Signals Intelligence (SIGINT) — NSA, Five Eyes, and the Three Legal Buckets
The National Security Agency is simultaneously the U.S. government's largest intelligence agency by budget, its primary foreign surveillance apparatus, and the most operationally secret element of the Intelligence Community. The key structural fact that most coverage misses: NSA's collection authority is divided across three entirely separate legal frameworks — FISA Title I/III (targeted, court-ordered), FISA Section 702 (bulk collection from U.S. providers, court-supervised), and EO 12333 (foreign collection with no court involvement at all). The third bucket — EO 12333 — is larger by volume than the other two combined. The Snowden disclosures of 2013 revealed the scale of all three, but particularly the EO 12333 programs that had received no public attention. NSA's dual mission — foreign intelligence collection and information assurance for classified U.S. systems — is unique among IC elements, and the dual-hat arrangement with CYBERCOM (NSA Director = CYBERCOM Commander) combines offensive and defensive cyber capabilities under one leader.
Legal Authority
- 50 U.S.C. § 1801 et seq. (FISA Title I) — Foreign Intelligence Surveillance Act; governs targeted electronic surveillance of U.S. persons and foreign powers inside the United States; requires FISC court orders; also governs physical search (Title III)
- 50 U.S.C. § 1881a (FISA Section 702) — Allows bulk collection of communications of non-U.S. persons located abroad from U.S. providers (Google, Microsoft, AT&T, etc.); FISC approves annual "certification" rather than individual targets; reauthorized 2024 with expanded "abouts" collection authority
- Executive Order 12333 — Presidential directive governing foreign intelligence collection outside the United States; no statutory framework or court supervision; largest by volume of NSA's three collection authorities; amended by EO 13470 (2008) and other modifications
- 50 U.S.C. § 3001 et seq. (National Security Act of 1947) — Establishes the Intelligence Community structure; authorizes NSA's overall mission
- 50 U.S.C. § 3601 (Intelligence Reform and Terrorism Prevention Act, 2004) — Created the Director of National Intelligence (DNI) to coordinate the IC; governs NSA's relationship to ODNI
Key Mechanics
NSA's collection authority is divided across three separate legal frameworks, each with different oversight mechanisms and collection scope:
- (1) FISA Title I/III: targeted, court-ordered electronic surveillance and physical search of specific U.S. persons and foreign powers inside the United States; requires individual FISC orders; the most legally constrained bucket; smallest by volume
- (2) FISA Section 702: bulk collection from U.S. telecommunications providers of communications of non-U.S. persons located abroad; FISC approves annual "certifications" covering categories of collection (terrorism, weapons proliferation, cyber), not individual targets; "incidental collection" of U.S. persons' communications with foreign targets is permitted and stored; ~230,000 foreign targets annually; the FAA Section 702 program was the subject of the PRISM and Upstream disclosures in 2013; reauthorized in 2024 with expanded "abouts" collection
- (3) Executive Order 12333: collection of foreign communications overseas with no court involvement; the broadest authority by volume; covers NSA's collection from undersea cables, foreign telecommunications infrastructure, and other overseas sources; no FISC oversight; congressional oversight is less systematic than for FISA programs
NSA's dual mission: foreign intelligence collection (SIGINT) and protecting U.S. government classified communications and systems (information assurance); the dual-hat arrangement pairs the NSA Director position with command of U.S. Cyber Command (CYBERCOM), combining offensive SIGINT and offensive cyber capabilities under one commander.
Five Eyes: the UKUSA Agreement (1946, officially acknowledged 2010) is the signals intelligence sharing arrangement between the U.S., UK, Canada, Australia, and New Zealand; partner agencies (GCHQ, CSE, ASD, GCSB) conduct parallel SIGINT collection under their respective domestic legal frameworks and share raw intelligence and finished products with NSA.
NSA's Legal Authorities: Three Buckets
| Authority | Legal Basis | Court Oversight | Primary Target |
|---|---|---|---|
| Targeted content collection | FISA Title I (50 U.S.C. § 1805) | FISC order required | Foreign powers/agents in U.S. |
| Targeted non-content (metadata) | FISA Title III (pen registers) | FISC order required | Domestic communications metadata |
| Bulk collection from providers | FISA § 702 (50 U.S.C. § 1881a) | FISC annual certification | Non-U.S. persons abroad via U.S. providers |
| Foreign collection | EO 12333 | None | Non-U.S. persons outside U.S. |
Bucket 1: FISA Title I — Targeted Wiretaps
FISA Title I (50 U.S.C. § 1805) authorizes the FISC to issue orders for electronic surveillance of foreign powers and their agents. The government must show probable cause that the target is a foreign power or agent; the FISC issues the order; the collection occurs. This is the most familiar framework — it's what most people think of when they hear "FISA court." It covers:
- Surveillance of foreign embassies and diplomatic facilities in the U.S.
- Surveillance of foreign intelligence operatives (spies) in the U.S.
- Surveillance of U.S. persons who are agents of foreign powers
Volume: relatively small. FISC receives a few hundred applications per year; approval rate is high (>99%), though the government does sometimes withdraw applications.
