The main takeaway of two recent disclosures around N.S.A. surveillance practices, is that Americans must re-think ‘U.S. citizenship’ as the guiding legal principle to protect against untargeted surveillance of their communications. Currently, U.S. citizens may get some comfort through the usual political discourse that ‘ordinary Americans’ are protected, and this is all about foreigners. In this post, I’ll argue that this is not the case, that the legal backdoor of U.S. Citizenship is real and that relying on U.S. citizenship for protection is not in America’s interests. As a new CITP Fellow and a first time contributor to this amazing blog, I’ll introduce myself and my research interests along the way.
On 14 October the Washington Post disclosed that the National Security Agency ‘collects millions of e-mail address books globally’, and on 29 September the New York Times reported that the ‘N.S.A. Gathers Data on Social Connections of U.S. Citizens’. These latest series of disclosures debunk earlier statements from senior U.S. officials that these surveillance practises are targeted at foreigners, and have little or no impact on U.S. residents; even up to President Obama. How come U.S. legal safeguards in the books don’t seem to protect Americans against such untargeted surveillance in the real world?
The Foreign Intelligence Surveillance Act (‘FISA’), in particular section 702, is the talk of the day, and rightly so. It enables untargeted surveillance of ‘foreign intelligence information’ — which includes surveillance for foreign affairs-, economic- and political purposes — of non-U.S. citizens and people living outside the U.S. without any meaningful legal restriction. The aim of FISA is to provide legal safeguards for U.S. citizens and people living in the U.S. But for the N.S.A. c.s., there exist at least three ways to work around the ‘U.S. citizenship principle’:
- Make favorable assumptions of non-U.S. citizenship: either uphold that you are ‘51% certain’ that a data subject is non-American, or collect data outside the U.S. and assume that those data belong to foreigners. If you make such assumptions, FISA doesn’t require consultation of the Foreign Intelligence Surveillance Court for specific intelligence operations. Such practices, subsequently, go without any check and balances, even with regard to U.S. citizens.
- Draft favorable exemptions in minimization procedures for U.S. citizens: see section 5(2) and 5(3) of the 21 June disclosed documents and Josh Kroll’s fine analysis. For instance, regardless of citizenship, encrypted communications can be kept forever – which given the fact that HTTPS is becoming an industry standard amounts to a large portion of your communications.
- Circumvent local laws through international intelligence sharing: another easy work-around is to collude with an allied agency to gather intelligence information on each other’s citizens, and subsequently share the data bilaterally. This ‘quid pro quo’ principle mediates bilateral co-operation between intelligence agencies. This could well be the driving dynamic behind the TEMPORA program, in which the N.S.A. and its English equivalent GCHQ closely work together to intercept data of fiber-optics running across the Atlantic, as well as the untargeted backbone interception at ~20 Internet Exchanges around the world that NSA-whistleblower Bill Binney pointed at during a conference recently in Lausanne, which is huge, but still (for how long?) remains absent from mainstream reporting.
This is the short version, detailed analysis can be found in two papers on FISA or my slides [pdf] from a recent talk that The Guardian live-blogged. I have worked on FISA for over two years now, and will continue to do so this year during my Fellowships at CITP and the Berkman Center at Harvard University, visiting from the Institute for Information Law in Amsterdam (bio and publications).
A closely related topic is HTTPS governance on which my papers on several Certificate Authority breaches ask the question if regulation or other species of governance should overcome the systemic vulnerabilities of SSL/TLS and the CA ecosystem. This also ties into how untargeted interception of SSL/TLS encrypted communications is conducted in practice. I wouldn’t be surprised if we find out that the N.S.A. has its legal and technical backdoors in the SSL/TLS- and CA ecosystem protecting a great deal of our social and financial communications, which the BULLRUN disclosures by The Guardian suggest. Extrapolating from these issues, the third topic I’ll dive into is whether we need a new governance model for communications security, the subject of my very early-stage research talk at CITP on 3 October.
Back to the U.S. Citizenship backdoor. Much of the societal debate has been focused on whether these programs where ‘legal’ and ‘authorized’. Currently, the only remaining meaningful obstacle against untargeted surveillance of U.S. residents is not so much in the law, and not even in the 4th Amendment of U.S. Constitution (one wonders why U.S. lawyers haven’t framed this issue more as a 1st Amendment issue of speech and associational freedom, receiving stronger protections in the U.S.). What remains is the quite trivial area of executive opportunism: ‘if this comes out, do we get away with it?’ Can our constituencies be convinced that this doesn’t impact us, but them?
To be clear, several agencies in Europe have joined the bilateral party, so this is not a beauty contest between legal regimes. Nonetheless, it becomes clear that it is in America’s interest to re-think the U.S. citizenship legal criterion, that functions as a practical backdoor for untargeted surveillance of both them and us. I would argue that the question Americans of all sides of the political spectrum, notably the centre, need to ask is whether the reliance on a trivial legal safeguard and executive opportunism is sufficient when (the next) Edward Snowden illuminates another legal backdoor connected to the U.S. citizenship principle.
A broader perspective on that question would also factor in the implications of this principle for the credibility of the U.S. internet freedom agenda, U.S. moral leadership in the world, U.S. business opportunities abroad and universal human rights obligations in the U.N. conventions to which the U.S. is also a party. Is the U.S. citizenship principle a tenable way forward for both Americans’ privacy, broader U.S. interests and even more broadly for a robust and trustworthy information society in the 21st century?
Privacy issues have little or nothing to do with the covert manner in which the NSA and its vetted subsidiary’s, operate. Mass spying and surveillance in the US on its citizens is standard operating procedure for the NSA in its bid to know ‘everything’. Whatever it takes for the NSA to secure information that in all reality is 99.9% useless to the national security of the US and its ‘vetted Allies’ is of little consequence to concerned private citizens. This agency is not unlike a Machine with a never ending supply of fuel, and unfortunately guys like Snowden just give a high octane boost.
I am worried that the ‘broader perspective’ argued here is actually fairly narrow. The broader issues you raise at the end, the credibility of the U.S. internet freedom agenda, US business opportunities abroad, and so on, these issues reflect concerns of countries outside the US seeking to protect their internal communications, and they are not going to be much affected by different interpretations of US citizenship.
At last weekend’s Drone Conference in NYC, Prof. Katherine Strandburg made some highly interesting remarks about associational freedom under the 1st Amendment and protection from surveillance. Here’s her 2008 paper on the topic: ‘Freedom of Association in a Networked World: First Amendment Regulation of Relational Surveillance’ – http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1136624
Moreover, the assurance that “US Citizens are protected” at best protects only the most parochial of us. Every day, I correspond with people in multiple nations. It appears that under the government’s current reasoning, the fact that I do so justifies monitoring all my communications, and those of all my correspondents, foreign or domestic.
The argument gets made that by exercising my First Amendment freedoms of speech and association, I surrender my Fourth Amendment rights against unreasonable search, just as I do when I use a public conveyance to exercise my First Amendment rights of assembly and petition. Current jurisprudence seems to believe that rights exist only in isolation.
And the people eat it up. “I have nothing to worry about. I don’t talk to foreigners, or talk to anyone that does!” is a common sentiment among the authoritarians.
My prediction for the next slide down the slippery slope: the argument will be advanced that “acting suspicious” is the moral equivalent of turning in a false fire alarm, because it distractes the attention of the authorities from catching the real Bad Guys. That is perhaps the most pernicious authoritarian argument in existence: it is a demand for total conformity, since any departure from the norm is potentially “suspicious.”