Mark M. Jaycox[*]

[Full text of this Article in PDF is available at this link]

I.   Introduction

In 2013, investigative journalists disclosed that the U.S. government had used section 215 of the USA PATRIOT Act as authorization for a now-defunct surveillance program that collected the daily call records of Americans from telecommunications companies.[1] Reporting also revealed that section 702 was, and still is, read to authorize the collection of Americans’ information from the telecommunications backbone,[2] even though section 702 targets foreigners outside the United States for foreign intelligence information.[3] Since then, national security scholars have applied particular scrutiny to those two key legal authorities used for electronic surveillance, while neglecting the legal authority used for the majority of the National Security Agency’s (“NSA”) signals intelligence collection: Executive Order 12,333 (“EO 12333”).[4]

EO 12333 codifies the President’s Article II power as Commander-in-Chief and head of the Executive Branch. It authorizes the intelligence community to conduct intelligence activities “necessary for the conduct of foreign relations and the protection of the national security of the United States,” including the “collection of information concerning, and the conduct of activities to protect against, intelligence activities directed against the United States, international terrorist…activities, and other hostile activities directed against the United States by foreign powers, organizations, persons, and their agents.”[5] It also authorizes the collection of information “constituting foreign intelligence or counterintelligence” so long as no foreign intelligence collection by the intelligence community is “undertaken for the purpose of acquiring information concerning the domestic activities of U.S. persons.”[6] In another section, it allows surveillance that would typically require a warrant, such as surveillance in the United States or against a U.S. person abroad, so long as the Attorney General determines there is probable cause to believe the surveillance is directed at a foreign power or agent of a foreign power.[7]

President Ronald Reagan signed the order in 1981, giving birth to an immense policy regime that oversees a variety of intelligence collection.[8] Disclosures about the legal authority provide some insight into the NSA’s EO 12333 signals intelligence—and specifically electronic surveillance—programs.[9] Much of the information is still difficult to decipher despite the disclosures. Even government analysts with full access to classified documents are advised to “adjust [their] vocabulary” before beginning EO 12333 training.[10] One handbook describes EO 12333’s implementation as a “maze” due to its complexity.[11]

Documents reveal EO 12333 authorizes the collection and analysis of communications, metadata, individual identifiers like International Mobile Equipment Identity (IMEI) and mobile telephone numbers, credentials to online platforms, and other electronic information.[12] The intelligence community collects this information by installing malware, obtaining access to internet traffic traversing the telecommunications backbone, and hacking U.S.-based companies like Yahoo and Google.[13] One program authorized by EO 12333 is estimated to collect more than 1.8 billion emails a month.[14] Information collected under EO 12333 is even used to map Americans’ social networks.[15]

This Article draws together various declassifications, disclosures, legislative investigations, and news reports to paint a clearer picture of the electronic surveillance programs implemented by the Executive Branch under EO 12333.[16] Particular attention is paid to EO 12333’s designation of the NSA as the agency primarily responsible for conducting signals intelligence.[17] This Article’s discussion of authorized surveillance is particularly important because EO 12333 collects Americans’ information despite the order’s focus on targeting foreign individuals for foreign intelligence.[18] This Article provides an introduction to EO 12333’s electronic surveillance programs, and aims to serve as a foundation for further research into critical legal and policy issues. Such research could investigate separation of powers concerns, including whether Congress can regulate certain Executive Branch powers or whether a foreign intelligence exception to the Fourth Amendment of the U.S. Constitution exists.

Part I provides a general introduction to signals intelligence by broadly walking through the U.S. electronic surveillance system, including key definitions.[19] Part II provides a foundation for understanding EO 12333’s legal-policy framework by summarizing existing congressional oversight of Executive Branch surveillance activities and the associated laws. This broader, cross-policy approach is necessary because the core surveillance authorities—Title I of the Foreign Intelligence Surveillance Act (“FISA”) of 1978, Title VII’s section 702 of FISA, and EO 12333—do not operate in silos. Part III outlines the origins of EO 12333. It discusses the executive order’s antecedents and describes the various iterations of the executive order leading up to its present form. Part III then describes EO 12333 and its implementing procedures. Part IV explores the known electronic surveillance programs associated with EO 12333 and argues that the order’s permissive targeting standards allow for large-scale acquisitions of enormous amounts of U.S. person information. Such collection is exacerbated by permissive processing methods prescribed in EO 12333’s implementing procedures, originally intended to protect U.S. person privacy.[20] This Article argues that these processing procedures fail to adequately preserve U.S. person privacy in the event that U.S. person information is mistakenly collected.[21] The activities described in Part IV combine to form a complex surveillance regime that collects significant amounts of information to, from, and about U.S. persons, despite its original focus on foreign intelligence information.[22] The Article concludes by offering potential reforms for EO 12333. These include proposals to narrow the aperture of surveillance, increase privacy standards for storing information, and exert more stringent transparency and accountability requirements over EO 12333. Potential non-U.S. person reforms are beyond the scope of this paper.[23]

In short, the presidential spying occurring under EO 12333 faces little oversight by Congress and collects a tremendous amount of U.S. person information, which ends up in the NSA’s—and other agencies’—databases despite EO 12333 primarily directing its surveillance outside the United States and against non-U.S. persons for foreign and counter intelligence information. This Article explores the large-scale data acquisitions authorized by EO 12333, the explicit authorization of collecting U.S. person information, and the use of broad EO 12333 foreign intelligence selectors that inevitably collect U.S. person information. The analysis and collection of U.S. person information at such a scale and scope demands closer inspection and robust public debate.

