For more than two years, Americans have been reeling from revelations about the National Security Agency's mass surveillance programs. Now, newly release documents have raised questions about whether even more of Americans' data could be in the CIA’s hands, too.
Over the past two months, the American Civil Liberties Union has published 68 documents related to the CIA’s activities under Executive Order 12333, which governs foreign intelligence collection. The documents are part of a long-running Freedom of Information Act lawsuit brought by the ACLU and Yale Law School for information about government surveillance under EO 12333.
The widely discussed domestic surveillance programs – those permitted through the Patriot Act and the Foreign Intelligence Surveillance Act Amendments Act – both are operated under the supervision of Congress and the Foreign Intelligence Surveillance Court. EO 12333 is run purely under the auspices of the executive branch.
President Reagan issued the order in 1981 and subsequent presidents have amended it several times since. It came to widespread public attention when former State Department official John Napier Tye penned a Washington Post Op-Ed that accused the NSA of using a loophole in the order to scoop up millions of Americans’ data and search it without a warrant.
"Almost any American who uses the Internet has had their data swept up in this," Mr. Tye said in an interview, referring to foreign mass surveillance programs that the NSA operates under EO 12333.
The NSA uses authority granted to it under that order to collect millions of Americans’ wholly domestic communications overseas, Tye said.
While many of the NSA's mass surveillance programs are technically "foreign," those programs predictably ingest large amounts of US data. That’s easy in a world where an e-mail between Boston and Atlanta is likely stored at data centers in Europe and Asia by tech companies that span the globe. A provision in the executive order lets the NSA store and search that "incidentally collected" American data.
"They collect everything, they store it all in a database, they search it all, and only if they want to use something do they run it through the minimization procedures and the US person check," Tye said.
Under 12333, the CIA can also collect intelligence on people and organizations in the US as long as it is "incidentally acquired information." That has the ACLU and other privacy advocates worried.
"We know that EO 12333 is one of the NSA’s most important surveillance authorities, and that the agency relies on EO 12333 to conduct bulk surveillance abroad that sweeps up vast quantities of Americans’ communications," says Ashley Gorski, a fellow at the ACLU's National Security Project. "Although we don’t know the extent of the CIA's involvement in these dragnets, the CIA is no stranger to bulk collection."
Indeed, The Wall Street Journal reported in January 2014 that the CIA maintains a database of information on Americans’ international money transfers under Section 215 of the Patriot Act. Three months later, it also revealed that the CIA provided technical support for a US Marshals program that tracked suspects by mounting devices that simulate cellphone towers onto low-flying airplanes – scanning thousands of Americans’ cellphones in the process.
One document – a memorandum of understanding between the CIA and the FBI – contains a section regulating how the CIA can target US persons that is almost entirely redacted – as is a section detailing when and how the FBI can share information with the CIA and all of a one-page document titled "Collection Rules."
What isn’t redacted in the new documents show that EO 12333 bars the CIA from carrying out electronic surveillance within the US. However, the agency can ask the FBI or another intelligence agency to carry out electronic surveillance inside American borders on its behalf. It can also use a "monitoring device" inside the US "under circumstances in which a warrant would not be required for law enforcement purposes."
It’s unclear what a "monitoring device" is and how using it differs from "electronic surveillance" – the definition is redacted.
The newly released documents also suggest that the CIA might not be following its own internal guidelines for handling data on Americans. According to a 2002 report from the CIA Inspector General, agency components aren’t properly applying rules about the retention and dissemination of data about US persons "because of a general and widespread lack of understanding of the rules."
The CIA did not responded to questions concerning the documents it released to the ACLU.
"By direction of the president in Executive Order 12333 of 1981 and in accordance with procedures approved by the Attorney General, the CIA is restricted in the collection of intelligence information directed against US citizens," the agency says on its website. "Collection is allowed only for an authorized intelligence purpose; for example, if there is a reason to believe that an individual is involved in espionage or international terrorist activities."
The independent Privacy and Civil Liberties Oversight Board is currently completing a report about CIA and NSA surveillance involving US persons under EO 12333. It plans to issue the report by the end of the year, according to a statement.