How Traffic Shaping Can Help the NSA Evade Legal Oversight
New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.
From a news article:
The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws—notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.
But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch—along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil—can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.
The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.
An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.
The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.
We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.
EDITED TO ADD (7/13): Author responds to NSA comments.
Daniel • July 1, 2014 5:57 PM
“The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.”
I’d like to point out that it is not clear that this true as legal matter.
http://news.yahoo.com/border-agent-shot-mexican-teen-sued-court-says-171004594.html?.tsrc=attcf
The actual judicial opinion discusses at great length when the 4A applies abroad but the key takeaway is that there are circumstances when the 4A does in fact apply abroad, even to non-US citizens. In the case discussed in the article the court held that the 4A didn’t apply but that the 5A did.
This area of the law has yet to be litigated fully. It may well be that as time marches on the courts may find that the 4A does in fact apply to data stored oversees.