

This graphic from NSA internal training materials, provided to The Washington Post by former NSA contractor Edward Snowden, outlines the various authorities for signals intelligence collection. At the bottom, there are 'checkboxes' for target status, target location and collection site. (Source: Barton Gellman)

An independent privacy watchdog agency announced Wednesday that it will turn its focus to the largest and most complex of U.S. electronic surveillance regimes: signals intelligence collection under Executive Order 12333.

That highly technical name masks a constellation of complex surveillance activities carried out for foreign intelligence purposes by the National Security Agency under executive authority. But unlike two other major NSA collection programs that have been in the news lately, EO 12333 surveillance is conducted without court oversight and with comparatively little Congressional review.

The Privacy and Civil Liberties Oversight Board, an independent executive branch agency, over the last year has taken in-depth looks at the other two NSA programs. It concluded the bulk collection of Americans’ phone call metadata under Section 215 of the Patriot Act was illegal and raised constitutional concerns. By contrast, it found the gathering of call and email content under Section 702 of the Foreign Intelligence Surveillance Act to be lawful, though certain elements pushed “close to the line” of being unconstitutional.

Now the board is planning to delve into EO 12333 collection, among other topics. It is not clear, however, how deep or broad its examination will be.

“It’s obviously a complex thing to look at 12333,” but "it's something we'll likely be delving into,” said a member of the Privacy and Civil Liberties Oversight Board who requested anonymity in order to speak freely. The board has highlighted 12333 issues in the past. For example, each agency is supposed to have guidelines to carry out the executive order, but some guidelines are three decades old. The board has encouraged the guidelines be updated, the source said.

Collection outside the United States has attained new relevance given media reports in the last year about broad NSA surveillance based on documents leaked to journalists by former agency contractor Edward Snowden.

“Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215,” said a former State Department official, John Napier Tye, in an op-ed published Sunday in The Washington Post.

Issued in 1981 by President Ronald Reagan, EO 12333 laid out the roles and powers of the various intelligence agencies. It specified that the NSA had control of signals intelligence collection for foreign intelligence and counterintelligence purposes. But the nature and scope of the collection activities have not been clarified for the public.

Unlike surveillance inside the United States or which targets U.S. citizens and legal residents, collection under 12333 does not require a warrant.

Once upon a time, you could be fairly certain that overseas collection would pick up only foreigners’ phone calls, and that Americans’ communications would stay inside the United States. But today, emails, calls and other communications cross U.S. borders and are often stored beyond them. Companies like Google and Yahoo have “mirror” servers around the world that hold customers’ data.

That means Americans’ data are often stored both in the United States and abroad simultaneously, subject to two different legal and oversight regimes. Surveillance on U.S. soil requires court permission and an individual warrant for each target. Surveillance abroad requires a warrant for U.S. persons, but if collection is coming from a data center overseas, large volumes of Americans’ communications may be picked up as “incidental” to collection on a foreign target.

“So a lot of ordinary data crosses borders, including domestic communications between Americans,” said Edward W. Felten, a computer science professor at Princeton University.

Or as former NSA Deputy Director John C. Inglis has said of the falling away of borders in cyberspace: “There is not an away game. There is not a home game. There is only one game.”

With the merging of the home and away games, the question arises as to whether a legal regime that bases privacy protections and oversight largely on geography is sufficient, analysts say.

The Post reported last fall, for example, that NSA was collecting 500,000 e-mail account “address books” a day outside the United States from companies such as Yahoo and Google. According to documents obtained from Snowden, the agency was collecting the data through secret arrangements with foreign telecommunications companies or allied intelligence services in control of facilities that direct traffic along the Internet’s main data routes.

Although the collection takes place overseas, two senior U.S. intelligence officials acknowledged that it “incidentally” sweeps in the contacts of many Americans, the article said. The Post also reported that the agency in conjunction with Britain’s GCHQ, was collecting data traveling between Google and Yahoo data centers overseas. In Google’s case, that was up to 6 million records a day, according to a slide obtained from Snowden. The firms have since said they are encrypting the data moving between their data centers.

EO 12333 collection is not available everywhere in the world, former U.S. officials said. It is not as precise as collection from a U.S. carrier in the United States, which can filter out unwanted communications. Under 12333, the agency is “collector and processor,” said one former U.S. official, who spoke on condition of anonymity to discuss a sensitive topic. “Things go by and you now have to figure out which things are of interest to you.” And those things are “incredibly fractured and packetized.”

Tye said before he left the State Department, he filed a complaint with its inspector general, as well as the NSA inspector general, alleging that 12333 collection through its “incidental collection” of Americans’ data, violated the Fourth Amendment’s bar on unreasonable searches and seizures.

“Basically 12333 is a legal loophole,” said Tye, who is now legal director at Avaaz, a civil society group working on regional and national issues ranging from corruption and poverty to conflict and climate change. “It allows the NSA to collect all kinds of communications by Americans that the NSA would not be able to collect inside the borders” without a warrant.

Inglis said Tye’s description of 12333 as a loophole is “simply wrong, in both fact and spirit.” Said Inglis: “There are no ‘rules free’ zones at NSA and the responsibility to ensure the privacy rights of U.S. persons conveys across all facets of the signals intelligence cycle, from collection to dissemination.”

Jennifer Granick, Director of Civil Liberties at the Stanford Center for Internet and Society, said 12333 allows “bulk collection” of data or the ingestion of massive amounts of data without a filter for a target’s e-mail address or phone number, for instance.

“Both collection and use are far less regulated” than collection inside the United States, she said. “We don't know how or how much information is collected, used, analyzed or shared.”

At the same time, she said, “while 12333 greatly affects Americans and regular people from all over the world, the public and Congress are basically in the dark about what the NSA is doing.”

NSA Spokeswoman Vanee Vines said that “whether NSA’s activities are conducted under EO 12333 or the Foreign Intelligence Surveillance Act [which governs domestic surveillance], NSA applies attorney general-approved processes to protect the privacy of U.S. persons in the collection, retention and use of foreign intelligence.”

She added that President Obama issued additional guidance in January under Presidential Policy Directive 28, which provides that such activities “shall be as tailored as feasible.”

The directive specified that “appropriate safeguards be applied to protect the personal information of all individuals, regardless of nationality.”

A fundamental unresolved question is this: At what point should these privacy safeguards kick in? At the point the data are swept in by the intelligence agency or when they are plucked out for analysis and sharing with other agencies?

Currently, they apply once the data are processed, former officials said.

The privacy protections governing 12333 collection are in US Signals Intelligence Directive 18. That NSA policy document, for instance, states that communications to, from or about U.S. persons collected under the authority may be retained for five years, unless the NSA director determines a longer period is required.

It also states that they may be kept for a “period sufficient” if they are reasonably believed to become relevant to a current or future foreign intelligence requirement. Or if the information provides evidence of a crime, in which case it may be shared with the relevasnt agency.

Such qualifications, privacy advocates have said, amount to “loopholes” that enable the retention of large amounts of U.S. persons’ data.

One thing is clear: examining overseas collection under 12333 “is a massive undertaking,” the board source said. But “it is something we have to look at.”

Soltani is an independent security researcher and consultant.​