The way John Tye tells it, we’ve all been missing the forest for the trees.

Over the course of two phone calls, the former State Department official told Ars that anyone who has been following the government surveillance discussion since the Snowden disclosures has been too concerned with things like metadata collection. Since last summer, journalists, politicians, and the public have been inundated with largely-unknown terminology, like “Section 215” and “Section 702.”

(For a recap: The first disclosure to come from the documents provided by Snowden described the bulk metadata programs, whose legal authority derives from Section 215 of the Patriot Act. Section 702 of the Foreign Intelligence Surveillance Act is the legal authority which the NSA uses as the basis for PRISM and other surveillance and data collection programs.)

But according to Tye, what we should be really worried about is Executive Order 12333 (EO 12333)—or “twelve triple three” in government parlance. It's a Reagan-era order that spells out the NSA's authority to conduct signals intelligence among other things. EO 12333 was amended three times under President George W. Bush and, famously, the NSA expanded its domestic surveillance operation after the September 11 attacks without a direct order from the president, who later provided cover under EO 12333.

In July 2014, Tye wrote an op-ed in The Washington Post outlining his concerns. It drew a direct response from the Office of the Director of National Intelligence on Tuesday. According to Tye, the massive amounts of content sucked up by the American spy apparatus “incidental” to targeted collecting is voluminous, unnecessary, and unconstitutional. And no one in the government has ever tried to challenge this legal authorization.

“12333 is used to target foreigners abroad, and collection happens outside the US," he told Ars. "My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.” Tye continued:

There are networks of servers all over the world and there have been news stories on Google and Yahoo—the minute the data leaves US soil it can be collected under 12333. That’s true not just for Google and Yahoo, that’s true for Facebook, Apple iMessages, Skype, Dropbox, and Snapchat. Most likely that data is stored at some point outside US or transits outside the US. Pretty much every significant service that Americans use, at some point it transits outside the US. Hypothetically, under 12333 the NSA could target a single foreigner abroad. And hypothetically if, while targeting that single person, they happened to collect every single Gmail and every single Facebook message on the company servers not just from the one person who is the target, but from everyone—then the NSA could keep and use the data from those three billion other people. That’s called 'incidental collection.' I will not confirm or deny that that is happening, but there is nothing in 12333 to prevent that from happening.

Not leaking, but whistleblowing

Earlier this year, Tye began his own quiet campaign to change all that, and he’s dotting every i, crossing every t, and jumping through every possible hoop in order to make his point to whoever will listen.

In April 2014, before leaving his post at the State Department to become a legal director at a non-profit organization, Avaaz , Tye filed a whistleblower complaint with State’s Inspector General and filed related letters with the Senate and House Intelligence Committees and the National Security Agency Office of the Inspector General. He only received perfunctory responses , nothing substantial.

The Washington Post op-ed was the first time Tye publicly aired his concerns. It was even submitted for pre-publication review by the State Department and the NSA to ensure the op-ed did not contain classified information, but apparently neither agency changed a single word. Since then, Tye's been profiled in Vice, The New York Times, and a few other media outlets. His public remarks have finally gotten the government's attention.

The public response to Tye came from Alexander Joel, the civil liberties protection officer for the Office of the Director of National Intelligence (ODNI) who reports directly to Director of National Intelligence James R. Clapper. He published an op-ed in Politico responding to Tye by name, even praising him for staying within the lines laid out for government oversight.

Joel wrote that the government cannot target Americans without the Attorney General finding that the person is an agent of a foreign power. He noted that when the government collects Americans' e-mails due to incidental collection, that data can't just be searched willy-nilly.

These procedures, which must be approved by the [Foreign Intelligence Surveillance Act] court, restrict what the government can do with collected information about US persons (such as for how long that information may be retained, and under what circumstances it may be shared). Similarly, EO 12333 requires procedures to minimize how an agency collects, retains or disseminates US person information. These procedures must be approved by the attorney general, providing an important additional check. The National Security Agency’s procedures are reflected in documents such as United States Signals Intelligence Directive SP0018 (USSID 18), issued in 1993 and updated in 2011. These procedures generally provide that communications may not be retained for more than five years. In addition, NSA personnel may not use US person “selection terms” (such as names, phone numbers or e-mail addresses) to retrieve communications from its collection under EO 12333 without a finding by the attorney general that the US person is an agent of a foreign power (or in other similarly narrow circumstances). And even if the NSA determines that information about an American constitutes foreign intelligence, it routinely uses a generic label like “US Person 1” in intelligence reporting to safeguard the person’s identity. The underlying identity may be provided only in a very limited set of circumstances, such as if it’s necessary to understand the particular foreign intelligence being conveyed.

Tye isn't swayed by this argument. He told Ars that what Joel outlined only covers part of the primary four steps involved in such digital surveillance.

According to Tye, the first step is the government deciding who is and isn't a legitimate surveillance target. The second step contains the collection process itself—how that data is swept up. Next, the third step is how all that information is filtered and how long it is retained for. Finally, the fourth step describes how that data is used. Joel's rebuttal seems to focus only on steps one and four, while Tye is arguing about the collection and retention itself.

This is similar to the argument the Electronic Frontier Foundation (EFF) made in a related case, Jewel v. NSA. In a June 2014 hearing in Oakland, California , EFF lawyer Cindy Cohn argued that the government’s data collection under Section 702 should be thought of in two sections, the first being the bulk collection and the second being the filtering through the government’s minimization procedures.

“The fight in our case has been largely about Step 1,” she said. “The government’s argument is about Step 2. We’re arguing on behalf of the millions of people whose e-mails were collected.”

Tye makes the same point with respect to Executive Order 12333.

"In theory the NSA could have a single legitimate foreign target that’s using Gmail, Yahoo, Dropbox, iMessage, Skype—and 'incidental collection' means that could mean that every person's data from all of those services is swept up and stored—billions of people," he said. "I know that sounds crazy but that's how the executive order works. The targeting is not a meaningful constraint on NSA collection." He continued: