Executive Order 12333 — The Intelligence Order You've Never Heard Of That Authorizes More Surveillance Than FISA
FISA and Section 702 get most of the public attention. Executive Order 12333 — signed by President Reagan on December 4, 1981, and amended in 2008 and 2012 — authorizes far more surveillance than FISA does, with far less oversight. EO 12333 is the foundational executive order governing all U.S. intelligence activities; it assigns intelligence functions to each IC element, defines collection authorities, and establishes the primary legal basis for NSA's collection of foreign communications outside the United States. Unlike FISA, there is no FISA Court, no judicial approval, and no statutory framework — oversight is purely internal (ODNI, DOJ, and agency Inspectors General) and congressional only in theory. The programs revealed by Edward Snowden in 2013 that most alarmed civil liberties experts — XKeyscore, the UPSTREAM backbone collection, the bulk metadata programs not covered by Section 215 — operated primarily under EO 12333, not FISA.
Legal Authority
- 50 U.S.C. § 3001 et seq. — National Security Act of 1947: establishes the statutory framework for the intelligence community; EO 12333 is the implementing executive order for intelligence activities not separately governed by FISA or other statutes
- 50 U.S.C. § 3024 — Intelligence Reform and Terrorism Prevention Act: grants the Director of National Intelligence authority to coordinate the intelligence community; EO 12333 as amended in 2008 incorporates this DNI authority
- 50 U.S.C. § 3035 — Director of Central Intelligence / CIA authorities: the CIA's covert action and foreign intelligence collection authorities, exercised under EO 12333's framework
- U.S. Const. Art. II — Commander in Chief and foreign affairs powers: the constitutional basis for the President's executive order authority over foreign intelligence activities; EO 12333 is grounded in the President's inherent Article II authority, not a specific congressional authorization
Key Mechanics
EO 12333 operates in three parts: Part 1 assigns intelligence missions to each IC element (CIA, NSA, DIA, NRO, etc.); Part 2 establishes the framework for U.S. person protections (requiring "procedures" to minimize collection and use of U.S. person information); and Part 3 sets general provisions. NSA's foreign signals intelligence collection under EO 12333 — collection from cables, satellites, and other platforms outside U.S. borders — does not require FISA Court approval and is subject only to procedures approved by the Attorney General and DNI (called "procedures" or "PPDs"). Part 2's restrictions on targeting U.S. persons apply to how collection is directed, that is, to who is targeted; incidental collection of U.S. person communications in foreign-focused operations is permitted under specific retention and dissemination rules.
What EO 12333 Does
| Function | Provision | Effect |
|---|---|---|
| Assigns IC missions | Part 1 | Each IC element's mission and collection authority defined |
| NSA SIGINT executive | 1.7(b) | NSA designated lead for signals intelligence collection |
| CIA covert action | 1.7(a) | CIA designated lead for covert action under Title 50 |
| U.S. person protections | Part 2 | Restricts (but does not prohibit) collection targeting U.S. persons |
| Assassination ban | 2.11 | "No person employed by or acting on behalf of the United States Government shall engage in, or conspire to engage in, assassination" |
| IC oversight | Part 3 | Attorney General oversight; Inspector General roles |
EO 12333 is structured in three parts: Part 1 defines IC goals and IC element missions. Part 2 establishes the rules governing intelligence collection activities — including the key protections for U.S. persons. Part 3 establishes oversight responsibilities for the Attorney General, ODNI, and agency IGs.
The Core Authority: Foreign Collection Without Court Order
50 U.S.C. § 1801 (FISA) governs collection inside the United States or targeting U.S. persons. EO 12333 governs the much larger universe: collection of communications outside the United States against foreign persons.
Under EO 12333 § 2.3, IC elements may collect foreign intelligence information through signals intelligence, human intelligence, and technical means — subject to Attorney General-approved procedures. For NSA specifically, the key authority is EO 12333 § 1.7(b): NSA is the SIGINT executive, responsible for collection of "foreign intelligence information" from foreign communications.