---

[*] Mark M. Jaycox, Policy Counsel, Google. Prior to this, the author served as the Civil Liberties Legislative Lead at the Electronic Frontier Foundation, where he specialized on consumer privacy issues, cybersecurity, electronic surveillance, and national security law. B.A., Reed College; J.D., UC Berkeley School of Law. The author would like to thank the Professor who oversaw the initial drafts of this paper at Berkeley, Jim Dempsey. He would also like to thank Lee Tien, Jonathan Mayer, Ashkan Soltani, Neema Singh Guliani, and many more for their critical insights, discussions, and debates on this topic.

[1] See Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian (Jun. 6, 2013), https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order [https://perma.cc/FYK7-NN9S]; Barton Gellman & Askhan Soltani, NSA Collects Millions of E-Mail Address Books Globally, Wash. Post (Oct. 14, 2013), https://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html [https://perma.cc/VR2K-5V2R].

[2] Charlie Savage, Eileen Sullivan, & Nicolas Frandos, House Extends Surveillance Law, Rejecting New Privacy Safeguards, N.Y. Times (Jan. 11, 2018), https://www.nytimes.com/2018/01/11/us/politics/fisa-surveillance-congress-trump.html [https://perma.cc/CJ8S-6HPG].

[3] See Signals Intelligence, Nat’l Sec. Agency (May 3, 2016), https://www.nsa.gov/what-we-do/signals-intelligence/ [https://perma.cc/3UFS-L8W2]; 50 U.S.C. §§ 1801–1813; 50 U.S.C § 1881a (2017); Laura Donahue, Section 702 and the Collection of International Telephone and Internet Content, 38 Harv. J.L. & Pub. Pol’y 117, 139 (2015); Priv. and C. L. Oversight Bd., Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act 6 (2014), https://documents.pclob.gov/prod/Documents/OversightReport/823399ae-92ea-447a-ab60-0da28b555437/702-Report-2.pdf [https://perma.cc/52U9-YQ68].

[4] See generally Nat’l Sec. Agency, Legal Fact Sheet: Executive Order 12333 (2013), https://www.aclu.org/files/assets/eo12333/NSA/Legal%20Fact%20Sheet%20Executive%20Order%2012333.pdf [https://perma.cc/S647-QR9P].

[5] Exec. Order No. 12,333, 46 Fed. Reg. 59,941 (1981).

[6] Id.

[7] See id.

[8] See Mark M. Jaycox, A Primer on Executive Order 12333: The Mass Surveillance Starlet, Elec. Frontier Found. (Jun. 2, 2014), https://www.eff.org/deeplinks/2014/06/primer-executive-order-12333-mass-surveillance-starlet [https://perma.cc/25QD-EMES]. See also Nat’l Sec. Agency, Legal Compliance and U.S. Person Minimization Procedures (2011); Nat’l Sec. Agency, SIGINT Authority Decision Tree, https://img.washingtonpost.com/wp-apps/imrs.php?src=https://img.washingtonpost.com/blogs/the-switch/files/2014/07/12333flowchart.jpg&w=1484 [https://perma.cc/7WJ5-3DCT]; Nat’l Sec. Agency, OVSC1100, Lesson 2 – Conventional Collection 4 (2007), https://www.aclu.org/files/assets/eo12333/NSA/Overview%20of%20Signals%20Intelligence%20Authorities.pdf [https://perma.cc/T7DC-3UG4].

[9] While some documents concerning CIA 12,333 surveillance have been released, this paper focuses on EO 12333’s electronic surveillance programs operated by the NSA. For the CIA’s procedures, see generally Central Intel. Agency, Annex A—Guidance for CIA Activities Outside the United States (2013), https://www.cia.gov/library/readingroom/docs/DOC_0006235714.pdf [https://perma.cc/WJ5C-YUV3]; Electronic surveillance by CIA may be increasing in light of recent restructuring, but the CIA’s actions are still largely classified. See, e.g., Greg Miller, CIA Looks to Expand Its Cyber Espionage Capabilities, Wash. Post (Feb. 23, 2015), https://www.washingtonpost.com/world/national-security/cia-looks-to-expand-its-cyber-espionage-capabilities/2015/02/23/a028e80c-b94d-11e4-9423-f3d0a1ec335c_story.html [https://perma.cc/L4ZK-DZ6T]; Procedures also likely exist for electronic surveillance conducted by Air Force drones in furtherance of foreign intelligence missions. Memorandum from the Dep’t of the Air Force, Air Force Guidance Memorandum to Air Force Instruction 14-104, Oversight of Intelligence Activities (Oct. 4 2018), https://fas.org/irp/doddir/usaf/afi14-104.pdf [https://perma.cc/59YG-WKNK].

