Senators Ron Wyden and Martin Heinrich are raising concerns about a program of bulk data collection operated by the Central Intelligence Agency—one that permits the agency to store and search for information concerning Americans without the oversight or legal restrictions imposed by statues like the Foreign Intelligence Surveillance Act. A letter to intelligence chiefs written by Martin and Heinrich last April is one of several newly‐​declassified documents concerning the program, which had been the subject of an unpublished “deep dive” analysis by the Privacy and Civil Liberties Oversight Board (PCLOB). Yet the documents tell us maddeningly little about the program beyond the fact of its existence—one reason that Martin and Heinrich’s primary demand is for greater transparency. Nevertheless, there are a few inferences we can draw from both the letter and the recommendations offered by PCLOB staff.

First, Wyden and Heinrich reference the history of legislative efforts to limit or prohibit the indiscriminate large‐​scale collection of U.S. person records. Though a large chunk of text here remains redacted, it seems quite clear they are referencing such reforms as the USA FREEDOM Act of 2015, which ended the National Security Agency’s bulk telephony metadata program revealed by Edward Snowden. “And yet,” the senators write, “throughout this period, the CIA has secretly conducted its own bulk program [REDACTED]. It has done so entirely outside the statutory framework that Congress and the public believe govern this collection [.…]” So whatever CIA is doing, it is at least somewhat comparable to the NSA’s bulk telephone metadata program—sufficiently similar that the public and Congress would assume such activities had been addressed and regulated by recent legislative reforms.

Second, Wyden and Heinrich urge greater transparency concerning the CIA’s “relationship with its sources,” which implies that the records in question are provided voluntarily—or at least knowingly—to the CIA by some outside source, rather than obtained surreptitiously, via interception or exfiltration. In other words, these are records that are being sold or given to CIA by some other entities with which the agency has an ongoing relationship. (It would not make sense to speak of a “relationship with its sources” if, for instance, the CIA had collected this data by hacking into the networks of foreign governments or corporations.) Since the letter worries that the CIA’s collection does not involve judicial oversight—at least not of the type associated with collection under the Foreign Intelligence Surveillance Act—and only the FBI can issue National Security Letters, it does not sound as though these records are obtained by compulsory process. So, again, it sounds as though they are likely being either volunteered or purchased.

Third, the recommendations developed by PCLOB staff reference a pop‐​up box that is displayed to analysts when they query the database for information “deemed by the system” to pertain to U.S. persons, reminding them that a legitimate foreign intelligence purpose is required for such queries (though not, as PCLOB staff noted, requiring them to document that purpose within the system). That suggests that the records themselves (and the queries that might be run against them) probably include information of a type that an automated system could use to infer whether the record or query pertains to a U.S. person, such as a physical address, Internet Protocol address, or telephone number.

As it happens, there has indeed been public reporting of a CIA bulk collection program fitting this description: Back in 2013, The New York Times reported that CIA was paying AT&T $10 million annually for access to call records, including both foreign‐​to‐​foreign calls carried by AT&T’s network and international calls with one endpoint in the United States. They’re able to do this thanks to a somewhat obscure loophole in federal privacy law.

The Foreign Intelligence Surveillance Act (FISA) provides the “exclusive means” by which intelligence agencies may conduct domestic “electronic surveillance” for foreign intelligence purposes. The Electronic Communications Privacy Act (ECPA) governs how law enforcement agencies may conduct wiretaps or obtain telecommunications records. But tucked into a corner of ECPA, at 18 USC §2511(f), is a little carve out that leaves one type of information collection unregulated: Acquisition of information that pertains to either foreign or international (one end domestic) communications, for foreign intelligence purposes, that does not constitute “electronic surveillance” within the meaning of FISA. Wiretapping a phone call or Internet message is “electronic surveillance,” but that term is not understood as covering the production of business records containing telecommunications metadata. While ECPA requires law enforcement agencies to follow a statutory process in order to obtain such records—and forbids telecommunications companies from just handing them over to the government—§2511 exempts foreign intelligence from those rules. In effect, that means CIA vacuuming up such records falls in a gap between ECPA and FISA, regulated by neither statute. Collection falling in that gap isn’t regulated by laws Congress enacted, but instead by Executive Order 12333, first issued by President Ronald Reagan in 1981. And 12333 is pretty lax. In essence, it says that spy agencies must have some legitimate foreign intelligence purpose for gathering information about Americans, and must do so according to rules approved by their directors in consultation with the attorney general.

