Daniel July 1, 2014 5:57 PM

“The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.”

I’d like to point out that it is not clear that this true as legal matter.

The actual judicial opinion discusses at great length when the 4A applies abroad but the key takeaway is that there are circumstances when the 4A does in fact apply abroad, even to non-US citizens. In the case discussed in the article the court held that the 4A didn’t apply but that the 5A did.

This area of the law has yet to be litigated fully. It may well be that as time marches on the courts may find that the 4A does in fact apply to data stored oversees.

Benni July 1, 2014 6:09 PM

Somewhere, the guardian notes that the NSA has the opinion, whenever someone communicates from america to someone outside america, he has no privacy rights.

Essentially the same argumentation has the BND in germany.

I guess that these agencies do not even do much real traffic shaping. Perhaps their strategy is simpler:

Just massively upgrade and nourish certain internet exchange points that lead to foreign countries, in order to ensure that the data packets from, say, New York over Frankfurt to Washington go faster and especially cheaper for the Internet Service Provider which has to pay for this, than a direct connection from New York to Washington directly.

This is also mentioned by the researchers:

“path selection is often based on the price of forwarding traffic to the neighboring AS that announced the path, as well as on the number of ASes on the path announced by that neighbor. This means that it can sometimes be cheaper to forward traffic through a neighboring AS that is physically located in a different country, rather than one located in the same country; this situation is common, for example,”

I have noted in comments for the posts on the NSA and BND cooperation, and here
that the german government makes a full take from all Isp’s which have a foreign bridge head.

Formerly, the world’s largest internet node de-cix in Frankfurt has admitted that it provides data to the BND, saying to a german computer magazine de-cix would be forced to do an “egg dance” because of a gag order. Now de-cix has issued a press release with weaselly language on this, as I noted in the above posting.

And of course de-cix as opened a node in New York.

So all the NSA/BND/GCHQ gang has to do is;

Make the traffic from an arbitrary US location over de-cix New York to de-cix Frankfurt and then to the final destination, which is another arbitrary US location, cheaper than the direct route from an arbitrary US location to the destination in the US.

Then, the route over de-cix frankfurt is preferred and the BND gets, by german law, its full copy, later BND shares this with NSA (i.e. puts the data into Xkeyscore) and all agencies are satisfied, as is de-cix, which grows due to larger traffic….

Well, and there were these reports that BND delivered raw data from de-cix to NSA until 2007 . Yes, that is the exact date when NSA created their presentations noting that BND has Xkeyscore access now So, since 2007, BND did not send the raw data back forth meade any longer but they could put it into NSA’s database when they recived it….

uh, Mike July 1, 2014 6:52 PM

Here’s the new jurisdiction field. “You agree that litigation regarding this packet will be conducted according to Mexican law.”

65535 July 1, 2014 7:37 PM

I find some interesting timing between this paper and other on going events.

I did take the time to read the 24 page report that Bruce linked. There seems to be two components of “high jacking” American communication abroad for “legal” spying related to Presidential order “EO 12333.”

The two parts of this legal loophole are routing tricks and DNS Manipulation.

“3.2.2 Deliberate DNS Manipulations.”

See page 18 of the paper

As Senator Feinstein noted:

“Twelve-triple-three [EO 12333] programs are under the executive branch
entirely.” Feinstein has also said the order has few, if any, privacy pro- tections. I don’t think privacy protections are built into it,” she said.”

See page 13 of the paper

This seems to indicate that high jacking American’s communications via routing tricks and DNS manipulations are unethical and/or illegal. Thus, it might be time to “wind-down” such a program quickly now that it has been exposed.

That would include winding-down a free Dynamic DNS network with Spy Trojans run on Vialwerks (a Nevada LLC) and apparently created by a Kuwaiti and Algerian nationals (Naser Al Mutairi and Mohamed Benabdellah, aka Houdini) and mostly run on foreign soil.

[All the spy tools an agency would need]

This bot networks featured: Remote Desktop [View victim’s computer], Remote cam [Turn on victim’s computer camera to watch/record the victim], Microphone [Listen to/record victim’s conversations], Get Password [Steal passwords], Run file, from link, from disk, Scrip [Remotely executing files on victim’s computer], Process Manager [Remotely terminate processes including antivirus, firewalls…], Keylogger [Record victim’s keystrokes]…

See Microsoft’s complaint diagram page 17

Microsoft seeks to reveal all free [and anonymous] users of said free dynamic DNS service – which forces them into the financial payment system where they could be traced… and possibly push them into companies that Microsoft invests [the latter is only a guess].

