Most Americans have a fuzzy understanding of exactly what the National Security Agency can and cannot see with its surveillance programs, much less what a former NSA contractor named Edward Snowden tried to do about it.
That’s the finding, anyway, of informal street interviews by John Oliver’s crew at Last Week Tonight on HBO.
Oliver devoted his April 5 show to the NSA spying story. It included an exclusive interview with Snowden, who is living in Russia after the State Department canceled his passport. And it included the topic of this fact-check: Can emails sent between two people living in the United States unwittingly end up on the computer screen of some NSA analyst?
Oliver, who blends comedy with journalism, framed the discussion around the NSA peeping on nude pictures.
Oliver asked Snowden to describe the capability of various NSA surveillance programs in relation to nude pictures sent by Americans, starting with "702 surveillance." This refers to section 702 of the Foreign Intelligence Surveillance Act of 1978. This section was added in 2008 and was renewed under President Barack Obama in 2012.
Could the NSA see a picture of, say, Oliver’s privates under this provision, he asked?
"Yes," Snowden said, "the FISA Amendments Act of 2008, which section 702 falls under, allows the bulk collection of internet communications that are one-end foreign."
After an Oliver joke about "bulk collection," Snowden continued, "So if you have your email somewhere like Gmail, hosted on a server overseas or transferred overseas or anytime crosses outside the borders of the United States, your junk ends up in the database."
Oliver jumped in and asked Snowden to clarify that the racy picture — if you’ve seen the interview, you know we’re paraphrasing — wouldn’t necessarily have to be sent to Germany in order to end up in NSA storage.
"No," Snowden said. "Even if you sent it to someone within the United States, your wholly domestic communication between you and your wife can go to New York to London and back and get caught up in the database."
Is it really true that this situation (regardless of the content of the email) could happen, and if so, is it likely?
You’ve got mail … being collected by the NSA
Several experts in national security law agreed Snowden’s scenario is plausible, thanks to holes in international surveillance laws that affect data shared between Americans living in America.
The law that Oliver mentioned, Section 702 of FISA Amendments Act of 2008, is labeled "Procedures For Targeting Certain Persons Outside The United States Other Than United States Persons." Going on name alone, that sounds like the opposite of a license for the NSA to collect private messages between Americans.
The section addresses spying on communications on U.S. soil in which one end of the conversation is foreign. Critics, including the Electronic Frontier Foundation, Center for Technology and Democracy, and American Civil Liberties Union, deem it a "backdoor search loophole" that allows the NSA to get access to information on U.S. citizens.
The section says the government cannot "intentionally target" citizens of the United States with its surveillance, nor can it target a person outside the country to learn more about the communications of a person who is in the United States. "Intentionally," obviously, is a pretty big gap. NSA communications spying under Section 702 does not need an individual warrant.
There are a few government spying programs that we know about, through Snowden’s leaks to journalists, that operate using Section 702, including Prism and Upstream.
Prism, as outlined in a leaked slide, allows the NSA to collect via court order email, chats, videos, photos, stored data and files of foreign targets from technology companies such as Google, Apple, Yahoo, Microsoft and Facebook.
Analysts reportedly use Prism in concert with Upstream, by which the NSA collects foreigners’ communications directly from the fiber-optic backbone of the Internet. A leaked NSA slide reported by the Washington Post describes Upstream as amassing "communications on fiber cables and infrastructure as data flows past."
Through those spying programs, it is possible that American-to-American email could hit an overseas server and be pulled into NSA databases even though those emails are not the target of NSA searches. The law does not prohibit this kind of "incidental" collection of Americans’ communications, as long as it was part of an otherwise valid collection of non-Americans’ information, said Stephen Vladeck, American University national security law professor.
Government reports, leaks and a scathing 2011 Foreign Intelligence Surveillance Court opinion offer more proof that the NSA cannot separate out communications between Americans from the emails involving a foreigner. "NSA’s knowing acquisition of tens of thousands of wholly domestic communications through its Upstream collection is a cause of concern for the court," wrote FISC Judge John D. Bates in the declassified opinion.
It’s unknown exactly how often this happens, but it does not appear unusual.
"It doesn’t matter whether it’s a d--- pic or a bland email," said Andrew Crocker, a senior analyst at the Electronic Frontier Foundation, which sued the NSA to release the Bates opinion. "These are all things that can be swept up."
