The Central Intelligence Agency has been carrying out a mass surveillance program on American soil, according to documents declassified at the request of two U.S. senators.
Details of the program are scarce, but Democrats Ron Wyden and Martin Heinrich—both of whom are on the Senate Intelligence Committee—said late Thursday that it involves the bulk collection of data and features “serious problems associated with warrantless backdoor searches of Americans.”
This appears to be the most significant exposure of an intelligence agency’s bulk data collection in the U.S. for nearly a decade. And it could not come at a worse time for the U.S.’s efforts to maintain Big Tech’s ability to keep serving European users.
In 2013, the first revelation to emerge from National Security Agency leaker Edward Snowden—before he even came forward as the source, and certainly before he told the world how the U.S. monitored foreigners—was that the NSA had been secretly collecting Verizon customers’ phone records within the U.S. That program was authorized under the Foreign Intelligence Surveillance Act (FISA), but this newly revealed operation is not.
Instead, the CIA program is authorized under Executive Order 12333, a Reagan-era order that hugely expanded the data-collecting capabilities of U.S. intelligence agencies. According to the senators, that means a lack of oversight from courts, Congress, and even the executive branch itself.
This raises concerns about “how secret interpretations of law undermine democratic oversight and pose risks to the long-term credibility of the Intelligence Community,” Wyden and Heinrich wrote in their now-declassified letter to Director of National Intelligence Avril Haines and CIA Director William Burns, requesting the declassification of a report about the program.
“Among the many details the public deserves to know are the nature of the CIA’s relationship with its sources and the legal framework for the collection; the kind of records collected [redacted] the amount of Americans’ records maintained; and the rules governing the use, storage, dissemination and queries (including U.S. person queries) of the records,” Wyden and Heinrich wrote.
In the end, all that got declassified was the senators’ letter to Haines and Burns, along with redacted recommendations from the Privacy and Civil Liberties Oversight Board (PCLOB), which wrote the still-classified Deep Dive II report. The recommendations say intelligence analysts should have to provide a written justification for data queries about Americans, and note that they are already systematically reminded that such queries require a foreign-intelligence purpose.
The recommendations also highlight a lack of guidelines around the collection of data and the length of time for which it is held, and suggest there is a lot of “legacy data”—containing information about U.S. citizens—that has been held since before 2017.
“The CIA should consider the adoption of automated tools to assist with the auditing, oversight, and compliance of matters or issues related to [redacted] especially with regard to U.S. Persons,” the final recommendation reads.
“CIA recognizes and takes very seriously our obligation to respect the privacy and civil liberties of U.S. persons in the conduct of our vital national security mission,” Kristi Scott, CIA privacy and civil liberties officer, told the Associated Press in a statement. “CIA is committed to transparency consistent with our obligation to protect intelligence sources and methods.”
“These reports raise serious questions about what information of ours the CIA is vacuuming up in bulk and how the agency exploits that information to spy on Americans,” tweeted the American Civil Liberties Union (ACLU). “This invasion of our privacy must stop.”
As the CIA’s secretive program appears to be primarily intended for the surveillance of foreigners, its revelation is likely to undermine Washington’s efforts to strike a new agreement with the European Union over the importation of Europeans’ personal data into the U.S.
The deal would be the third of its kind. The first two, named Safe Harbour and Privacy Shield, were struck down by the EU’s top court in 2015 and 2020 respectively. Snowden’s disclosures about NSA programs provided the spark. The Court of Justice said the agreements didn’t comply with European data protection law, because American companies are powerless to stop U.S. intelligence collecting and accessing the data they hold on Europeans, and because Europeans have no meaningful way in which to complain about and stop their surveillance.
Large and small U.S. businesses need such an agreement to keep serving European customers and users with minimal bureaucracy. But the European Commission cannot credibly agree to a new deal that contains the same flaws as the last two, as it would also be struck down. And the same issue about the power of U.S. intelligence agencies could also result in the cancellation this year of the more complex “standard contractual clauses” mechanism that Facebook parent Meta and other behemoths are using to maintain their transatlantic data flows.
Meta recently warned its investors that without a sound legal basis for its transfers of personal data from the EU to the U.S., it would “likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”
A spokesperson for the European Commission told Fortune in an emailed statement that securing Privacy Shield’s successor was “a priority for us and our U.S. partners,” adding that “only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic.”
However, the spokesperson did not specifically address the question of whether the revelation of the CIA program would have an impact on the negotiations.
Adding to the sense of a net closing in on the U.S.’s tech sector, France’s data protection authority on Thursday followed Austria in saying websites can’t use Google Analytics, the most commonly used toolkit for tracking site activity, because the service can’t keep the data it records safe from U.S. intelligence.
Politico reported Thursday that some were hoping for the new U.S.-EU data deal to be announced in May. With the revelation of yet another U.S. surveillance program that doesn’t have proper oversight—let alone a way for people to complain about their data being recorded—those hopes may have just been dashed.
Never miss a story: Follow your favorite topics and authors to get a personalized email with the journalism that matters most to you.