“However, because Defendant leases sub-domains of its registered domains to its free subscribers, Defendant is not expressly required to make the identities and contact information of its sub-domain subscribers publicly available.”

See page 7 of Microsoft complaint:

“Microsoft made available a map with the global impact of the two threats, and users in Europe are the most affected. It appears that the most detections have been recorded in France, the United Kingdom, Germany, Italy, Netherlands, Belgium and Austria.” –Softpedia

This group of countries is composed of the 5-eyes + group who just happen to work with the NSA.

Given the vast spying capabilities of these bot nets, the foreign countries they operate from, the length of time they have operated and the fact that the “high jack” and “copy data” game has been exposed, I somewhat suspicious of the timing of this bundle of news and the rapidity (both legal, visual and with neat explanations of protecting the public). In the past there has been a connection between elite zero day hackers and certain spy agencies.

Granted there could be no connection between the spy agencies and a spy hacker group. But, the timing still seems very odd.

Benni July 1, 2014 8:03 PM

@Uh, Mike:

Mexico sounds at first like a “nearby routing”, but for the NSA, it certainly isn’t.

At least there is no partnership known with the NSA and Mexico. NSA’s partners are Canada, UK and Australia and New Zealand. And then there is Germany.

According to whistleblower Thomas Drake,

the relationship between the NSA and BND from Germany is so close that there is almost no difference between a five eyes partner and BND.

Drake says: After the 9/11, Germany became spy target no. 1 in Europe. In some sense, the NSA holds the German services responsible for that they did not notify the 9/11 attackers who lived and trained in Germany. And so, the NSA had made its demands, leading to an “extremely deep cooperation”. I already noted that the largest internet node in the world is in Germany. So it would make sense to route US traffic to Frankfurt, with BND as their rueful puppet, allowed to monitor everything according to germany’s G10 law.

The capacity of de-cix scales linearly. Its current hardware is such that 20% of the capacity are its current maximum load. This network can, without any problems, deal with the entire internet traffic from america.

The maximum load of de-cix is currently 3.5 Tb/s, which is, strangely, exactly the same as the load of Rampart-A:

NSA just has to make sure that bits are likely, or with a cheap prize, to go into fibers monitored by a rampart-a partner. Of course routes to Canada, or the GCHQ in Britain will do similarly as routes to Frankfurt and back.

Chris Abbott July 1, 2014 8:39 PM

This is why we need good end-to-end crypto for everything, every connection on the internet from point-to-point. They’re always going to have tricks up their sleeve, and in a top secret environment, accountability isn’t really possible. We have to protect ourselves because the legal system sure as hell won’t. Ha! End-to-end encryption of ALL internet connections: Wouldn’t that be their worst nightmare!

NobodySpecial July 1, 2014 9:33 PM

@benne – First England is knocked out of a World Cup that German looks likely to win and now it seems we are to be displaced as America’s favourite puppet.

We should demand that the government make a great patriotic effort to do whatever is required to show that when it comes to spying on Americans – we can do just as well as Germany.

Benni July 1, 2014 10:07 PM

@Chris Abbott:
End to end encryption is certainly desirable. But then, they still have the metadata.

Maybe they do not have anymore the content of the site you visited. But they have the address of the server that you asked to be connected with. Thereby, your webbrowsing history is still in their catalogue.

End to end encryption makes only sense for email, and internet forums where you sent text to some server.

What we basically need is to replace the internet by two tools:
1) a friend to friend network like retroshare, where you can send strongly encrypted information to known, thrusted friends, in case the metadata is unimportant,

2) a faster tor like system. but then you have again attack vectors like these Would users start to use tor massively, the NSA certainly will switch to these methods. The security of tor depends on the assumption that no agency can monitor the entire internet.

Services like gchq attempt to “master” the internet, and they are eager to “partner it all”, especially internet backbones, ISP’s, internet exchange nodes and international fibers. It would cost these agencies much, but if they really wanted, they certainly could pull of the attacks mentioned at wikipedia against tor, even if that would be a major effort for them.

In the short run, if users would start to massively use tor, it would only render the police helpless, when they are searching for real criminals. Faced with things like child pornography, filesharers, or terrorists using tor, agencies like the NSA will, at the end, finally get the money to monitor enough tor servers. Once NSA/BND/GCHQ succeed with that, the situation will be the same that we already have now.

