A report from researchers at Harvard University and Boston University warns that the National Security Agency could freely monitor the electronic communications of American citizens by rerouting Internet traffic through overseas networks.
Federal intelligence services have greater legal latitude to conduct electronic surveillance outside the United States, the researchers said. If messages between two parties in the United States could be routed through foreign data centers, the NSA could scoop up the data without violating US law.
“The surveillance law that purports to protect American communications contains several major loopholes,” said Axel Arnbak, a security and privacy law researcher at Harvard’s Berkman Center For Internet & Society. “We’ve found several known and also several new ways that intelligence agencies can exploit the legal loopholes.”
Arnbak identified those loopholes in a paper he co-authored with Sharon Goldberg, a BU assistant professor of computer science the pair will present later in July at a conference in the Netherlands.
Goldberg said they did not find any evidence that the NSA is actually rerouting Internet traffic. “The reason we wrote this is to point out that it could happen.”
Two federal laws, the Patriot Act and the Foreign Intelligence Surveillance Act, or FISA, limit domestic eavesdropping on US citizens. For instance, the Washington Post reported recently that a program to spy on foreigners suspected of terrorism inadvertently scooped up information on as many as 65,000 Americans. In order to comply with FISA, the NSA redacted information about US citizens from the database.
But when it conducts surveillance overseas, the NSA’s activities are governed not by federal law, but by presidential Executive Order 12333, and the NSA’s Signals Intelligence Directive 18. Neither of these guidelines are as strict as the FISA, and they are not subject to oversight by Congress or the courts.
The executive order, first issued in 1981, “authorizes the NSA to conduct largely unrestrained surveillance operations on foreign soil,” Arnbak and Goldberg write.
In a statement, the NSA said neither the executive order or agency directive “authorizes targeting of US persons for electronic surveillance by routing their communications outside of the US.” Moreover, the agency would under federal law still need to get judge to approve a court order before it could “target any US person anywhere in the world for electronic surveillance.”
But in October documents leaked by former NSA engineer Edward Snowden revealed the existence of a program codenamed Muscular, which tapped the overseas traffic of the giant Internet companies Google Inc. and Yahoo Inc. and gained access to millions of messages transmitted by American users.
The taps were placed outside the United States, and so broke no American laws. In addition, the taps were not intended to monitor specific American individuals, which would require a court order. However, the NSA can retain any data inadvertently collected from American citizens if the agency has reason to believe the data contains “significant foreign intelligence” or evidence of a crime.
Arnbak and Goldberg said that the NSA could increase its surveillance of Americans by modifying overseas communications networks so that they would intercept data being transmitted between destinations inside the United States. As soon as the data passes through a foreign server, the NSA could legally monitor it, they said.
“There are all sorts of things you can do to change the flow of traffic,” Goldberg said.
For example, the NSA could use a foreign computer to feed deceptive information to the Domain Name Service, the system that translates numerical Internet addresses into easily understood names like google.com.
This inaccurate address data could trick American computers to send data traffic meant for Google to an overseas NSA site instead, Goldberg said. After this data is recorded, it would be rerouted to Google’s real address, leaving no sign that the messages had been intercepted.
“Unfortunately, the idea of surreptitiously routing information around the Internet is in fact technically feasible,” said Jeremy Gillula, a staff technologist at the Electronic Frontier Foundation in San Francisco. “As long as you had a clear path to the real Google, they could intercept all your traffic back and forth.”
Arnbak said that it is unclear whether this rerouting tactic would be legal under the laws of other countries. But he noted that the NSA could shield itself by using a foreign data center owned by a US company, or by teaming up with an allied foreign intelligence service. The Muscular program, for instance, was a joint venture with GCHQ, Britain’s electronic spying agency.