The legal basis for wide-scale Internet spying on foreigners is set out in black and white in the Foreign Intelligence Surveillance Act (FISA). FISA allows collection of "foreign intelligence information," a grant of authority which goes well beyond counterterrorism or national security to include "information with respect to a foreign power or foreign territory that relates to ... the conduct of the foreign affairs of the United States." In the original version of FISA, individuals could only be targeted if they were "agents of foreign powers," but 2008 amendments to the statute did away with that limitation. Thus, FISA as it now stands authorizes warrantless surveillance of any non-U.S. individual reasonably believed to be located abroad, allowing for the interception of the most private kind of information so long as it "relates to" U.S. foreign affairs. That language is broad enough to allow the U.S. to seize almost any sort of foreign communication, on the grounds that a communication might relate in some way to a foreign-affairs interest of the United States.
For foreigners who don't regularly read American surveillance statutes, this all came as an unpleasant surprise. And the details of how the NSA administers the mass surveillance programs do not make the surprise any more palatable. Individuals subject to NSA surveillance are almost never notified. The proceedings authorizing the surveillance are secret. The orders and directives are classified. The Internet companies that respond to the U.S. government's information demands are under gag order, or otherwise obligated not to disclose. And from a foreigner's perspective, all this happens at the request of a government they can't hold to account and is approved by a secret foreign court they can't petition.
In addition to its broad legal authority to spy on foreigners, the U.S. now has a distinct technological advantage in doing so. In the past, the nature of the telecommunications infrastructure meant that NSA commonly had to operate abroad to intercept in real-time phone calls between non-Americans. But today, most communications flow over the Internet and a very large percentage of key Internet infrastructure is in the United States. Thus, foreigners' communications are much more likely to pass through U.S. facilities even when no U.S. person is a party to a particular message. Think about a foreigner using Gmail, or Facebook, or Twitter -- billions of these communications originate elsewhere in the world but pass through, and are stored on, servers located in the U.S.
With so few legal or technical checks on the U.S. government's power to snoop, Internet users look to U.S. Internet companies to serve as gatekeepers. Fortunately, some U.S.-based Internet companies also have a pro-privacy streak, and view themselves as critical checkpoints in the surveillance infrastructure. Here are just two examples: In 2007, Yahoo unsuccessfully challenged the Protect America Act, a precursor law to the updated FISA. More recently, an unknown company brought a case before the FISA court which resulted in a secret 2011 holding that the NSA had violated the Fourth Amendment.