Americans as 'vulnerable' to NSA surveillance as foreigners, despite Fourth Amendment

Americans as 'vulnerable' to NSA surveillance as foreigners, despite Fourth Amendment

Summary: By manipulating internet traffic to push American data outside of the country, the NSA can vacuum up vast amounts of US citizen data for intelligence purposes, a new report warns.

SHARE:
a1-(zdnet)-clapper-obama copy
Director of National Intelligence James Clapper with the President in 2011 (Image: Pete Souza/White House)

Secret loopholes exist that allow the National Security Agency to bypass Fourth Amendment protections to conduct massive domestic surveillance on US citizens, according to leading legal academics.

The research paper released Monday by academics at Harvard University and Boston University details how the US government can "conduct largely unrestrained surveillance on Americans by collecting their network traffic abroad," despite constitutional protections against warrantless searches.

One of the paper's authors, Axel Arnbak at Harvard University's Berkman Center for Internet & Society, told CNET that US surveillance laws presume internet traffic is non-American when it is collected from overseas.

"The loopholes in current surveillance laws and today's internet technology may leave American communications as vulnerable to surveillance, and as unprotected, as the internet traffic of foreigners," Arnbak said.

Although Americans are afforded constitutional protections against the US government from unwarranted searches of their emails, documents, social networking data, and other cloud-stored data while it's stored or in-transit on US soil, the researchers suggest these protections do not exist when American data leaves the country.

By manipulating internet traffic to push American data outside of the country, the NSA can vacuum up vast amounts of US citizen data for intelligence purposes, thus "circumventing constitutional and statutory safeguards seeking to protect the privacy of Americans," they warned.

The academic paper lands just over a year since the Edward Snowden revelations first came to light, outlining the massive scope of US government surveillance — under the justification of preventing terrorism. Although the classified programs that make up the NSA's data acquisition arsenal have only been disclosed over the past year, the laws have been under close scrutiny for years. The paper only adds fuel to the fire of the intelligence agency's potential spying capabilities, which have been heavily criticized by civil liberties and privacy groups alike.

"The fix has to come from the law — the same laws that apply to internet traffic collected domestically should also apply to traffic that is collected abroad," the paper's co-author Sharon Goldberg at Boston University's Computer Science Department, said.

While the researchers do not speculate as to whether these loopholes are being actively exploited, aiming solely to broaden the understanding of the current legal framework as disclosed, the current legislation as it stands "opens the door" for unrestrained spying capabilities.

Patrick Toomey, staff attorney at the American Civil Liberties Union's National Security Project, said: "Today, Americans' communications increasingly travel the globe — and privacy protections must reliably follow. This report raises key questions about whether our current legal regime meets that standard, or whether it allows the NSA to vacuum up Americans' private data simply by moving its operations offshore."

"The loopholes in current surveillance laws and today's Internet technology may leave U.S. communications as vulnerable to surveillance, and as unprotected as the internet traffic of foreigners."

He added that there should be a uniform set of laws that protect Americans' privacy regardless of where they are in the world, and that Congressional oversight of all rules governing surveillance is needed for comprehensive reforms.

Since the Sept. 11 terrorist attacks in New York, the subsequent introduction of the Patriot Act allowed certain kinds of data to be collected for the prevention of terrorism — so-called "metadata," such as the time and date of phone calls and emails sent, including phone numbers and email addresses themselves. But the contents of those phone calls or emails require a warrant.

The classified documents leaked by Snowden showed that while the public laws have been in effect for years or even decades, the US government has used secret and classified interpretations of these laws for wider intelligence gathering outside the statute's text.

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws — notably Section 215 of the Patriot Act, which authorized the collection of Americans' phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program, to access non-US residents' emails, social networking, and cloud-stored data.

But the researchers say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch — along with USSID 18, designed to regulate the collection of American's data from surveillance conducted on foreign soil — can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provision offered under EO 12333, which the researchers say "explicitly allows for intentional targeting of US persons" for surveillance purposes when FISA protections do not apply, was the basis of the authority that allowed the NSA to tap into the fiber cables that connected Google and Yahoo's overseas to US datacenters. The program was authorized because the collection was carried out overseas and not on US soil — including attacking a US-based company that has a physical presence in other jurisdictions, the researchers say.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo datacenters each month, according to the leaked documents.