[10] Def. Intel. Agency, Intelligence Law Handbook: Defense HUMINT Service § 3-7(a) (2004), https://www.aclu.org/files/assets/eo12333/DIA/Intelligence%20Law%20Handbook%20Defense%20HUMINT%20Service.pdf [https://perma.cc/KH5W-5A2S].

[11] Id.

[12] See Barton Gellman, Julie Tate, & Askhan Soltani, In NSA-intercepted Data, Those Not Targeted Far Outnumber the Foreigners Who Are, Wash. Post (July 5, 2014), https://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html [https://perma.cc/63HU-SB66]; Dominic Rushe, Spencer Ackerman, & James Ball, Reports That NSA Taps Into Google and Yahoo Data Hubs Infuriate Tech Giants, Wash. Post (Oct. 31, 2013), https://www.theguardian.com/technology/2013/oct/30/google-reports-nsa-secretly-intercepts-data-links [https://perma.cc/4ZZY-336G].

[13] See Rushe et al., supra note 12.

[14] Ryan Gallagher & Henrik Moltke, The Wiretap Rooms: The NSA’s Hidden Spy Hubs in Eight U.S. Cities, The Intercept (Jun. 25, 2018), https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/ [https://perma.cc/NKH3-FL2J].

[15] See U.S. Dep’t of Def., Supplemental Procedures Governing Communications Metadata Analysis 278 (2008), https://www.dni.gov/files/documents/0909/DoD%20Supplemental%20Procedures%2020080314.pdf [https://perma.cc/6Z35-MBSG].

[16] This paper focuses on the large-scale acquisitions occurring under EO 12333 and not individualized and particularized surveillance. By individualized and particularized, this paper means acquisitions that target a discrete individual selector on a discrete personal device, such as a mobile telephone number used by an adversarial world leader.

[17] See Exec. Order No. 12,333, 46 Fed. Reg. 59,941 (Dec. 4, 1981).

[18] The Article does not delve into the potential definitional inconsistencies of certain Executive Branch documents. For instance, a valiant attempt at deciphering inconsistent terms such as collection, acquisition, and interception has already been attempted. See generally Diana Lee, Paulina Perlin, & Joseph Schottenfeld, Gathering Intelligence: Drifting Meaning and the Modern Surveillance Apparatus, 10 J. Nat’l Sec. L. & Pol’y 77 (2019).

[19] While this part focuses on the practical process of surveillance, for an in-depth look at the culture of the intelligence community through an ethnography, see generally Bridget Rose Nolan, Information Sharing and Collaboration in the United States Intelligence Community: An Ethnographic Study of the National Counterterrorism Center (2013) (Ph.D. dissertation, University of Pennsylvania) (ProQuest), https://repository.upenn.edu/dissertations/AAI3565195/ [https://perma.cc/SX66-M62L].

[20] See Nat’l Sec. Agency, USSID 18 Legal Compliance and U.S. Person Minimization Procedures § 6 (2011) [hereinafter USSID 18] http://www.dni.gov/files/documents/1118/CLEANEDFinal%20USSID%20SP0018.pdf [https://perma.cc/3MSU-EAWS].

[21] The intelligence community argues USSID 18 preserves privacy because the procedures only allow analysts to intentionally target a U.S. person selector with Attorney General (AG) approval and mandate the use of generic labels to minimize U.S. person information, like substituting a person’s name with “U.S. Person One.” See Press Release, Office of the Director of Nat’l Intel., NSA’s Activities: Valid Foreign Intelligence Targets Are the Focus (Oct. 3, 2013), https://icontherecord.tumblr.com/post/65656690222/nsas-activities-valid-foreign-intelligence [https://perma.cc/HAD7-SKRC].

[22] This Article doesn’t argue that EO 12333 intentionally targets U.S. persons indiscriminately. It is well settled that EO 12333 generally targets non-U.S. persons outside the United States, and allows for certain specific targeting of U.S. persons. See, e.g., David S. Kris & J. Douglas Wilson, National Security Investigations & Prosecutions § 7:17 (2d ed. 2012).

[23] Such a topic deserves its own dedicated paper. This is especially so in light of the recent Schrems II decision. See Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd. and Maximillian Schrems, ECLI:EU:C:2020:559 (July 16, 2020) (striking down the EU-U.S. Privacy Shield Framework for insufficient protections of EU citizen data in personal data transfers).