- Associated Press - Wednesday, March 26, 2014

STANFORD, Calif. (AP) - Cyber security experts are questioning whether President Barack Obama can make good on his assurance that U.S. intelligence agencies aren’t spying on “ordinary folks.”

That promise is especially dubious, experts say, in instances where Americans are communicating with U.S. citizens living abroad and other people overseas.

“It’s very clear there are enormous loopholes,” said Jonathan Mayer, a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation, who is reverse engineering the NSA surveillance program to learn how much collection - if taken to extremes - is legally possible. “Their rules, combined with their capabilities, cut against the classical protections built into our legal system.”

The National Security Agency and the CIA are tasked with gathering foreign - not domestic - intelligence. Agency rules say they must have a “reasonable, articulated suspicion” about the people they target, and are required to sift through all the data they collect and eliminate any that might have been intercepted from an innocent American, on U.S. soil or abroad.

This week the Obama Administration proposed that Congress overhaul the electronic surveillance program by having phone companies hold onto the call records as they do now.

But there remain a number of significant ambiguities that allow Americans’ data to be swept up, saved and analyzed, according to a series of disclosures from former intelligence contractor Edward Snowden, WikiLeaks source Pvt. Chelsea (previously known as Bradley) Manning and the federal government itself:

- Analysts need to be just “51 percent confident” that someone is not in the U.S., based on phone numbers, Internet Protocol addresses and email addresses, before they can target the person.

- The NSA is allowed to store encrypted communications, domestic or foreign, at least until analysts can decrypt them to find out whether they contain information relating to national security. With widely used services like Gmail and Facebook adding encryption, this could encompass a vast amount of domestic communications.

- Domestic communications with foreign targets can be scooped up without a warrant if the point of collection is outside the U.S.

On March 18 the Washington Post, using documents from Snowden, reported that the NSA has been recording and storing all of a foreign country’s telephone calls, then listening to the conversations up to a month later. At the request of U.S. officials, the Post said it withheld details that could be used to identify the particular country.

The complexities of Internet traffic routing also could help the spy agencies to skirt the rules. Mayer’s research found that five to 10 percent of all visits to popular U.S.-based websites bounce off foreign servers. For example, he said, a person in San Francisco shopping for a pair of shoes on a Denver-based retailer’s website might have his computer’s unique identifier sent, for a fraction of a second, to Japan where a program the retailer deployed is analyzing web traffic in real time. In theory, that San Francisco shopper can now have his data legally collected by the government, said Mayer.
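The routing effect Mayer describes can be measured from the client side: a page served by a domestic retailer may embed scripts, images or stylesheets that a browser fetches automatically from third-party hosts, and if any of those hosts sit abroad the visitor's identifiers leave the country even though the visitor never chose to go there. The following Python is an added example, not code from the article or from Mayer's research: it parses a constructed shop page, lists the third-party hosts a browser would contact, and flags the ones outside the home country. The hostname-to-country table is an assumption made for illustration; a real measurement would resolve each host and geolocate the resulting IP addresses.

```python
"""Flag third-party page resources served from outside the home country.

Added example, not from the article. HOST_COUNTRY is a constructed table
standing in for real DNS resolution plus IP geolocation.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed geolocation table (assumption): hostname -> ISO country code.
HOST_COUNTRY = {
    "shoes.example": "US",
    "cdn.shoes.example": "US",
    "analytics.example.jp": "JP",
    "fonts.example.net": "US",
}

# Constructed sample page: a domestic retailer embedding a traffic-analysis
# script hosted abroad, plus a domestic CDN image and a domestic font sheet.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://fonts.example.net/shop.css">
<script src="//analytics.example.jp/rt.js"></script>
</head><body>
<img src="https://cdn.shoes.example/sneaker.jpg">
<script src="/app.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches without user action."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href") and a.get("rel") == "stylesheet":
            self.urls.append(a["href"])


def third_party_hosts(html, first_party):
    """Return sorted hostnames that are neither the first party nor its subdomains.

    Relative URLs (no host) are first-party and skipped; protocol-relative
    URLs such as //host/path still yield a hostname via urlparse.
    """
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and host != first_party and not host.endswith("." + first_party):
            hosts.add(host)
    return sorted(hosts)


def foreign_hosts(html, first_party, home_country="US"):
    """Third-party hosts whose server is outside home_country.

    Hosts missing from the table are flagged conservatively, since an
    unknown location cannot be assumed domestic.
    """
    return [h for h in third_party_hosts(html, first_party)
            if HOST_COUNTRY.get(h) != home_country]


if __name__ == "__main__":
    print("third-party:", third_party_hosts(SAMPLE_PAGE, "shoes.example"))
    print("foreign:", foreign_hosts(SAMPLE_PAGE, "shoes.example"))
```

Run against a real page, the same approach would resolve each host and geolocate the addresses instead of consulting the constructed table; the point of the example is that a single embedded script tag is enough to send a visitor's traffic to another jurisdiction.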

“If you define almost nothing as breaking the rules, it becomes easy to say, ‘Don’t worry, we never break the rules,’” he said.

NSA spokeswoman Vanee Vines said all of the agency’s work has a foreign intelligence purpose and that the NSA deletes data it accidentally collects.

And during a hearing last week, Deputy Assistant Attorney General Brad Wiegmann said a review of all foreignness determinations found an error rate of less than 0.1 percent.

“So that equates to essentially less than one in a thousand cases in which we’re finding that NSA is making erroneous foreignness determinations,” he said.