The paper also said surveillance can also be carried out across the wider internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

The report highlights a fundamental yet widely known issue with the Internet. Data takes the quickest route possible rather than staying solely within a country's borders. Data between two US servers located within the US can still sometimes be routed outside of the US.

Although this is normal, the researchers warn data can be deliberately routed abroad by manipulating the Internet's core protocols — notably the Border Gateway Protocol (BGP), which determines how Internet traffic is routed between individual networks; and the Domain Name Service (DNS), which converts website addresses to numerical network addresses — Internet traffic can be pushed outside of the United States.

By deliberately pushing internet traffic outside of the US, the NSA would have enough time to capture the data while it is outside the reach of constitutional protection.

An NSA spokesperson denied in an emailed statement that either EO 12333 or USSID 18 "authorizes targeting of US persons for electronic surveillance by routing their communications outside of the US." 

"Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any US person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the US person is an agent of a foreign power," the spokesperson added.

The researchers rebuffed the NSA's statement in an email: "We argue that these loopholes exist when surveillance is conducted abroad and when the authorities don't 'intentionally target a 'US person'. There are several situations in which you don't 'target a US person', but internet traffic of many Americans can in fact be affected."

"We cannot tell whether these loopholes are exploited on a large scale, but operation MUSCULAR seems to find its legal and technical basis in them."

Mark M. Jaycox, a legislative analyst at the Electronic Frontier Foundation, said: "If you are intentionally spying on a US person, the government must go to the FISA Court," he said. "That's the way the law is supposed to operate."

Describing how the NSA says it never "intentionally collects" US information, he warned the foreign data dragnet would inevitably include US data.

"The NSA is an intelligence organization — it's going to be targeting foreigners. But it's the way that it's targeting millions of foreigners, and millions of foreign communications that will eventually pick up US persons' data and information. And once that data has been collected, it must be destroyed."

"It's a question the NSA can't reconcile, so they lean heavily on saying they never 'intentionally collect' the US person information," he said.

A recent primer on EO 12333 written by the privacy group said the order "mandates rules for spying... on anyone within the United States." The group also notes that, because the order remains inside the Executive Branch, the Obama administration could "repeal or modify" it immediately.

"This report raises key questions about whether our current legal regime meets that standard, or whether it allows the NSA to vacuum up Americans' private data simply by moving its operations offshore."

The American Civil Liberties Union said in a post on its website that the US government interprets USSID 18 to "permit it to sweep up Americans' international communications without any court order and with little oversight."

The privacy group has also filed a Freedom of Information lawsuit with a federal court in New York, questioning "whether it appropriately accommodates the constitutional rights of American citizens and residents whose communications are intercepted in the course of that surveillance."

Although there is no direct evidence yet to suggest the NSA has exploited this loophole, network monitoring firm Renesys observed two "route hijacking" events in June and November 2013 that led internet traffic to be invisibly routed through Belarus and Iceland on separate occasions. These events are almost unnoticeable to the ordinary internet user, but the side effect is that data may be readable by foreign governments travelling through their country's infrastructure. It also allows the NSA to capture that data by treating it as foreign data.

These legal and technical loopholes can allow "largely unrestrained surveillance on Americans communications," the researchers wrote.

The NSA, whose job it is to produce intelligence from overseas targets, said for the first time in August 2013 that it derives much of its "foundational authority" for its operations from EO 12333. Recent Snowden disclosures shed new light on understanding the capabilities of the executive order.

It was also recently revealed that Snowden himself questioned the legal authority of EO 12333, according to one declassified email exchange released by Director of National Intelligence James Clapper.

According to John Schindler, a former NSA chief analyst, speaking to The Washington Post in October, the sole aim of the NSA's "platoon" of lawyers' is to figure out "how to stay within the law and maximize collection by exploiting every loophole."

"It's fair to say the rules are less restrictive under [EO] 12333 than they are under FISA," he added.

FISA expanded the NSA's powers allowing it to obtain foreign intelligence — including economic and political surveillance of foreign governments, companies, news outlets, and citizens. But the amended law in 2008 also restricted what can be collected on US citizens.

The so-called "targeting" and "minimization" procedures, which remain classified but were reported as a result of the Snowden leaks, were introduced to ensure any data inadvertently collected on US citizens from overseas would not be used in investigations. These were later criticized following subsequent leaks which suggested the rules on collecting US persons' data were more relaxed than the statute led the public to believe.

US intelligence agencies can only do so much with US data, therefore they have a "strong incentive to conduct surveillance abroad," the researchers say, which includes individuals and companies, because legal protections under the Fourth Amendment and FISA do not apply outside US territory.