So in the long run, the only measures against NSA/GCHQ/BND are political ones.

Demonstrate at their headquaters like, call the politicians personally, vote for parties who try to change the laws, sue these agencies in court whenever it is possible.

Benni July 1, 2014 10:15 PM

“We should demand that the government make a great patriotic effort to do whatever is required to show that when it comes to spying on Americans – we can do just as well as Germany.”

Fairly easy. Let de-cix open a node in Cheltenham at gchq. It currently only operates in
Germany, then in Dubai! (that was de-cix’ first foreign node, probably because BND was eager to get its Saudi Telecom Company collection) and now in New York.

Figureitout July 2, 2014 1:08 AM

a friend to friend network like retroshare
–Still relies on cables which are owned by cable/telephone companies, some of which are essentially gov’t organizations…then you say “thrusted friends”, if it doesn’t rely on a physically shared secret using common sense OPSEC then that connection is MITM’d or split. Radio mesh networks is the way to go, but that means that your connection can be heard (but split up via say..Spread spectrum/FSK for small budgets). Yes, I realize the cost of such a system, such is the cost of dragnet surveillance and will result in massive wastes of electrical power (like usual for security). So, we can still spew the info out and it can’t be contained (barring a “Russian woodpecker” next door), but everyone can hear it (reality is not so many), if you have multiple modes, times, frequencies, locations…

things like child pornography, filesharers, or terrorists
–Being nit-picky, but you need an asterisk (*) after filesharers, as there are many legitimate filesharers. Hopefully I don’t need to provide an example of that (linking or hosting an html page could be considered filesharing…)…

the only measures against NSA/GCHQ/BND are political ones.
–Ah, seen a few more people say this lately, and Bruce is a believer in this as well. Question: Have you or any of the people who recommend this actually tried to contact your representatives (so many don’t even know their names!!), or organize your community (a solution which would have the best results politically), or vote or any of that crap? Guess what happens? Someone stupid comes in and ruins the entire process; I had a class that simulated this perfectly, seeing it in real-life, it was worse than I could’ve possibly imagined. You’ll probably end up blaming someone else eventually like everyone else and the failure perpetuates and continues to smear its stupidity in everyone’s lives. I used to believe this, I was a “believer” that I could get involved and represent the people and I would be able to fight for them. Reality: The process is owned and mostly a meaningless show; so much so I went back to school to get out of that field. Dominated by people who drink metamucil for lunch and probably wear adult diapers. A while back Bruce even had a meeting w/ some politicians, did that accomplish much of anything “in the long term”? Haven’t heard anything since. The only caveats are things like EPIC or EFF, some established groups (that can still be infiltrated) making a difference.

REAL solution: Go along w/ current horribly organized political system so as not to waste your life fighting/dying (unless you want to, many have before). Based on actual physics not some arbitrary rules most times not well considered, ie: computationally impossible to surveil. Ignore idiots until they become irrelevant, get in science-related fields and ignore them (and scream when their stupid decisions cause your field harm). And then move on otherwise they keep the human race chained to the Earth if you let them drag you down to their mental states…

Conclusion: Please don’t waste years of your life like I did, which won’t do anything.

Clive Robinson July 2, 2014 3:57 AM

@ Figureitout,

Yes, I realize the cost of such a system, such is the cost of dragnet surveillance and will result in massive wastes of electrical power (like usual for security)

Don’t ever forget this as it’s the way you deal with traffic analysis, the trick is ensuring it’s the opposition burning the energy not you, and that way you end up winning what becomes a war of attrition.

Since traffic analysis became a working tool during WWII the question arose of how do you prevent it from being effective (because you can’t stop them listening).

The usual first answer is traffic stuffing the link. That is if the link works at fixed capacity then you deny the opposition one set of statistics. The down side of this is you fix your position with the broadcast and make yourself a target.

Thus the idea of swamping the opposition with many links to monitor without them being able to correlate one link with another. Omnidirectional radio links have the advantage over cables that whilst you know where the TX is you don’t know where the RX is unless it gives it’s self away by the likes of error correction where it requests repeates etc.

One soloution to the error correction issue is to route repeats across different links in a network. Which in turn gives rise to the idea of actually fragmenting messages across multiple links as well.

With a little thought you can see how the ideas for secure mesh networks came about.

However from this also comes the idea of lowering the power of the links and increasing the number of nodes in the mesh. This realy increases the cost for the opponent faster than it does for the allies hence the idea of micro mesh networks where the nodes are very simple and there are hundreds in small areas.

