DHS Watchdog Repeatedly Misled Congress, Federal Probe Finds.

Championing Responsible National Security Policy
|
Analysis

Executive Order 12333: The Spy Power Too Big for Any Legal Limits

How a Cold War era authority morphed into a mass surveillance system that collects billions of private communications
(Photos: Getty Images; Jordan Brierley / Unsplash; Illustration: Leslie Garvey / POGO)

Last month, a new report and set of recommendations from the Privacy and Civil Liberties Oversight Board and a letter from Senators Ron Wyden (D-OR) and Martin Heinrich (D-NM) revealed a troubling surveillance program that has long been hidden. The CIA is collecting financial records in bulk — meaning on a massive scale without any targets — sweeping up private records of individuals not in any way suspected of wrongdoing, including Americans.

It’s an important indicator that for all the meaningful reforms over the past decade, there is still a surveillance elephant in the room: The newly unveiled financial program falls under a major component of national security surveillance that operates with practically no rules and absent the safeguards needed given how modern surveillance operates in the digital age. That component is Executive Order 12333 (commonly referred to as “EO twelve-triple-three” and abbreviated EO 12333), the authority for all executive-based national security surveillance. Because its focus is abroad, many Americans are unfamiliar with the executive order, but that doesn’t diminish its importance: The government uses this authority to vacuum up billions of emails, texts, and calls from people across the globe, grabbing Americans' sensitive communications in the process.

The fundamental problem with EO 12333 is that it is a virtually lawless surveillance authority. Not lawless in the sense of violating statutes and court-imposed rules, but rather in that it operates absent any limits or oversight from Congress and the courts. Given how EO 12333 has steadily morphed into a mass collection tool, this is not sustainable.

The Origins of EO 12333

Before examining the problems with the newly revealed financial surveillance program and other modern EO 12333 surveillance programs, it’s worth looking at the history of this authority and how its original applications contrast with its use today.

Just 50 years ago, the rules and limits for national security surveillance were shockingly undeveloped. Not only was there no comprehensive set of specific rules governing this type of surveillance, the law did not even establish a broad line of what limits should exist.

Fortunately that changed in 1972 with an important Supreme Court ruling, commonly known as the “Keith case,” involving a series of warrantless wiretaps used against a group conspiring to destroy government buildings. The Supreme Court ruled that any investigations involving domestic security — even national security threats — required standard compliance with the Fourth Amendment, warrant rules, and statutory limits for law enforcement. However, the court also noted that this standard was based on domestic security threats, effectively putting the ball in Congress’s court to establish rules for foreign intelligence surveillance.

Six years later Congress did just that, passing the Foreign Intelligence Surveillance Act (FISA). The law created a set of boundaries for surveillance conducted in the United States focused on foreign powers and their agents. FISA allows the government to engage in searches, wiretaps, and other clandestine surveillance as long as it shows a court (specifically the FISA Court, also created as part of the law) there is probable cause the target is a foreign agent.

While rules were set for surveillance within the U.S. of foreign and domestic threats to national security, one major area was unaddressed: surveillance abroad.

But while rules were set for surveillance within the United States of foreign and domestic threats to national security, one major area was unaddressed: surveillance abroad. In 1981, three years after the passage of FISA, President Ronald Reagan signed EO 12333. The order provided broad authority for military and intelligence agencies to engage in surveillance abroad. It did not include court authorizations or probable cause requirements akin to FISA, and was authorized entirely under the executive’s inherent commander-in-chief authority, absent legislative or court approval.

Given the threats and nature of foreign surveillance at the time, there was logic to this system: The CIA was not going to seek out a search warrant with a local judge in East Berlin, or provide a wiretap order to a telephone company in Moscow. And because these clandestine activities were focused on specific targets, they were unlikely to sweep in information from Americans abroad or even from large numbers of non-U.S. persons.

EO 12333 in the Digital Age

Fast forward 40 years, and the type of surveillance that the government conducts for foreign intelligence has dramatically changed. Rather than focusing on specific pre-identified targets and threats, the government adopted a “collect it all” mentality in the wake of the September 11 attacks, and by then had the technology to accomplish that goal. While the executive unlawfully sidestepped FISA for mass domestic surveillance (most notably in the bulk collection of Americans’ phone records that would be outlawed in 2015), it also began to build up bulk surveillance abroad under the auspices of EO 12333.

We probably only see the tip of the iceberg in terms of what these surveillance systems are (more on that transparency issue below), but a few examples that have come to light are illustrative of how massive the EO 12333 dragnet can be.

One program called CO-TRAVELER sweeps up billions of cellphone location records each day, monitoring the movements of individuals across the globe. As the Washington Post described in its article exposing the program, it is “tracking people from afar into confidential business meetings or personal visits to medical facilities, hotel rooms, private homes and other traditionally protected spaces.” Another program called Dishfire engages in mass collection of text messages, sweeping up the content of almost 200 million messages per day from phones around the world. A third program named SOMALGET acts as a nationwide wiretap, recording every phone call made in entire countries. The government has not provided any details on these programs since these disclosures in 2013 and 2014 revealed their existence — meaning we do not know if they are still operating in this manner, have been scaled down, or have grown even more pervasive.

