Can using privacy-enhancing tools (such as Tor or a Virtual Private Network) actually expose you to warrantless surveillance by the National Security Agency? This week, the ACLU sent off four FOIA requests to federal agencies in order to try and answer this question.
To understand why we think that may be the case, we have to go back to the passage of the FISA Amendments Act (FAA) in 2008. That act was not a high-point for civil liberties or the rule of law. It included a provision giving immunity to the telecom companies that violated the law by assisting the NSA with its warrantless wiretapping program. Although the get-out-of-jail-free card given to the phone companies is the most well-known aspect to the FAA, there is much more to the law, and many other things that give privacy advocates reason to worry.
Under the original Foreign Intelligence Surveillance Act (FISA), the government was required to provide specific, targeted requests aimed at foreign powers or their agents before lawful surveillance was permissible. But the FAA created an additional, broader surveillance system, enabling the government to conduct surveillance without particularized suspicion where a “significant purpose” is to obtain “foreign intelligence” and where the surveillance is targeted against persons "reasonably believed to be located outside the United States."
Although the FAA defined several key terms, it did not provide a definition for a person “reasonably believed to be located outside the United States." In that ambiguity lies the source of our concern.
Tor and VPNS
To understand why, it’s important to understand how the privacy tools work. The Tor Project (Tor) is an anonymizing network that provides censorship and surveillance resistant internet connectivity to activists, journalists, researchers and privacy advocates around the world. There are an estimated 500,000 users of Tor. These include law enforcement and intelligence agencies in the United States, which was the intention of the US Naval Research Lab when it invented the underlying technology and funded the early development of the project. Tor is also used by activists, journalists and the general public in Iran, Syria, China and other countries with authoritarian governments, which has led to significant funding for Tor from the US State Department and the Broadcasting Board of Governors. However, Tor is also used by many people in the United States—it is estimated that approximately 15% of the users of Tor are located in the United States.
Tor is but one tool used by people who want to protect their anonymity online. Virtual Private Networks, offered by dozens (if not hundreds) of companies, provide a weaker degree of security than Tor, but still allow them to sever the link between their own computer’s IP address and their online browsing activities. Such services are extremely popular with users who wish to circumvent geo-restrictions on streaming content. For example, VPNs make it possible to listen to Pandora or watch the Daily Show when you are outside the US, which are normally blocked.
When someone browses the web using Tor or a VPN service their Internet traffic appears to originate at the Tor or VPN server, rather than from their home connection. Thus, a US citizen located in Chicago who uses a Tor exit server in France will, to Google or Facebook, appear to be a user in France. Likewise, someone in Iran connecting to the web via a Tor exit server located in San Francisco will appear to the New York Times as a web surfer from San Francisco.
Tor, VPNs and the FISA Amendments Act
If the NSA is engaging in surveillance of foreign networks and it encounters traffic originating from a foreign Tor exit server, it will have no way of knowing if that traffic originally came from the United States or another foreign computer. Likewise, the NSA has no way of knowing if traffic exiting a US Tor exit server is actually from domestic users, or foreign. That is, after all, the point of Tor. This presents a pretty interesting and troubling legal question. Tor is extremely popular in countries like Iran, where the NSA is actively monitoring communications networks. However, Tor is also popular with users in the United States, whose communications the NSA shouldn’t be monitoring.
When the traffic of Iranian, Chinese, British and American citizens is combined and anonymized such that the true origin of the traffic cannot be determined, which set of the intelligence rules does the NSA follow? Certainly, a US citizen shouldn’t have his or her communications traffic intercepted by the NSA simply because they want to watch the latest season of Downton Abbey streamed directly from the UK.