Exactly How the NSA Is Getting Away With Spying on US Citizens

The Guardian published a new batch of secret leaked FISA court and NSA documents yesterday, which detail the particulars of how government has been accessing Americans’ emails without a warrant, in violation of the Constitution. The documents lay bare fundamental problems with the ineffectual attempts to place meaningful limitations on the NSA’s massive surveillance program.

There is a lot of PRISM data getting leaked out there; it's hard to keep track of it all. Lucky for all of us, the Electronic Frontier Foundation is on the case. And here's its in-depth look at all the little loopholes that are letting the NSA spy on U.S. citizens everywhere without a warrant in sight.

Essentially, the new documents, dated July 2009 and approved in August 2010, detail how the NSA deals with the huge streams of information it receives during the collection program that gathers the content of email and telephone calls, allowing it to keep vast quantities of content it could never get with a warrant. They may not be the current procedures - more on that in another blog post shortly.

The Guardian published two documents: one showing the procedures for determining if their target is foreign for purposes of surveillance under the FISA Amendments Act (FAA) and theother describing the NSA’s “minimization” procedures when they come across United States persons, which also sets out the myriad ways they can keep Americans’ communications instead of minimizing them.

Weak Standards for Avoiding Intentionally Targeting Americans

The FAA was enacted in 2008, intending to put a veneer of legal restrictions on aspects of the unconstitutional NSA spying program that has been in place since 2001. The heavily criticized law purports to protect Americans by prohibiting the NSA from “intentionally targeting” United States persons. The procedures describe a process more intent on making sure it was not “intentional” than ensuring Americans were not actually spied upon.

The Washington Post previously reported that the NSA only needs to have 51% confidence in a person’s “foreignness.” These new documents reveal that if the NSA cannot determine its target's 'foreignness,' they can keep on spying. Instead, you “will be presumed to be a non-United States person unless [you] can be positively identified as a United States person."

The targeting document also references a key fact that the NSA has previously shrouded in secrecy and word games: the existence of an NSA database of the content of communications. When checking for “foreignness,” the document instructs the NSA to “Review NSA content repositories and Internet communications data repositories.” In the Jewel litigation, we have contended for years that the NSA has a database of content, and now have an explicit reference.

The targeting document also exposes the government’s deceptive strategy to down-play their gigantic database of all the phone call records of Americans, obtained by misusing Section 215 of the PATRIOT Act. They collect all information on who you call and how long the call lasts, but as President Obama emphatically stated "There are no names." Maybe not in that database, but the documents here shows that NSA also maintains a separate database of names, telephone numbers and other identifiers.

Minimizing Domestic Communications Rules Littered With Exceptions

The second document published yesterday explains the NSA’s “minimization” procedures. Minimization refers to the process that is supposed to limit the exposure of Americans. The NSA, however, has decided to minimize the minimization.

Critically, this document reveals various loopholes that allow the NSA to access your data and read your emails without a warrant. According to the NSA document, they can retain and use information from Americans if:

  • They were retained due to limitation on the NSA’s ability to filter communications.
  • They contain information on criminal activity or a threat of harm to people or property. This is not very comforting – the Fourth Amendment wouldn’t mean anything if the government could search your house everyday, but would only act if they found evidence of a crime inside.
  • They contain "foreign intelligence information," including if it is contained within attorney-client communications.

Your protection is summed up best by the NSA’s own description: “Personnel will use reasonable discretion in determining whether information acquired must be minimized.” While the government claims that a court order is required before they listen to an American’s call, this is only if an analyst, in his reasonable discretion, decided that the parties were American. Otherwise, no court order and no Constitutional protections are applied.

Moreover, the minimization document has tremendous loopholes. The NSA may provide un-minimized data to the CIA and FBI, if they identify the target, and to foreign governments for “technical or linguistic assistance.” While the data would then be subject to rules for those agencies, there is little assurance there would be no abuse.

Using Email Encryption or Tor Is Grounds for Surveillance

At EFF, we have long recommended anyone who cares about privacy should use tools such as PGP (“Pretty Good Privacy”) email encryption and Tor, which anonymizes your location. We still do, but are disturbed by the way the NSA treats such communications.

In the United States, it has long been held that there is a Constitutional right to anonymous speech, and exercising this right cannot be grounds for the government to invade your privacy. The NSA blows by all that by determining that, if the person is anonymous, thennecessarily the NSA is not intentionally targeting a US person, with a rare exception when they have "positively identified" the user as an American. Thus, in the NSA’s view, if you use Tor, the protections for a US person simply do not apply.

More appallingly, the NSA is allowed to hold onto communications solely because you use encryption. Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted. And then at least five more years.1

Traffic Analysis

NSA also says they can keep domestic communications that are "reasonably believed to contain technical data base information." The phrase “technical data base” is a specifically defined term that means “information maintained for cryptographic, traffic analytic or signal exploitation purposes.”

This suggests that the NSA believe it can keep domestic communication to the extent that they can be used for traffic analysis. This is a limitation without a meaning: all communications can be used for traffic analysis. In other words, with an aggressive read of this, they can keep all communications and don’t have to discard any.

Attorney-Client Privilege Means Nothing

The attorney client privilege is a long-standing feature of American law, one of the oldest and most cherished privileges through out the ages. As one court explained, it is the cornerstone of the privilege is “that one who seeks advice or aid from a lawyer should be completely free of any fear that his secrets will be uncovered.”

The NSA document shows they cut through this privilege like a hot knife through butter. The NSA only has to stop looking at the communication if the person is known to be under criminal indictment in the United States and communicating with her attorney for that particular matter.

This remarkably myopic view of the privilege means communications between attorneys and clients in many cases will be unduly spied on. This is exactly what the ACLU was worried about when they challenged the constitutionality of the FISA Amendments Act. They alleged that attorneys working with clients overseas had an ethical obligation not to electronically communicate with them because the NSA was likely able to read their emails. While the Supreme Court dismissed their suit for lack of standing, these documents at least in part, confirm their fears.

This could also mean any attorney-client communications with someone like Julian Assange of WikiLeaks, who has never been publicly acknowledged as indicted in the U.S., would be fair game.

Even where the privilege applies, the NSA does not destroy the information. The privileged nature is noted in the log, to “protect it” from use in criminal prosecutions, but the NSA is free to retain and use the information for other purposes. No limits on other uses, so long as the NSA General Counsel approves. This is a complete perversion of the attorney-client privilege. The privilege is designed to allow free communication of attorneys and those who they represent, so the client can get good counsel without hiding the truth from his attorney. It is not simply about preventing that communication from being used as evidence in a criminal case.

What It All Means: All Your Communications are Belong to U.S.

In sum, if you use encryption they’ll keep your data forever. If you use Tor, they’ll keep your data for at least five years. If an American talks with someone outside the US, they’ll keep your data for five years. If you’re talking to your attorney, you don’t have any sense of privacy. And the NSA can hand over you information to the FBI for evidence of any crime, not just terrorism. All without a warrant or even a specific FISA order.

It’s time the government is held accountable for these gross constitutional violations. Email your representative to demand a full-scale independent investigation into the NSA now.

Republished from the Electronic Frontier Foundation under Creative Commons