Skip Navigation
Analysis

How the CIA Is Acting Outside the Law to Spy on Americans

Concerned senators have revealed that the government is using an executive order to bypass privacy protections enacted by Congress.

February 15, 2022

There’s a lot to unpack in the bomb­shell announce­ment by Sens. Ron Wyden (D-OR) and Martin Hein­rich (D-NM) last week that the CIA has been conduct­ing a bulk collec­tion program and search­ing through the result­ing data for inform­a­tion about Amer­ic­ans.

“Bulk collec­tion” is what happens when the govern­ment vacu­ums up data indis­crim­in­ately rather than target­ing indi­vidu­als or groups. The term was last in the news when whis­tleblower Edward Snowden revealed in 2013 that the NSA had collect­ing Amer­ic­ans’ tele­phone records in bulk.

You might be asking, didn’t Congress end bulk collec­tion? The short answer is no. In 2015, Congress passed legis­la­tion that ended the NSA’s program and sought to prohibit bulk collec­tion when the govern­ment is acting under the Foreign Intel­li­gence Surveil­lance Act of 1978 (FISA). But that law only applies to certain types of surveil­lance that target U.S. persons or happen inside the United States. When the collec­tion happens over­seas or falls into one of FISA’s stat­utory gaps, it takes place under Exec­ut­ive Order 12333, issued by Pres­id­ent Ronald Reagan in 1981.

As the Bren­nan Center noted in a 2016 report, most foreign intel­li­gence surveil­lance actu­ally takes place under EO 12333, not FISA. That means it is subject to no stat­utory constraints what­so­ever, and there is no judi­cial review or over­sight. EO 12333 does place some limits on surveil­lance, but not shock­ingly, its rules are much more permissive than those Congress estab­lished in FISA. Bulk collec­tion is just one example — it’s banned under FISA but permit­ted under EO 12333.

The FISA/EO 12333 distinc­tion might have made sense in 1978, when surveil­lance in the United States gener­ally meant surveil­lance of U.S. persons and surveil­lance abroad gener­ally meant surveil­lance of foreign nation­als. It makes zero sense today, when Amer­ic­ans’ commu­nic­a­tions and other personal data are as likely to be routed through or stored in Europe or Asia as the United States. Bulk collec­tion under EO 12333 will inev­it­ably sweep in dizzy­ing amounts of Amer­ic­ans’ inform­a­tion.

What stops the CIA from poring through the data look­ing for Amer­ic­ans’ inform­a­tion? Let’s be honest: noth­ing. The CIA’s internal rules from 2017 say the inform­a­tion sought must be “related to a duly author­ized activ­ity of the CIA,” as determ­ined by. . .  the CIA. The FBI has similar rules limit­ing its searches of data obtained under FISA Section 702. Year after year, the Foreign Intel­li­gence Surveil­lance Court finds that FBI agents have viol­ated these rules—and that’s when there’s a court actu­ally watch­ing them.

The CIA’s rules also say that CIA officers should docu­ment their purpose in running searches for Amer­ic­ans’ inform­a­tion. But accord­ing to staff members of the Privacy and Civil Liber­ties Over­sight Board, these rules, despite having been final­ized five years ago and released with great fanfare, have not yet been “imple­men­ted.”

And suppose for a moment that the CIA did restrict itself to searches designed to retrieve foreign intel­li­gence (a limit­a­tion that would certainly satisfy the CIA’s rules, despite the fact that EO 12333 defines “foreign intel­li­gence” to include liter­ally any inform­a­tion about the actions of any foreign person). Since when does the Fourth Amend­ment allow govern­ment agen­cies to help them­selves to Amer­ic­ans’ private data as long as they’re conduct­ing agency busi­ness? Should police be able to search your house without a warrant as long as they’re invest­ig­at­ing a crime?

At this point, you’re prob­ably wonder­ing what kind of data the CIA is collect­ing in bulk and using to spy on Amer­ic­ans. We don’t know, because the Biden admin­is­tra­tion is refus­ing to declas­sify a single word about the nature of the program. Simil­arly, while the CIA’s offi­cial state­ment says that the congres­sional intel­li­gence commit­tees have been kept fully informed about the program, Wyden and Hein­rich — both members of the Senate Select Commit­tee on Intel­li­gence — say other­wise. (Given the track record of the parties, my money’s on Wyden and Hein­rich.)

The former Obama offi­cials who now lead the intel­li­gence agen­cies seem to have forgot­ten the lesson of the NSA illegal spying fiasco: Public trust is neces­sary for intel­li­gence agen­cies to oper­ate effect­ively. That trust took an enorm­ous hit after the Snowden disclos­ures, and intel­li­gence agen­cies spent years trying to build it back through increased trans­par­ency. But if intel­li­gence lead­ers continue to with­hold any and all inform­a­tion about a bulk collec­tion program that sweeps in Amer­ic­ans’ data, they will lose whatever ground they gained — and they will be doing so by choice.

As for Congress, it cannot continue to allow the exec­ut­ive branch to have free access to Amer­ic­ans’ most personal data based on outdated factual distinc­tions that have no relev­ance to the level of privacy intru­sion or risk of abuse. No surveil­lance that has a signi­fic­ant impact on Amer­ic­ans’ privacy should take place without stat­utory safe­guards or judi­cial over­sight. Surveil­lance scan­dals over the past decade have yiel­ded a long list of changes that Congress should make to FISA. In light of last week’s news, Congress must now add one more crit­ical reform to that list: legis­late limits on EO 12333 surveil­lance — includ­ing a ban on bulk collec­tion — and bring it under the over­sight of the Foreign Intel­li­gence Surveil­lance Court.