"Programs under EO 12333 may collect startling amounts of sensitive data on both foreigners and Americans," the paper summarizes, because it presumes by default that "targets and communications are non-Americans, precisely because their operations are conducted abroad."

Topics: Security, Government US, Legal, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

25 comments
Log in or register to join the discussion
  • Is anyone surprised anymore?

    Maybe we should adopt a page from the media industry's playbook and consider all personal communications subject to copyright and sue anyone who collects information without the owner's permission for copyright infringement.
    :x
    • Apparently I'm the only one who noticed that this is a speculation article

      This piece is peppered with words like "may" "can" might" "could" etc. Pure conjecture without a shred of evidence that this is actually happening. I guess ZDNet readers aren't skilled in nuanced reading.
      harry_dyke
      • Who said it was being exploited?

        ...like we'd ever know if it was...

        "We cannot tell whether these loopholes are exploited on a large scale, but operation MUSCULAR seems to find its legal and technical basis in them."

        It's bad enough the laws are crafted to allow these kinds of abuses. Maybe you aren't skilled at nuanced reading of people's comments.
        :x
      • Speculation - BS

        It is and has been happening ever since the "coalition-of-the-willing" was formed in 1947. You should ensure the reliability of your sources and preform a little due-diligence before assuming anything...
        NightLife6
  • This stopped being news...

    As soon as Congressed passed the Patriot Act.

    in 2001.

    Where was your outrage then, America?
    d20dad
    • I was outraged

      But far too many came up with the "if you don't have anything to hide..." argument.
      mdsock@...
  • Still a seizure

    If the NSA is "deliberately pushing Internet traffic outside of the US" that in itself is a seizure and a clear violation of the 4th Amendment. (Not that anyone there has anything but utter contempt for the Constitution and the rights of U.S. citizens.)
    scotteast@...
    • My question is...

      ...how does the NSA arrange this, given that neither it nor the US government directly control any backbone network?
      John L. Ries
  • Patriot Act

    Did anyone REALLY think this wouldn't happen after the Patriot Act?
    bd048
    • So you are saying that because Bush implemented this it is OK?

      I do remember the outrage. The media crucified Bush even though HE wanted to tap the phones of foreigners. Everyone said how evil it was. Now that it is Americans (and traffic is being routed outside the country to bypass protections), it seems to be OK?
      kevinbwood9
      • He didn't say that

        And you're the one who brought up partisan politics.
        John L. Ries
  • Hey "Master Race", get real!

    Why are Americans so damn special. Treat all equally, less you appear arrogant.
    allis0
    • Who said we claimed to be the "master race"?

      "Grandest on earth", perhaps; but "master race" is associated with a completely different country and political movement.
      John L. Ries
  • What has changed?

    WWI and the Zimmerman telegram and the US listening in on German "official" correspondence because it was "routed" through the US.
    nrkmann@...
  • Metadata has given the " five eyes agencies" so much information that...

    The "five eyes" intelligence agencies have already enough information stored about us citizens in their metadata, that in case of widespread civil unrest they can come in anytime day or night to put us in jail or concentration camps! The sad thing is that many young people died during the second World War (D day remembrances were just celebrated a few days ago!) in order to protect our privacy and our human and civil rights. Our younger generations will at one point or another have to fight all over again for those rights against the police and corporate state!
    Araldo001
  • American Data is Less Secure

    American Data is not as vulnerable to hacking as foriegn data.

    It is more so.

    Why ?

    Because foreign governments are actually taking steps to protect their data and fire the spies that have crept into the system (germany booting out Verizen , Russia and china vowing to get rid of microsoft computers in their government offices and move to ubuntu / Linux , etc)

    And the american government ... is not.
    Kevin OConnor1
  • The Fourth Amendment

    It is stated very clear here and would apply wherever the data was illegally pushed to:
    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
    Bobdeloyd
  • This has been happening since before the patriot act and...

    This has been happening since before the patriot act and they don't even need to route traffic over seas or outside of the US borders. To make it around the laws they only need to route traffic to an international territory like an international airport. A lot of California internet traffic is routed through LAX and I'm sure a trace route from just about any IP to any other would show at least one server that is either on international territory or simply unidentified. I don't think it would matter what country you're in either...
    rsn11010
  • liars

    They're all untrustworthy (and therefore dangerous) liars. Enough said.
    code_flogger