In the public debate thus far over the NSA's mass surveillance programs, Americans have obsessed over our right to protect our emails, phone calls, and other communications from warrantless spying. But an issue that is just as important has been almost completely ignored: should the U.S. government be collecting the communications of foreigners without a warrant or any suspicion of wrongdoing? Unlike spying on U.S. citizens, where the government may well be breaking the law, spying on foreigners is almost certainly legal. But is it wise? We don't think so. Unfettered U.S. spying on foreigners will cause serious collateral damage to America's technology companies, to our Internet-fueled economy, and to human rights and democracy the world over. Rampant surveillance harms both privacy and our long-term national security.
Foreigners don't vote in American elections, so perhaps it's not surprising that U.S. law throws them under the privacy bus. "If you are a U.S. person," President Obama (inaccurately) assures us, "the NSA cannot listen to your telephone calls." But the government doesn't disguise its broad snooping on foreigners. Director of National Intelligence James Clapper confirmed recently that the NSA "targets foreigners located overseas for a valid foreign intelligence purpose."
The legal basis for wide-scale Internet spying on foreigners is set out in black and white in the Foreign Intelligence Surveillance Act (FISA). FISA allows collection of "foreign intelligence information," a grant of authority which goes well beyond counterterrorism or national security to include "information with respect to a foreign power or foreign territory that relates to ... the conduct of the foreign affairs of the United States." In the original version of FISA, individuals could only be targeted if they were "agents of foreign powers," but 2008 amendments to the statute did away with that limitation. Thus, FISA as it now stands authorizes warrantless surveillance of any non-U.S. individual reasonably believed to be located abroad, allowing for the interception of the most private kind of information so long as it "relates to" U.S. foreign affairs. That language is broad enough to allow the U.S. to seize almost any sort of foreign communication, on the grounds that a communication might relate in some way to a foreign-affairs interest of the United States.
For foreigners who don't regularly read American surveillance statutes, this all came as an unpleasant surprise. And the details of how the NSA administers the mass surveillance programs do not make the surprise any more palatable. Individuals subject to NSA surveillance are almost never notified. The proceedings authorizing the surveillance are secret. The orders and directives are classified. The Internet companies that respond to the U.S. government's information demands are under gag order, or otherwise obligated not to disclose. And from a foreigner's perspective, all this happens at the request of a government they can't hold to account and is approved by a secret foreign court they can't petition.
In addition to its broad legal authority to spy on foreigners, the U.S. now has a distinct technological advantage in doing so. In the past, the nature of the telecommunications infrastructure meant that NSA commonly had to operate abroad to intercept in real-time phone calls between non-Americans. But today, most communications flow over the Internet and a very large percentage of key Internet infrastructure is in the United States. Thus, foreigners' communications are much more likely to pass through U.S. facilities even when no U.S. person is a party to a particular message. Think about a foreigner using Gmail, or Facebook, or Twitter -- billions of these communications originate elsewhere in the world but pass through, and are stored on, servers located in the U.S.
With so few legal or technical checks on the U.S. government's power to snoop, Internet users look to U.S. Internet companies to serve as gatekeepers. Fortunately, some U.S.-based Internet companies also have a pro-privacy streak, and view themselves as critical checkpoints in the surveillance infrastructure. Here are just two examples: In 2007, Yahoo unsuccessfully challenged the Protect America Act, a precursor law to the updated FISA. More recently, an unknown company brought a case before the FISA court which resulted in a secret 2011 holding that the NSA had violated the Fourth Amendment.
Yet, Internet companies are in a terrible position to rein in government overreach. The court processes and the reasons for surveillance are kept secret from the companies. The cases that interpret the government's powers under the law are secret. And for whatever protections FISA might afford to Americans, it serves no such role for foreigners, who comprise a growing majority of any global company's customers. When the government comes to an Internet company with a lawful but secret court order signed by a judge and demanding certain data, they can review the order skeptically. They can judiciously select the responsive information. They can bring a secret lawsuit in the FISA court to challenge the secret law on behalf of their international clients who have speculative Fourth Amendment rights under the U.S. Constitution. But beyond these usually quixotic efforts, the companies' powers are limited.