This thinking gave rise to the idea of MIMO which is receiving some academic interest currently.

There are issues however, the first being the issues surounding KeyMat not just for distribution but also from loss due to simple nodes getting captured by the opposition.

There are solutions to this and Ross J. Anderson over at Cambridge labs wrote atleast one paper on the subject.

As I’ve said befor TOR falls foul of traffic analysis because it does not take some basic steps such as link stuffing and tries to be low latency. Thus it’s something that should be avoided untill the basic problems are fixed.

CallMeLateForSupper July 2, 2014 6:13 AM

“So in the long run, the only measures against NSA/GCHQ/BND are political ones.”

Not strictly true: there is also direct action. Administrations take care to leave all options “on the table”; so should everyone else.

steven July 2, 2014 6:56 AM

The reverse is also possible: traffic could be forced through the US or a monitored country, that normally wouldn’t go there.

QUANTUM sounds capable of doing that, if it were permissible to use it where collection is not allowed; then redirect a user’s browsing to someplace where it is?

A lot of websites effectively do this out of ignorance; when using a CDN or embed third-party scripts, the referrer URI and potentially much more detail about the visitor and their activities could be leaked.

Or suppose an anycast DNS infrastructure serves millions of (sub)domains, and the queries typically remain in or close to the visitor’s country, without passing through a country that has the infrastructure or legal agreement in place to collect from it. But one day with a court order, an US corporation takes over authoritative DNS for all of that, and filters everything through its IP ranges in the US for the purpose of ‘Internet safety’…

steven July 2, 2014 7:34 AM

@clive makes some brilliant points all at once.

A lot of communication needs to only travel a short distance; having shorter local links would exponentially increase the number of places to monitor to get the same coverage, vs. an Internet centralised around fewer peering points or users centralised on major services or cloud infrastructure.

Raising the ‘floor’ on whether to, or how strongly to, encrypt traffic would substantially increase the cost or lower the returns of doing untargetted, sweeping surveillance. Even if the crypto is less than perfect and breakable with some effort. Mass collection (e.g. the 7 or 30+ day ‘buffer’) only seems possible at the moment because the uninteresting noise (high-volume p2p traffic) can be immediately recognised and filtered out, leaving only the interesting parts to store. A trivially breakable stream cipher in CBC or CTR mode means having to do at least some computation and look at previous traffic in the stream, and that’s a huge overhead to try to keep up with in real time unless you focus your efforts on the traffic of people really worth spying on.

And also if a link used for confidential communication has sufficient uncontended bandwidth (which leased lines for voice often have), that really ought to be maxxed out with encrypted junk traffic instead of idling. Taking away timing information and usage patterns, but also increasing the overall cost of getting at the interesting data.

axel arnbak July 2, 2014 8:42 AM


Hi, Daniel, thoughtful comment! I’m one of the authors on this paper, and you’re of course right. We don’t argue that the 4th Amendment doesn’t apply at all across borders. What we do say, is that the protection on offer substantially decreases when surveillance is regulated under EO 12333, as opposed to FISA. Look forward to further studying your reference!

Cheers, axel

kronos July 2, 2014 8:47 AM

@NobodySpecial: …that when it comes to spying on Americans – we can do just as well as Germany.

I (an American) once had a long friendly conversation with an European in which we both argued that our own politicians were the dumbest and most corrupt. For some time we regaled each other with tales to bolster our argument and in the end decided it was a tie. But then he offered to trade all his corrupt politicians for mine and I declined by saying I would rather have the ones I know than the ones I do not know (neither of which are trustworthy).

axel arnbak July 2, 2014 8:56 AM


adding to that, the US Supreme Court clearly establishes that foreigners have no 4th Amendment rights altogether in the case of United States v. Verdugo-Urquidez (1990): “There is […] no indication that the Fourth Amendment was understood by contemporaries of the Framers to apply to activities of the United States directed against aliens in foreign territory or in international waters”, and later, “If there are to be restrictions on searches and seizures which occur incident to such American action, they must be imposed by the political branches through diplomatic understanding, treaty, or legislation.” So, barring legal and political action, no constitutional protection – as opposed to the European Convention on Human Rights (ECHR) that has some universal rights [I won’t expand on some here, that would require a seperate book 🙂 ].

stine July 2, 2014 9:13 AM

Bruce, this isn’t new, and also doesn’t require the traffic to pass to a foreign (non-US) carrier. There are quite a few fiber paths with both ends in the U.S. that pass through Canada. Also, consider that every country’s embassy is considered, for diplomatic reasons, to be the soil of the home country. The best example of this is currently Julian Assange’s residence in the Ecuadorian embassy in England. This means that any cable or fiber that passes through their propery has crossed the U.S. border. (Hopefully ICE don’t use this an excuse to extend their search powers across the entire U.S. as most of the U.S. is within 100 miles of a foreign embassy.)

