U.S. intelligence agents have broad authority to spy on U.S. companies as long as they are “believed to have some relationship with foreign organizations or persons” — a description that could conceivably apply to any company with foreign shareholders, subsidiaries, or even employees—according to newly released government documents published this morning by the ACLU.

The trove, which includes documents from the NSA, Department of Justice, and Defense Intelligence Agency, confirms long-standing suspicions that the bulk of U.S. foreign surveillance operations are governed not by acts of Congress, but by a 33-year-old executive order issued unilaterally by President Ronald Reagan.

The documents were released in response to a Freedom of Information Act lawsuit filed by the ACLU and the Media Freedom and Information Access Clinic at Yale Law School, and they detail the extent of the order — which is extraordinarily broad and until recently largely obscure — and which underpins expansive U.S. surveillance programs, like siphoning internet traffic from Google and Yahoo’s overseas data centers, recording every call in the Bahamas, and gathering billions of records on cellphone locations around the world.

They also point to a gap in the public reaction to Ed Snowden’s revelations about those programs. Despite that fact that most of the NSA’s spying relies on Reagan’s directive, Executive Order 12333, the vast majority of reform efforts have concentrated on the Foreign Intelligence Surveillance Act (FISA) and other legislative fixes. “Congress’s reform efforts have not addressed the executive order,” notes Alex Abdo of the ACLU, “and the bulk of the government’s disclosures in response to the Snowden revelations have conspicuously ignored the NSA’s extensive mandate under EO 12333.”

The documents assert that mandate baldly. A legal factsheet from the NSA, dated June 2013, states that the FISA, which requires judicial oversight over spying on Americans, “only regulates a subset of the NSA’s signals intelligence activities. NSA conducts the majority of its SIGINT activities solely pursuant to the authority provided by Executive Order 12333.”

Often referred to as “twelve triple three” or EO 12333, the executive order came into being in 1981 under Reagan. Much of the post-Snowden debate, particularly with respect to the bulk collection of Americans’ phone records, has focused on the interlocking legal authorities of Section 215 of the Patriot Act and the 2008 FISA Amendments Act. But, the ACLU notes, “because the executive branch issued and now implements the executive order all on its own, the programs operating under the order are subject to essentially no oversight from Congress or the courts.” The documents describe procedures for safeguarding the rights of Americans whose information might be “incidentally” collected under 12333, but those procedures are overseen by the director of national intelligence or the attorney general.

Numerous passages in the newly released documents from the Department of Justice’s Office of Legal Counsel are redacted, and dozens of pages are withheld in full. The few sentences left, for instance, in a 2001 memo by Bush counsel John Yoo are all assertions of the president’s inherent power to conduct surveillance to “protect the national security.” (Once such sentence—”intelligence gathering in direct support of military operations does not trigger constitutional rights against illegal searches and seizures”—substantially aligns with King George III’s position on the matter.) The majority of the FBI documents obtained by the ACLU are similarly censored.

Among the stand-out revelations in the documents:

The Defense Intelligence Agency permits collection on U.S. persons, a category which includes not just human American citizens, but also American companies, lawful permanent residents of the U.S., and more — so long as the information collected falls into one of 16 broad categories, which include “[c]ommerical organizations believed to have some relationship with foreign organizations or persons” and “[p]otential sources of assistance to intelligence activities.”

The order, which was established long before the era of social media, permits collection of “publicly available” information on Americans, opening the door for massive data-mining operations.

The Pentagon draws a distinction between information that is “gathered” and information that is “collected.” According to a 2004 DIA intelligence handbook, information is first “gathered” but is not “collected” until “an affirmative act” has been taken “in the direction of use or retention of that information.” In other words, information is not collected until it has been officially retained in a database, a report or elsewhere. “We see that ‘collection of information’ for DoD…purposes is more than ‘gathering’ —it could be described as ‘gathering, plus,’” the handbook reads.

The materials also confirm that EO 12333 information on Americans that has been “incidentally” collected can be passed to other agencies if the collector has reason to believe the information points to evidence of a crime or may contain information pertinent to understanding foreign intelligence. In August, an Intercept investigation revealed extensive information sharing between federal law enforcement and in the intelligence community—including DEA, FBI, CIA and the DIA—through a Google-like search engine known as ICREACH.

A review group appointed by Obama recommended last December that the government should be more cautious with the American data gathered under 12333. Those proposals were rejected, The New York Times recently reported. In July, John Napier Tye, a departing section chief for internet freedom in the State Department’s Bureau of Democracy, Human Rights, and Labor, came forward to publicly to raise concerns about the government’s reliance on 12333.

“Public debate about the bulk collection of U.S. citizens’ data by the NSA has focused largely on Section 215 of the Patriot Act, through which the government obtains court orders to compel American telecommunications companies to turn over phone data,” Tye wrote in an op-ed for The Washington Post. “But Section 215 is a small part of the picture and does not include the universe of collection and storage of communications by U.S. persons authorized under Executive Order 12333.”

“I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215,” Tye added.

Explore the documents in full here.

Photo of former President Ronald Reagan in 1981, the same year Executive Order 12333 went into effect. Express/Getty Images.