In Depth Review: New NSA Documents Expose How Americans Can Be Spied on Without A Warrant
The Guardian published a new batch of secret leaked FISA court and NSA documents yesterday, which detail the particulars of how government has been accessing Americans’ emails without a warrant, in violation of the Constitution. The documents lay bare fundamental problems with the ineffectual attempts to place meaningful limitations on the NSA’s massive surveillance program.
Essentially, the new documents, dated July 2009 and approved in August 2010, detail how the NSA deals with the huge streams of information it receives during the collection program that gathers the content of email and telephone calls, allowing it to keep vast quantities of content it could never get with a warrant. They may not be the current procedures - more on that in another blog post shortly.
The Guardian published two documents: one showing the procedures for determining if their target is foreign for purposes of surveillance under the FISA Amendments Act (FAA) and the other describing the NSA’s “minimization” procedures when they come across United States persons, which also sets out the myriad ways they can keep Americans’ communications instead of minimizing them.
Weak Standards for Avoiding Intentionally Targeting Americans
The FAA was enacted in 2008, intending to put a veneer of legal restrictions on aspects of the unconstitutional NSA spying program that has been in place since 2001. The heavily criticized law purports to protect Americans by prohibiting the NSA from “intentionally targeting” United States persons. The procedures describe a process more intent on making sure it was not “intentional” than ensuring Americans were not actually spied upon.
The Washington Post previously reported that the NSA only needs to have 51% confidence in a person’s “foreignness.” These new documents reveal that if the NSA cannot determine its target's 'foreignness,' they can keep on spying. Instead, you “will be presumed to be a non-United States person unless [you] can be positively identified as a United States person."
The targeting document also references a key fact that the NSA has previously shrouded in secrecy and word games: the existence of an NSA database of the content of communications. When checking for “foreignness,” the document instructs the NSA to “Review NSA content repositories and Internet communications data repositories.” In the Jewel litigation, we have contended for years that the NSA has a database of content, and now have an explicit reference.
The targeting document also exposes the government’s deceptive strategy to down-play their gigantic database of all the phone call records of Americans, obtained by misusing Section 215 of the PATRIOT Act. They collect all information on who you call and how long the call lasts, but as President Obama emphatically stated "There are no names." Maybe not in that database, but the documents here shows that NSA also maintains a separate database of names, telephone numbers and other identifiers.
Minimizing Domestic Communications Rules Littered With Exceptions
The second document published yesterday explains the NSA’s “minimization” procedures. Minimization refers to the process that is supposed to limit the exposure of Americans. The NSA, however, has decided to minimize the minimization.
Critically, this document reveals various loopholes that allow the NSA to access your data and read your emails without a warrant. According to the NSA document, they can retain and use information from Americans if:
- They were retained due to limitation on the NSA’s ability to filter communications.
- They contain information on criminal activity or a threat of harm to people or property. This is not very comforting – the Fourth Amendment wouldn’t mean anything if the government could search your house everyday, but would only act if they found evidence of a crime inside.
- They are encrypted or could be used for traffic analysis.
- They contain "foreign intelligence information," including if it is contained within attorney-client communications.
Your protection is summed up best by the NSA’s own description: “Personnel will use reasonable discretion in determining whether information acquired must be minimized.” While the government claims that a court order is required before they listen to an American’s call, this is only if an analyst, in his reasonable discretion, decided that the parties were American. Otherwise, no court order and no Constitutional protections are applied.
Moreover, the minimization document has tremendous loopholes. The NSA may provide un-minimized data to the CIA and FBI, if they identify the target, and to foreign governments for “technical or linguistic assistance.” While the data would then be subject to rules for those agencies, there is little assurance there would be no abuse.
Using Email Encryption or Tor Is Grounds for Surveillance
At EFF, we have long recommended anyone who cares about privacy should use tools such as PGP (“Pretty Good Privacy”) email encryption and Tor, which anonymizes your location. We still do, but are disturbed by the way the NSA treats such communications.
In the United States, it has long been held that there is a Constitutional right to anonymous speech, and exercising this right cannot be grounds for the government to invade your privacy. The NSA blows by all that by determining that, if the person is anonymous, then necessarily the NSA is not intentionally targeting a US person, with a rare exception when they have "positively identified" the user as an American. Thus, in the NSA’s view, if you use Tor, the protections for a US person simply do not apply.
More appallingly, the NSA is allowed to hold onto communications solely because you use encryption. Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted. And then at least five more years.1
NSA also says they can keep domestic communications that are "reasonably believed to contain technical data base information." The phrase “technical data base” is a specifically defined term that means “information maintained for cryptographic, traffic analytic or signal exploitation purposes.”
This suggests that the NSA believe it can keep domestic communication to the extent that they can be used for traffic analysis. This is a limitation without a meaning: all communications can be used for traffic analysis. In other words, with an aggressive read of this, they can keep all communications and don’t have to discard any.
Attorney-Client Privilege Means Nothing
The attorney client privilege is a long-standing feature of American law, one of the oldest and most cherished privileges through out the ages. As one court explained, it is the cornerstone of the privilege is “that one who seeks advice or aid from a lawyer should be completely free of any fear that his secrets will be uncovered.”
The NSA document shows they cut through this privilege like a hot knife through butter. The NSA only has to stop looking at the communication if the person is known to be under criminal indictment in the United States and communicating with her attorney for that particular matter.
This remarkably myopic view of the privilege means communications between attorneys and clients in many cases will be unduly spied on. This is exactly what the ACLU was worried about when they challenged the constitutionality of the FISA Amendments Act. They alleged that attorneys working with clients overseas had an ethical obligation not to electronically communicate with them because the NSA was likely able to read their emails. While the Supreme Court dismissed their suit for lack of standing, these documents at least in part, confirm their fears.
This could also mean any attorney-client communications with someone like Julian Assange of WikiLeaks, who has never been publicly acknowledged as indicted in the U.S., would be fair game.
Even where the privilege applies, the NSA does not destroy the information. The privileged nature is noted in the log, to “protect it” from use in criminal prosecutions, but the NSA is free to retain and use the information for other purposes. No limits on other uses, so long as the NSA General Counsel approves. This is a complete perversion of the attorney-client privilege. The privilege is designed to allow free communication of attorneys and those who they represent, so the client can get good counsel without hiding the truth from his attorney. It is not simply about preventing that communication from being used as evidence in a criminal case.
What It All Means: All Your Communications are Belong to U.S.
In sum, if you use encryption they’ll keep your data forever. If you use Tor, they’ll keep your data for at least five years. If an American talks with someone outside the US, they’ll keep your data for five years. If you’re talking to your attorney, you don’t have any sense of privacy. And the NSA can hand over you information to the FBI for evidence of any crime, not just terrorism. All without a warrant or even a specific FISA order.
It’s time the government is held accountable for these gross constitutional violations. Email your representative to demand a full-scale independent investigation into the NSA now.
- 1. Dear future NSA analyst: 09c841a6940f59d3f405c603db03366171617984ea45ecb59213fd00a6b822c7.
Recent DeepLinks Posts
May 23, 2016
May 20, 2016
May 20, 2016
May 19, 2016
May 19, 2016
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- UK Investigatory Powers Bill
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games