The NSA is not allowed to gather intel on US citizens (at least not without a FISA court order), but there is an obscure Reagan-era loophole--Executive Order 12333, or Twelve Triple Three--that allows the NSA to scoop up data on millions of Americans and store these data (about 350 billion searchable records—that’s “billion” with a “B”) for up to five years.


There are no limitations on the NSA for spying on foreign nationals outside the country. If, say, you’re a British subject living in London, you’re fair game. If you’re a US citizen living in New York, the NSA can’t spy on you (without a FISA court order).

Let’s say the NSA has determined that our Londoner is a foreign intelligence target and our Londoner uses, for example, Google’s various online services such as picture storage, document storage, email, and so on. Let’s say too that our New Yorker also uses Google’s online services. All these pictures, emails, etc. are stored on servers located in Google data centers. These data centers are not just located at Google’s headquarters in Silicon Valley, but all over the world (Ireland, Finland, and Hong Kong, just to name a few). And here’s where Twelve Triple Three comes into play. If our Londoner’s data are stored on a Google server off of American soil in, say, Finland and our New Yorker’s data are stored on the same server, the New Yorker’s data can be “incidentally” collected and stored. In a Washington Post op-ed, John Napier Tye, a former State Department official, explains it thus:

"[T]he executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

“Incidental” collection may sound insignificant, but it is a legal loophole that can be stretched very wide. Remember that the NSA is building a data center in Utah five times the size of the U.S. Capitol building, with its own power plant that will reportedly burn $40 million a year in electricity.

“Incidental collection” might need its own power plant.

A legal regime in which U.S. citizens’ data receives different levels of privacy and oversight, depending on whether it is collected inside or outside U.S. borders, may have made sense when most communications by U.S. persons stayed inside the United States. But today, U.S. communications increasingly travel across U.S. borders — or are stored beyond them. For example, the Google and Yahoo e-mail systems rely on networks of “mirror” servers located throughout the world. An e-mail from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain. The same is true for most purely domestic communications.

Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all such communications — content as well as metadata — provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation. No warrant or court approval is required, and such collection never need be reported to Congress.

Most Americans probably wouldn’t be too concerned about NSA spying on the citizens of other countries. On the other hand, many Americans might be concerned that their emails and whatnot are being scooped up indiscriminately and stored along with the data of the bad guys. Ain’t it ironic?

Some Americans might even say, well, in order to protect us from terrorists, maybe it’s ok to give up my Fourth Amendment rights (and my First Amendment rights too—if you know your emails are being read by some unknown person you’ll be more careful about what you say in your emails because, ya never know, something you say in an email might be misconstrued as something a terrorist might say and you might suddenly find yourself in some place like Gitmo). You’re not doing anything wrong so you have nothing to hide—you’re not a terrorist, you don’t sell drugs, and you don’t have a security clearance so you’re about as far from all this James-Bond-cloak-and-dagger stuff as you can get.

Ah, but the plot thickens. Ryan Gallagher of The Intercept published an article on 25 August 2014 outlining ICREACH, which is a “‘Google-like’ search engine built to share more than 850 billion records about phone calls, emails, cellphone locations, and internet chats.” Again that’s 850 billion with a “B” and to try to wrap your head around how many records that is, take a look at the graphic above from Gallagher’s article (click the source link if it is too small to read here—you’ll have to scroll down the article to find the graphic). "ICREACH contains information on the private communications of foreigners and, it appears,” the article said, “millions of records on American citizens who have not been accused of any wrongdoing."

The classified documents provided to The Intercept by Edward Snowden "provide the first definitive evidence that the NSA has for years made massive amounts of surveillance data directly accessible to domestic law enforcement agencies," according to Gallagher’s article. "ICREACH can be used to track people’s movements, map out their networks of associates, help predict future actions, and potentially reveal religious affiliations or political beliefs."

In an interview with Michael Hayden, former Director of the NSA (1999-2005), in the documentary film We Steal Secrets: The Story of WikiLeaks (2013), Hayden says, “Look, everyone has secrets. Some of the activities that nation states conduct in order to keep their people safe and free need to be secret in order to be successful. If they are broadly known, you cannot accomplish your work. Now, I'm going to be very candid, right? We steal secrets; we steal other nations' secrets.” This should be obvious to most Americans. Most Americans understand that the United States Intelligence Community and foreign intelligence services steal each other’s secrets. We get it. The activities of the United States Intelligence Community are a necessary evil we hope will prevent the next Pearl Harbor or 9/11.

What Americans might not be aware of is a process called “parallel construction.” According to the Gallagher article:

Parallel construction involves law enforcement agents using information gleaned from covert surveillance, but later covering up their use of that data by creating a new evidence trail that excludes it. This hides the true origin of the investigation from defense lawyers and, on occasion, prosecutors and judges—which means the legality of the evidence that triggered the investigation cannot be challenged in court.

In practice, this could mean that a DEA agent identifies an individual he believes is involved in drug trafficking in the United States on the basis of information stored on ICREACH. The agent begins an investigation but pretends, in his records of the investigation, that the original tip did not come from the secret trove. Last year, Reuters first reported details of parallel construction based on NSA data, linking the practice to a unit known as the Special Operations Division, which Reuters said distributes tips from NSA intercepts and a DEA database known as DICE.

Tampa attorney James Felman, chair of the American Bar Association’s criminal justice section, told The Intercept that parallel construction is a “tremendously problematic” tactic because law enforcement agencies “must be honest with courts about where they are getting their information.” The ICREACH revelations, he said, “raise the question of whether parallel construction is present in more cases than we had thought. And if that’s true, it is deeply disturbing and disappointing.”

The Perils of Big Data

On Thursday, 4 September 2014, the Electronic Frontier Foundation posted an announcement that EFF and Access (an international open and secure communications advocacy non-profit) filed public comments with the Privacy and Civil Liberties Oversight Board (PCLOB) last week to urge “the PCLOB to expand its investigation into EO 12333.” Included in the issues discussed in the letter is the “adequacy of surveillance programs and the problem of using big data analysis as a seminal aspect of these programs.”

In a recent article, Hank Campbell discusses some of the issues of big data. ICREACH is described as “‘a one-stop shopping tool’ for analyzing communications,” according to the Gallagher article. "Using ICREACH," the article says, "the NSA planned to boost the amount of communications “events” it shared with other U.S. government agencies from 50 billion to more than 850 billion, bolstering an older top-secret data sharing system named CRISSCROSS/PROTON, which was launched in the 1990s and managed by the CIA." If a domestic law enforcement investigation is triggered by a tip based on information stored in ICREACH, as the Gallagher article alleges, the issues of big data come into play. The EFF/Access letter describes these issues:

Big data analytics is central to the government's "collect it all" mentality. The PCLOB should be skeptical about claims made regarding the value of big data. For big data analysis to be valid, one must follow rigorous statistical practices. Simply “collecting it all” and then trying to extract useful information from the data by finding correlations is likely to lead to incorrect (and, depending on the particular application, harmful or even dangerous) results.

We look forward to the PCLOB investigating how well the intelligence community is using big data analytics. Many have used the Google Flu Trends example as a failure of big data. Such criticisms—and the public discourse it provokes—are only possible because Google commendably put its program in the public eye. Is the intelligence community hiding comparable failures? And what are the economic and privacy costs of such work? The incredible power big data analytics has to infringe upon privacy requires a public justification of its use by intelligence agencies and the PCLOB should serve as a robust institutionalized advocate for the public's right to know.

While we do not argue that big data analysis cannot sometimes be accurate and effective, there are two major technical problems with big data analysis that we wish to highlight below in light of the PCLOB's effort to work with the intelligence community to establish a methodology for evaluating the adequacy and appropriateness of counterterrorism programs.

The first technical problem is that correlation is not causation; and sometimes, correlation is not even correlation. While big data may allow one to discover new correlations in the underlying data, it doesn't follow that those correlations are meaningful. One should always be suspicious about taking any action based strictly on correlation that was not explicitly being tested for, no matter how convincing it may seem.

Big data analytics inherently involves more information, but this means there will be more false information in any given data set. This is especially true when intelligence agencies are overcollecting innocuous information involving innocent users. The collection described above contributes to a "multiple-comparisons" problem: if you have a large enough data set with enough comparisons, some comparisons that are flukes will appear statistically significant.

If, as Campbell points out, Big Data can bedevil the rigorous physical sciences such as particle physics, what adverse effects does it have on the much less rigorous social sciences, law enforcement, and spy craft?
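
The "multiple-comparisons" problem described in the EFF/Access letter can be seen in a small simulation. This is an added example, not part of the original article or the letter; the population size, attribute count, seed, and the Bonferroni correction used for contrast are assumptions chosen here, and all data are constructed random noise.

```python
import math
import random
from statistics import NormalDist


def pearson(xs, ys):
    """Sample Pearson correlation of two equal-length lists."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def count_spurious_hits(n_people=200, n_attributes=1000, alpha=0.05, seed=12333):
    """Return (naive_hits, bonferroni_hits) for attributes that are pure noise."""
    rng = random.Random(seed)
    # Constructed data: the "flag" is a coin toss, unrelated to any attribute.
    flagged = [float(rng.random() < 0.5) for _ in range(n_people)]
    z_naive = NormalDist().inv_cdf(1 - alpha / 2)
    # Bonferroni: divide alpha by the number of comparisons actually made.
    z_corrected = NormalDist().inv_cdf(1 - alpha / (2 * n_attributes))
    naive = corrected = 0
    for _ in range(n_attributes):
        # One innocuous attribute per pass, drawn independently of the flag.
        attribute = [rng.random() for _ in range(n_people)]
        r = pearson(attribute, flagged)
        # Test statistic for "correlation is zero"; close to N(0, 1) at this n.
        t = abs(r) * math.sqrt((n_people - 2) / (1 - r * r))
        naive += t > z_naive
        corrected += t > z_corrected
    return naive, corrected


if __name__ == "__main__":
    naive, corrected = count_spurious_hits()
    print(f"'significant' at p < 0.05 with no correction: {naive} of 1000")
    print(f"still significant after Bonferroni correction: {corrected} of 1000")
```

Every attribute here is noise by construction, so each uncorrected "hit" is a fluke of the kind the letter warns about; roughly one in twenty comparisons clears the uncorrected threshold.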