As it happens, the §2511(f) loophole is addressed by a piece of legislation sponsored by Sen. Wyden, the Fourth Amendment Is Not For Sale Act, which seeks to regulate the purchase of private information by law enforcement and intelligence agencies, ensuring that they cannot circumvent judicially supervised means of obtaining private information simply by opening their wallets.

While this is necessarily speculative, that’s a fair amount of circumstantial evidence suggesting that the bulk program referenced in these documents is, if not the bulk telephone records program reported by the Times in 2013, then at any rate something fairly similar. (It would not, for instance, be surprising if CIA had similar arrangements with various Internet providers or platforms.) If so, there’s good cause for concern.

The FISA framework, codifying rules for intelligence surveillance and establishing a dedicated judicial body to oversee it, grew out of the realization that unregulated intelligence agencies had systematically abused their powers over many decades. The most shocking revelations involving domestic civil liberties involved the FBI, but CIA, while theoretically wholly foreign‐​focused, was shown to have played a part as well, via programs such as Operation CHAOS. Moreover, the nature of 21st century communications means that even a nominally foreign‐​focused agency is inevitably going to collect large and growing amounts of U.S. person data. Surveillance, like water, takes the path of least resistance: If some types of collection are significantly less regulated than others, we can expect greater reliance on those mechanisms to the extent they are roughly substitutable. And, of course, CIA, like NSA, routinely disseminates intelligence reporting to other agencies. The abuses carried out by FBI in the 1960s and 70s were supported by streams of intelligence gathered by their foreign‐​facing counterparts. All of which is to say that, while there are obvious reasons we impose the strictest safeguards on surveillance that explicitly targets Americans, the radical asymmetry in regulation of domestic and foreign intelligence activities is increasingly hard to justify in the 21st century.

It’s also important to recognize a changed legal landscape. In the 1970s, a series of dubious Supreme Court rulings established what came to be known as the “Third Party Doctrine”—which was understood as declaring a sort of Fourth Amendment open season on records of telecommunications metadata held in the custody of businesses (or “third parties). In 2018, however, the Supreme Court held in Carpenter v. United States that the large‐​scale acquisition of cellular records over a long period of time, allowing the government to track the location of a cell phone’s owner, could in fact qualify as a “search” within the meaning of the Fourth Amendment. In other words, it is no longer clear that the Fourth Amendment has nothing to say about the large scale collection of at least some types of third‐​party records.

Moreover, we know that intelligence agencies engage in the large scale collection and long‐​term storage and analysis of such records on a scale far beyond what ordinary law enforcement does. Even where the underlying authority under which records are collected has been held to pass Fourth Amendment muster, we know there are occasions on which even the highly deferential Foreign Intelligence Surveillance Court has found the implementation of those authorities “unreasonable” under the Fourth Amendment. Of course, this occurred only because the FISC is able to review the implementation of those programs. But the FISC has no ability to review the constitutionality of CIA’s record collection and database querying practices pursuant to EO 12333. Nor, in practice, does any other court: These programs are classified, and their purpose is to gather intelligence, not to produce evidence for use in criminal prosecution, at which point a defendant might have an opportunity to raise constitutional challenges.

We have, in sum, the large scale, long‐​term collection of certain records—very likely telephony or other telecommunications records—by the CIA. We know that the Supreme Court has recently held that precisely this sort of practice may violate the Constitution, at least under certain circumstances. And yet no court actually has the opportunity to decide whether this program is, in fact, constitutional. We are expected to content ourselves with the constitutional assessment of lawyers employed by the intelligence agencies themselves. That is not good enough, and Congress should say so.