A Washington Post article reveals that the National Security Agency has been siphoning off data from the links between Yahoo! and Google data centers, which include the fiber optic connections between company servers at various points around the world. While the user may have an encrypted connection to the website, the internal data flows were not encrypted and allowed the NSA to obtain millions of records each month, including both metadata and content like audio, video and text. This is not part of the PRISM collection under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act or the business records program under Section 215 of the Patriot Act, but a separate program called MUSCULAR under what appears to be Executive Order 12333 ("12333").
News Articles Reveal Use of Executive Order to Spy
The new article comes off of another recent Washington Post report on another piece of data the NSA collects about innocent Americans: contacts from their address books and buddy lists. The information is in addition to Americans' calling records, phone calls, emails, and any other information publicly available on the Internet. And it's yet another sign that the NSA will stop at nothing to collect innocent Americans' information—all in the name of protecting us from foreign threats.
The details from the Washington Post reveal the NSA's collection is "likely to be in the millions or tens of millions" of Americans' contacts. The NSA is helped, in a way, because your contacts aren't always encrypted when you sync them from your laptop or mobile devices to your online account. The Post's articles provide a vital supplement to a recent New York Times story, which revealed NSA using Americans metadata collected under its spying programs to map social networks.
What's most unnerving about these collections is that the NSA is using Executive Order 12333, which lays out guidelines for spying outside the authority granted by Congress in the Foreign Intelligence Surveillance Act. The order was created in the 1980s, is publicly available, and has been updated several times since then.
But Executive Order 12333 relies on Executive oversight. And we all know how well that works. When it comes to Congress, Senator Diane Feinstein, the Chair of the Senate Intelligence Committee—the committee that's supposed to oversee the intelligence community—ruled 12333 collection as "not fall[ing] within the focus of the committee." General Keith Alexander, Director of the NSA, agrees. At a Judiciary Committee hearing earlier this month, he couldn't even confirm that the oversight committees of Congress were informed of 12333 collection.
The Few (Known) Uses of Executive Order 12333
The NSA is using 12333 in at least two different ways (and probably many more). It's using the supposed authority the order grants to collect information like the data center links, and Americans' address books and contacts because that information is considered "foreign intelligence." The definition is used in both FISA and in 12333, and is an incredibly broad term.
The Administration is also using 12333 to create secret guidelines—without the approval of Congress—for when, why, and how the NSA can use Americans' information outside of the oversight of the FISA Court. One such guideline is called the Special Procedures Governing Communications Metadata Analysis. It's a boring title, but the procedures supposedly "allow" the NSA to use the metadata collected under Section 215 and Section 702 to create social networks of Americans—and anyone else—for any "foreign intelligence" purpose. The New York Times reports that there are no restrictions on the use of such data.
The guidelines were revealed last week when the Chair of the Senate Judiciary Committee, Senator Patrick Leahy, asked General James Clapper, the Director of National Intelligence, if the NSA compiled "profiles or dossiers on American people through the use of its intelligence authorities?" Gen. Clapper answered (video) "in every case for valid foreign intelligence purposes." Gen. Alexander followed up explaining NSA only uses "foreign information to understand what the foreign nexus is of a problem set that we're looking at." Unlike Gen. Clapper, what Gen. Alexander left unsaid was that "foreign information" includes your contacts and address books.
Likewise, the substantive limit on what the NSA might collect from internal data transfers in Google and Yahoo! is found in this loose "foreign intelligence" definition. Since the operation takes place overseas, the NSA believes it is entitled to presume the communications are foreign.
What are the Other Uses of Executive Order 12333?
Put together, these revelations show users how NSA thinks it can collect any and all information—including innocent Americans' information. At first we learned about calling records. Then we learned about phone calls and emails. It turns out the NSA wasn't satisfied and also collects contacts, address books, and buddy lists. The NSA already gets huge swaths of information from service providers through PRISM, but—again—NSA was not satisfied, and decided to acquire information directly from the datacenter traffic.
What else are they collecting—or have collected in the past—with 12333? It appears no one knows. But what we do know is that the Snowden leaks are providing Congress with more information about what the intelligence community is doing than either the President, the agencies, or the responsible Congressional committees.
Congress must scrutinize the use of 12333 more closely. If it's being used to collect, data mine, and/or analyze innocent Americans' information, it must be stopped with legislation by Congress. The stories show how the NSA is using laws, policies, and procedures to completely skirt the Constitution. Congress must step in as the major oversight branch of the US government. It can do this by beginning a full-scale investigation into the NSA's surveillance authorities by a special Congressional committee. More questions than answers continue to be raised by the ongoing leaks. And it's time for Congress to act.