In recent weeks there has been much criticism of the US National Security Agency. It spies on people indiscriminately – even the citizens of its European allies – goes the furious and clearly justified accusation. Politicians in Germany and the EU have repeatedly criticised the US. Yet it seems they themselves are sitting in a rather large glass house.

The German intelligence service – the Bundesnachrichtendienst (BND) – to name an example close to home, does exactly the same thing as the NSA abroad and it does so within a similar legal framework. "The differences between the BND and the NSA are much smaller than is generally accepted by the public," write Stefan Heumann and Ben Scott in their study on the legal foundations of internet surveillance programmes in the US, the UK and Germany.

Heumann works at the German thinktank Neue Verantwortung (New Responsibility), Scott was an adviser to the former US secretary of state Hillary Clinton and is now a policy adviser at the Open Technology Institute, part of the New America Foundation thinktank. In their study, the analysts compared the legal foundations, focus and parliamentary oversight of spying programmes in three countries.

Their findings: the NSA runs the biggest spying programme and has the advantage that its targets – the internet providers – are mainly based in the US. Yet at its core the NSA's surveillance is no different from that of the British GCHQ and the BND in Germany. The underlying laws have the same structure, write Heumann and Scott, even if "their interpretation can differ".

Heumann and Scott are not the first to say this. The Berlin-based lawyer Niko Härting, for example, has compared the legal foundations for the work of the NSA and the BND. He also found that both agencies are essentially doing the same thing in that they consider everyone living outside their territory to be "without rights". In short: intelligence services are allowed to spy on foreigners completely unimpeded. Härting points out that it is, after all, the job of foreign intelligence services to watch everybody else.

But Heumann and Scott go one step further, deploring the weakness of legal controls on the intelligence services, which they say are far too limited.

"In all three countries the services enjoy great secrecy and freedom when it comes to gathering information abroad. National legal limits and control mechanisms only apply to domestic citizens. And in most cases these limits only come into effect after the event, once the communication data in question has already been intercepted."

All three countries, they conclude, lack robust systems capable of protecting citizens from unwarranted surveillance.

Of the three countries they looked at, the authors said checks and balances in Britain are the weakest. Neither parliament nor the courts are involved in regulating or authorising surveillance programmes. Oversight is limited exclusively to within the service itself.

One point in the authors' comparison of Germany and the US stands out as particularly interesting. The US Fisa courts – closed courts that authorise and regulate surveillance there – come in for a lot of criticism for meeting in secret. In Germany it is the same, say Heumann and Scott. The sessions of the German equivalent, the G-10 parliamentary commission, are also held in secret. "Since the G-10 commission meets in secret, we do not know whether and to what extent [it] upholds its legal powers of control," writes Heumann.

In all three countries, the legal frameworks regulating surveillance are much too vague and broad. These are: the US Foreign Intelligence Surveillance Act (Fisa), particularly paragraphs 215 and 702; the British Intelligence Services Act (ISA) and the Regulation of Investigatory Powers Act (Ripa); and in Germany the BND Gesetz (BND Act) and, regulating interception of communication, the G-10 Gesetz.

The study's authors note that the German G-10 law – just like laws in the US – only protects residents in Germany. But as soon as these people communicate with someone outside of the country, this communication is not covered by the law and can be intercepted. Conversations and messages that cross borders are not subject to any control mechanisms. In practice, the BND operates at this point in a legal vacuum.

In Germany, the federal chancellery is also responsible for regulating the BND. But public trust in this body's resolve to impose limitations on the intelligence agency has been shaken – not least by suggestions back in August that the NSA scandal had been laid to rest without the need for further investigation.

Heumann summarises:

"In the United States, Britain and Germany, most of the legal foundations for surveillance measures by intelligence agencies date from a time when the internet played a subsidiary role in communications. The laws are formulated for the most part so broadly that they leave the intelligence services a lot of scope to interpret their mandates. How exactly the intelligence agencies interpret their powers is often classified information, and as such is not understandable for the public."

Technological development has meant it is now possible to mount surveillance on many things. Because it is rarely possible, when filtering internet data in real time, to differentiate immediately between domestic and foreign communications, everything is recorded first and only then sorted into data that can be evaluated and data that cannot. "In other words: every communication on the internet which could be of significance for intelligence is stored and shared, regardless of which legal regulations apply to control the collection of this data," write the authors.

With their study, Heumann and Scott want to lay the foundations for an international debate on surveillance. They suggest how services and laws can be altered to strengthen privacy rights. This reform, they conclude, is urgently needed.

This article was originally published on Zeit Online. Translation by Josie Le Blond.