Using Domestic Networks to Spy on the World
Spies Without Borders I
This is the first article of our Spies Without Borders series. This article has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC, and Katitza Rodriguez, EFF International Rights Director. The Spies Without Borders series looks into how the information disclosed in the NSA leaks affects the international community and how the leaks highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, wherever we live. You can follow the Spies Without Borders series here.
Much of the U.S. media coverage of last week’s NSA revelations has concentrated on its impact on the constitutional rights of U.S.-based Internet users. But what about the billions of Internet users around the world whose private information is stored on U.S. servers, or whose data travels across U.S. networks or is otherwise accessible through them?
While the details are still emerging, what is clear is that many of the newly exposed surveillance activities have been shaped by U.S. foreign intelligence surveillance laws. The secret order for the collection of phone records from Verizon was rubber-stamped by the Foreign Intelligence Surveillance Court (FISC), a secret court established under the Foreign Intelligence Surveillance Act (FISA); the PRISM requests, the U.S. government has said, were FISA orders intended to target non-American persons outside of the United States.
As U.S. officials have repeated, FISA is designed to protect the rights of “U.S. persons” (citizens, permanent residents, and others on U.S. soil) in the face of operations targeting foreigners. But regardless of their effectiveness (or lack thereof) in achieving this objective, these slim protections offer nothing to the vast majority of Internet users around the world. Privacy expert Caspar Bowden has gone so far as to say that U.S. foreign intelligence powers “offer zero protection to foreigners’ data in U.S. Clouds.”
In this article, we will look into how the NSA leaks may affect the rest of the world, and how they highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, wherever we live.
Global Communications Networks & Trans-border Surveillance
Before looking at the specifics of the NSA’s surveillance program, it is worth noting that these programs are part of a broader trend: as greater use of cloud computing and other web-based services entails more global data routing and storage, many states gain the practical ability to capture, access and in many cases spy on data passing through their territory or accessible remotely through terminals based in their territory. While this is not an entirely new problem, the increase in practical capacity to conduct sweeping extra-territorial surveillance has not been matched with an increase in extra-territorial protections. This is especially true with foreign intelligence activities, where agencies have historically been granted close to carte blanche legal capacity to surveil foreigners, while incentives to adopt a “capture everything” approach to information gathering have been high. Now, even as it becomes feasible for foreign intelligence agencies to capture all data on all individuals everywhere, states are moving to impose this troubling carte blanche foreign intelligence paradigm on digital networks. The United States government’s FISA powers represent just such a move.
There are many indications of states’ increasing capacity to conduct sweeping and invasive extra-territorial surveillance from domestic soil. In 2009, security researchers uncovered a broad network of infiltrated computer systems, which included a significant proportion of high-value targets including foreign ministries, news media, NGOs and political dissidents around the world. Infiltration was likely used to extract sensitive documents and even to surreptitiously hijack audio and video-recording capabilities on many affected computers and transmit the captured material to IP addresses found to be based in China. While there is no direct evidence that this was a state-sponsored attack, it demonstrates the potential for vast and targeted malware-based extra-territorial surveillance. When the lid was finally blown off Gadhafi’s surveillance regime, dissidents in the United Kingdom, foreign activists, casual callers and foreign political adversaries discovered they were caught in its expansive web. Bahraini activists abroad have found malware on their machines, presumably from state-connected actors. An Angolan journalist working from Oslo discovered his Skype conversations being recorded, almost certainly to be relayed back to his government watchers at home. The German government has acquired commercial malware that gives it the ability to remotely compromise computer systems in order to spy on them, and is reportedly in the process of developing its own custom state-owned malware. While there has been no confirmation that Germany is deploying these investigative techniques against persons outside German territories, infection occurs by email and information transmission is over the Internet, so extra-territorial use is certainly feasible.
Far from reining in this growing technical capacity, domestic laws are increasingly removing all remaining barriers to extra-territorial spying. Surveying a long and growing list of legal frameworks designed to take advantage of this new-found global reach, the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, recently concluded in a report that:
These developments suggest an alarming trend towards the extension of surveillance powers beyond territorial borders, increasing the risk of cooperative agreements between State law enforcement and security agencies to enable the evasion of domestic legal restrictions.
Exacerbating this problem is an aura of secrecy that pervades trans-border electronic surveillance. The secrecy provisions inherent in U.S. foreign intelligence legislation have, for example, prevented companies like Google and Microsoft from revealing any raw statistics regarding these activities in the transparency reports they publish in their efforts to ensure the public is aware of the true scope and nature of government surveillance activities on their services. Many have now called on the U.S. government to let them do so.
The NSA Leaks: Rare Glimpses into a Vast & Unfettered International Monitoring Program
In the past week or so, new details on the scope of NSA and FBI surveillance were revealed in a series of leaks released primarily by The Guardian (one co-leaked by the Washington Post). In response to these leaks, the Director of National Intelligence has released some additional information on the parameters of the program. Collectively, these releases paint a picture of two specific aspects of surveillance programs that seem designed to leverage the trans-global nature of modern communications in order to empower U.S. foreign intelligence.
