Unprecedented and Unlawful: The NSA’s 'Upstream' Surveillance
& Patrick Toomey, Staff Attorney, ACLU National Security Project
The FISA Amendments Act of 2008 (FAA) — the statute the government uses to engage in warrantless surveillance of Americans’ international communications — is scheduled to expire in December 2017. In anticipation of the coming legislative debate over reauthorization, Congress has already begun to hold hearings. While Congress must address many problems with the government’s use of this law to surveil and investigate Americans, the government’s use of “Upstream” surveillance to search Internet traffic deserves special attention. Indeed, Congress has never engaged in a meaningful public debate about Upstream surveillance — but it should.
First disclosed as part of the Snowden revelations, Upstream surveillance involves the NSA’s bulk interception and searching of Americans’ international Internet communications — including emails, chats, and web-browsing traffic — as their communications travel the spine of the Internet between sender and receiver. If you send emails to friends abroad, message family members overseas, or browse websites hosted outside of the United States, the NSA has almost certainly searched through the contents of your communications — and it has done so without a warrant.
The executive branch contends that Upstream surveillance was authorized by the FAA; however, as others have noted, neither the text of the statute nor the legislative history support that claim. Moreover, as former Assistant Attorney General for National Security David Kris recently explained, Upstream raises “challenging” legal questions about the suspicionless searching of Americans’ Internet communications — questions that Congress must address before reauthorizing the FAA.
Because of how it operates, Upstream surveillance represents a new surveillance paradigm, one in which computers constantly scan our communications for information of interest to the government. As the legislative debate gets underway, it’s critical to frame the technological and legal issues that Congress and the public must consider — and to examine far more closely the less-intrusive alternatives available to the government.
Upstream Surveillance: An Overview
As we’ve learned from official government sources and media reports, Upstream surveillance consists of the mass copying and content-searching of Americans’ international Internet communications while those communications are in transit. The surveillance takes place on the Internet “backbone” — the network of high-capacity cables, switches, and routers that carry Americans’ domestic and international Internet communications. With the compelled assistance of telecommunications providers like AT&T and Verizon, the NSA has installed surveillance equipment at dozens of points along the Internet backbone, allowing the agency to copy and then search vast quantities of Internet traffic as those communications flow past.
The NSA is searching Americans’ international communications for what it calls “selectors.” Selectors are, in essence, keywords. Under the FAA, they are typically email addresses, phone numbers, or other identifiers associated with the government’s targets. While this might sound like a narrow category, the reality is much different, as Jennifer Granick and Jadzia Butler recently explained. That’s because the NSA can target any foreigner located outside the United States who is believed to possess “foreign intelligence information” — including journalists, human rights researchers, and attorneys, not just suspected terrorists or foreign spies. At last count, the NSA was targeting more than 94,000 people, organizations, and groups under the FAA.
In practice, that means the NSA is examining the contents of each communication for the presence of tens of thousands of different search terms that are of interest to the government. And that list continues to grow, as the NSA adds new targets and entirely new categories of selectors to Upstream surveillance. Whenever the NSA finds a communication that contains a “hit” for any one of its many selectors, it stores that communication for the agency’s long-term use and analysis — and it may share those communications with the FBI for use in criminal investigations.
Observers, including the Privacy and Civil Liberties Oversight Board (PCLOB), have singled out one feature of this surveillance as especially controversial: what’s often called “about” surveillance. This term refers to the fact that the government is not only intercepting communications to and from its targets, but is systematically examining the communications of third parties in order to identify those that simply mention a targeted selector. (In other words, the NSA is searching for and collecting communications that are merely “about” its targets.)
“About” surveillance has little precedent. To use a non-digital comparison: It’s as if the NSA sent agents to the U.S. Postal Service’s major processing centers to engage in continuous searches of everyone’s international mail. The agents would open, copy, and read each letter, and would keep a copy of any letter that mentioned specific items of interest — despite the fact that the government had no reason to suspect the letter’s sender or recipient beforehand. In the same way, Upstream involves general searches of Americans’ international Internet communications.
Upstream Surveillance Is Bulk Searching
Although the government frequently contends otherwise, Upstream surveillance is a form of bulk surveillance. To put it plainly, the government is searching the contents of essentially everyone’s communications as they flow through the NSA’s surveillance devices, in order to determine which communications contain the information the NSA seeks. While the government has “targets,” its searches are not limited to those targets’ communications. Rather, in order to locate communications that are to, from, or “about” its targets, the government is first copying and searching Americans’ international communications in bulk.
