How Traffic Shaping Can Help the NSA Evade Legal Oversight
New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.
From a news article:
The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws—notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.
But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch—along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil—can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.
The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.
An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.
The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.
We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.
EDITED TO ADD (7/13): Author responds to NSA comments.