The first component targets a huge amount of metadata from telephone calls originating and/or terminating within the United States. The leaked documents reveal that at least one company – Verizon – was ordered to hand over all metadata associated with all telephone communications originating or terminating within the United States (as well as calls wholly within the United States). It has been reported that this program has been operating for about 7 years, meaning the U.S. Government could potentially have a historical database of all calls since 2008.
Metadata is defined quite broadly, to include all ‘routing’ information, as well as unique mobile phone identifiers such as International Mobile Subscriber Identity (IMSI) numbers. The enhanced capacity to generate, store and analyze metadata has transformed what may once have been innocuous data points – who spoke to whom, when, for how long, from where – into highly valuable intelligence capable of revealing people’s most intimate and private affairs. Metadata, for example, played an instrumental role in forcing former CIA Director David Petraeus to resign. Even in its most basic form – whom did you call – metadata can be extremely revealing. This invasive capacity is greatly exacerbated by the pervasiveness and scope of the NSA’s collection program.
A second revealed component of these surveillance programs is called PRISM. The full parameters and capacities of PRISM remain unclear. Initially suspected to provide back-door access to the networks of a number of Internet companies, giving the NSA direct, unilateral access to search service providers’ networks, PRISM is painted by more recent reports as a more narrowly curtailed, but still potentially troubling, interface. At its most innocuous, PRISM appears to be a database capable of interacting directly with the networks of participating Internet companies through a series of portals whose specific features and capacities are negotiated and developed with each participating company. Acquisition orders are issued under FISA and sent to the respective companies, who then review them and make use of the portal to respond to the orders electronically. This provides responses in a quicker and more efficient manner than could be otherwise achieved. Portals of this nature have reportedly been set up in other jurisdictions, albeit for law enforcement purposes. It is possible, but not confirmed, that some of the portals in question also facilitate qualitatively different levels of data acquisition. For example, citing a lawyer representing one of the companies in question, the New York Times reports that Internet companies do have the technical capacity to digitally transmit data in real-time to the NSA where a valid FISA order requires this. It is not clear whether this real-time transmission capacity is mediated through the PRISM interface directly. While a U.S. law requires carriers and managed VoIP providers (potentially including Skype) to build real-time interception capabilities into their services, these obligations have not yet been applied to Internet services such as Gmail and Facebook, so real-time access capacity would signal a meaningful qualitative shift in access capability.
Even without the addition of real-time acquisition capacities, however, the PRISM leaks still reveal a program that leverages the domestic presence of remote computing services in order to collect significant amounts of personal data that many individuals around the world would consider highly sensitive. Various reports describe PRISM as providing access to emails, online chats (video and voice), photos, file transfers, search queries, online social networking details and more. The leaks point to this social media, email and cloud data as growing not only in scope, but also in frequency of use. Reports suggest that PRISM information collection interfaces are designed to limit exposure of U.S.-based targets on a balance of probabilities: “designed to produce at least 51 percent confidence in a target’s foreignness.”
An additional leak provided further insight into the staggering size of the NSA’s overall communications surveillance activities. While there have always been hints of the breadth of these activities – earlier this year it was reported the NSA was building a data centre the size of a small village just to store (and analyze) all the data it was collecting – this leak provided specific details on the immense amount of data collected by the NSA on a monthly basis. For example, in March 2013 alone, it seems the NSA collected 97 billion pieces of intelligence from computer networks worldwide, bringing new meaning to the term ‘big data’. As explained below, given the questionable legality of NSA domestic surveillance, a lot of the attention from this final revelation will be focused on the close to 3 billion data points marked as ‘United States’. However, the rest of the world should be more concerned with the remaining 94 billion data points, particularly in light of the highly dim prospects of a domestic legal remedy to this collection, given that such collection occurs under powers intended to facilitate broad surveillance of foreigners outside the U.S.
One more element of the PRISM system is worth examining in light of its implications for non-U.S. persons. According to the Guardian, the United Kingdom’s NSA counterpart, the Government Communications Headquarters (GCHQ), apparently has had access to the PRISM database, generating 197 intelligence reports in 2012 – far less than the 2,000 reports per month issued by the NSA, but still not an insubstantial amount. This raises concerns as the PRISM database is populated through extraordinary NSA foreign intelligence powers that far exceed what most democratic governments would be allowed to accomplish under their own laws. It is not clear, for example, that GCHQ would have the legal ability to set up its own PRISM system. If the United States is allowing its security services to collect vast amounts of data on the citizens of its allies, and then freely hands that data over to their security services, whatever protections those citizens might have under domestic surveillance law are completely undermined. And we still don't know what information the U.S. government might receive in return.
In our next Spies Without Borders post, we'll take a closer look at the U.S. laws at the heart of these programs, and why they leave non-U.S. citizens out in the cold.