An English version of this post was published on Freedom to Tinker on 12 May 2014.

Vandaag komt het langverwachte boek van Glenn Greenwald uit, ‘No Place to Hide’. Naast persoonlijke verhalen over samenwerken met klokkenluider Edward Snowden, belooft Greenwald nieuwe onthullingen van surveillance praktijken van Westerse inlichtingendiensten. In de laatste weken, heb ik samen met Sharon Goldberg (Computer Science, Boston University) een publicatie voorbereid over ‘Executive Order 12333’. Volgens de NSA is dit besluit van President Reagan de ‘belangrijkste juridische grondslag’ voor massale surveillance buiten de V.S. In ons paper beargumenteren we dat ‘EO 12333’ juridische mazen mogelijk maakt in de Amerikaanse Grondwet, waardoor diensten als de NSA vrij van toezicht door het V.S. Congres of de rechter en andere juridische waarborgen Amerikaanse communicatie kunnen afluisteren en analyseren.

Als onafhankelijke onderzoeker, kunnen we natuurlijk  niet weten wat Amerikaanse diensten precies uitvoeren. Maar ons centrale punt is, dat de wetten en de techniek het mogelijk maken om de Amerikaanse Grondwet, die overigens alleen bescherming biedt voor Amerikanen, te omzeilen.  Hiermee willen we de wetenschappelijke en de politieke discussie in Amerika informeren: denk niet dat nationaliteit een waarborg is tegen de sleepnetten van je eigen diensten.

Sharon en ik vragen ons nu af: zal het nieuwe boek van Greenwald onze theoretische bevindingen bevestigen met nieuwe onthullingen? Gisteren publiceerde Greenwald ineens een flarde over het hacken van routers, die bestemd zijn voor het buitenland. Het zou dus zomaar kunnen. Hier de samenvatting van ons paper, volgende week de eerste versie online.

Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad

In this multi-disciplinary paper, we reveal interdependent legal and technical loopholes that intelligence agencies of the U.S. government could use to circumvent 4th Amendment and statutory safeguards for Americans. We outline known and new circumvention techniques that can leave the Internet traffic of Americans as vulnerable to surveillance, and as unprotected by U.S. law, as the Internet traffic of foreigners.

First, we describe the current U.S. regulatory framework for intelligence gathering. From public and (until recently) secret primary legal sources, three regimes can be distinguished, based on where the surveillance is conducted and who it targets:

1. Surveillance of domestic communications conducted on U.S. soil under s.215 of the Patriot Act;
2. Surveillance of foreign communications conducted on U.S. soil under s.702 of the Foreign Intelligence Surveillance Act; and
3. Surveillance conducted entirely abroad under EO 12333 and its permissive minimization policies, such as the recently released U.S. Signals Intelligence Directive 18 (“USSID 18”). USSID 18 was drafted and approved within the Executive branch with minimal congressional or judicial oversight.

We outline when these regimes apply, and how the level of legal protection substantially decreases when a surveillance operation presumes two connected criteria: i) it does not target a particular, known U.S. person, and ii) it is conducted abroad. The key insight we develop is that by constructing plausible presumptions that a surveillance operation meets these two legal criteria, the legal regime of EO 12333 can be applied to a surveillance operation, with minimal protection for American communications ‘incidentally’ or ‘inadvertantly’ collected. While the Patriot Act and FISA have attracted most media attention, according to the N.S.A., the regime under EO 12333 is indeed the “primary legal authority” [pdf, p. 2-3] for its operations.

Next, we discuss known and new techniques that may exploit these legal loopholes for surveillance of American communications. One known method is to monitor American network traffic while it is routed or stored abroad. The revealed MUSCULAR/TURMOIL program illustrates how the NSA presumed authority under EO 12333 to acquire traffic between Google and Yahoo! servers located on foreign territory, collecting up to 180 million user records per month abroad, regardless of efforts to establish whether or not the surveillance concerns “a known, particular U.S. person.” In addition to eavesdropping on intradomain traffic (i.e., data sent within a network belonging to a single organization), we discuss exploiting these loopholes in the interdomain setting, where traffic traverses networks belonging to different organizations. We explain why interdomain routing with BGP can naturally cause traffic originating in a U.S. network to be routed abroad, even when it is destined for an endpoint located on U.S. soil. We also show how core Internet protocols – BGP and DNS – can be deliberately manipulated to force traffic originating in American networks to be routed abroad. We discuss why these deliberate manipulations fall within the permissive EO 12333 regime, and how they can be used to collect, in bulk, all internet traffic (including metadata and content) sent between a pair of networks, even if both networks are located on U.S. soil (e.g., from Harvard University to Boston University).

Finally, we explore technical, legal and policy solutions that address the international surveillance loophole. We discuss why technical solutions like encryption, DNSSEC, and the RPKI can help combat these risks, but still are no panacea. Even encrypted traffic, for example, exposes metadata about which parties are communicating. Meanwhile, the NIST Cybersecurity Framework (February 2014) leaves encryption implementation to individual companies, rather than proactively creating market incentives stimulating uptake across industries. The proposed U.S.A. Freedom Act and 4th Amendment case-law concentrate on legal safeguards for “known, particular U.S. persons”, and offer little promise in closing the international surveillance loophole for Americans.

We do not intend to speculate on whether or not the intelligence community is exploiting the interdependent technical and legal loopholes that we describe in this paper. Instead, our aim is to broaden our understanding of the possibilities at hand. Our analysis suggests that, without a fundamental reconsideration of the lack of privacy and due process safeguards for foreigners, current surveillance legislation opens the door for ubiquitous surveillance on Americans from abroad.

Our paper combines descriptive, internal legal analysis with threat models from computer science, and offers new insights for normative policy evaluation and analytical frameworks for further research. This research is a work-in-progress and will be posted online shortly.