May 26, 2024

"Loopholes for Circumventing the Constitution", the NSA Statement, and Our Response

CBS News and a host of other outlets have covered my new paper with Sharon Goldberg, Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad. We’ll present the paper on July 18 at HotPETS [slides, pdf], right after a keynote by Bill Binney (the NSA whistleblower), and at TPRC in September. Meanwhile, the NSA has responded to our paper in a clever way that avoids addressing what our paper is actually about.

In the paper, we reveal known and new legal and technical loopholes that enable internet traffic shaping by intelligence authorities to circumvent constitutional safeguards for Americans. The paper is in some ways a classic exercise in threat modeling, but what’s rather new is our combination of descriptive legal analysis with methods from computer science. Thus, we’re able to identify interdependent legal and technical loopholes, mostly in internet routing. We’ll definitely be pursuing similar projects in the future and hope we get other folks to adopt such multidisciplinary methods too.

As to the media coverage, the CBS News piece contains some outstanding reporting and an official NSA statement that seeks – but fails – to debunk our analysis:

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.

“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The NSA statement sidetracks our analysis by re-framing the issue to construct a legal situation that conveniently evades the main argument of our paper. Notice how the NSA concentrates on the legality of targeting U.S. persons, while we argue that these loopholes exist when i) surveillance is conducted abroad and ii) when the authorities do not “intentionally target a U.S. person.” The NSA statement, however, only talks about situations in which U.S. persons are “targeted” in the legal sense.

As we describe at length in our paper, there are several situations in which authorities don’t intentionally target a U.S. person according to the legal definition, but the internet traffic of many Americans can in fact be affected. The best evidence of that point came a few days after we released our paper, in a Washington Post piece that sources original NSA documents on presumed foreignness – confirming exactly what we outline in our paper. Concrete examples include untargeted bulk surveillance (for instance based on non-personal “selectors” or search terms) and the fact that data collected abroad may be presumed foreign. Another clear-cut example is conducting surveillance for a particular policy objective, such as “cybersecurity”.

In addition, data on Americans may be retained and further processed when it was “incidentally” or “inadvertently” collected through surveillance that did not have the goal of “targeting a U.S. person” in the legal sense. Quoting the recent Washington Post piece:

Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

This issue has already received a lot of attention over the last months, but this high percentage is new: the personal information of all these account holders may be collected and retained, even though the surveillance operation was not intentionally targeting a U.S. person according to the legal definition. As so often happens in law, legal speak in the books may obscure what really is going on on the ground.

Another point to emphasize is that those “limited exceptions (for example, an emergency)” from the NSA statement are outlined in USSID 18 section 4.1, and in fact span four heavily redacted pages. It’s quite impossible to tell what lies beneath those redactions – beginning on page 11 of our paper, we make a start and highlight what passages are particularly important to de-classify or include in FOIA requests. In any event, it’s quite a stretch to brand four full pages of exceptions – which add up to dozens of actual situations – as “limited”.

Bruce Schneier’s blogpost is also worth reading. The expert discussion below his post really captures what blogging is all about.

Our paper is still a work in progress. In addition to adding recently disclosed information (such as Greenwald’s book and the Washington Post piece), we’ll spend more time analyzing the solutions at hand – from technical, policy, and legal perspectives. The Guardian reports that the U.S. Government’s Privacy and Civil Liberties Oversight Board (PCLOB) will decide on July 23rd whether it will review EO 12333; hopefully the PCLOB will take note of our work so far. In any event, your comments here or by dropping us an email are more than appreciated.


  1. A few days and weeks after the release of our paper, EO 12333 has been getting a lot of attention in the media and policy arenas.

    First, a former State Dept. official wrote an Op Ed, warning about the loopholes we also describe in the paper:

    Then, the WaPo released the NSA SIGINT Decision Tree, along with the announcement that the Obama appionted Privacy and Civil Liberties Oversight Board will investigate surveillance overreach through EO 12333:

    To be continued.

  2. NSA in action?

    email traffic, US to a UK based email server run by Google:
    # tcptraceroute -n 25
    Selected device eth0, address xxxxxxxx, port 40567 for outgoing packets
    Tracing the path to on TCP port 25 (smtp), 30 hops max
    1 0.268 ms 0.216 ms 0.196 ms
    2 0.283 ms 0.261 ms 0.261 ms
    3 [open] 0.262 ms 0.249 ms 0.277 ms

    same destination, http traffic:
    # tcptraceroute -n 80
    Selected device eth0, address xxxxxx, port 37853 for outgoing packets
    Tracing the path to on TCP port 80 (http), 30 hops max
    1 0.303 ms 0.221 ms 0.190 ms
    2 0.280 ms 0.224 ms 0.225 ms
    3 * * *
    4 0.704 ms 0.670 ms 0.672 ms
    5 2.288 ms 1.176 ms 1.200 ms
    6 1.279 ms 1.215 ms 1.192 ms
    7 1.332 ms 1.274 ms 1.352 ms
    8 1.476 ms 1.444 ms 1.507 ms
    9 73.141 ms 73.179 ms 73.137 ms
    10 77.488 ms 77.405 ms 77.427 ms
    11 * * *
    12 * * *
    13 * * *
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *