Related:

12 December 2013, WH: Liberty and Security in a Changing World: Report and Recommendations of the President's Review Group on Intelligence and Communications Technologies (PDF)

25 January 2011, ODNI: NSA: United States Signals Intelligence Directive: Legal Compliance and U.S. Persons Minimization Procedures (USSID SP0018) (PDF)

4 December 1981, NARA: Federal Register: WH: Executive Order 12333--United States intelligence activities

http://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html

Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans

By John Napier Tye

July 18, 2014

In March I received a call from the White House counsel's office regarding a speech I had prepared for my boss at the State Department. The speech [1] was about the impact that the disclosure of National Security Agency surveillance practices would have on U.S. Internet freedom policies. The draft stated that "if U.S. citizens disagree with congressional and executive branch determinations about the proper scope of signals intelligence activities, they have the opportunity to change the policy through our democratic process."

But the White House counsel's office told me that no, that wasn't true. I was instructed to amend the line, making a general reference to "our laws and policies," rather than our intelligence practices. I did.

Even after all the reforms President Obama has announced, some intelligence practices remain so secret, even from members of Congress, that there is no opportunity for our democracy to change them.

Public debate about the bulk collection of U.S. citizens' data by the NSA has focused largely on Section 215 of the Patriot Act, through which the government obtains court orders to compel American telecommunications companies to turn over phone data. But Section 215 is a small part of the picture and does not include the universe of collection and storage of communications by U.S. persons authorized under Executive Order 12333.

From 2011 until April of this year, I worked on global Internet freedom policy as a civil servant at the State Department. In that capacity, I was cleared to receive top-secret and "sensitive compartmented" information. Based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215.

Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata -- lists of incoming and outgoing phone numbers -- but not audio of the calls.

Executive Order 12333 [2] contains no such protections for U.S. persons if the collection occurs outside U.S. borders. Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select Committee on Intelligence, has said [3] that the committee has not been able to "sufficiently" oversee activities conducted under 12333.

Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person's communications are "incidentally" collected (an NSA term of art) [4] in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

"Incidental" collection may sound insignificant, but it is a legal loophole that can be stretched very wide. Remember that the NSA is building a data center in Utah five times the size of the U.S. Capitol building, with its own power plant that will reportedly burn $40 million a year in electricity.

"Incidental collection" might need its own power plant.

A legal regime in which U.S. citizens' data receives different levels of privacy and oversight, depending on whether it is collected inside or outside U.S. borders, may have made sense when most communications by U.S. persons stayed inside the United States. But today, U.S. communications increasingly travel across U.S. borders -- or are stored beyond them. For example, the Google and Yahoo e-mail systems rely on networks of "mirror" servers located throughout the world. [5] An e-mail from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain. The same is true for most purely domestic communications.

Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all such communications -- content as well as metadata -- provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation. No warrant or court approval is required, and such collection never need be reported to Congress. None of the reforms that Obama announced [6] earlier this year will affect such collection.

Without any legal barriers to such collection, U.S. persons must increasingly rely on the affected companies to implement security measures to keep their communications private. The executive order does not require the NSA to notify or obtain consent of a company before collecting its users' data.

The attorney general, rather than a court, must approve "minimization procedures" for handling the data of U.S. persons that is collected under 12333, to protect their rights. I do not know the details of those procedures. But the director of national intelligence recently declassified a document [7] (United States Signals Intelligence Directive 18) showing that U.S. agencies may retain such data for five years.

Before I left the State Department, I filed a complaint with the department's inspector general, arguing that the current system of collection and storage of communications by U.S. persons under Executive Order 12333 violates the Fourth Amendment, which prohibits unreasonable searches and seizures. I have also brought my complaint to the House and Senate intelligence committees and to the inspector general of the NSA.

I am not the first person with knowledge of classified activities to publicly voice concerns about the collection and retention of communications by U.S. persons under 12333. The president's own Review Group on Intelligence and Communication Technologies, in Recommendation 12 of its public report, [8] addressed the matter. But the review group coded its references in a way that masked the true nature of the problem.

