Spies Without Borders I: Using Domestic Networks to Spy on the World

This article has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC and Katitza Rodriguez, EFF International Rights Director.  The Spy Without Borders posts are looking into how the information disclosed in the NSA leaks affect the international community and how they highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, whereever we live. This article has been crossposted on the website of OpenMedia.ca. You can follow the Spy Without Borders series here.

Much of the U.S. media coverage of last week’s NSA revelations has concentrated on its impact on the constitutional rights of U.S.-based Internet users. But what about the billions of Internet users around the world whose private information is stored on U.S. servers, or whose data travels across U.S. networks or is otherwise accessible through them?

While the details are still emerging, what is clear is that many of the newly exposed surveillance activities have been shaped by U.S. foreign intelligence surveillance laws. The secret court that rubberstamped the collection of phone records from Verizon came from the Foreign Intelligence Surveillance Court (FISC), a secret court established under the Foreign Intelligence Surveillance Act (FISA); the PRISM requests, the U.S. government has said, were FISA orders intended to target non-American persons outside of the United States.

As U.S. officials have repeated, FISA is designed to protect the rights of “U.S. persons” (citizens, permanent residents, and others on U.S. soil) in the face of operations targeting foreigners. But regardless of their effectiveness (or lack thereof) in achieving this objective, these slim protections offer nothing to the vast majority of Internet users around the world. One privacy expert, Caspar Bowden, has gone so far as to say that U.S. foreign intelligence powers “offer[] zero protection to foreigners’ data in U.S. Clouds.”

In this article, we will look into how the NSA leaks may affect the rest of the world, and how they highlight one part of an international system of surveillance that dissolves what national privacy protections any of us have, where ever we live.

Global Communications Networks & Trans-border Surveillance

Before looking at the specifics of the NSA’s surveillance program, it is worth noting that these programs are part of a broader trend: as greater use of cloud computing and other web-based services entails more global data routing and storage, many states gain the practical ability to capture, access and in many cases spy on data passing through their territory or accessible remotely through terminals based in their territory. While not an entirely new problem, states have met this increase in practical capacity to conduct sweeping extra-territorial surveillance has not been matched with an increase in extra-territorial protections. This is especially true with foreign intelligence activities, where agencies have historically been granted close to carte blanche legal capacity to surveill foreigners, while incentives to adopt a “capture everything” approach to information gathering have been high. Now, even as it becomes feasible for foreign intelligence agencies to capture all data on all individuals everywhere, states are moving to impose this troubling carte blanche foreign intelligence paradigm to digital networks. The United States government’s FISA powers represent just such a move.

There are many indications of states’ increasing capacity to conduct sweeping and invasive extra-territorial surveillance from domestic soil. In 2009, security researchers uncovered a broad network of infiltrated computer systems, which included a significant proportion of high value targets including foreign ministries, news media, NGOs and political dissidents around the world. Infiltration was likely used to extract sensitive documents and even to surreptitiously hijack audio and video-recording capabilities on many affected computers and transmit it to IP addresses found to be based in China. While there is no direct evidence that this was a state-sponsored at