National Security Surveillance in the United States: Laws, Institutions, and Safeguards

November 15, 2023

Executive Summary

  • Introduction. The United States is the world’s leading intelligence power.  Its intelligence agencies boast large workforces, generous funding, and elite technical prowess.
    • Their work informs American policymakers, security agencies, military leaders, and allies about a broad range of global threats and challenges.
    • The United States’ unusually broad intelligence priorities are driven by its global military presence, worldwide interests, diversified and globally integrated economy, and by the counterintelligence risks generated by the openness of its economy and society.
  • Agencies that conduct national-security surveillance. The agencies with primary responsibility for conducting electronic surveillance and SIGINT for national security purposes are the National Security Agency, the Federal Bureau of Investigation, and the Central Intelligence Agency.  Each agency’s activities are bounded by its legal authorities—statutes or executive orders that empower the agency or constrain it.
    • The National Security Agency, which is part of the Department of Defense, is the lead agency for collecting signals intelligence (that is for collecting foreign intelligence from communications and information systems).
      • NSA’s SIGINT activities are characterized by an elite level of technical sophistication and geographic reach, bolstered by the United States’ worldwide alliance network and military footprint.
      • NSA’s partner services in the other “Five Eyes” nations (the UK, Canada, Australia, and New Zealand) are known as “second-party” partners. They collectively maintain a unique level of technical cooperation and intelligence sharing.
      • NSA is a foreign-intelligence agency, and a focus on foreign targets is embedded in its legal authorities and internal culture. However, NSA also participates in surveillance conducted in the United States under the Foreign Intelligence Surveillance Act (FISA).
    • The Federal Bureau of Investigation, which is part of the Department of Justice, has primary responsibility for clandestine national-security surveillance inside the United States.
      • The Bureau uses electronic surveillance to support all aspects of its tripartite mission: investigating violations of federal criminal law, protecting the United States from threats to the national security, and using clandestine means to collect foreign intelligence inside the United States.
    • The Central Intelligence Agency collects human intelligence (HUMINT) and produces all-source intelligence analysis. In the digital age, however, its HUMINT and analytic missions require it to collect, manage, and analyze large datasets, and CIA has invested heavily in its digital capabilities.
  • Process and standards for approving surveillance. Whether surveillance targets must be approved by a court, or can be approved internally within an agency, depends on the legal authority under which the surveillance is conducted.
    • For “traditional” FISA surveillance of targets in the United States, the government must first demonstrate to the Foreign Intelligence Surveillance Court “probable cause” to believe that the target is a foreign power (which includes a terrorist group) or “agent of a foreign power.”
      • Historically most applications were approved, though defenders of the Court argued that the lopsided numbers obscured informal exchanges between the Court and the government that often elicited changes before an application was granted.
      • Published statistics now break out modifications and partial denials. The latest figures suggest that almost half of all proposed orders are either modified in part before being approved or partially denied, with a smaller number of outright rejections.
      • FISA cannot be used for bulk collection.
    • Section 702 of FISA permits the government to monitor non-U.S. persons located abroad whose data traverses digital infrastructure in the United States.
      • 702 monitoring does not require an individualized court order. Instead, once each year, the Foreign Intelligence Surveillance Court (or “FISA Court”) approves the broad rules under which Section 702 surveillance will be conducted and the purposes for which it can be used.
      • 702 cannot be used for unselected bulk collection.
    • Overseas surveillance is typically conducted by authority of Executive Order 12,333, rather than statute. For surveillance of foreign targets under EO 12,333, targets are approved by agency officials rather than a court.
      • Bulk collection under Executive Order 12,333 is can only be used for purposes specified in Executive Order 14,086.
    • Electronic surveillance targeting Americans traveling abroad, however, requires an order from the FISA Court.
  • Oversight. Many institutions oversee the U.S. government’s use of national-security surveillance.
    • The most powerful and important oversight bodies are in Congress: the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence.
      • The committees pass legislation related to U.S. intelligence programs, approve nominations to senior positions in the Intelligence Community, and oversee U.S intelligence activities.
      • The committees’ oversight is aided by a broad statutory requirement that intelligence agencies keep the committees “fully and currently informed of all intelligence activities … .”
      • The intelligence committees’ staff and facilities are cleared to handle classified information.
      • The House and Senate Judiciary and Armed Services Committees also play important roles in overseeing certain intelligence programs.
    • Many entities within the Executive Branch also oversee national-security surveillance.
      • Civil Liberties and Privacy Officers within each intelligence agency help enforce rules, build cultures of compliance, and advise agency leaders on privacy considerations.
      • Through its National Security Division, the Department of Justice represents the government before the FISA Court and conducts oversight of other agencies’ surveillance activities.
      • Independent Inspectors General in each intelligence agency periodically issue important oversight reports about compliance with the law, whistleblower claims, and other concerns.
      • The independent, bipartisan Privacy and Civil Liberties Oversight Board reviews major intelligence and counterterrorism programs to ensure that they comply with the law and appropriately consider privacy and civil liberties. The Board also advises agencies on incorporating such concerns as they develop new programs.
      • The President’s Intelligence Advisory Board, part of the Executive Office of the President, serves as a presidential sounding board on the efficacy and utility of intelligence programs.
      • The new Data Protection Review Court, created by President Biden’s Executive Order 14,086, will provide an independent, quasi-judicial “redress” mechanism to correct any errors in the implementation of intelligence programs that affect residents of certain “qualifying states.”