At first glance, Recommendation 12 appears to concern Section 702 of the FISA Amendments Act, which authorizes collection inside the United States against foreign targets outside the United States. Although the recommendation does not explicitly mention Executive Order 12333, it does refer to "any other authority." A member of the review group confirmed to me that this reference was written deliberately to include Executive Order 12333.

Recommendation 12 urges that all data of U.S. persons incidentally collected under such authorities be immediately purged unless it has foreign intelligence value or is necessary to prevent serious harm. The review group further recommended that a U.S. person's incidentally collected data never be used in criminal proceedings against that person, and that the government refrain from searching communications by U.S. persons unless it obtains a warrant or unless such searching is necessary to prevent serious harm.

The White House understood that Recommendation 12 was intended to apply to 12333. That understanding was conveyed to me verbally by several White House staffers, and was confirmed in an unclassified White House document that I saw during my federal employment and that is now in the possession of several congressional committees.

In that document, the White House stated that adoption of Recommendation 12 would require "significant changes" to current practice under Executive Order 12333 and indicated that it had no plans to make such changes.

All of this calls into question some recent administration statements. Gen. Keith Alexander, a former NSA director, has said publicly that for years the NSA maintained a U.S. person e-mail metadata program similar to the Section 215 telephone metadata program. And he has maintained that the e-mail program was terminated in 2011 because "we thought we could better protect civil liberties and privacy by doing away with it." [9] Note, however, that Alexander never said that the NSA stopped collecting such data -- merely that the agency was no longer using the Patriot Act to do so. I suggest that Americans dig deeper.

Consider the possibility that Section 215 collection does not represent the outer limits of collection on U.S. persons but rather is a mechanism to backfill that portion of U.S. person data that cannot be collected overseas under 12333.

Proposals for replacing Section 215 collection are currently being debated in Congress. We need a similar debate about Executive Order 12333. The order as used today threatens our democracy. There is no good reason that U.S. citizens should receive weaker privacy and oversight protections simply because their communications are collected outside, not inside, our borders.

I have never made any unauthorized disclosures of classified information, nor would I ever do so. I fully support keeping secret the targets, sources and methods of U.S. intelligence as crucial elements of national security. I was never a disgruntled federal employee; I loved my job at the State Department. I left voluntarily and on good terms to take a job outside of government. A draft of this article was reviewed and cleared by the State Department and the NSA to ensure that it contained no classified material.

When I started at the State Department, I took an oath to protect the Constitution of the United States. I don't believe that there is any valid interpretation of the Fourth Amendment that could permit the government to collect and store a large portion of U.S. citizens' online communications, without any court or congressional oversight, and without any suspicion of wrongdoing. Such a legal regime risks abuse in the long run, regardless of whether one trusts the individuals in office at a particular moment.

I am coming forward because I think Americans deserve an honest answer to the simple question: What kind of data is the NSA collecting on millions, or hundreds of millions, of Americans?

John Napier Tye served as section chief for Internet freedom in the State Department's Bureau of Democracy, Human Rights and Labor from January 2011 to April 2014. He is now a legal director of Avaaz, a global advocacy organization.

[1] http://www.humanrights.gov/2014/03/04/state-department-on-internet-freedom-at-rightscon/

[2] http://www.archives.gov/federal-register/codification/executive-order/12333.html

[3] http://www.mcclatchydc.com/2013/11/21/209167/most-of-nsas-data-collection-authorized.html

[4] http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html

[5] http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

[6] http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/17/everything-you-need-to-know-about-obamas-nsa-reforms-in-plain-english/

[7] http://www.dni.gov/files/documents/1118/CLEANEDFinal USSID SP0018.pdf

[8] http://apps.washingtonpost.com/g/page/world/nsa-review-boards-report/674/

[9] http://abcnews.go.com/blogs/politics/2013/06/nsa-chief-on-email-collection-nsa-deleted-data-wanted-to-protect-privacy/