Early on in its operation I got an email that almost stopped Heartbeat forever. A faraway administrator—apparently the only one in the entire IC who actually bothered to look at his access logs—wanted to know why a system in Hawaii was copying, one by one, every record in his database. He had immediately blocked me as a precaution, which effectively locked me out, and was demanding an explanation. I told him what I was doing and showed him how to use the internal website that would let him read Heartbeat for himself. His response reminded me of an unusual characteristic of the technologists’ side of the security state: once I gave him access, his wariness instantly turned into curiosity. He might have doubted a person, but he’d never doubt a machine. He could now see that Heartbeat was just doing what it’d been meant to do, and was doing it perfectly. He was fascinated. He unblocked me from his repository of records, and even offered to help me by circulating information about Heartbeat to his colleagues.

Nearly all of the documents that I later disclosed to journalists came to me through Heartbeat. It showed me not just the aims but the abilities of the IC’s mass surveillance system. This is something I want to emphasize: in mid-2012, I was just trying to get a handle on how mass surveillance actually worked. Almost every journalist who later reported on the disclosures was primarily concerned with the targets of surveillance—the efforts to spy on American citizens, for instance, or on the leaders of America’s allies. That is to say, they were more interested in the topics of the surveillance reports than in the system that produced them. I respect that interest, of course, having shared it myself, but my own primary curiosity was still technical in nature. It’s all well and good to read a document or to click through the slides of a PowerPoint presentation to find out what a program is intended to do, but the better you can understand a program’s mechanics, the better you can understand its potential for abuse.

This meant that I wasn’t much interested in the briefing materials—like, for example, what has become perhaps the best-known file I disclosed, a slide deck from a 2011 PowerPoint presentation that delineated the NSA’s new surveillance posture as a matter of six protocols: “Sniff It All, Know It All, Collect It All, Process It All, Exploit It All, Partner It All.” This was just PR speak, marketing jargon. It was intended to impress America’s allies: Australia, Canada, New Zealand, and the UK, the primary countries with which the United States shares intelligence. (Together with the United States, these countries are known as the Five Eyes.) “Sniff It All” meant finding a data source; “Know It All” meant finding out what that data was; “Collect It All” meant capturing that data; “Process It All” meant analyzing that data for usable intelligence; “Exploit It All” meant using that intelligence to further the agency’s aims; and “Partner It All” meant sharing the new data source with allies. While this six-pronged taxonomy was easy to remember, easy to sell, and an accurate measure of the scale of the agency’s ambition and the degree of its collusion with foreign governments, it gave me no insight into how exactly that ambition was realized in technological terms.

Much more revealing was an order I found from the FISA Court, a legal demand for a private company to turn over its customers’ private information to the federal government. Orders such as these were notionally issued on the authority of public legislation; however, their contents, even their existence, were classified Top Secret. According to Section 215 of the Patriot Act, aka the “business records” provision, the government was authorized to obtain orders from the FISA Court that compelled third parties to produce “any tangible thing” that was “relevant” to foreign intelligence or terrorism investigations. But as the court order I found made clear, the NSA had secretly interpreted this authorization as a license to collect all of the “business records,” or metadata, of telephone communications coming through American telecoms, such as Verizon and AT&T, on “an ongoing daily basis.” This included, of course, records of telephone communications between American citizens, the practice of which was unconstitutional.

Additionally, Section 702 of the FISA Amendments Act allows the IC to target any foreigner outside the United States deemed likely to communicate “foreign intelligence information”—a broad category of potential targets that includes journalists, corporate employees, academics, aid workers, and countless others innocent of any wrongdoing whatsoever. This legislation was being used by the NSA to justify its two most prominent Internet surveillance methods: the PRISM program and upstream collection.

PRISM enabled the NSA to routinely collect data from Microsoft, Yahoo!, Google, Facebook, Paltalk, YouTube, Skype, AOL, and Apple, including email, photos, video and audio chats, Web-browsing content, search engine queries, and all other data stored on their clouds, transforming the companies into witting coconspirators. Upstream collection, meanwhile, was arguably even more invasive. It enabled the routine capturing of data directly from private-sector Internet infrastructure—the switches and routers that shunt Internet traffic worldwide, via the satellites in orbit and the high-capacity fiber-optic cables that run under the ocean. This collection was managed by the NSA’s Special Sources Operations unit, which built secret wiretapping equipment and embedded it inside the corporate facilities of obliging Internet service providers around the world. Together, PRISM (collection from the servers of service providers) and upstream collection (direct collection from Internet infrastructure) ensured that the world’s information, both stored and in transit, was surveillable.

The next stage of my investigation was to figure out how this collection was actually accomplished—that is to say, to examine the documents that explained which tools supported this program and how they selected from among the vast mass of dragneted communications those that were thought worthy of closer inspection. The difficulty was that this information did not exist in any presentation, no matter the level of classification, but only in engineering diagrams and raw schematics. These were the most important materials for me to find. Unlike the Five Eyes’ pitch-deck cant, they would be concrete proof that the capacities I was reading about weren’t merely the fantasies of an overcaffeinated project manager. As a systems guy who was always being prodded to build faster and deliver more, I was all too aware that the agencies would sometimes announce technologies before they even existed—sometimes because a Cliff-type salesperson had made one too many promises, and sometimes just out of unalloyed ambition.

In this case, the technologies behind upstream collection did exist. As I came to realize, these tools are the most invasive elements of the NSA’s mass surveillance system, if only because they’re the closest to the user—that is, the closest to the person being surveilled. Imagine yourself sitting at a computer, about to visit a website. You open a Web browser, type in a URL, and hit Enter. The URL is, in effect, a request, and this request goes out in search of its destination server. Somewhere in the midst of its travels, however, before your request gets to that server, it will have to pass through TURBULENCE, one of the NSA’s most powerful weapons.

Specifically, your request passes through a few black servers stacked on top of one another, together about the size of a four-shelf bookcase. These are installed in special rooms at major private telecommunications buildings throughout allied countries, as well as in US embassies and on US military bases, and contain two critical tools. The first, TURMOIL, handles “passive collection,” making a copy of the data coming through. The second, TURBINE, is in charge of “active collection”—that is, actively tampering with the users.