In the public debate thus far over the NSA's mass surveillance programs, Americans have obsessed over our right to protect our emails, phone calls, and other communications from warrantless spying. But an issue that is just as important has been almost completely ignored: should the U.S. government be collecting the communications of foreigners without a warrant or any suspicion of wrongdoing? Unlike spying on U.S. citizens, where the government may well be breaking the law, spying on foreigners is almost certainly legal. But is it wise? We don't think so. Unfettered U.S. spying on foreigners will cause serious collateral damage to America's technology companies, to our Internet-fueled economy, and to human rights and democracy the world over. Rampant surveillance harms both privacy and our long-term national security.
Foreigners don't vote in American elections, so perhaps it's not surprising that U.S. law throws them under the privacy bus. "If you are a U.S. person," President Obama (inaccurately) assures us, "the NSA cannot listen to your telephone calls." But the government doesn't disguise its broad snooping on foreigners. Director of National Intelligence James Clapper confirmed recently that the NSA "targets foreigners located overseas for a valid foreign intelligence purpose."
The legal basis for wide-scale Internet spying on foreigners is set out in black and white in the Foreign Intelligence Surveillance Act (FISA). FISA allows collection of "foreign intelligence information," a grant of authority which goes well beyond counterterrorism or national security to include "information with respect to a foreign power or foreign territory that relates to ... the conduct of the foreign affairs of the United States." In the original version of FISA, individuals could only be targeted if they were "agents of foreign powers," but 2008 amendments to the statute did away with that limitation. Thus, FISA as it now stands authorizes warrantless surveillance of any non-U.S. individual reasonably believed to be located abroad, allowing for the interception of the most private kind of information so long as it "relates to" U.S. foreign affairs. That language is broad enough to allow the U.S. to seize almost any sort of foreign communication, on the grounds that a communication might relate in some way to a foreign-affairs interest of the United States.
For foreigners who don't regularly read American surveillance statutes, this all came as an unpleasant surprise. And the details of how the NSA administers the mass surveillance programs do not make the surprise any more palatable. Individuals subject to NSA surveillance are almost never notified. The proceedings authorizing the surveillance are secret. The orders and directives are classified. The Internet companies that respond to the U.S. government's information demands are under gag order, or otherwise obligated not to disclose. And from a foreigner's perspective, all this happens at the request of a government they can't hold to account and is approved by a secret foreign court they can't petition.
In addition to its broad legal authority to spy on foreigners, the U.S. now has a distinct technological advantage in doing so. In the past, the nature of the telecommunications infrastructure meant that NSA commonly had to operate abroad to intercept in real-time phone calls between non-Americans. But today, most communications flow over the Internet and a very large percentage of key Internet infrastructure is in the United States. Thus, foreigners' communications are much more likely to pass through U.S. facilities even when no U.S. person is a party to a particular message. Think about a foreigner using Gmail, or Facebook, or Twitter -- billions of these communications originate elsewhere in the world but pass through, and are stored on, servers located in the U.S.
With so few legal or technical checks on the U.S. government's power to snoop, Internet users look to U.S. Internet companies to serve as gatekeepers. Fortunately, some U.S.-based Internet companies also have a pro-privacy streak, and view themselves as critical checkpoints in the surveillance infrastructure. Here are just two examples: In 2007, Yahoo unsuccessfully challenged the Protect America Act, a precursor law to the updated FISA. More recently, an unknown company brought a case before the FISA court which resulted in a secret 2011 holding that the NSA had violated the Fourth Amendment.
Yet, Internet companies are in a terrible position to rein in government overreach. The court processes and the reasons for surveillance are kept secret from the companies. The cases that interpret the government's powers under the law are secret. And for whatever protections FISA might afford to Americans, it serves no such role for foreigners, who comprise a growing majority of any global company's customers. When the government comes to an Internet company with a lawful but secret court order signed by a judge and demanding certain data, they can review the order skeptically. They can judiciously select the responsive information. They can bring a secret lawsuit in the FISA court to challenge the secret law on behalf of their international clients who have speculative Fourth Amendment rights under the U.S. Constitution. But beyond these usually quixotic efforts, the companies' powers are limited.