STANFORD -- Cyber security experts are questioning whether President Barack Obama can make good on his assurance that U.S. intelligence agencies aren't spying on "ordinary folks."
That promise is especially dubious, experts say, in instances where Americans are communicating with U.S. citizens living abroad and other people overseas.
"It's very clear there are enormous loopholes," said Jonathan Mayer, a cybersecurity fellow at Stanford University's Center for International Security and Cooperation, who is reverse engineering the NSA surveillance program to learn how much collection -- if taken to extremes -- is legally possible. "Their rules, combined with their capabilities, cut against the classical protections built into our legal system."
The National Security Agency and the CIA are tasked with gathering foreign -- not domestic -- intelligence. Agency rules say they must have a "reasonable, articulated suspicion" about the people they target, and are required to sift through all the data they collect and eliminate any that might have been intercepted from an innocent American, on U.S. soil or abroad.
This week the Obama Administration proposed that Congress overhaul the electronic surveillance program by having phone companies hold onto the call records as they do now.
But there remain a number of significant ambiguities that allow Americans' data to be swept up, saved and analyzed, according to a series of disclosures from former intelligence contractor Edward Snowden, WikiLeaks source Pvt. Chelsea (previously known as Bradley) Manning and the federal government itself:
-- Analysts need to be just "51 percent confident" that someone is not in the U.S., based on phone numbers, Internet Protocol addresses and email addresses, before they can target the person.
-- The NSA is allowed to store encrypted communications, domestic or foreign, at least until analysts can decrypt them to find out whether they contain information relating to national security. With widely used services like Gmail and Facebook adding encryption, this could encompass a vast amount of domestic communications.
-- Domestic communications with foreign targets can be scooped up without a warrant if the point of collection is outside the U.S.
On March 18 the Washington Post, using documents from Snowden, reported that the NSA has been recording and storing all of a foreign country's telephone calls, then listening to the conversations up to a month later. At the request of U.S. officials, the Post said it withheld details that could be used to identify the particular country.
The complexities of Internet traffic routing also could help the spy agencies to skirt the rules. Mayer's research found that five to 10 percent of all visits to popular U.S.-based websites bounce off foreign servers. For example, he said, a person in San Francisco shopping for a pair of shoes on a Denver-based retailer's website might have his computer's unique identifier sent, for a fraction of a second, to Japan where a program the retailer deployed is analyzing web traffic in real time. In theory, that San Francisco shopper can now have his data legally collected by the government, said Mayer.
"If you define almost nothing as breaking the rules, it becomes easy to say, 'Don't worry, we never break the rules,'" he said.
NSA spokeswoman Vanee Vines said all of the agency's work has a foreign intelligence purpose and that the NSA deletes data it accidentally collects.
And during a hearing last week, Deputy Assistant Attorney General Brad Wiegmann said a review of all foreignness determinations found an error rate of less than 0.1 percent.
"So that equates to essentially less than one in a thousand cases in which we're finding that NSA is making erroneous foreignness determinations," he said.
Rick Ledgett, who leads the NSA's media leaks task force, elaborated in a blog in January: "Limitations on our activities protect the privacy of all people and, in particular, any incidentally acquired communications of U.S. persons. The protections are applied at every possible step. In addition, the NSA works to remove as much extraneous data as early in the process as possible; the communications of any person who is not a foreign intelligence target are of no use to us."
In November, the Director of National Intelligence declassified internal NSA documents including training slides for its own intelligence analysts and internal guidance about how to strip out data the agency is not allowed to have.
But these measures do not reassure Sean Sullivan, a U.S. citizen living in Finland where he is a security adviser at F-Secure, a cybersecurity firm. He wonders how U.S. intelligence agents would know that his Finnish telephone number, email address and other information belong to a U.S. citizen and thus may not be collected.
"It seems impossible that the NSA could be unaware of the fact that many Americans live abroad," he said. "Thus, it is knowingly collecting data on US persons but pretending not to do so."
There have been several confirmations of breaches among the recent disclosures.
The Foreign Intelligence Surveillance Court ruled in 2011 that the NSA had repeatedly violated the Constitution's Fourth Amendment privacy protections when it collected tens of thousands of domestic emails that were technologically bundled with targeted foreign electronic messages. Two years earlier, the court said NSA analysts routinely ran unapproved and inappropriate search terms through its massive database of all domestic calls. The NSA resolved both issues to the court's satisfaction.
But Mark Rumold, a staff attorney at the nonprofit Electronic Frontier Foundation specializing in electronic surveillance and national security issues, said Americans living abroad or in touch with people abroad should assume their communications have been gathered.
"There is a significant chance that for anyone who has ever communicated overseas, at least some of their communications resided in some federal database at some point and have the potential to be reviewed by an analyst," he said.
Former Justice Department and NSA staffers said that while the rules may be designed to comply with the Constitution, the broad legal sweeps are deliberate, and computer, phone and email systems make those rules at times impossible to follow.
"The rules are almost certainly written this way to maximize the ability to store as much information as possible, in case it is needed later," said Veracode vice president Chris Eng, a former member of the NSA's "Red Team," which tested U.S. government and military networks for vulnerabilities.
But Eng said the government almost certainly could provide more rigorous oversight and perhaps establish data retention limits that wouldn't prevent the agency from doing its job.
Washington D.C.-based attorney Michael Sussmann, a former Justice Department computer crime prosecutor, said users of social media, video chats, blogs and other forms of communication can obscure their locations, making it tougher for intelligence agencies to identify people living or communicating abroad.
"I think a really big hurdle and cause for breakdown is when well understood black and white rules meet up against technologies that don't segment that well," he said. "So there are times when that can lead to inadvertent collection."
Philadelphia-based attorney Scott Vernick, who handles technology and privacy cases, said that because the federal intelligence agencies are so opaque, it's impossible to gauge the effectiveness of the government's privacy protections.
"The difficult thing is that we just don't know because there's so little transparency," he said. "There aren't good checks and balances."