The databases could be queried using an identifier such as an email address only when an analyst had a reasonable and articulable suspicion that the email address was associated with certain specified foreign terrorist organizations that were the subject of FBI counterterrorism investigations. The basis for that suspicion had to be documented in writing and approved by a limited number of designated approving officials identified in the Court’s Order. Moreover, if an identifier was reasonably believed to be used by a United States person, NSA’s Office of General Counsel would also review the determination to ensure that the suspected association was not based solely on First Amendment-protected activities.
EO 12333 strikes again

The newly public document cites two legal authorities that govern foreign data collection: Section 702 of the FISA Amendments Act and the Special Procedures Governing Communications Metadata Analysis (SPCMA), which sits under Executive Order (EO) 12333. Section 702 largely governs content collection wholly outside the United States (it’s what PRISM falls under). Meanwhile, EO 12333, which ex-government officials (including Snowden himself) have complained about, is a broad Reagan-era authority that allows data collection on Americans even when Americans aren’t specifically targeted. Without this executive order, such actions would be forbidden under the Foreign Intelligence Surveillance Act (FISA) of 1978. who spoke with Ars in August 2014, EO 12333 has the potential to be abused as it could “incidentally” collect foreign-held data on Americans. “12333 is used to target foreigners abroad, and collection happens outside the US,” he told Ars. “My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.” Tye continued:
There are networks of servers all over the world and there have been news stories on Google and Yahoo—the minute the data leaves US soil it can be collected under 12333. That’s true not just for Google and Yahoo, that’s true for Facebook, Apple iMessages, Skype, Dropbox, and Snapchat. Most likely that data is stored at some point outside US or transits outside the US. Pretty much every significant service that Americans use, at some point it transits outside the US. Hypothetically, under 12333 the NSA could target a single foreigner abroad. And hypothetically if, while targeting that single person, they happened to collect every single Gmail and every single Facebook message on the company servers not just from the one person who is the target, but from everyone—then the NSA could keep and use the data from those three billion other people. That’s called ‘incidental collection.’ I will not confirm or deny that that is happening, but there is nothing in 12333 to prevent that from happening.

UPDATE Saturday 12:55pm ET: Tye also e-mailed Friday evening, adding:
Yes, this is consistent with what I’ve been saying. One of the key points is that section 215 provides only a small part of the data that the NSA collects on US persons; most such data is collected outside the borders of the US under EO 12333. There is a lot more than even the Savage article explains. We’re beginning to scratch the surface.