Upstream Internet Surveillance Confusion

A Federal District Court judge today threw out the ACLU-led challenge to the NSA’s warrantless upstream surveillance of one-end-foreign Internet communications under the FISA Amendments Act, ruling that the plaintiffs, including Wikimedia Foundation, had not established standing. The case touched on an article that I wrote in August 2013, early in the post-Snowden leak era, that is worth commenting on because subsequent revelations have given us a better understanding of how upstream Internet surveillance under that statute works.

Back in the summer of 2013, I figured out that the NSA was not just collecting messages to and from targeted foreigners, but also those that were merely “about” such foreigners but between two other people. This turned out to be a side consequence of how “upstream” style surveillance – collection of e-mails and other text-based communications as they cross fiberoptic Internet switches – works: it grabs any message with a targeted selector, whether the selector was in the e-mail header (“To: [email protected]”) or in the e-mail body (“Hey when you get there, send a message to [email protected] so he knows it worked out.”) This feature is alien to phone wiretapping, and we had not before understood that the government was doing this.

In that article I also wrote what I had figured out at the time about how Upstream-style worked:


To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. The senior intelligence official, who, like other former and current government officials, spoke on condition of anonymity because of the sensitivity of the topic, said the N.S.A. makes a “clone of selected communication links” to gather the communications, but declined to specify details, like the volume of the data that passes through them.

In the ACLU/Wikimedia case, the plaintiffs cited this article to argue that the NSA had temporarily copied their communications, giving them standing. The judge today rejected that this had been shown to be true. He cited a passage in a July 2014 Privacy and Civil Liberties Oversight Board report about the FISA Amendments Act saying that my article put forth “a misunderstanding of a more complex reality.”

This echoed another judge’s ruling in February 2015, in an Electronic Frontier Foundation-led case, which threw out much of a lawsuit on behalf of AT&T customers against the National Security Agency based on state-secrets claims. It also focused on Upstream. The judge said that, based on his reading of classified documents, their description of how it works, which echoed the one I had written in 2013, was incorrect, but did not elaborate.

But we now understand better what is going on.

Last summer, working with ProPublica and some previously undisclosed Snowden documents, I helped write an article focused on AT&T’s role in facilitating NSA surveillance of Internet communications. Among other things, we figured out an important aspect: the NSA is not directly performing the copying and sifting. Rather its telecom partners do that on its behalf, using the selectors (and in some cases the equipment) the government supplied, and forwarding only those messages the NSA has legal authority to collect. So the NSA is not coming into direct possession of the fulltake data stream. As we wrote:

Many privacy advocates have suspected that AT&T was giving the N.S.A. a copy of all Internet data to sift for itself. But one 2012 presentation says the spy agency does not “typically” have “direct access” to telecoms’ hubs. Instead, the telecoms have done the sifting and forwarded messages the government believes it may legally collect.

“Corporate sites are often controlled by the partner, who filters the communications before sending to N.S.A.,” according to the presentation. This system sometimes leads to “delays” when the government sends new instructions, it added.

The companies’ sorting of data has allowed the N.S.A. to bring different surveillance powers to bear. Targeting someone on American soil requires a court order under the Foreign Intelligence Surveillance Act. When a foreigner abroad is communicating with an American, that law permits the government to target that foreigner without a warrant. When foreigners are messaging other foreigners, that law does not apply and the government can collect such emails in bulk without targeting anyone.

Privacy advocates, confronted with this complexity, argue that it doesn’t make any difference – if the telecoms are doing something they would not normally do because the government has asked or directed them to do it, then they are effectively N.S.A. agents at that moment and the Fourth Amendment still applies. Their argument, in other words, is that actually the description as I wrote it two years ago, when I didn’t yet understand the role of the telecoms, was nevertheless correct, as a legal matter.

That is an interesting argument. If a court ever lets a plaintiff gets to the merits, rather than throwing cases out on standing or on state-secrets grounds, it would be a central question to litigate.