Bucket 2: FISA Section 702 — Bulk Collection from U.S. Providers
Section 702, added by the FISA Amendments Act of 2008 and reauthorized most recently in April 2024, is the authority for NSA's largest domestic-facing collection program. The key provision: NSA can compel U.S. communications providers (Google, Microsoft, Apple, Facebook, telecom carriers) to provide communications of non-U.S. persons located abroad — without an individual FISC order for each target. The FISC instead approves an annual "certification" covering broad categories of foreign intelligence targets.
PRISM: NSA collects from provider-provided data — the provider receives a Section 702 directive and provides responsive communications. PRISM was the program first revealed by Snowden (June 2013 Washington Post/Guardian stories); it had operated since approximately 2007.
UPSTREAM: NSA collects from Internet backbone infrastructure — the fiber optic cables and switching equipment that carry Internet traffic through the U.S. Upstream collection occurs at telecommunications facilities; carriers are compelled to cooperate. "About collection" (collecting communications that mention a foreign target, not just communications of the target) was a controversial Upstream feature; NSA ended about collection for U.S.-origin communications in 2017 after compliance problems.
U.S. person data: Section 702 is targeted at foreign persons abroad, but the communications of those foreign persons with U.S. persons are "incidentally collected" — NSA retains them. FBI, CIA, and NSA can query these databases for U.S. person information for foreign intelligence purposes. The 2024 reauthorization included new restrictions on FBI's ability to conduct U.S. person queries without additional approval, but preserved the core collection authority.
Bucket 3: EO 12333 — Foreign Collection Without Court Order
EO 12333 authorizes NSA to collect communications of non-U.S. persons outside the United States — with no FISC order, no judicial oversight, and no statutory framework. This is the largest collection authority by volume. EO 12333 collection includes:
- Collection from undersea fiber optic cables outside U.S. territory
- Collection from foreign telecommunications infrastructure
- MUSCULAR program: collection from the private internal network links between data centers operated by U.S. companies (Google, Yahoo) outside the U.S. — revealed by Snowden; involved tapping fiber links between data centers in Asia and Europe without company knowledge or legal orders
For full detail on EO 12333, see the Executive Order 12333 page.
NSA's Organizational Structure
NSA headquarters is at Fort Meade, Maryland (NSA/CSS — Central Security Service). The Central Security Service designation encompasses NSA's partnership with the military services' cryptologic organizations. Key components:
- Signals Intelligence Directorate: Conducts SIGINT collection and analysis
- Cybersecurity Directorate: Defends classified U.S. government networks; provides cybersecurity guidance for critical infrastructure; CISA partnership
- Research Directorate: Technical cryptographic research; developing encryption algorithms; advising on cryptographic standards (NIST standards)
- National Security Operations Center (NSOC): 24/7 watch floor; the operational center for NSA intelligence reporting
NSA employs approximately 30,000–40,000 personnel (the exact figure is classified); its budget is the largest in the IC's National Intelligence Program (NIP). The Director is a military officer (traditionally a 3-star or 4-star), dual-hatted as CYBERCOM Commander.
The CYBERCOM Dual-Hat Controversy
Since NSA/CSS's merger of offensive signals intelligence collection with the defensive Information Assurance mission, and since CYBERCOM's creation in 2010, the NSA Director has been dual-hatted as CYBERCOM Commander. This creates a structural conflict:
- NSA's intelligence mission benefits from leaving adversary vulnerabilities unexploited — if NSA can read an adversary's communications through a vulnerability in their system, disclosing or patching that vulnerability would end the intelligence access
- CYBERCOM's offensive mission benefits from exploiting vulnerabilities — using them for offensive cyber effects
- NSA's defensive mission (protecting U.S. systems) benefits from disclosing and patching vulnerabilities in U.S. systems
One person cannot simultaneously optimize for all three. The Vulnerabilities Equities Process (VEP) — a White House-led process to decide whether to disclose discovered vulnerabilities — is the formal mechanism for managing this tension, but critics argue the dual-hat makes systematic disclosure of vulnerabilities less likely because the offensive intelligence equities are built into NSA leadership.
The Rogers Commission (2020), the NDAA FY2025 debates, and multiple PCLOB recommendations have called for splitting the dual-hat. It has survived every review cycle.
Five Eyes and UKUSA Agreement
The UKUSA Agreement (1946, formalized 1955) is the signals intelligence sharing arrangement among five English-speaking countries: United States, United Kingdom, Canada, Australia, New Zealand — collectively the "Five Eyes." Under UKUSA:
- Each country designates certain collection targets as "shared" and provides raw or finished SIGINT to partners
- The NSA's partner agencies are: GCHQ (UK), CSE (Canada), ASD (Australia), GCSB (New Zealand)
- "Second-party" status (Five Eyes members) means intelligence is shared more freely than with "third-party" allies
- The U.S. has a network of NSA collection sites at partner facilities and vice versa
The most significant civil liberties concern about Five Eyes: U.S. law restricts NSA from targeting U.S. persons. GCHQ has different rules. In theory, the U.S. could ask GCHQ to collect on a U.S. person and share the product — achieving collection that would be illegal if NSA did it directly. Post-Snowden reforms and intelligence-sharing agreements include provisions against this "Five Eyes workaround," but critics remain skeptical that the prohibition is technically enforceable.
