by

CBS News and a host of other outlets have covered my new paper with Sharon Goldberg, Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad. We’ll present the paper on July 18 at HotPETS [slides, pdf], right after a keynote by Bill Binney (the NSA whistleblower), and at TPRC in September. Meanwhile, the NSA has responded to our paper in a clever way that avoids addressing what our paper is actually about.

In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.

As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News. “Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.

As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected. The best evidence of that point came a few days after we released our paper, in a Washington Post piece that sources original NSA documents on presumed foreignness – confirming exactly what we outline in our paper. Concrete examples include untargeted bulk surveillance (for instance based on non-personal “selectors” or search terms) and the fact that data collected abroad may be presumed foreign. Another clear-cut example is conducting surveillance for a particular policy objective, such as “cybersecurity”.

In addition, data on Americans may be retained and further processed when it was “incidentally” or “inadvertently” collected through surveillance that did not have the goal of “targeting a U.S. person” in the legal sense. Quoting the recent Washington Post piece:

Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

This issue has already received a lot of attention over the last months, but this high percentage is new: the personal information of all these account holders may be collected and retained, even though the surveillance operation was not intentionally targeting a U.S. person according to the legal definition. As so often happens in law, legal speak in the books may obscure what really is going on on the ground.

Another point to emphasize is that those “limited exceptions (for example, an emergency)” from the NSA statement are outlined in USSID 18 section 4.1, and in fact span four heavily redacted pages. It’s quite impossible to tell what lies beneath those redactions – beginning on page 11 of our paper, we make a start and highlight what passages are particularly important to de-classify or include in FOIA requests. In any event, it’s quite a stretch to brand four full pages of exceptions – which add up to dozens of actual situations – as “limited”.

Bruce Schneier’s blogpost is also worth reading. The expert discussion below his post really captures what blogging is all about.

Our paper is still a work in progress. In addition to adding recently disclosed information (such as Greenwald’s book and the Washington Post piece), we’ll spend more time analyzing the solutions at hand – from technical, policy, and legal perspectives. The Guardian reports that the U.S. Government’s Privacy and Civil Liberties Oversight Board (PCLOB) will decide on July 23rd whether it will review EO 12333; hopefully the PCLOB will take note of our work so far. In any event, your comments here or by dropping us an email are more than appreciated.