Mark T July 2, 2014 9:47 AM

The big announcement by MS that they’re deploying PFS w/Outlook & OneDrive, I don’t think that means your stuff is stored encrypted and only YOU can decrypt it. You still have to do that yourself. It only pertains to privacy enroute. And PFS will be the first thing to collapse with QC’ing. The effort to develop QC’ing now exceeds anything since the Manhattan Project, even Apollo. It’s just not visible.

Mark T July 2, 2014 11:44 AM

Some people see everything in legal terms. Other people see everything in technological terms.

Then at one end are alarmists, at the other those who like to wave their hand dismissing all the stories, like the writer of the stupid Wired article, probably because they think it makes them appear smart and confident …”what? Me worry? Heck no I’m an expert and everyone is stupid except me.”

DB July 2, 2014 2:00 PM


Right. The Supreme Court establishes that all foreigners are slaves and dogs to America, put on earth only to do our bidding. All other countries should take note and treat America accordingly as a hostile force.

jon July 2, 2014 2:30 PM

I’m glad this problem is getting some recognition. I’ve been concerned about it for a few years now. Much internet traffic originating and ending in the US travels outside US borders, as part of the natural and intentional design of the internet’s distributed network and node structure. It seemed that any packets straying outside the border would be considered ‘foreign’. I was wondering if that premise would then be extended to include all of the remaining packets of a message? The NSA seems intent on maximizing the number of ways that it can intercept any and every electromagnetic emanation, everywhere, all the time, from everybody.

Mike the goat July 2, 2014 5:02 PM

jon: I must admit it always had me bemused that traffic appears to take what appears to be the direct opposite to a reasonable route to its destination. I guess now we know why… I always just assumed it was crappy network design.

Derf July 2, 2014 6:26 PM

How is this any different than the NSA sneaking into a UPS depot and slapping a mailing label on a target package that sends it to an NSA location in Mexico?

DB July 2, 2014 11:39 PM

Just to be clear, I wasn’t intending to advocate any kind of “Jihad” against America… I was intending to point out that since the US Supreme Court declares that human rights do not apply to foreigners, therefore they must not be human. Only Americans are bonna fide humans.

All you other countries might want to have a declaration of independence FROM America, you can borrow ours, I hear it says something about all men being equal with certain unalienable rights…. Sign your name really big so King Obama can read it without his spectacles too.

Figureitout July 2, 2014 11:43 PM

Clive Robinson
Don’t ever forget this
–I won’t as it really makes me mad. Systems should be efficient, healthy and easy on the environment. Real security requires pollution like heavy encryption, wiping HDD’s, then shredding them into powder and might as well the rest of the motherboard b/c you can’t diagnose the tiny component that’s broken and we lose all those metals to a landfill which will likely never be re-mined. Not to mention heavy stress by being constantly vigilant and always recovering I mean preparing for the next attack…

And criticizing TOR, what other choices do people have besides paid VPN’s and getting closer to the big cable companies? As it seems now, no one’s going to have the effort or capital to make the kind of network TOR is; but it’s just sketchy sometimes…

RE: Mesh networks
–You can get 600ft range w/ a PCB “F-antenna” (guess the company lol) powered off a 3.3V coin cell…these signals could be encrypted via flash programming everyday and provide some sort of authentication. In cities this would be best but I’m not sure about the interference there…

Botsors July 3, 2014 10:43 AM


Re TOR, there seems to be a fair amount of buzz among academics about MIMO as a reasonably efficient anonymization network with better resistance to traffic analysis. Does anybody know whether we might expect any exciting implementations down the line?

Figureitout July 4, 2014 5:14 PM

there seems to be a fair amount of buzz among academics about MIMO
–Yes, there is. I’ll have to read up on it more later, I could use a little explanation on the math behind it too. I guess we’ll have to wait and see on if a group can put together a trusted implementation…It’s radio though and for that bandwidth you typically need proximity, so going across the ocean would need to be thought about to get a true world-wide anonymity network…

An unexpected problem w/ a really good anonymity network is not being able to track down an attacker though…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.