What this means in practice: If two people in foreign countries communicate — even if the communication transits U.S. telecommunications infrastructure — NSA can collect it under EO 12333 with no court order. If a foreign person sends an email to a U.S. person and that email transits a U.S. data center, the foreign side of the communication is EO 12333 collection; the U.S. person's side is "incidentally collected." EO 12333 has no statutory floor for how much incidental collection is acceptable.
U.S. Person Protections — and the Gaps
EO 12333 § 2.3 limits — but does not prohibit — collection involving U.S. persons:
What is prohibited under EO 12333:
- Surveillance targeting a U.S. person abroad based solely on First Amendment-protected activities
- Physical surveillance of a U.S. person abroad without Attorney General approval
What is permitted under EO 12333:
- Collection of foreign intelligence information "incidentally" involving U.S. persons — there is no limit on how much incidental collection occurs
- Queries of databases containing U.S. person information if the query is for foreign intelligence purposes (subject to procedures that vary by agency)
- Collection targeting a foreign person who is in contact with U.S. persons
The critical gap: "incidental collection" is not a volume limit. NSA can collect the communications of a foreign person who communicates extensively with U.S. persons — all of those U.S. person communications are "incidentally collected" and may be retained and queried. FISA's minimization procedures impose some limits on how long U.S. person data can be retained; EO 12333 procedures are agency-specific and classified.
The 2008 and 2012 Amendments
2008 amendment (Bush/Mukasey): The most significant change since Reagan's original order. Attorney General Michael Mukasey signed amendments that:
- Allowed NSA to share raw signals intelligence (unminimized data) with other IC elements
- Authorized collection against "foreign powers" with broader definitions
- Streamlined procedures for sharing EO 12333-collected data across the IC
The 2008 amendments significantly expanded the NSA's ability to push raw SIGINT data — including data that had not yet had U.S. person information removed — to CIA, DIA, FBI, and other IC elements. This created the legal basis for what became controversial post-Snowden: FBI agents querying NSA databases for information about U.S. persons.
2012 amendment (Obama): Technical amendments to modernize the order's language; less substantively significant than 2008.
The Snowden Revelations and EO 12333
The 2013 Snowden disclosures revealed the scale of EO 12333 collection. Key programs:
XKeyscore: A global surveillance system allowing analysts to search the content of Internet communications collected under EO 12333. Snowden described it as a "Google for surveillance" — analysts could search emails, browsing history, and online activities of foreign targets and, incidentally, their contacts. XKeyscore operates primarily under EO 12333, not FISA.
MUSCULAR: A joint NSA-GCHQ program that collected data from Google and Yahoo's internal network links — the private fiber connections between data centers — rather than from the public Internet. This collection occurred outside the U.S. on foreign infrastructure and was authorized under EO 12333, not FISA. The companies were not informed; it was separate from PRISM (which involves legal orders to providers).
UPSTREAM: NSA collection from Internet backbone providers — the fiber optic cables and switching equipment that carry Internet traffic. Some UPSTREAM collection is authorized under FISA Section 702; a significant portion occurs outside the U.S. under EO 12333.
After Snowden, President Obama issued Presidential Policy Directive 28 (PPD-28) in January 2014, which added some limits to EO 12333 collection: a requirement that bulk signals intelligence collection be used only for specific national security purposes (not general intelligence gathering), and a requirement to consider the privacy interests of non-U.S. persons abroad. PPD-28 was executive guidance, not law — it could be revoked by executive order and has been modified by subsequent administrations.
No Judicial Oversight
The most important structural difference between EO 12333 and FISA: EO 12333 surveillance has no court oversight at all.
