National Security

Most of NSA’s data collection authorized by order Ronald Reagan issued

The flags at the National Security Agency's Threat Operations Center in Ft. Meade, Maryland
The flags at the National Security Agency's Threat Operations Center in Ft. Meade, Maryland Baltimore Sun/MCT

The National Security Agency’s collection of information on Americans’ cellphone and Internet usage reaches far beyond the two programs that have received public attention in recent months, to a presidential order that is older than the Internet itself.

Approved by President Ronald Reagan in 1981, Executive Order 12333 (referred to as “twelve-triple-three”) still governs most of what the NSA does. It is a sweeping mandate that outlines the duties and foreign intelligence collection for the nation’s 17 intelligence agencies. It is not governed by Congress, and critics say it has little privacy protection and many loopholes. What changes have been made to it have come through guidelines set by the attorney general or other documents.

The result is a web of intelligence law so complicated that it stymies even those tasked with interpreting it. As one former executive official said, “It’s complicated stuff.”

Confusing though it may be, the order remains the primary authority under which the country’s intelligence agencies conduct the majority of their operations.

Neither the office of Attorney General Eric Holder nor that of Director of National Intelligence James Clapper would comment about 12333.

Under its provisions, agencies have the ability to function outside the confines of a warrant or court order, if approved by the attorney general. Its Section 2.5 effectively gives the attorney general the right to authorize intelligence agencies to operate outside the confines of judicial or congressional oversight, so long as it’s in pursuit of foreign intelligence – including collecting information of Americans.

“The Attorney General hereby is delegated the power to approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required,” 12333 reads.

Monitoring the actual content of Americans’ communications still requires a warrant under 12333, but metadata – the hidden information about a communication that tells where a person is, who he’s communicating with, even the number of credit cards used in a transaction – can be swept up without congressional or court approval.

The impact of 12333 is enormous – and largely unknown. Documents leaked by former NSA contractor Edward Snowden suggest that less than half of the metadata the NSA has collected has been acquired under provisions of the USA Patriot Act and the Foreign Intelligence Surveillance Act, the two laws that have received the most attention for permitting NSA programs.

Gen. Keith Alexander, the NSA director, has ratified that impression, saying that the majority of NSA data is collected “solely pursuant to the authorities provided by Executive Order 12333.”

At the time the order was written, the nation’s intelligence community was dealing with a shattered reputation after decades of widespread abuses. The Church Committee – a special congressional panel tasked in the 1970s with investigating intelligence abuses – had revealed CIA efforts to cover up the Watergate scandal, the CIA’s opening of Americans’ mail, and the agency’s efforts to assassinate Cuba’s Fidel Castro.

Executive Order 12333 was intended to bolster a reeling intelligence community and further define its authority to conduct foreign intelligence gathering.

The global telecommunications network didn’t exist, and collecting foreign communications posed little risk for Americans’ data to be swept up in the dragnet.

But in the three decades since 12333 was written, global communications have changed dramatically. The order, however, has not.

“In 1996, when (12333) was 15 years old, we said, ‘Gee, this probably ought to be revised.’ Now we’re more than 15 years after that,” said John Bellinger, a former legal adviser to the National Security Council during the presidency of George W. Bush. Still, the order hasn’t undergone any major change, “in part, because it’s so difficult and complex to change it,” he said.

The National Security Act of 1947 requires that Congress be kept “fully and currently informed” about “significant” intelligence activities. But 12333 activities receive little oversight. The problem, legal experts and lawmakers say, is that only the executive branch – and the intelligence agencies that are part of it – determines what “fully and currently informed” means and what details it needs to share with Congress.

“There’s no clear definition,” said House Intelligence Committee member Adam Schiff, D-Calif., who recently sparred with fellow committee members over whether the NSA had briefed the panel on its monitoring of German Chancellor Angela Merkel’s cellphone. “We need to have a bigger discussion of what our mutual understanding is of what we want to be informed of.”

Schiff isn’t alone in raising questions about how well informed Congress is kept of activities undertaken under 12333 authorities. Sen. Dianne Feinstein, D-Calif., who chairs the Senate Intelligence Committee, has called for a broad review of what’s taking place under 12333, noting that the order authorizes phone and email metadata collection beyond what the Foreign Intelligence Surveillance Act does.

Feinstein has consistently defended the NSA’s collection of domestic cellphone metadata, saying the program under which it is doing so is overseen by both the courts and Congress. But even she has said the 12333 programs skirt similar protections.

“The other programs do not (have the same oversight as FISA). And that’s what we need to take a look at,” she said, adding that her committee has not been able to “sufficiently” oversee the programs run under the executive order. “Twelve-triple-three programs are under the executive branch entirely.”

Feinstein has also said the order has few, if any, privacy protections. “I don’t think privacy protections are built into it,” she said. “It’s an executive policy. The executive controls intelligence in the country.”

Intelligence officials have said that each respective agency’s 12333 collection is governed by supplemental guidelines written by the attorney general and that those guidelines protect Americans’ data. But intelligence officials have admitted that most of those guidelines have not been revisited in decades and that they don’t offer the same protections as the metadata collection programs authorized under the Patriot Act and the Foreign Intelligence Surveillance Act.

A glimpse of those classified guidelines emerged at a hearing convened earlier this month of the Privacy and Civil Liberties Oversight Board, which Congress created in 2004 to oversee the government’s expanded intelligence collection operations, but that until that meeting had never held a substantive hearing.

Pressing a panel of intelligence community lawyers, board members asked what evidence is required before U.S. intelligence agents are allowed to sift through metadata collected under 12333. They learned that virtually none is required.

Jim Dempsey, a member of the board who is the vice president for public policy at the Center for Democracy and Technology, a Washington-based organization encouraging free and open Internet, asked whether it was right that 12333 records can be searched without establishing a “reasonable, articulable suspicion,” the standard needed for searching records collected under the Patriot Act or FISA.

The NSA’s deputy general counsel, Rajesh De, acknowledged that that standard might not apply. “I think, yeah,” he said. But he declined to say what rules might apply, referring by using jargon. “I don’t know if we’ve declassified sort of minimization procedures,” he said. “But there are different rules that apply.”

Even those rules – whatever they are – can be broken, both intentionally and unintentionally. When they are, there is no requirement that the violation be reported outside the executive branch.

According to an internal memo leaked by Snowden and published in August, the NSA saw more than 2,000 compliance violations with its 12333 programs in the span of a year, from March 2011 to March 2012. For comparison, the agency tracked just over 700 violations in the same period in the telephone and Internet metadata collection programs that have received so much attention.

The 12333 violations were not reported to the congressional intelligence committees.

Intelligence community leaders have been loath to address 12333 issues when testifying before Congress. During a recent House Judiciary Committee hearing into metadata collections, Director of National Intelligence Clapper refused to answer when asked about specific violations.

“The subject matter of the hearing was Section 215 and 702,” said Clapper, referring to sections of the Patriot Act and the Foreign Intelligence Surveillance Act, respectively. “And these violations . . . (occurred) under the auspices of Executive Order 12333.”

Feinstein has said publicly that she thinks more attention needs to be paid to what takes place under 12333. A bill recently approved by the Senate Intelligence Committee would require increased congressional oversight of 12333, including more detailed reporting of what guidelines govern access to information collected under it and violations of those guidelines.

Related stories from McClatchy DC