Just now read a rather disturbing article from Sophos security. The article describes the interpretation of the law by NSA and some of the internal policies that they use in surveillance.
They also reveal that courts don’t always determine who’s targeted for surveillance because that discretion is practiced by the NSA’s own analysts, with only a percentage of decisions being reviewed by regular internal audits.
To make those decisions, NSA analysts use information including IP addresses, potential targets’ statements, and public information and data collected by other agencies.
In the absence of such information - for example, if a potential target is using online anonymity services such as Tor, or sending encrypted email and instant messages - agents are encouraged to assume that the target is outside the US.
This is the part that needs to be emphasized again and again - all this hullaboo in USA about NSA’s surveillance is about snooping on American citizens. If you are not one, you have no rights at all and NSA has no limits to what they can sniff out of you and how long they can keep that info. I know, it is pretty much common sense, but when I see Indians getting all worked up about this revelation, I sometimes feel that some of them don’t get this.
So coming back to the article, if an American is using Tor or encrypted email or encrypted chat messages, unless the American has been positively identified as an US citizen, he will be treated like a foreign person - essentially with no rights.
And this part is interesting:
If communication is encrypted - particularly if a US person is using certain types of cryptology or steganography known to have been used by “individuals associated with a foreign power or foreign territory” - the NSA is free to collect it and store it “indefinitely” for future reference and cryptanalysis attempts.
That is a loophole right there in my opinion - will they still keep the crypto data if they already have the means to crack it? :-)