The newly revealed financial collection program follows in this same pattern: It takes private information — in this case financial records — and vacuums it up in bulk without regard to how sensitive the records are or whose information is swept up in the dragnet.

Mass Surveillance Leads to Mass Violation of Privacy Rights

Collecting private information on this scale creates significant privacy harms in two distinct ways.

First, it endangers the privacy of Americans. With bulk programs sweeping up billions of private conversations and sensitive records from millions of people, it is bound to collect Americans’ information, even when focused abroad. Tourists, students, and individuals working or living abroad could all have their information collected and stored by National Security agency (NSA) and CIA programs, as well as distributed to other government agencies. So could Americans whose communications are with individuals located abroad. American business-people, journalists, lawyers, human rights advocates, and others could all have their most sensitive information and activities collected by the U.S. government.

This is unacceptable — U.S.-persons don’t relinquish their constitutional rights at customs or simply because their conversation is with someone in another country. Even when private information is collected abroad, it could still impact individuals in terms of how the government treats them in the U.S., and in relation to domestic investigations. Beyond the risk that these records could be used for criminal investigations in a manner that circumvents warrant rules, mass collection of Americans’ private information through EO 12333 creates a risk that nefarious actors could misuse it for personal aims (such as selectively leaking private information, or using information like religious or political views as the basis for targeting).

U.S.-persons don’t relinquish their constitutional rights at customs or simply because their conversation is with someone in another country.

Second, it’s important to also consider the impact of these programs on non-U.S. persons. This is a more complex topic because while U.S. constitutional rights generally apply to everyone located in the United States and to Americans across the world, they largely do not extend to non-U.S. persons abroad. And it’s hard to reject the notion that the government should have a relatively free hand to monitor individuals such Russian oligarchs, Iranian Revolutionary Guard commanders, or Chinese government spies.

But current EO 12333 surveillance, by its nature, goes far beyond these types of targets. It works in bulk, collecting intimate information about entire populations. This affects average individuals across the globe, and raises important human rights concerns. The scale of EO 12333 collection has undermined U.S. standing in the world (try to image how you would feel if you discovered a foreign country collected every email, text, and phone call you made), and has hampered international relations to the degree of causing important economic agreements to be struck down. It also presents a serious risk if a foreign adversary ever stole surveillance data to subjugate its own people, and limits U.S. credibility to call for reforms in nations building up mass surveillance autocracies.

Who Watches the Mass-Surveillance-Watchers?

In addition to these issues, there is the daunting problem of a lack of basic oversight of EO 12333. The recent story on collection of financial records illustrates this perfectly: The Privacy and Civil Liberties Board report is heavily redacted, leaving the public with little understanding of what data is being collected or of the full range of ways it is being used. Release of the report was also significantly delayed. It was unanimously approved by the board in January 2017, but concealed from public view for five years.

Wyden and Heinrich’s letter was held in declassification limbo for nearly a year despite being less than three pages long. Perhaps most disturbing of all, the senators note that until a month before their letter was sent, “the nature and full extent of the CIA's collection was withheld even from the Senate Select Committee on Intelligence.”

The executive acting as its own watchdog for the EO 12333 mass surveillance system is a major problem.

The executive acting as its own watchdog for the EO 12333 mass surveillance system is a major problem. It undercuts the critical role that Congress and the courts play to maintain checks and balances in our democracy. Even if you accept the premise that EO 12333 surveillance is derived from the president’s commander-in-chief authority and gives the executive significant deference, it should not and cannot be limitless. Congress is vested with power to appropriate funds (or not) for intelligence agencies like NSA and CIA, as well as with confirming officials to top positions within these agencies. The executive cannot reasonably expect Congress to provide its funds and confirm its leaders but play no role in examining how that money is spent or what those officials do.

The lack of external oversight also creates serious danger of compliance issues. It’s more likely that the already-lax rules and limits of EO 12333 will be misinterpreted or ignored if they depend on self-policing. It’s repeatedly been made apparent by the extreme readings of surveillance powers after September 11 and the Office of Legal Counsel in general that if the executive is given the authority to interpret laws, it will do so in a manner that maximizes executive power even if its legal rationale defies credulity. And FISA Section 702 — the warrantless provision that requires no front-end approval from judges — has repeatedly demonstrated that less court oversight begets more violation of rules and standards.

We’re still a long way off from being able to meaningfully reform the scale of EO 12333 collection. But getting more public transparency and more oversight from Congress and the courts is a promising first step. A good opportunity to push for this will be coming soon, as next year a major component of FISA is set to expire. If the executive wants that surveillance power reauthorized, it’s reasonable to demand greater oversight for the part of foreign intelligence surveillance that currently has virtually none.