working on as to whether or not they are al Qaida affiliated, but, boy, if one of them calls the United States then I’m moving it to the top of the list to make sure whether or not it is al Qaida affiliated. That was one of the non-compliances. The court said “Although you are not asking what is the American number, although you are not chaining out from the American number, it’s more than you asked us permission to do and therefore you are in non-compliance”. That’s one of the non-compliance issues.
Non-compliance was not in relation to non-telephonic communications?
The one I just gave you is the one I actually know about and it is illustrative of the kind of technical questions that were involved.
And when you say that wouldn’t happen here with GCHQ, they wouldn’t have to worry about that because they can make that decision themselves.
The United States is the only western democracy that takes these questions to a court. Here in the UK this kind of activity is done through ministerial rather than judicial warrants. The questions are dealt with in the political branches.
And you would regard it as more “robust”?
I’d regard it as more freedom of action. As you can probably tell, I’m pretty comfortable with all this. Don’t get me wrong. Don’t think I do not fear an overreaching government or an overreaching executive, I do. It can be scary.
The IRS thing, the President making recess appointments when the Congress does not think it is in recess, you know I’m jealous of our liberties too.
In your talk in Oxford you referred to the possibility of corporations becoming the leaders in the cyber domain, and of Google as acting like a sovereign.
I often compare today's globalization (e.g. the web), with the last great age of globalization (the European discovery of the western hemisphere and beyond). In the latter, corporations such as the East India Company, Hudson Bay, powerfully shaped the environment. Today is no different. My comments were just a recognition of this. I’m being descriptive not prescriptive. [Glenn] Greenwald is now making an issue of the NSA using Angry Birds. It is Angry Birds that is sucking information out of your iPhone, and grabbing your data, not the NSA. What NSA is doing is a legitimate intelligence operation. It’s Angry Birds that’s grabbing your data!
But the danger is that if I have given my information to a company, say Amazon if I use it for buying, I have given it freely. But I do not expect them to pass it on. I do not expect you to take it either. It’s my private information. Once you start to put together all my activities on line and where I am from my phone then you get a picture of someone.
NSA is gathering such information in pursuit of legitimate foreign intelligence targets. All I can say is that you’re uninteresting!
Maybe so if you are only interested in connections to al Qaida. But what if you become interested in me for other reasons? This, surely, is a danger you can recognize? To be “innocent” means we have a claim in law. This is our status and it belongs to us. To be “uninteresting” means that our status, so far as whether or not we are surveyed, lies entirely in the hands of the sovereign and the intelligence services.
Be careful not to confuse foreign intelligence with law enforcement. Foreign intelligence (in all states) pursues legitimate targets in order to know of things that help the state remain free and secure. That information need not be being communicated by "bad people". Lost in the current media uproar is the fact that countries like the US and the UK and Australia have a more narrow definition of legitimate intelligence than most. They do NOT include in that definition the enrichment of domestic industry through industrial espionage. Most others do. But here we are talking only about the American and British and the Australian services. Odd.
[Update June 2015: See here for a video of Dick Cheney on how the surveillance programme started]
Tomorrow, A discussion with William Binney, who left the NSA in 2001.