Snowden Revelations (2013) and Their Legacy
Edward Snowden, an NSA contractor, disclosed documents revealing the scale of NSA collection to the Washington Post and Guardian in June 2013. Key programs revealed:
- Section 215 phone metadata: NSA was collecting the call detail records (metadata, not content) of all Americans in bulk under Section 215 of the PATRIOT Act: every call, who called whom, duration, location. The FISC had approved this under a classified interpretation of "relevant to a terrorism investigation." The program was ended by the USA FREEDOM Act (2015) and replaced with a provider-retention model that requires a specific query to access records.
- PRISM: NSA collection from U.S. Internet companies under Section 702 — revealed the companies named, the categories of data, and the volume
- XKeyscore: An NSA analytical tool allowing analysts to search the content of Internet communications collected under EO 12333 — described as allowing an analyst to see "nearly everything" a target does online
- MUSCULAR: Collection from Google/Yahoo internal data center links outside U.S.
The Snowden disclosures drove: the USA FREEDOM Act (2015); PPD-28 (2014 presidential directive on SIGINT); the PCLOB's Section 215 and Section 702 reports; and a sustained public debate about the balance between intelligence collection and civil liberties.
How It Affects You
<!-- pria:personalize type="impact" -->If you are a citizen or voter: The three-bucket structure means that the scope of NSA surveillance on U.S. persons depends heavily on which legal authority applies. FISA Title I requires an individual order targeting a foreign agent in the U.S. — the highest protection. Section 702 protects U.S. persons as targets but allows incidental collection of their communications with foreign persons; FBI can query those databases for U.S. person information under restrictions updated in 2024. EO 12333 has no statutory protection for U.S. persons' communications that are incidentally collected abroad. The ODNI's Statistical Transparency Report (published annually) provides aggregate numbers on FISA orders and Section 702 targets — the most accessible public accounting of the scale of collection. PCLOB.gov publishes the most detailed public analysis of how these authorities work.
If you work in technology, communications, or have international operations: Section 702 requires U.S. communications providers to comply with NSA directives for targeted foreign intelligence collection. The providers covered: "electronic communication service providers" — a statutory category that includes Internet service providers, cloud service providers, and telecommunications carriers. Foreign companies (including foreign subsidiaries of U.S. companies) receive different treatment. If you operate cloud services or communications infrastructure, your legal obligations depend on whether you qualify as an ECSP and whether you receive a Section 702 directive. The Cybersecurity Directorate's advisories and vulnerability disclosures are publicly available at nsa.gov — these are genuine public goods from NSA's defensive mission.
If you are a journalist or researcher: The most useful public NSA resources: the ODNI Statistical Transparency Report (annual FISA numbers), PCLOB reports on Section 702 and PPD-28, the FISC opinions made public under 50 U.S.C. § 1803(f) (a post-Snowden transparency requirement), and the EFF's Surveillance Self-Defense guide. For historical material: NARA's Snowden-era documents (those released by government), the Church Committee's NSA report (partially declassified), and NSA's own declassified historical records. Section 702 reauthorization debates — the most recent in April 2024 — produce the most detailed congressional record of how the program works.
If you are a foreign government official or have international business dealings: Non-U.S. persons outside the United States receive essentially no legal protection under U.S. surveillance law. EO 12333 allows collection of their communications with no court order; Section 702 allows collection from U.S. providers without an individual order. PPD-28 (2014) added some protections — restricting use of bulk collected SIGINT against certain foreign persons — but these are executive policy, not law. The EU-U.S. Data Privacy Framework (2023) attempts to address European concerns about U.S. surveillance of EU persons; its sustainability in European courts (following Schrems I and Schrems II) is an ongoing legal question.
<!-- /pria:personalize -->
Recent Developments
- 2013 — Snowden disclosures; revealed Section 215, PRISM, XKeyscore, MUSCULAR
- 2015 — USA FREEDOM Act ended bulk phone metadata collection; replaced with targeted query system
- 2017 — NSA ended "about collection" for UPSTREAM after compliance problems; disclosed to FISC; resulted in deletion of previously collected data
- 2018 — CYBERCOM elevated to full combatant command; dual-hat with NSA continues
- 2023 — PCLOB Section 702 report; recommended reforms to U.S. person query procedures
- 2024 (April) — FISA Section 702 reauthorized for 2 years by the Reforming Intelligence and Securing America Act (RISAA), signed April 20, 2024 (Pub. L. 118-49); new restrictions on FBI U.S. person queries; debate over "abouts collection" reauthorization (not included); passed after contentious House floor debate
- 2025 — Ongoing CYBERCOM/NSA dual-hat review; NDAA FY2026 discussions on separation
- April 19, 2026 — Section 702's two-year RISAA sunset reached; Congress moved a 3-year extension that passed the House in May 2026