What is arguably the most powerful of the U.S. government's surveillance authorities is also the most secretive, and it operates with the least amount of oversight.
Today, we're releasing a new set of documents concerning Executive Order 12333 that we — alongside the Media Freedom and Information Access Clinic at Yale Law School — obtained in an ongoing Freedom of Information Act lawsuit. EO 12333 hasn't received much public attention to date, but the government's prior disclosures in our suit have shown that the executive order in fact governs most of the NSA's surveillance. In the NSA's own words, EO 12333 is "the primary source of the NSA's foreign intelligence-gathering authority."
Surveillance conducted under EO 12333 is implemented almost entirely by the executive branch, without review by Congress or the courts. EO 12333 lacks even the plainly inadequate legislative and judicial checks on the two more well-known surveillance authorities — Section 215 of the Patriot Act and the FISA Amendments Act.
Some of the most significant conclusions to be drawn from the new documents:
"It is not possible" for the NSA to adequately protect the privacy of innocent Americans swept up in its dragnet.
Even when the NSA is "targeting" foreigners abroad, the agency sweeps up vast quantities of innocent Americans' communications. This is true when the agency is conducting surveillance under FISA, and it's just as true when the agency is conducting surveillance under EO 12333.
But we don't yet have a full understanding of EO 12333's implications for Americans' privacy. That's in part because of the secrecy surrounding EO 12333, and in part because, as one NSA memo acknowledges, the agency itself often doesn't know whether it's handling communications to or from Americans:
The government frequently argues that its sweeping, "collect it all" approach to surveillance is lawful because it follows certain procedures when searching and sharing the information it gathers. These "minimization procedures" vary by agency and by surveillance program, but in general, they require special treatment of Americans' communications to mitigate the intrusion on privacy rights.
But if the NSA can't — or won't — ensure that it is correctly identifying Americans' communications when it vacuums them up, how can the public trust that the NSA is properly safeguarding Americans' private information? Furthermore, if the NSA doesn't know what it's collecting, how can it effectively assess its compliance with its own rules?
NSA analysts may be laughing at your sex tape.
One of the other new documents, another internal NSA memo, considers whether "sharing of voice cuts among signals intelligence (SIGINT) analysts for purposes other than official ones constitutes a violation of any laws, policies, or procedures." Unsurprisingly, the deputy general counsel concludes that it's not permitted:
The memo appears to be a response to allegations made in 2008 by a former NSA military intercept operator, David Murfee Faulk, that he and others routinely circulated "good phone sex" recordings, or "cuts," around the office. Faulk and another operator also alleged that the NSA had eavesdropped on hundreds of U.S. citizens overseas as they called home — capturing not only phone sex, but more mundane pillow talk as well.
While phone sex may be a slowly dying art, the risk of NSA abuse has only grown as new media takes its place. Today, EO 12333 surveillance can put your nude selfies and your sex tapes into the NSA's hands, where analysts may once again be tempted to pass them around in violation of agency rules. As Edward Snowden recently said, the auditing of the NSA's systems is weak, and the ability to ogle nude photos is seen as one of the "fringe benefits of surveillance positions."
The NSA agrees that your phone number is identifying (except when it doesn't).
Much of the public debate on the NSA's collection of phone records, or "metadata," has focused on the Section 215 program. But reports suggest that the NSA collects an even greater quantity of call records under EO 12333 — up to five billion records per day. Though this collection takes place overseas, it still captures Americans' domestic metadata and other sensitive information, like location data, that the NSA says it does not collect under Section 215. That raises concerns that the NSA is using EO 12333 to maneuver around restrictions it faces under other statutory authorities.
The government has argued that phone records are not private because they don't include names, just numbers. This is an absurd argument. As the ACLU has explained, phone numbers are every bit as identifying as our social security numbers — no two of us have the same one — and it's a trivial matter for the government to attach a name to a number. One of the new documents shows that, back in 2007, the NSA's own lawyers recognized that Congress had considered this question — and had agreed with the ACLU:
This memo goes on to argue that Americans' metadata may be shared widely across intelligence agencies because it is not constitutionally protected — an argument that's wrong on several grounds. Metadata can reveal personal information that is just as sensitive and private as the content of communications. In addition, as the memo itself acknowledges, the handling of Americans' metadata is subject to certain statutory requirements. But it's not yet clear how the NSA interpreted those protections.
We're hoping that our FOIA litigation will result in the release of more information — not only about the scope of collection under EO 12333, but also about how the NSA and other agencies are handling and sharing the vast amounts of data they acquire.