Back when Yahoo was something hollered at a rodeo, and no one could conceive of Googling anything, President Ronald Reagan signed an executive order that extended the power of U.S. intelligence agencies overseas, allowing broader surveillance of non-U.S. suspects. At the time, no one imagined he was granting authority to spy on what became known as Silicon Valley.
But recent reports that the National Security Agency secretly broke into communications on Yahoo and Google overseas, have technology companies, privacy advocates and even national security proponents calling for a re-examination of Reagan’s order and other intelligence laws.
Experts suggest a legislative update is long overdue, to clear up what Electronic Frontier Foundation legal director Cindy Cohn calls “lots of big gray areas.”
With the cooperation of foreign allies, the NSA is potentially gaining access to every email sent or received abroad, or between people abroad, from Google and Yahoo’s email services, as well as anything in Google Docs, Maps or Voice, according to a series of articles in the Washington Post. It’s impossible to know how many of Google and Yahoo’s collective 1.8 billion accounts are affected, but in a single 30-day period last year, field collectors processed and warehoused more than 180 million new records — ranging from “metadata,” which would indicate who sent or received emails and when, to content such as text, audio and video, the Post reported.
The NSA and its British counterpart, the U.K. Government Communications Headquarters, have intercepted and tapped into data funneled by Google and Yahoo through fiber optic cables, routing information in an NSA operation called Muscular, the Post reported. The information was provided to the newspaper by former NSA contract employee Edward Snowden, who is being sought by the U.S. for leaking classified information.
“Had the NSA done the same warrantless tapping at Google’s Mountain View, California, headquarters, there’s no doubt they would be violating the law,” said Cohn, whose San Francisco-based non-profit fights for digital freedoms. “They’re doing this abroad because they want that fig leaf of legality.”
The NSA, in an online statement, says its collection operations comply with federal laws and orders.
Reagan’s 1981 Executive Order 12333, for the first time in a public, written record, allowed foreign covert action to be conducted from inside the U.S. The measure, amended several times after 9/11, outlines key rules for more than a dozen intelligence agencies. It spells out when spies are allowed to peek into mail, homes and electronics; identifies who has to approve of specific searches; and details how to carry out clandestine collection of foreign intelligence.
“What NSA does is collect the communications of targets of foreign intelligence value, irrespective of the provider that carries them,” the agency said, likening the data channels at private firms to super highways.
In other words, the NSA is not targeting information about Google and Yahoo as such, but is conducting surveillance on foreigners, using the services these companies provide, said University of Indiana law professor David Fidler. But Fidler says this explanation ignores the fact that the NSA is directly targeting the facilities of U.S. companies, “even if the information ostensibly sought concerned foreign persons.”
Even Google’s chairman Eric Schmidt, outraged by the invasion, says he’s not sure it is illegal, telling CNN the operation is “perhaps a violation of law, but certainly a violation of mission.”
It is unclear exactly how the intrusions were carried out, but Daniel Castro, senior analyst at the Washington nonprofit Information Technology and Innovation Foundation, suspects the surveillance required a computer-savvy person, either working for the NSA, another government, or a contractor, to physically get inside a network provider’s facilities to tap into the fiber optic network and route a copy of the online traffic into their own network. The setup could be similar to a secret NSA room built into an AT&T building in San Francisco in 2002, and made public by a retired AT&T staffer in 2007.
The Post reported that the NSA isn’t breaking into accounts as they sit, stored in data centers, but is able to gather the emails and other communications as they move between them.
The NSA says that if they accidentally scoop up extra, non-criminal related information from Americans, there are strict limits about how it can be used. But there’s no guarantee those limits apply if British intelligence agents are doing the rerouting and then turning information over to the NSA, and the Obama Administration will not talk about the methods used.
Thus the immediate pushback from advocates is a loud call for new laws.
“It’s a relatively new phenomenon, that the government is sweeping through American communications outside the U.S., so there haven’t been a lot of legal decisions,” said American Civil Liberty Union’s national security project attorney Patrick Toomey. “We think that these revelations show the ways in which the surveillance laws are in desperate need of reform. The location in which surveillance and collection occurs no longer matters.”
Those reforms are already underway, spearheaded by the USA FREEDOM Act, introduced by Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Congressman Jim Sensenbrenner (R-Wisc.), chairman of the Crime and Terrorism Subcommittee in the House. The proposed legislation, which is widely supported by the tech industry, including Google, seeks to limit the NSA’s surveillance powers, both here and abroad. The bill appears to have bipartisan support.
But it might not go far enough for Kel McClanahan, executive director of National Security Counselors, which represents clients involved in security or privacy law-related proceedings. McClanahan says that in addition to the broad privacy questions, there’s a problem with the NSA actions when it comes to attorney-client privilege. Working with an attorney in the United Kingdom, McClanahan is currently fighting a legal Freedom of Information Act battle with the NSA, seeking documents related to Sharif Mobley, a U.S. citizen charged with terrorism in Yemen. Under current law, says McClanahan, the NSA could ostensibly tap into the private communications between himself and the British attorney he is working with, and read the litigation strategies as he and the British attorney plan them.
“From what I can tell, what they’re doing is technically legal, because of the lack of any law prohibiting it,” he said.
The NSA says it has “minimization procedures” that limit how deeply it can examine communications of U.S. citizens while they’re in the U.S., but it’s unclear whether they extend to foreign attorneys.
Earlier reports, based on Snowden’s documents, revealed the existence of other NSA programs, including the PRISM data-gathering program, which forces major tech firms to turn over the detailed contents of internet communications, although those required court orders.
The difference this time is that the NSA is “tapping into the data centers as a backdoor activity, which made the tech firms extremely unhappy,” said attorney Pat Fowler, who handles data privacy and security cases from his Phoenix, Arizona office.
Indeed, several Google engineers who spend their days fighting hackers fired back with furious online responses to their systems being targeted.
And it’s quite possible Yahoo and Google weren’t the only ones, said Fowler, noting that Microsoft’s Hotmail, with Google’s Gmail and Yahoo’s email, dominate the email market.
“It wouldn’t be a stretch to think they might try to get that data from the other entities,” said Fowler.
Attorney Steven Bradbury, who headed the Justice Department’s office of legal counsel until 2009, used to advise the president and executives on constitutional questions of privacy and security. Today he says public concerns about invasions of privacy are off base, because the NSA is not allowed to target U.S. data abroad, and when it gets it, there are tight limits.
“Communications that travel over wires overseas are susceptible to interception by all kinds of foreign governments that are active in collecting and doing surveillance,” he said. “The difference is that the NSA and U.S. intelligence agencies are subject to strict rules and oversight. There’s much more protection for U.S. persons than for foreign citizens.”