On Sunday, German newspaper Der Spiegel published a story about the National Security Agency’s “Tailored Access Operations” unit, based in San Antonio, Texas. The NSA, whose mandate concerns intercepting electronic communications, is usually associated with high-tech espionage. Buried in the article, however, is an altogether lower-tech revelation: the NSA’s TAO unit has swiped computers in transit. Says Der Spiegel: “If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops.”
From there, the NSA can install malicious software or even hardware components on the intercepted computer. The NSA refers to this technique as “interdiction,” a term reminiscent of the way the Drug Enforcement Agency nabs drug smugglers on their way into the U.S. To better understand the implications of this interception, I spoke with Kit Walsh, a fellow at the Cyberlaw Clinic of Harvard University’s Berkman Center for Internet and Society.
Intercepting packages and bugging them is an older technique than, say, collecting location data from cell phones. Is there clear legal precedent for secretly installing hardware onto confiscated computers?
Walsh: While dragnet surveillance is contrary to the Constitution, intrusive targeted surveillance can be authorized by a judge. If there is probable cause to believe the intrusion will yield evidence of a particular crime, then particular intrusions of specific scope can be authorized by an impartial judge. That’s the basic framework required by the Constitution.
Knowing that this tactic is being used does not tell us how its use is being governed.
Knowing that this tactic is being used does not tell us how its use is being governed. It could be in use in rampantly illegal ways, or constrained only to narrow, legitimate circumstances. We cannot know. Which is itself a problem in a democratic nation. Thanks to Snowden, we are having the overdue public debate about how our government should and shouldn’t spy on us and others.
Of course, it is unlikely that the NSA is constraining itself to what is constitutional, given that they have the very broad FISA statute to work with and they are willing to stretch the English language to the breaking point in their secret interpretations of the law. U.S. law is also very bad at protecting any rights of foreigners in the intelligence-gathering context.
What rights does such interception by the NSA threaten?
Walsh: This kind of surveillance implicates the same rights of privacy as other forms of surveillance, with the consequent chilling effect on free speech and freedom to associate with persons of your choosing. To give a technical answer, it also implicates the target’s property right in the device being modified.
What do you see as the most troubling consequence of this?
Walsh: This tactic makes it more difficult and expensive for activists, journalists, and others to acquire computing devices they can trust, and inevitably people and organizations will be compromised and have a reduced ability to hold their government accountable. It dangerously alters the relationship between the people and the state.
Unlike broader metadata collection, these “interdictions” seem to be targeted. For the general public, is that a good thing? What does it mean for activists?
Walsh: This tactic is used in addition to, not instead of, dragnet surveillance. If the NSA had to justify intrusions to a neutral judge, with respect to particular individuals, that would be a much healthier system than the one that has evolved in the U.S., closer both to the Constitution and to the governance scheme envisioned by Congress when it set up the FISA court.
Any further thoughts on the matter?
Walsh: Even if you personally don’t feel you need privacy, you can help those who do just by playing with anonymization technology such as Tor and encryption technology for communications, so no one sticks out as one of the few users of privacy-enabling technologies.