Tomorrow, Glenn Greenwald’s highly anticipated book ‘No Place to Hide’ goes on sale. Apart from personal accounts on working with whistleblower Edward Snowden in Hong Kong and elsewhere, Mr. Greenwald announced that he will reveal new surveillance operations by Western intelligence agencies. In the last weeks, Sharon Goldberg and I have been finishing a paper on Executive Order 12333 (“EO 12333”). We argue that EO 12333 creates legal loopholes for U.S. authorities to circumvent the U.S. Constitution and conduct largely unchecked and unrestrained bulk surveillance of American communications from abroad. In addition, we present several known and new technical means to exploit those legal loopholes. Today, we publish a summary of our new paper in this post.
We stress that we’re not in a position to suggest that U.S. authorities are actually structurally circumventing the Constitution using the international loophole we discuss in the paper. But, we’re wondering: will the gist of our analysis be part of Greenwald’s new revelations tomorrow? A first snippet of Greenwald’s new book in The Guardian, about hacking American routers destined for use overseas, seems to point in that direction. Here’s our summary.
Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad
In this multi-disciplinary paper, we reveal interdependent legal and technical loopholes that intelligence agencies of the U.S. government could use to circumvent 4th Amendment and statutory safeguards for Americans. We outline known and new circumvention techniques that can leave the Internet traffic of Americans as vulnerable to surveillance, and as unprotected by U.S. law, as the Internet traffic of foreigners.
First, we describe the current U.S. regulatory framework for intelligence gathering. From public and (until recently) secret primary legal sources, three regimes can be distinguished, based on where the surveillance is conducted and who it targets:
1. Surveillance of domestic communications conducted on U.S. soil under s.215 of the Patriot Act;
2. Surveillance of foreign communications conducted on U.S. soil under s.702 of the Foreign Intelligence Surveillance Act; and
3. Surveillance conducted entirely abroad under EO 12333 and its permissive minimization policies, such as the recently released U.S. Signals Intelligence Directive 18 (“USSID 18”). USSID 18 was drafted and approved within the Executive branch with minimal congressional or judicial oversight.
We outline when these regimes apply, and how the level of legal protection substantially decreases when a surveillance operation presumes two connected criteria: i) it does not target a particular, known U.S. person, and ii) it is conducted abroad. The key insight we develop is that by constructing plausible presumptions that a surveillance operation meets these two legal criteria, the legal regime of EO 12333 can be applied to a surveillance operation, with minimal protection for American communications ‘incidentally’ or ‘inadvertently’ collected. While the Patriot Act and FISA have attracted most media attention, according to the N.S.A., the regime under EO 12333 is indeed the “primary legal authority” [pdf, p. 2-3] for its operations.
Next, we discuss known and new techniques that may exploit these legal loopholes for surveillance of American communications. One known method is to monitor American network traffic while it is routed or stored abroad. The revealed MUSCULAR/TURMOIL program illustrates how the NSA presumed authority under EO 12333 to acquire traffic between Google and Yahoo! servers located on foreign territory, collecting up to 180 million user records per month abroad, regardless of efforts to establish whether or not the surveillance concerns “a known, particular U.S. person.” In addition to eavesdropping on intradomain traffic (i.e., data sent within a network belonging to a single organization), we discuss exploiting these loopholes in the interdomain setting, where traffic traverses networks belonging to different organizations. We explain why interdomain routing with BGP can naturally cause traffic originating in a U.S. network to be routed abroad, even when it is destined for an endpoint located on U.S. soil. We also show how core Internet protocols – BGP and DNS – can be deliberately manipulated to force traffic originating in American networks to be routed abroad. We discuss why these deliberate manipulations fall within the permissive EO 12333 regime, and how they can be used to collect, in bulk, all internet traffic (including metadata and content) sent between a pair of networks, even if both networks are located on U.S. soil (e.g., from Harvard University to Boston University).
Finally, we explore technical, legal and policy solutions that address the international surveillance loophole. We discuss why technical solutions like encryption, DNSSEC, and the RPKI can help combat these risks, but still are no panacea. Even encrypted traffic, for example, exposes metadata about which parties are communicating. Meanwhile, the NIST Cybersecurity Framework (February 2014) leaves encryption implementation to individual companies, rather than proactively creating market incentives stimulating uptake across industries. The proposed U.S.A. Freedom Act and 4th Amendment case-law concentrate on legal safeguards for “known, particular U.S. persons”, and offer little promise in closing the international surveillance loophole for Americans.
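The RPKI mitigation named above is applied by routers as route origin validation (RFC 6811). The sketch below is an added example, not code from the paper; the ROA entries, prefixes and AS numbers are constructed from documentation ranges. Its last case shows one reason origin validation alone is no panacea: only the final AS in the path is checked.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: covered prefix, max prefix length, authorised origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 25, 64497),
]


def validate(prefix: str, as_path: list[int]) -> str:
    """Return the RFC 6811 validation state of a BGP announcement.

    valid     - a covering VRP matches the origin AS and the length <= maxLength
    invalid   - covering VRPs exist, but none of them matches
    not-found - no VRP covers the announced prefix
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last element of the AS path
    covered = False
    for vrp in VRPS:
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        if vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", [64510, 64500, 64496]),         # authorised origin
        ("192.0.2.0/24", [64510, 64499]),                # wrong origin AS
        ("192.0.2.0/25", [64510, 64496]),                # more specific than maxLength
        ("198.51.100.128/25", [64510, 64497]),           # within maxLength 25
        ("203.0.113.0/24", [64510, 64498]),              # no ROA published
        ("192.0.2.0/24", [64510, 64505, 64506, 64496]),  # same origin, different path
    ]
    for prefix, path in announcements:
        print(f"{prefix:20} path={path} -> {validate(prefix, path)}")
```

The final announcement validates exactly like the first because origin validation says nothing about the intermediate ASes a route traverses, and prefixes without a published ROA come back as not-found rather than invalid.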
We do not intend to speculate on whether or not the intelligence community is exploiting the interdependent technical and legal loopholes that we describe in this paper. Instead, our aim is to broaden our understanding of the possibilities at hand. Our analysis suggests that, without a fundamental reconsideration of the lack of privacy and due process safeguards for foreigners, current surveillance legislation opens the door for ubiquitous surveillance on Americans from abroad.
Our paper combines descriptive, internal legal analysis with threat models from computer science, and offers new insights for normative policy evaluation and analytical frameworks for further research. This research is a work-in-progress and will be posted online shortly.