Outside the pages of Just Security and a handful of other places, it’s hard to find much debate over the NSA’s overseas surveillance activities. The same lawmakers and pundits who were incensed over the bulk collection of Americans’ telephone records are largely silent on programs that collect much larger amounts of information — including phone and Internet metadata, as well as communications content — under Executive Order 12333.

Does the lack of public outcry reflect a considered judgment that EO 12333 programs strike the appropriate balance between security needs and privacy interests? That seems unlikely. There is relatively little publicly available information about these programs. Many of the applicable regulations and guidelines remain secret; the ones that are publicly available — assuming they are current — create an impenetrable thicket of rules marked by counterintuitive definitions and internal inconsistencies. The far more likely reason that EO 12333 has received so little attention inside the US is a misconception that overseas foreign intelligence surveillance has little impact on Americans.

A new Brennan Center report, Overseas Surveillance in an Interconnected World (authored by Amos Toh, Faiza Patel, and myself), aims to spark a more rigorous debate on EO 12333 surveillance in three ways. First, the report examines several reported EO 12333 programs, and illustrates the ways in which these programs may be gathering Americans’ data and communications. For instance, under a program codenamed SOMALGET, any American vacationing in Bermuda will have her telephone conversations recorded and stored for a 30-day period. That same American could have her location tracked using cell site data under a program codenamed CO-TRAVELER. Indeed, most of the significant programs that have been reported are likely to pull in a substantial amount of Americans’ data. Even wholly domestic communications are vulnerable, given the frequency with which digital information is routed or stored overseas.

Second, the report attempts attempts to distill and make sense of the multiple directives, policies, and guidance governing EO 12333 surveillance activities. In doing so, the report finds that there are major gaps in the privacy and human rights protections for Americans and foreign nationals alike. To name a few:

  • Bulk collection, which Congress sought to prohibit when performed domestically, is a standard practice when the NSA operates overseas — even if the NSA is ultimately collecting much of the same data. While President Obama recently placed restrictions on how bulk collection is used, his administration defines “bulk collection” to exclude situations in which the data is stored “temporarily” — no time periods are specified — to facilitate searches.
  • When the NSA performs “targeted” collection, it is not limited to searching for communications to or from particular people or groups, or even communications about particular people or groups. It can conduct searches based on the content of the communications. According to the ODNI’s General Counsel, all searches must be expected to yield foreign intelligence that is responsive to priorities derived from the National Intelligence Priorities Framework (NIPF). While the framework is classified, much of it (according to the General Counsel) is reflected in the DNI’s annual Worldwide Threat Assessment (WTA), which includes extremely broad topics of current public interest. Thus, at least in theory, anyone who writes an e-mail that happens to discuss the conflict in Syria may be subject to surveillance.
  • With such permissive standards for gathering information, one might expect strict limits on how that information — particularly Americans’ communications — may be used. In fact, the NSA has significant discretion in decisions about the retention and sharing of data. While there is a default five-year limit on retention, there is an extensive list of exceptions, including an exception for encrypted communications — despite the fact that encryption is becoming increasingly commonplace. Current rules give the NSA wide latitude to share certain data with law enforcement, and The New York Times reported that other agencies may soon be able to access raw data. Easy access to data acquired overseas could become an attractive alternative to obtaining a warrant in domestic criminal cases, creating an end-run around the Fourth Amendment’s protections.

Finally, the report assembles a long list of “known unknowns”: information about EO 12333 that was not disclosed by Snowden or pried loose (yet) in FOIA lawsuits. Much of the law governing EO 12333 operations, including agency procedures that implement the order and legal interpretations by the Justice Department’s Office of Legal Counsel, remains secret. What do the agencies consider to be the limits of EO 12333 surveillance? How much of the information gathered overseas is information to, from, or about Americans? What proportion of selectors used in “targeted” programs identifies individuals or groups, and what proportion identifies larger populations? What rules govern joint intelligence-gathering operations with other nations, and what prevents the NSA from using these arrangements to avoid legal constraints? How do the NSA and other agencies that use EO 12333 data monitor compliance with the applicable rules?

In a different era, Americans might have felt little need to concern themselves with the rules by which the US government intercepted satellite transmissions to determine the Soviets’ military strategy. Today is not that world. Technology has revolutionized communications and surveillance, rendering our own personal information — as well as the personal information of private citizens around the world — susceptible to overseas surveillance. Existing directives and guidelines allow the NSA to access a tremendous amount of this information and to use or share it for a wide array of purposes. And there is still much we do not know. We need to have a robust, well-informed public debate in order to make a democratic choice about surveillance authorities that affect us all. We hope that our report makes a contribution to that debate.

Update: Bob Litt contacted me and expressed concern that I misrepresented his remarks about the Worldwide Threat Assessment in an earlier version of this post. He emphasizes that his remarks about the Worldwide Threat Assessment had nothing to do with “selectors,” but instead related to “the kinds of topics about which intelligence (of any kind) can be collected.” I have no desire to misrepresent him, so let me offer this clarification.

Here’s what I said in an earlier version of this post:

When the NSA performs “targeted” collection, it is not limited to searching for communications to or from particular people or groups, or even communications about particular people or groups. It can search for entire topics of conversation. According to the ODNI’s General Counsel, these topics are similar to those contained in the DNI’s annual Worldwide Threat Assessment. That means anyone who writes an e-mail that happens to discuss the conflict in Syria may be subject to surveillance.

To the extent this language implied to any readers that Bob Litt said that the NSA uses the topics in the Worldwide Threat Assessment as selectors, that was not my intended meaning. What Bob said in his speech was that the president sets yearly priorities for foreign intelligence collection; the DNI translates these into the National Intelligence Priorities Framework (NIPF), “much of [which] is reflected annually in the DNI’s unclassified Worldwide Threat Assessment [WTA].” From there, an organization called the National Signals Intelligence Committee reviews agencies’ requests for collection to ensure that they are consistent with the NIPF and assigns them priorities; and, at the end of that process, trained NSA personnel identify selectors “that are expected to collect foreign intelligence responsive to these priorities.” In his speech, Bob identified “telephone numbers or e-mail addresses” as examples of selectors, but US Signals Intelligence Directive 18 is quite clear that selection terms may be based on “the content of the communication … rather than on the basis of the identity of the COMMUNICANT or the fact that the communication mentions a particular individual.”

Combining USSID-18 with the information from Bob’s speech, it appears that trained NSA officials are authorized to develop search terms keyed to priorities derived from the NIPF (much of which is reflected in the WTA), and these search terms can be based on the content of the communications rather than the identity of the communicants. On its face, this scheme permits searches for keywords corresponding to the topics reflected the WTA. That is our conclusion, however, and should not be attributed to Bob. Moreover, as we state in our report, there is very little public information about what types of searches the NSA actually performs, which is why we call for more transparency in the final section of the report.

I therefore offered more precise (albeit more wordy) phrasing found in the latest version of this post, which reaches the same conclusion but with a more granular description of how Bob’s speech contributed to it.

Editors’ note: This post was updated to clarify the fact that NSA’s intelligence collection effort are undertaken with the expectation of yielding information corresponding to the National Intelligence Priorities Framework.