Recent debates about privacy and technology have focused on the actions of government agencies inside the U.S. — for example, the Federal Bureau of Investigation’s efforts to break encryption on iPhones or the National Security Agency’s bulk collection of Americans’ phone records. But in a new report, we found that the NSA’s overseas surveillance activities through Executive Order 12333, most of which remain shrouded in secrecy, may have a far greater impact on Americans’ privacy.
Since Edward Snowden’s 2013 revelations about National Security Agency (“NSA”) spying, there has been an ongoing public debate about the size and scope of the government’s domestic surveillance operations. Snowden’s disclosure about the NSA’s gathering of millions of Americans’ telephone records has already spurred Congress to set new limits on domestic bulk data collection. And next year, a provision of the Foreign Intelligence Surveillance Act authorizing the warrantless domestic collection of communications between Americans and foreigners will expire unless reauthorized. A spirited discussion about whether and how that law should be extended has already begun.
In contrast, there has been relatively little public or congressional debate within the United States about the NSA’s overseas surveillance operations, which are governed primarily by Executive Order (EO) 12333 — a presidential directive issued by Ronald Reagan in 1981 and revised by subsequent administrations. These activities, which involve the collection of communications content and metadata alike, constitute the majority of the NSA’s surveillance operations, yet they have largely escaped public scrutiny.
There are several reasons why EO 12333 and the programs that operate under its aegis have gone largely unnoticed. One is the misconception that overseas surveillance presents little privacy risk to Americans. Another is the scant information in the public domain about how EO 12333 actually operates. Finally, the few regulations that are public create a confusing and sometimes internally inconsistent thicket of guidelines.
This report sets out to invigorate the public debate on EO 12333 in three ways. First, it reviews several known EO 12333 programs to test the assumption that the NSA’s overseas operations have a minimal effect on Americans. Information disclosed by both Snowden and intelligence agencies shows that these operations have implications for Americans’ privacy that could well be greater than those of their domestic counterparts. The flow of electronic data is not constrained by territorial borders. The vast majority of Americans — whether wittingly or not — engage in communication that is transmitted or stored overseas. This reality of the digital age renders Americans’ communications and data highly vulnerable to NSA surveillance abroad.
Second, the report attempts to distill and make sense of the complex ecosystem of directives, policies, and guidance that form the regulatory backbone of the NSA’s overseas operations. Despite a series of significant disclosures, the scope of these operations, as well as critical detail about how they are regulated, remains secret. Nevertheless, an analysis of publicly available documents reveals several salient features of the EO 12333 regime:
• Bulk collection of information: The NSA engages in bulk collection overseas — for example, gathering all of the telephone calls going into or out of certain countries. These programs include the data of Americans who are visiting those countries or communicating with their inhabitants. While recent executive branch reforms place some limits on how the government may use data collected in bulk, these limits do not apply to data that is collected in bulk and held for a temporary (but unspecified) period of time in order to facilitate “targeted” surveillance.
• Treating subjects of discussion as “targets”: When the NSA conducts surveillance under EO 12333 that it characterizes as “targeted,” it is not limited to obtaining communications to or from particular individuals or groups, or even communications that refer to specified individuals or groups (such as e-mails that mention “ISIS”). Rather, the selection terms used by the NSA may include broad subjects, such as “Yemen” or “nuclear proliferation.”
• Weak limits on the retention and sharing of information: Despite recent reforms, the NSA continues to exercise significant discretion over how long it may retain personal data gathered under EO 12333 and the circumstances under which it may share such information. While there is a default five-year limit on data retention, there is an extensive list of exceptions. Information sharing with law enforcement authorities threatens to undermine traditional procedural safeguards in criminal proceedings. Current policies disclosed by the government also lack specific procedures for mitigating the human rights risks of intelligence sharing with foreign governments, particularly regimes with a history of repressive and abusive conduct.
• Systemic lack of meaningful oversight: Operations that are conducted solely under EO 12333 (i.e., those that are not subject to any statutory law) are not vetted or reviewed by any court. Members of the congressional intelligence committees have cited challenges in overseeing the NSA’s network of EO 12333 programs. While the Agency has argued that its privacy processes are robust, overreliance on internal safeguards fails to address the need for external and independent oversight. It also leaves Congress and the public without sufficient means to assess the risks and benefits of EO 12333 operations.
The report concludes with a list of major unanswered questions about EO 12333 and the array of surveillance activities conducted under its rules and policies. While many operational aspects of surveillance programs are necessarily secret, the NSA can and should share the laws and regulations that govern EO 12333 programs, significant interpretations of those legal authorities, and information about how EO 12333 operations are overseen both within the Executive Branch and by Congress. It should clarify internal definitions of terms such as “collection,” “targeted,” and “bulk” so that the scope of its operations is understandable rather than obscured. And it should provide more information on how its overseas operations impact Americans’ privacy, by releasing statistics on data collection and by specifying in greater detail the instances in which it shares information with other U.S. and foreign agencies and the relevant safeguards. Providing this information will not only enhance accountability and public confidence; it will permit an informed public debate and, ultimately, a democratic choice about the ways in which we authorize our government to gain access to our own private data and the data of people around the world. That, in turn, will pave the way for laws and policies that protect both liberty and security.