    • Courts also provide some ex-post oversight. The Foreign Intelligence Surveillance Court engages in an ongoing dialogue with the government over compliance errors and remedial errors ordered by the Court.
      • That role is unusual for an American court and is in some tension with constitutional limits on the “judicial Power of the United States.”
  • Relevant Law
    • The U.S. Constitution does not explicitly address surveillance, but various provisions allocate and limit federal power in relevant ways.
      • Most notably, the Fourth Amendment prohibits “unreasonable” searches and seizures and sets forth minimum requirements for warrants.
    • Federal statutes constitute key intelligence agencies and authorize certain intelligence activities. But they also regulate and prohibit certain intelligence activities.
      • Key laws structuring the U.S. intelligence enterprise include the National Security Act of 1947, which created the CIA, Department of Defense, and National Security Council, and the Intelligence Reform and Terrorism Prevention Act of 2004, which created the Director of National Intelligence and National Counterterrorism Center.
      • Statutes conferring and limiting specific surveillance powers include FISA, which sets forth a detailed system for conducting foreign-intelligence surveillance in the United States, and the Electronic Communications Privacy Act, which establishes the process for intercepting communications and obtaining stored data in criminal investigations.
      • Other statutes allow the FBI to issue “national security letters,” administrative subpoenas that compel private entities to provide certain types of non-content subscriber or transactional information.
          • National Security Letters cannot be used for bulk collection.
    • Much surveillance is conducted under presidential authority rather than statute. Such programs are governed by executive orders, which are essentially presidential decrees exercising powers conferred by the Constitution or by statute.
        • The most important is Executive Order 12,333, which assigns roles and responsibilities to the agencies of the intelligence community and mandates certain protections for Americans’ privacy.
        • Since 2014, Presidents (first President Obama, in Presidential Policy Directive 28, now President Biden, in Executive Order 14,086) have used their authority to mandate comparable privacy protections for citizens of other countries.
    • Below the level of Executive Orders, internal agency procedures and guidance documents provide more detailed rules applicable to each agency’s distinctive mission and internal structures.
  • Compliance in practice. Within agencies, compliance depends on institutional safeguards that supervise operators and help them find lawful ways to achieve their goals.
    • Such safeguards include:
      • Compliance and audit units within agencies.
      • Technical mechanisms, such as access controls, audit and logging systems, and system defaults designed to reduce the risk of noncompliant actions by users.
      • Lawyers deployed in operational units to provide real-time legal advice to operators.
    • Some agencies’ internal controls are more effective than others’.
      • NSA has a solid compliance architecture and sophisticated technical systems in place to ensure that analysts’ use of data complies with the rules.
      • The FBI, by contrast, continues to have difficulty engineering systems that effectively drive compliance and enable the Justice Department to oversee its workforce in near-real-time.
  • Transparency. There is now a great deal of publicly available information about U.S. surveillance practices, laws, and institutions.
    • The fundamental legal architecture for U.S. national-security surveillance is public, from statutes and executive orders down to agency implementing procedures.
    • Since the Snowden disclosures, the government has also provided significant transparency about how these programs are implemented.
      • The Intelligence Community produces a detailed Annual Statistical Transparency Report, with granular data about its use of FISA and other legal authorities.
      • The Administrative Office of the U.S. Courts also issues an annual statistical report on the activities of the Foreign Intelligence Surveillance Court.
    • The USA Freedom Act of 2015, enacted in the aftermath of the Snowden leaks, made various important enhancements to transparency practices. For example, it:
      • Required the government to promptly redact, declassify, and release important new decisions by the FISA Court.
      • Allowed companies to provide the public with greater detail about the surveillance orders they receive.
  • U.S. law offers strong protections to whistleblowers who have followed the approved process for reporting waste, fraud, abuse, or illegality to inspectors general or Congress.
    • The law does not, however, protect intelligence community employees or contractors who, like Edward Snowden, illegally remove classified material from their workplaces and provide it to journalists or other uncleared people.
  • Reforms. U.S. intelligence law has historically been shaped by moments of scandal and crisis that led to major reforms.  Examples include the Church and Pike Committees of the 1970s, the Reagan-era Iran-Contra Affair, 9/11, and the Snowden leaks of 2013.
    • “Sunset” clauses have, to some extent, decoupled surveillance legislation from these cycles of crisis and response.
      • In particular, the five-year sunsets attached to reauthorizations of Section 702 have made debate over surveillance reforms a regular feature of American lawmaking rather than a once-in-a-generation rarity.
  • Other Important Factors
    • Defense commitments. The American approach to electronic surveillance and SIGINT is heavily influenced by the United States’ unique geopolitical circumstances.
      • The United States is committed by treaty to the defense of the 31 member states of NATO and other vulnerable allies in the Pacific.
      • American defense commitments to many treaty allies extend to the use of nuclear weapons.
      • Managing the risk that arises from these commitments creates a ceaseless need for accurate intelligence to provide warning of emerging threats and potential hostile acts.
    • Domestic vulnerabilities. The United States’ diversified, technologically advanced economy and open society combine to present an inviting attack surface for foreign espionage.
    • Political polarization. In recent years, views of intelligence and law-enforcement agencies have become polarized along partisan lines.  Weakening political support endangers the legal authorities and funding on which the agencies’ work depends.

Download Full Paper

Adam Klein

Director, Strauss Center for International Security and Law, The University of Texas at Austin