- FISA Title I (targeted wiretaps): FISC order required
- FISA Section 702 (bulk collection from providers): FISC approves annual certifications
- EO 12333 (foreign collection outside U.S.): No court involved
Oversight mechanisms for EO 12333 collection:
- Attorney General: Reviews and approves agency procedures under EO 12333; classified
- ODNI: Reviews compliance; issues Intelligence Community Directives
- Agency Inspectors General: Investigate compliance violations; reports partially public
- Congressional oversight: Gang of Eight notification for most sensitive programs; SSCI/HPSCI cleared staff oversight; but many EO 12333 programs are not specifically disclosed to committees
- PCLOB: Has reviewed some EO 12333 programs (PPD-28 review, 2017); reports are the most accessible public accounting
How It Affects You
If you are a citizen or voter: EO 12333 is the primary basis for bulk foreign intelligence collection that is not subject to FISA court oversight. If you communicate with people abroad — business partners, family, colleagues — your communications may be "incidentally collected" under EO 12333. Unlike FISA Section 702 (which has statutory minimization procedures and congressional reporting requirements), EO 12333 procedures are classified and agency-specific. The PCLOB's 2017 PPD-28 report and the ODNI's Statistical Transparency Report are the most accessible public information about how these authorities are applied. The PCLOB found that EO 12333 collection, while the largest surveillance authority by volume, has the least public transparency.
If you work in intelligence, national security, or related government work: EO 12333 procedures govern how your agency collects, retains, and disseminates foreign intelligence. CIA, NSA, DIA, and other IC elements each have classified EO 12333 procedures approved by the Attorney General — these are the operational rules for collection, retention periods for U.S. person data, and query restrictions. The 2008 amendments that allowed raw SIGINT sharing mean that data collected under NSA EO 12333 procedures may be available in CIA, DIA, or FBI analytical systems with different access controls. Compliance with EO 12333 procedures is an IG audit priority; violations can result in mandatory reporting to ODNI and congressional oversight committees.
If you are a journalist, researcher, or civil liberties advocate: EO 12333 is the least litigated and least publicly documented major intelligence authority. Unlike FISA (which has a statutory text and published FISC opinions), EO 12333 procedures are agency-specific and largely classified. The PCLOB's 2017 PPD-28 report is the most detailed public analysis. The EO 12333 text itself is public (available at fas.org). Post-Snowden, the ACLU and EFF have filed challenges to EO 12333 programs; courts have largely declined jurisdiction on standing grounds, since it is difficult to prove that a specific U.S. person's communications were collected. This makes judicial oversight essentially unavailable, reinforcing the importance of congressional and PCLOB oversight.
If you are a technology company or have infrastructure that handles foreign communications: If your infrastructure — data centers, fiber optic routes, cloud services — passes through or is located in areas where NSA has collection capabilities, EO 12333 collection may occur on your infrastructure without your knowledge or a legal order. The MUSCULAR program (collecting from Google and Yahoo internal fiber links abroad) demonstrated this. Companies operating international communications infrastructure have since invested in encryption of internal data links; this is a direct response to EO 12333 collection capabilities disclosed by Snowden. FISA Section 702 requires U.S. providers to cooperate with orders; EO 12333 collection abroad requires no such cooperation.
Recent Developments
- 1981 — EO 12333 signed by Reagan (December 4, 1981); replaced EO 11905 (Ford) and EO 12036 (Carter)
- 2008 — Mukasey amendments allowing raw SIGINT sharing across IC; most significant expansion since original EO
- 2012 — Obama technical amendments
- 2013 — Snowden revelations expose XKeyscore, MUSCULAR, UPSTREAM; EO 12333's role as the largest surveillance authority becomes public
- 2014 — PPD-28 adds some collection limits in response to Snowden; requires "legitimate national security purposes" for bulk collection
- 2017 — Final Obama NSA rule (PCLOB-recommended) allows raw EO 12333 SIGINT sharing with 16 IC elements; implemented January 12, 2017
- 2017 — PCLOB publishes PPD-28 review — the most comprehensive public analysis of EO 12333 implementation
- 2025 — New administration EO review; PPD-28 status uncertain; civil liberties organizations monitoring for changes to EO 12333 procedures