As a result, from the perspective of many foreign individuals and governments, global Internet companies headquartered in the U.S. are a security and privacy risk. And that means foreign governments offended by U.S. snooping are already looking for ways to make sure their citizens' data never reaches the U.S. without privacy concessions. We can see the beginnings of this effort in the statement by the vice president of the European Commission, Viviane Reding, who called in her June 20 op-ed in the New York Times for new EU data protection rules to "ensure that E.U. citizens' data are transferred to non-European law enforcement authorities only in situations that are well defined, exceptional and subject to judicial review." While we cheer these limits on government access, the spying scandal also puts the U.S. government and American companies at a disadvantage in ongoing discussions with the EU about upcoming changes to its law enforcement and consumer-privacy-focused data directives, negotiations critical to the Internet industry's ongoing operations in Europe.
Even more troubling, some European activists are calling for data-storage rules to thwart the U.S. government's surveillance advantage. The best way to keep the American government from snooping is to have foreigners' data stored locally so that local governments - and not U.S. spy agencies -- get to say when and how that data may be used. And that means nations will force U.S.-based Internet giants like Google, Facebook, and Twitter, to store their user data in-country, or will redirect users to domestic businesses that are not so easily bent to the American government's wishes.
So the first unintended consequence of mass NSA surveillance may be to diminish the power and profitability of the U.S. Internet economy. America invented the Internet, and our Internet companies are dominant around the world. The U.S. government, in its rush to spy on everybody, may end up killing our most productive golden goose.
Even worse, a shift away from U.S.-based Internet services is a blow to free expression around the world. We expect U.S.-based Internet companies to resist authoritarian governments that ask for help squelching political dissent. That resistance is good for global democracy, and good for the United States. Of course, U.S. technology companies' response to such demands have not always been exemplary. Rebecca Mackinnon's 2012 book details corporate complicity with repressive regimes' censorship and surveillance. Yet, without question, the role of Internet firms, especially those based in America, is a net plus for democracy abroad. Having Twitter in the U.S. helped when the U.S. State Department asked it in 2009 to delay its regularly scheduled maintenance to ensure activists can communicate during the Iranian elections. It is much harder to say no to a foreign government when a business has employees and data in that country.
In this way, the EU push for local data storage plays right into what some have called the "cyber sovereignty movement," an effort by many nations for more national control over the Internet within their own borders. But unlike current discussions in Europe, those demands are not motivated by a desire to protect civil liberties. To the contrary, authoritarian countries want to censor, spy on, and control Internet access within their own borders. These nations -- Russia, China, the United Arab Emirates, Sudan, Saudi Arabia, and others -- unsuccessfully pushed for changes to the Internet's infrastructure at the International Telecommunications Union meeting last December in Dubai. The growth of cyber-sovereignty would be a serious blow to the spread of liberal democracy worldwide. The U.S. government's fervor for Internet surveillance has now provided advocates for such cyber-sovereignty with new privacy-motivated allies and a great set of talking points.
President Obama recently chided Americans concerned with NSA surveillance for our naïveté, saying "you can't have 100 percent security and also then have 100 percent privacy." But this administration's rhetoric is short-sighted and depressing when, in fact, rampant surveillance harms our long-term security. Given the Internet's role in empowering democracy activists the world over, the State Department now ranks support for an open and uncensored Internet as one of it fundamental missions. We think this is unquestionably correct. But, we can't have secret warrantless mass surveillance -- of Americans or of foreigners -- and also enjoy Internet-fueled economic, democratic, and political empowerment. It is time to demand both security and privacy, for everyone -- Americans and foreigners alike -- before it's too late.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.