By law, the NSA is supposed to "minimize" wholly domestic communications it obtains, said Molly Bishop Shadel, a University of Virginia law professor who represented the United States on terrorism-related matters before the Foreign Intelligence Surveillance Court while working for the Justice Department. This could mean deleting the email or not searching or using the information, something Snowden doesn’t say.
"I can’t promise the email wouldn’t end up in an NSA database," she said, "but it’s not going to be accessible to the government if it does."
Other experts pointed out that we don’t know for sure what happens to these exchanges when they are collected. Jonathan Mayer, a cybersecurity fellow at Stanford University’s Center for Internet and Society, said many important features of Upstream collection "haven’t leaked and remain classified," such as whether it involves bulk collection, massive-but-targeted collection or only individually targeted collection, he said.
Email routes that cross international boundaries
So, yes, it’s possible that an email between you and your wife or husband about the grocery list could wind up in the hands of the NSA. But to do so, the electronic footprint of that email needs to leave the confines of the United States.
How likely is that to happen?
Understanding how or why an email may hit an overseas server even if it’s sent to someone in the same area requires a basic knowledge of how the Internet works. But even then, it’s complicated. So we turned to technologists, who had different opinions.
Predicting how an email travels to its destination once you hit "send" is not an exact science — and it can change from hour to hour. When a person sends an email, it goes through the Internet service provider to an email provider, is exchanged with another provider, and goes back to someone else’s Internet service provider.
If the Internet provider is big, like Verizon, the most efficient, least congested path to route the bits of information might just be a cable that crosses a foreign country’s boundary.
Chats, pictures and messages travel from senders to recipients through the Internet along fiber-optic cables, some underground and some undersea. These cables can send messages in milliseconds.
"The way the network thinks about distance is very different from the way you think about distance in the real physical world," said Joseph Hall, Center for Democracy and Technology chief technologist.
Hall mentioned an example using the concept of "trombone routing:" Two people could be on opposite sides of Denver, and the most efficient way to get bits of information to them may be through a cable that runs through Canada.
Mayer, of Stanford University, suggested the odds are good that your message is stored domestically if you’re an American who is working within the continental United States and who is using Gmail. Mayer called Snowden’s example of an intimate picture shared between a couple in New York hitting a London server en route to its destination "hypothetically possible, but it’s unlikely." The route between providers would have to be unusual, and the connection would have to be unencrypted, he said.
"There are enormous privacy implications from the one-end foreign rule, to be clear," Mayer said. "I just don’t think this is a very generalizable example."
On the other hand, Hall said, "It’s not hard to see this happening at all," even though more providers are encrypting their networks in response to NSA practices.
Even though Hall and Mayer have different estimations for how likely it is for a U.S. user’s communications to be transmitted over a national border at a given time, Hall agrees it’s more likely for an email to cross a border in places that don’t have a huge infrastructure.
Because Snowden mentioned Google’s Gmail service as an example, we checked in with the company to figure out under which conditions this example could happen.
The company has strengthened the encryption of its infrastructure as a way to dissuade the government from using "backdoor" methods of tapping its network data without its knowledge.
Emails between Gmail accounts are encrypted as they go to Gmail servers, which essentially means they look like gibberish to outsiders, and as they move from Google’s data centers around the country and the world. Copies of emails could be stored in several places, including in data centers abroad, as a way to provide backups in case one center fails. If the NSA tried to collect emails between Google data centers, they may be able to pull the metadata of messages (the to and from) but not the content.
If one side of the exchange is not a Gmail user, the message may not be encrypted and therefore may be more vulnerable.
As for how often an email may end up in a foreign server, even if it’s between two American Gmail users, spokesman Aaron Stein said, "We aren't always able to predict how often that happens."
The NSA press office did not return requests for comment.
Snowden said, "Even if you sent it to someone within the United States, your wholly domestic communication between you and your wife can go to New York to London and back and get caught up in the database."
In Oliver’s context of a naked picture, the comment may be surprising. But to experts familiar with the laws governing surveillance practices and the NSA programs brought to light through his leaks, Snowden is correct that this could happen.
But this isn’t the most likely scenario for most Americans emailing other Americans day-in, day-out. Moreover, the NSA is supposed to "minimize" domestic emails that get caught up in a broader sweep, either by deleting them or not searching or using the information.
Snowden’s claim is accurate but misses that context. We rate it Mostly True.