If ECPA is tweaked to protect email privacy, will the NSA still spy on US Tor users?

Even if ECPA is tweaked to protect email privacy, does that mean if you use Tor, with an IP that appears as if you are on foreign soil, that your real-time communications are being spied upon also by the NSA thanks to FISA?

The more you try to protect your online privacy by using encryption, the more the government may consider that a potential threat and break into the cloud to access your stored communications. This is one more reason that the ECPA needs to be updated. But the more you protect your privacy by using Tor or a VPN service, if that IP makes you look like you are on foreign soil, does that mean the U.S. government under FISA's FAA is monitoring those real-time communications too? The ACLU is determined to find out and has filed FOIAs with the DOJ, FBI and NSA.

Peter Swire served as Chief Counselor for Privacy under President Clinton and is leading a project on government access to personal information for the Future of Privacy Forum. Swire has written extensively about how the more you take advantage of services that encrypt your data, the more the government breaks into your cloud.

As it stands right now, we have basically no protection when it comes to digital privacy. The Electronic Communication Privacy Act was drawn up in the 1980s, but we live in a different world where cloud no longer means the puffy white objects against the blue sky. The government and police need no warrant to tap into your private electronic messages and emails that are older than 180 days. On Thursday, a Senate committee will consider tweaking ECPA so that the government or law enforcement would be required to obtain a search warrant to access email regardless of how old it is. While it would be so much better if ECPA protected any private electronic communications, requiring a warrant for email reinforces the Fourth Amendment in some way.

Don't get me started on the opposition's position that objecting to the current ECPA, and wanting to be anonymous, must mean you have something to hide. That is a ludicrous idea put forth by the same people who believe innocent behaviors are suspicious because potential terrorists are everywhere in the USA.

The EFF "is working with a number of coalitions-including the Digital Due Process Coalition and Vanishingrights.com to continue to push for ECPA reform in order to not only clarify that the government must obtain a warrant to read private electronic messages, but also to mandate a warrant before the government accesses location information from your electronic devices."

Meanwhile, as you try to protect your digital privacy and use encryption, it drives the government to the break into your cloud. Instead of the ECPA, what if the government was spying on your electronic communications due to the Foreign Intelligence Surveillance Act (FISA), specifically the FAA (FISA Amendment Act)? The ACLU has suggested that using certain privacy-enhancing tools like a VPN or Tor might actually expose you to warrantless NSA surveillance. In fact, Chris Soghoian wrote on the ACLU blog that Freedom of Information Act requests to find out were sent to the "DOJ, the FBI and NSA."

Take the Tor Project,  which about 500,000 people worldwide use as an anonymizing network to protect their privacy, or to get around surveillance and censorship. You may appear to be in the UK by using Tor, while a UK user may appear to be in the Italy, and a Tor user in Iran may appear to be in the United States. Soghoian wrote:

If the NSA is engaging in surveillance of foreign networks and it encounters traffic originating from a foreign Tor exit server, it will have no way of knowing if that traffic originally came from the United States or another foreign computer. Likewise, the NSA has no way of knowing if traffic exiting a US Tor exit server is actually from domestic users, or foreign. That is, after all, the point of Tor. This presents a pretty interesting and troubling legal question.


When the traffic of Iranian, Chinese, British and American citizens is combined and anonymized such that the true origin of the traffic cannot be determined, which set of the intelligence rules does the NSA follow?

Regarding FAA and the government monitoring the communications of Tor or VPN users, stay tuned as the ACLU, as it always does, will undoubtedly alert us as soon as it hears back about the newest FOIA requests. Regarding ECPA, the EFF urges, "If you haven't done so, please sign the "petition urging Congress to protect our privacy by updating ECPA."

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022