When you monitor all of the network traffic, you can easily deanonymize (even encrypted) tunnels via simple timing attacks. VPNs don't help.

I keep getting into discussions with people this month about Tor, and they keep bringing up the fact that "we don't know how many tor nodes are run by the government or other attackers". Fact is, if you can monitor all of the long-haul network traffic in full, you don't need to run _any_ tor nodes to deanonymize all of the users. You can just watch the traffic flows as they go into the tor network, bounce around, and pop out - encrypted or not.

Agreed. But when you have "John Smith" coming in over VPN from a foreign IP to a domestic email account, how can you tell if they are an expat citizen or a masquerade? Presumably this is why the NSA monitors whenever at least one half of the connection is foreign.

The number of expat citizens is small enough as to be statistically insignificant at this scale of monitoring. For all intents and purposes they can just be treated as foreigners.

I mean, what real American would ever deign to leave the homeland?! If you leave the USA to go live in some stupid foreign land you must not want your human rights anyway.