Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad
Also presented at Privacy Enhancing Technologies Symposium (HOTPETS'14), Amsterdam, NL, July 2014.
47 Pages Posted: 30 Jun 2014 Last revised: 16 Jun 2015
Date Written: 2015
We reveal interdependent legal and technical loopholes that the U.S. intelligence community could use to circumvent constitutional and statutory safeguards for Americans. These loopholes involve the collection of Internet traffic on foreign territory, and leave Americans as unprotected as foreigners by current U.S. surveillance laws. We also describe how modern Internet protocols can be manipulated to deliberately divert American's traffic abroad, where traffic can then be collected under a more permissive legal regime (Executive Order 12333) that is overseen solely by the Executive branch of the U.S. government. While the media has reported on some of the techniques we describe, we cannot establish the extent to which these loopholes are exploited in practice.
An actionable short-term remedy to these loopholes involves updating the antiquated legal definition of "electronic surveillance" in the Foreign Intelligence Surveillance Act (FISA), that has remained largely intact since 1978. On the long term, however, a fundamental reconsideration of established principles in U.S. surveillance law is required, since these loopholes cannot be closed by technology alone. Legal issues that require reconsideration include: the determination of applicable law by the geographical point of collection of network traffic; the lack of general constitutional or statutory protection for network traffic collection before users are "intentionally targeted"; and the fact that constitutional protection under the Fourth Amendment is limited to "U.S. persons" only. The combination of these three principles means that Americans remain highly vulnerable to bulk surveillance when the U.S. intelligence community collects their network traffic abroad.
Notes: The paper is accepted and will be presented at the Privacy Enhancing Technologies Symposium of July 2014, during the HOTPETS session.
Keywords: Surveillance, Privacy, FISA, Executive Order 12333, Network protocols, DNS attacks, BGP attacks
Suggested Citation: Suggested Citation