Recent debates about privacy and technology have focused on the actions of government agencies inside the U.S. — for example, the Federal Bureau of Investigation’s efforts to break encryption on iPhones or the National Security Agency’s bulk collection of Americans’ phone records. But in a new report, we found that the NSA’s overseas surveillance activities through Executive Order 12333, most of which remain shrouded in secrecy, may have a far greater impact on Americans’ privacy.

Executive Summary

Since Edward Snowden’s 2013 revelations about National Security Agency (“NSA”) spying, there has been an ongoing public debate about the size and scope of the government’s domestic surveillance operations. Snowden’s disclosure about the NSA’s gathering of millions of Americans’ telephone records has already spurred Congress to set new limits on domestic bulk data collection. And next year, a provision of the Foreign Intelligence Surveillance Act authorizing the warrantless domestic collection of communications between Americans and foreigners will expire unless reauthorized. A spirited discussion about whether and how that law should be extended has already begun.

In contrast, there has been relatively little public or congressional debate within the United States about the NSA’s overseas surveillance operations, which are governed primarily by Executive Order (EO) 12333 — a presidential directive issued by Ronald Reagan in 1981 and revised by subsequent administrations. These activities, which involve the collection of communications content and metadata alike, constitute the majority of the NSA’s surveillance operations, yet they have largely escaped public scrutiny.

There are several reasons why EO 12333 and the programs that operate under its aegis have gone largely unnoticed. One is the misconception that overseas surveillance presents little privacy risk to Americans. Another is the scant information in the public domain about how EO 12333 actually operates. Finally, the few regulations that are public create a confusing and sometimes internally inconsistent thicket of guidelines.

This report sets out to invigorate the public debate on EO 12333 in three ways. First, it reviews several known EO 12333 programs to test the assumption that the NSA’s overseas operations have a minimal effect on Americans. Information disclosed both by Snowden and intelligence agencies shows that these operations have implications for Americans’ privacy that could well be greater than those of their domestic counterparts. The flow of electronic data is not constrained by territorial borders. The vast majority of Americans — whether wittingly or not — engage in communication that is transmitted or stored overseas. This reality of the digital age renders Americans’ communications and data highly vulnerable to NSA surveillance abroad.

Second, the report attempts to distill and make sense of the complex ecosystem of directives, policies, and guidance that form the regulatory backbone of the NSA’s overseas operations. Despite a series of significant disclosures, the scope of these operations, as well as critical detail about how they are regulated, remains secret. Nevertheless, an analysis of publicly available documents reveals several salient features of the EO 12333 regime:

• Bulk collection of information: The NSA engages in bulk collection overseas — for example, gathering all of the telephone calls going into or out of certain countries. These programs include the data of Americans who are visiting those countries or communicating with their inhabitants. While recent executive branch reforms place some limits on how the government may use data collected in bulk, these limits do not apply to data that is collected in bulk and held for a temporary (but unspecified) period of time in order to facilitate “targeted” surveillance.

• Treating subjects of discussion as “targets”: When the NSA conducts surveillance under EO 12333 that it characterizes as “targeted,” it is not limited to obtaining communications to or from particular individuals or groups, or even communications that refer to specified individuals or groups (such as e-mails that mention “ISIS”). Rather, the selection terms used by the NSA may include broad subjects, such as “Yemen” or “nuclear proliferation.”

• Weak limits on the retention and sharing of information: Despite recent reforms, the NSA continues to exercise significant discretion over how long it may retain personal data gathered under EO 12333 and the circumstances under which it may share such information. While there is a default five-year limit on data retention, there is an extensive list of exceptions. Information sharing with law enforcement authorities threatens to undermine traditional procedural safeguards in criminal proceedings. Current policies disclosed by the government also lack specific procedures for mitigating the human rights risks of intelligence sharing with foreign governments, particularly regimes with a history of repressive and abusive conduct.

• Systemic lack of meaningful oversight: Operations that are conducted solely under EO 12333 (i.e., those that are not subject to any statutory law) are not vetted or reviewed by any court. Members of the congressional intelligence committees have cited challenges in overseeing the NSA’s network of EO 12333 programs. While the Agency has argued that its privacy processes are robust, overreliance on internal safeguards fails to address the need for external and independent oversight. It also leaves Congress and the public without sufficient means to assess the risks and benefits of EO 12333 operations.

The report concludes with a list of major unanswered questions about EO 12333 and the array of surveillance activities conducted under its rules and policies. While many operational aspects of surveillance programs are necessarily secret, the NSA can and should share the laws and regulations that govern EO 12333 programs, significant interpretations of those legal authorities, and information about how EO 12333 operations are overseen both within the Executive Branch and by Congress. It should clarify internal definitions of terms such as “collection,” “targeted,” and “bulk” so that the scope of its operations is understandable rather than obscured. And it should provide more information on how its overseas operations impact Americans’ privacy, by releasing statistics on data collection and by specifying in greater detail the instances in which it shares information with other U.S. and foreign agencies and the relevant safeguards. Providing this information will not only enhance accountability and public confidence; it will permit an informed public debate and, ultimately, a democratic choice about the ways in which we authorize our government to gain access to our own private data and the data of people around the world. That, in turn, will pave the way for laws and policies that protect both liberty and security.