Skip Navigation

How the CIA Is Acting Outside the Law to Spy on Americans

Concerned senators have revealed that the government is using an executive order to bypass privacy protections enacted by Congress.

February 15, 2022

There’s a lot to unpack in the bombshell announcement by Sens. Ron Wyden (D-OR) and Martin Heinrich (D-NM) last week that the CIA has been conducting a bulk collection program and searching through the resulting data for information about Americans.

“Bulk collection” is what happens when the government vacuums up data indiscriminately rather than targeting individuals or groups. The term was last in the news when whistleblower Edward Snowden revealed in 2013 that the NSA had collecting Americans’ telephone records in bulk.

You might be asking, didn’t Congress end bulk collection? The short answer is no. In 2015, Congress passed legislation that ended the NSA’s program and sought to prohibit bulk collection when the government is acting under the Foreign Intelligence Surveillance Act of 1978 (FISA). But that law only applies to certain types of surveillance that target U.S. persons or happen inside the United States. When the collection happens overseas or falls into one of FISA’s statutory gaps, it takes place under Executive Order 12333, issued by President Ronald Reagan in 1981.

As the Brennan Center noted in a 2016 report, most foreign intelligence surveillance actually takes place under EO 12333, not FISA. That means it is subject to no statutory constraints whatsoever, and there is no judicial review or oversight. EO 12333 does place some limits on surveillance, but not shockingly, its rules are much more permissive than those Congress established in FISA. Bulk collection is just one example — it’s banned under FISA but permitted under EO 12333.

The FISA/EO 12333 distinction might have made sense in 1978, when surveillance in the United States generally meant surveillance of U.S. persons and surveillance abroad generally meant surveillance of foreign nationals. It makes zero sense today, when Americans’ communications and other personal data are as likely to be routed through or stored in Europe or Asia as the United States. Bulk collection under EO 12333 will inevitably sweep in dizzying amounts of Americans’ information.

What stops the CIA from poring through the data looking for Americans’ information? Let’s be honest: nothing. The CIA’s internal rules from 2017 say the information sought must be “related to a duly authorized activity of the CIA,” as determined by. . .  the CIA. The FBI has similar rules limiting its searches of data obtained under FISA Section 702. Year after year, the Foreign Intelligence Surveillance Court finds that FBI agents have violated these rules—and that’s when there’s a court actually watching them.

The CIA’s rules also say that CIA officers should document their purpose in running searches for Americans’ information. But according to staff members of the Privacy and Civil Liberties Oversight Board, these rules, despite having been finalized five years ago and released with great fanfare, have not yet been “implemented.”

And suppose for a moment that the CIA did restrict itself to searches designed to retrieve foreign intelligence (a limitation that would certainly satisfy the CIA’s rules, despite the fact that EO 12333 defines “foreign intelligence” to include literally any information about the actions of any foreign person). Since when does the Fourth Amendment allow government agencies to help themselves to Americans’ private data as long as they’re conducting agency business? Should police be able to search your house without a warrant as long as they’re investigating a crime?

At this point, you’re probably wondering what kind of data the CIA is collecting in bulk and using to spy on Americans. We don’t know, because the Biden administration is refusing to declassify a single word about the nature of the program. Similarly, while the CIA’s official statement says that the congressional intelligence committees have been kept fully informed about the program, Wyden and Heinrich — both members of the Senate Select Committee on Intelligence — say otherwise. (Given the track record of the parties, my money’s on Wyden and Heinrich.)

The former Obama officials who now lead the intelligence agencies seem to have forgotten the lesson of the NSA illegal spying fiasco: Public trust is necessary for intelligence agencies to operate effectively. That trust took an enormous hit after the Snowden disclosures, and intelligence agencies spent years trying to build it back through increased transparency. But if intelligence leaders continue to withhold any and all information about a bulk collection program that sweeps in Americans’ data, they will lose whatever ground they gained — and they will be doing so by choice.

As for Congress, it cannot continue to allow the executive branch to have free access to Americans’ most personal data based on outdated factual distinctions that have no relevance to the level of privacy intrusion or risk of abuse. No surveillance that has a significant impact on Americans’ privacy should take place without statutory safeguards or judicial oversight. Surveillance scandals over the past decade have yielded a long list of changes that Congress should make to FISA. In light of last week’s news, Congress must now add one more critical reform to that list: legislate limits on EO 12333 surveillance — including a ban on bulk collection — and bring it under the oversight of the Foreign Intelligence Surveillance Court.