There is no question that these searches are extraordinarily far-reaching. The leading treatise on national-security surveillance, co-authored by former Assistant Attorney General David Kris, explains that the “NSA’s machines scan the contents of all of the communications passing through the collection point, and the presence of the selector or other signature that justifies the collection is not known until after the scanning is complete.” Likewise, the Foreign Intelligence Surveillance Court (FISC) has made clear that the NSA is searching the full text of every communication flowing through the surveillance devices installed on certain international backbone links.
For technological reasons, Upstream surveillance — at least as it’s conducted today — necessarily ensnares vast quantities of communications. When an individual uses the Internet, whether to browse a webpage or send an email, his computer sends and receives information in the form of data “packets” that are transmitted separately across the Internet backbone. As Charlie Savage recently explained in Power Wars, “when an e-mail is transmitted over the Internet, it is broken apart like a puzzle. Each piece of the puzzle travels independently to a shared destination, where they converge and are reassembled. For this reason, interception equipment on a switch in the middle cannot grab only a target’s e-mail. Instead, the wiretapper has to make a copy of everything.” While the NSA may exclude certain types of irrelevant traffic — like Netflix videos — it can identify the communications it’s seeking only by copying and searching the remaining Internet traffic in bulk.
In court, the Department of Justice has resisted acknowledging the breadth of these bulk searches —preferring to say, euphemistically, that the NSA is “screening” or “filtering” communications. But it’s playing word games. The only way for the NSA to determine whether a communication contains one of its selectors is to search the contents of that communication. At scale, that means the NSA is searching the contents of trillions of Internet communications, without anything resembling a warrant.
Upstream Surveillance Is Unprecedented and Unlawful
Because it involves bulk searches, Upstream surveillance is very different from other forms of surveillance, and it should be debated with that in mind. As the Privacy and Civil Liberties Oversight Board (PCLOB) explained:
Nothing comparable is permitted as a legal matter or possible as a practical matter with respect to analogous but more traditional forms of communication. From a legal standpoint, under the Fourth Amendment the government may not, without a warrant, open and read letters sent through the mail in order to acquire those that contain particular information. Likewise, the government cannot listen to telephone conversations, without probable cause about one of the callers or about the telephone, in order to keep recordings of those conversations that contain particular content.
In short, the Fourth Amendment does not allow the government to conduct a general, suspicionless search in order to locate specific information or evidence. Instead, as the ACLU has explained at length elsewhere, the government is required to have probable cause — and a warrant — before it searches the contents of our communications. Upstream surveillance reverses this logic, using the end results of the NSA’s searches to justify the continuous, bulk review of Americans’ Internet traffic. The ODNI General Counsel has effectively called for rewriting the Fourth Amendment to permit these types of searches — which only underscores how novel and extreme the government’s legal theory really is.
Americans — and Congress — need to be concerned about what it means to have government computers monitoring our communications in real-time. As the PCLOB emphasized, one of the fundamental problems posed by Upstream surveillance is that “it permits the government to acquire communications exclusively between people about whom the government had no prior suspicion, or even knowledge of their existence, based entirely on what is contained within the contents of their communications.” David Kris highlighted a related problem, asking whether the government should be permitted to “review the contents of an unlimited number of e-mails from unrelated parties in its effort to find information ‘about’ the target.”
The PCLOB, in its report, expressed serious concern about Upstream surveillance, finding that the nature and breadth of this surveillance pushed it “close to the line” in terms of lawfulness. At the same time, however, the PCLOB expressed the view that “about” surveillance was unavoidable for technological reasons. While this is the subject for a separate post, that factual claim is doubtful. The NSA could, if it chose, do far more to isolate the communications of its targets based on metadata — such as email addressing information — rather than searching the entire contents of everyone’s communications using selectors. Indeed, “Next Generation Firewall” technology is capable of distinguishing metadata from content across many different types of communications. Moreover, the NSA has already shown that it can implement this capability on the Internet backbone — because its bulk Internet metadata program, which it operated for ten years, required very similar capabilities. Even with these modifications, significant questions about the lawfulness of the surveillance would remain; but there is no question that it would be more protective of Americans’ privacy than today’s Upstream surveillance.
Between now and the sunset of the FAA in December 2017, it is crucial that Congress engage in an informed, public debate about whether it is constitutional — and whether it is prudent — to permit the executive branch to wield this incredibly invasive surveillance tool.
This post originally appeared at Just Security.