The National Security Agency can legally monitor every American, inside and outside the U.S., “by collecting their network traffic abroad,” according to a working paper by researchers at Harvard University and Boston University.
This can happen without any checks and balances from Congress or the Foreign Intelligence Surveillance Court, which oversees surveillance requests from the NSA, said researchers Axel Arnbak of Harvard’s Berkman Center for Internet & Society and Sharon Goldberg, a BU assistant professor of computer science.
The paper documents what it calls “interdependent technical and legal loopholes” that the NSA could use to snoop on American citizens inside the U.S.
Arnbak and Goldberg aren’t the only ones raising red flags. The Privacy and Civil Liberties Oversight Board, an independent federal agency that ensures “liberty concerns” are considered in anti-terrorism policy, is reviewing the same NSA legal authority as the researchers, and a former State Department official warned in a recent op-ed that the legal authority is prone to abuse.
The researchers focus on Executive Order 12333, which was issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, and the U.S. Signals Intelligence Directive 18. The executive order “has largely been ignored by the public and other branches of Government in recent months, especially since relevant legal documents related to EO 12333 remain classified or redacted,” the working paper said.
Section 215 of the Patriot Act and the Foreign Intelligence Surveillance Act (FISA) limit the NSA’s authority to carry out domestic electronic surveillance, whereas the executive order does not have any congressional oversight and has never been subject to court review.
If messages between two people in the U.S. are intercepted and rerouted through overseas routers, Arnbak and Goldberg say, the NSA could stockpile massive amounts of data and content without violating U.S. law.
“There are various ways one could ‘deliberately’ reroute traffic international[ly] in a manner that is very hard to detect,” such as through “DNS cache poisoning,” Goldberg told The College Fix. She clarified that there’s no evidence “that the NSA or any other government agency is actually doing this,” and that her study with Arnbak was meant to shine a light on loopholes, not to disclose illegal wiretaps.
Executive Order 12333 is on the “short-term agenda” of the Privacy and Civil Liberties Oversight Board, following its review of Section 215 and FISA Section 702, Chairman David Medine said at the body’s July 23 public meeting.
The attorney general’s guidelines for implementing the executive order – some of which go back 30 years – had already been identified as “outdated, to say the least,” when Medine joined the board last year, he said. The board will not only keep advocating for the guidelines to be updated, but also consider “how to approach 12333 more broadly” and look at staff recommendations for the order’s operations, he said.
It’s legal to collect an individual’s communications if that collection happens “incidentally” during the course of a lawful overseas foreign intelligence investigation, The Washington Post reported last month following a four-month investigation. An affected U.S. person, who may have never directly interacted with a lawful target, does not have to be suspected of wrongdoing, and there’s no limit on the volume of communications that may be collected and retained through such incidental eavesdropping.
Former State Department official John Napier Tye, who served as section chief for Internet freedom in the Bureau of Democracy, Human Rights and Labor until January and testified at Medine’s public meeting, warned in a Washington Post op-ed last month that Executive Order 12333’s definition of “incidental” is vague and ripe for abuse.
“‘Incidental’ collection may sound insignificant, but it is a legal loophole that can be stretched very wide,” Tye said. Citing reports that the NSA is building a Utah data center with its own power plant, he said, “‘Incidental collection’ might need its own power plant.”
While the executive order might have been a sensible measure in the past, with different levels of privacy for information depending on where it was gathered, “an email from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain,” Tye wrote. “The same is true for most purely domestic communications.”
Arnbak agreed. “As long as you tailor your operation to those ancient laws,” he told The College Fix via email, “we find that a range of new surveillance techniques may be conducted fairly unrestrained.”
The NSA told the Boston Globe that neither the executive order nor the directive “authorizes targeting of US persons for electronic surveillance by routing their communications outside of the US.” The agency said that under federal law, it still needs to get a judge to approve a court order before it can “target any US person anywhere in the world for electronic surveillance.”
College Fix contributor Christopher White is a University of Missouri graduate student and an editorial assistant for The College Fix.