The main takeaway of two recent disclosures around N.S.A. surveillance practices is that Americans must re-think ‘U.S. citizenship’ as the guiding legal principle to protect against untargeted surveillance of their communications. Currently, U.S. citizens may get some comfort through the usual political discourse that ‘ordinary Americans’ are protected, and that this is all about foreigners. In this post, I’ll argue that this is not the case, that the legal backdoor of U.S. Citizenship is real and that relying on U.S. citizenship for protection is not in America’s interests. As a new CITP Fellow and a first-time contributor to this amazing blog, I’ll introduce myself and my research interests along the way.
On 14 October the Washington Post disclosed that the National Security Agency ‘collects millions of e-mail address books globally’, and on 29 September the New York Times reported that the ‘N.S.A. Gathers Data on Social Connections of U.S. Citizens’. This latest series of disclosures debunks earlier statements from senior U.S. officials, even up to President Obama, that these surveillance practices are targeted at foreigners and have little or no impact on U.S. residents. How come U.S. legal safeguards on the books don’t seem to protect Americans against such untargeted surveillance in the real world?
The Foreign Intelligence Surveillance Act (‘FISA’), in particular section 702, is the talk of the day, and rightly so. It enables untargeted surveillance of ‘foreign intelligence information’ (which includes surveillance for foreign affairs, economic and political purposes) of non-U.S. citizens and people living outside the U.S. without any meaningful legal restriction. The aim of FISA is to provide legal safeguards for U.S. citizens and people living in the U.S. But for the N.S.A. and associates, there exist at least three ways to work around the ‘U.S. citizenship principle’:
- Make favorable assumptions of non-U.S. citizenship: either maintain that you are ‘51% certain’ that a data subject is non-American, or collect data outside the U.S. and assume that those data belong to foreigners. If you make such assumptions, FISA doesn’t require consultation of the Foreign Intelligence Surveillance Court for specific intelligence operations. Such practices, subsequently, go without any checks and balances, even with regard to U.S. citizens.
- Draft favorable exemptions in minimization procedures for U.S. citizens: see sections 5(2) and 5(3) of the documents disclosed on 21 June and Josh Kroll’s fine analysis. For instance, regardless of citizenship, encrypted communications can be kept forever, which, given the fact that HTTPS is becoming an industry standard, amounts to a large portion of your communications.
- Circumvent local laws through international intelligence sharing: another easy work-around is to collude with an allied agency to gather intelligence information on each other’s citizens, and subsequently share the data bilaterally. This ‘quid pro quo’ principle mediates bilateral co-operation between intelligence agencies. This could well be the driving dynamic behind the TEMPORA program, in which the N.S.A. and its English equivalent GCHQ work closely together to intercept data from fiber-optic cables running across the Atlantic. It could equally be the dynamic behind the untargeted backbone interception at ~20 Internet Exchanges around the world that NSA-whistleblower Bill Binney pointed to during a recent conference in Lausanne, which is huge, but still (for how long?) remains absent from mainstream reporting.
This is the short version; detailed analysis can be found in two papers on FISA or my slides [pdf] from a recent talk that The Guardian live-blogged. I have worked on FISA for over two years now, and will continue to do so this year during my Fellowships at CITP and the Berkman Center at Harvard University, visiting from the Institute for Information Law in Amsterdam (bio and publications).
A closely related topic is HTTPS governance, on which my papers on several Certificate Authority breaches ask whether regulation or other species of governance should overcome the systemic vulnerabilities of SSL/TLS and the CA ecosystem. This also ties into how untargeted interception of SSL/TLS encrypted communications is conducted in practice. I wouldn’t be surprised if we find out that the N.S.A. has its legal and technical backdoors in the SSL/TLS and CA ecosystem protecting a great deal of our social and financial communications, which the BULLRUN disclosures by The Guardian suggest. Extrapolating from these issues, the third topic I’ll dive into is whether we need a new governance model for communications security, the subject of my very early-stage research talk at CITP on 3 October.
Back to the U.S. Citizenship backdoor. Much of the societal debate has been focused on whether these programs were ‘legal’ and ‘authorized’. Currently, the only remaining meaningful obstacle against untargeted surveillance of U.S. residents is not so much in the law, and not even in the 4th Amendment of the U.S. Constitution (one wonders why U.S. lawyers haven’t framed this issue more as a 1st Amendment issue of speech and associational freedom, receiving stronger protections in the U.S.). What remains is the quite trivial area of executive opportunism: ‘if this comes out, do we get away with it?’ Can our constituencies be convinced that this doesn’t impact us, but them?
To be clear, several agencies in Europe have joined the bilateral party, so this is not a beauty contest between legal regimes. Nonetheless, it becomes clear that it is in America’s interest to re-think the U.S. citizenship legal criterion, which functions as a practical backdoor for untargeted surveillance of both them and us. I would argue that the question Americans on all sides of the political spectrum, notably the centre, need to ask is whether the reliance on a trivial legal safeguard and executive opportunism is sufficient when (the next) Edward Snowden illuminates another legal backdoor connected to the U.S. citizenship principle.
A broader perspective on that question would also factor in the implications of this principle for the credibility of the U.S. internet freedom agenda, U.S. moral leadership in the world, U.S. business opportunities abroad and universal human rights obligations in the U.N. conventions to which the U.S. is also a party. Is the U.S. citizenship principle a tenable way forward for Americans’ privacy, for broader U.S. interests and, even more broadly, for a robust and trustworthy information society in the 21st century?