Bright minds from Harvard University and Boston University collaborated on a new research paper that looks at how the government can exploit legal loopholes as well as "technical realities of Internet communications" to get around Americans’ Fourth Amendment rights and hoover up their electronic communications.
According to "Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans By Collecting Network Traffic Abroad," the legal loopholes for surveillance that could be exploited include:
- "Surveillance of domestic communications conducted on U.S. soil under Section 215 of the Patriot Act;" this authorized the collection of Americans’ phone records.
- "Surveillance of foreign communications conducted on U.S. soil under Section 702 of the Foreign Intelligence Surveillance Act (FISA);" this authorized PRISM and the bulk surveillance of non-US residents’ electronic data.
- "Surveillance conducted entirely abroad under EO 12333 and its permissive minimization policies, such as the recently released U.S. Signals Intelligence Directive 18 ('USSID 18'). USSID 18 was drafted and approved within the Executive branch with minimal congressional or judicial oversight."
The first two are overseen by all three branches of government, but the third is "solely the domain of the Executive branch" and its relevant EO12333 legal documents are mostly redacted or classified. Yet since the NSA claims EO 12333 is the "primary legal authority" for its operations, the researchers say it "deserves more attention and careful scrutiny."
Although you might think that surveillance conducted overseas would not have an impact on the privacy of Americans, the researchers discussed technical loopholes such as when Americans' network traffic is routed overseas or stored abroad; that’s when a legal loophole can be exploited, because if Americans' data is overseas, it can legally be collected under EO 12333.
"The revealed MUSCULAR/TURMOIL program, for example, illustrates how the NSA presumed authority under EO 12333 to acquire traffic between Google and Yahoo! servers located on foreign territory; this program allegedly collected up to 180 million user records per month abroad, including those of Americans." They concluded that "even when this is not the case, core Internet protocols like BGP and DNS can be deliberately manipulated to ensure that traffic between U.S. endpoints takes an unusual path through a device located abroad."
That deliberate manipulation is allowed under EO12333. And if the data is overseas then, gee whiz, it might belong to a non-American citizen and can therefore be collected in bulk, such as "all internet traffic (including metadata and content) sent between a pair of networks."
The interdependent legal and technical loopholes can "enable largely-unrestrained surveillance on Americans communications. For instance, these techniques can be used to collect, in bulk, all communications sent from an autonomous system like Boston University to a given IP address block (with a BGP manipulation), or from an autonomous system to a particular domain like www.facebook.com (with a DNS manipulation)."
One of the authors, Axel Arnbak, excels at law and the other, Sharon Goldberg, is a Boston University Computer Science Professor. Neither are accusing the government of actively exploiting these loopholes.
Arnbak previously explained, "We do not intend to speculate on whether or not the intelligence community is exploiting the interdependent technical and legal loopholes that we describe in this paper. Instead, our aim is to broaden our understanding of the possibilities at hand. Our analysis suggests that, without a fundamental reconsideration of the lack of privacy and due process safeguards for foreigners, current surveillance legislation opens the door for ubiquitous surveillance on Americans from abroad."