10 research outputs found

    Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad

    This Article reveals interdependent legal and technical loopholes that the US intelligence community could use to circumvent constitutional and statutory safeguards for Americans. These loopholes involve the collection of Internet traffic on foreign territory, and leave Americans as unprotected as foreigners by current United States (US) surveillance laws. This Article will also describe how modern Internet protocols can be manipulated to deliberately divert Americans’ traffic abroad, where traffic can then be collected under a more permissive legal regime (Executive Order 12333) that is overseen solely by the executive branch of the US government. Although the media has reported on some of the techniques we describe, we cannot establish the extent to which these loopholes are exploited in practice. An actionable short-term remedy to these loopholes involves updating the antiquated legal definition of “electronic surveillance” in the Foreign Intelligence Surveillance Act (FISA), that has remained largely intact since 1978. In the long term, however, a fundamental reconsideration of established principles in US surveillance law is required, since these loopholes cannot be closed by technology alone. Legal issues that require reconsideration include the determination of applicable law by the geographical point of collection of network traffic, the lack of general constitutional or statutory protection for network-traffic collection before users are “intentionally targeted,” and the fact that constitutional protection under the Fourth Amendment is limited to “US persons” only. The combination of these three principles results in high vulnerability for Americans when the US intelligence community collects Americans’ network traffic abroad.

    New Data Security Requirements and the Proceduralization of Mass Surveillance Law after the European Data Retention Case

    This paper discusses the regulation of mass metadata surveillance in Europe through the lens of the landmark judgment in which the Court of Justice of the European Union struck down the Data Retention Directive. The controversial directive obliged telecom and Internet access providers in Europe to retain metadata of all their customers for intelligence and law enforcement purposes, for a period of up to two years. In the ruling, the Court declared the directive in violation of the human rights to privacy and data protection. The Court also confirmed that the mere collection of metadata interferes with the human right to privacy. In addition, the Court developed three new criteria for assessing the level of data security required from a human rights perspective: security measures should take into account the risk of unlawful access to data, and the data’s quantity and sensitivity. While organizations that campaigned against the directive have welcomed the ruling, we warn of the risk of proceduralization of mass surveillance law. The Court did not fully condemn mass surveillance that relies on metadata, but left open the possibility of mass surveillance if policymakers lay down sufficient procedural safeguards. Such proceduralization brings systematic risks for human rights. Government agencies, with ample resources, can design complicated systems of procedural oversight for mass surveillance - and claim that mass surveillance is lawful, even if it affects millions of innocent people.

    Security Collapse in the HTTPS Market

    No full text
    Assessing legal and technical solutions to secure HTTPS