...if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.
“Incidental” collection may sound insignificant, but it is a legal loophole that can be stretched very wide. Remember that the NSA is building a data center in Utah five times the size of the U.S. Capitol building, with its own power plant that will reportedly burn $40 million a year in electricity.
“Incidental collection” might need its own power plant.
That's the strange upshot of an article in yesterday's Washington Post. In sum: Section 215 of the Patriot Act, which allows limited surveillance of phone and computer traffic within the US, has rightfully gotten lots of attention. But what we should be really worried about is Executive Order 12333, which allows unrestricted surveillance of any US citizen’s communications whatsoever that take place off of US soil. But that means pretty much everyone, because so many online services, such as email providers (and I imagine anyone at all providing the usual cloud services) mirror their data to overseas data centers. Thus qualifying them as communications on non-US soil.
It doesn't take a Snowden for us to figure out that we are being watched. The interesting question is exactly how, and how it's justified. Of course, Executive Order 12333 is only one of many possible ways to do this. How many other such loopholes do you think there are?