H/t: Emptywheel: https://twitter.com/emptywheel/status/834446983624552449 and @thecipherbrief https://twitter.com/thecipherbrief/status/834434575837360129

New CIA guidelines set restrictions for incidentally collected intelligence on U.S. persons after 5 years

(Technology Advances Prompt Changes in CIA Collection Procedures)

Robert J. Eatinger, Jr., Former Senior Deputy General Counsel, CIA

In the final few days of the Obama Administration, CIA Director John Brennan, after consulting with the Director of National Intelligence, brought years of CIA and interagency efforts to a close by updating the CIA’s decades-old procedures for collecting, retaining, or disseminating information concerning United States (U.S.) persons. These updated procedures are promulgated in a document entitled, Central Intelligence Agency Intelligence Activities: Procedures Approved by the Attorney General Pursuant to Executive Order 12333. In a departure from the past, Director Brennan made these procedures available to the public on the CIA’s Office of Privacy and Civil Liberties webpage.

Before discussing those changes, it may be helpful to start with a basic understanding of the requirement for these procedures. A few commentators have portrayed Executive Order 12333 as a sort of mysterious, open-ended authorization for U.S. intelligence agencies to engage in secret, questionable activities outside of any judicial or congressional oversight regime. In other words, some have intimated that it is intended to facilitate and hide intelligence abuses. It is, in fact, the opposite. Its purpose is to avoid abuses.

Executive Order 12333 is the latest in a string of executive orders that began in 1976 when President Gerald Ford issued Executive Order 11905 in response to the findings and recommendations of congressional investigations into alleged abuses of Americans’ rights by U.S. intelligence agencies (frequently identified as the Church and Pike Committees).
Among the findings was that a fundamental flaw in the governance of the U.S. intelligence community permitted intelligence abuses. Executive Order 11905 defines the powers of each intelligence community entity, thereby limiting them. It then imposes some limits on how those powers may be exercised. Every President since has either promulgated his own executive order, or adopted or amended the existing order. Executive Order 12333 was issued in 1981 by President Ronald Reagan and significantly amended in 2008 by President George W. Bush. None of these executive orders were classified and all were published in The Federal Register.

Executive Order 12333 sets the basic mission statement of the intelligence community, which includes following the law and respecting rights. It requires the elements to collect reliable intelligence that provides the President and national leadership “with the necessary information on which to base decisions concerning the development and conduct of foreign, defense, and economic policies, and the protection of United States national interests from foreign security threats.” Executive Order 12333 further directs the intelligence community to collect that intelligence using “[a]ll means, consistent with applicable Federal law and this order, and with full consideration of the rights of United States persons,” and reminds the community of its “solemn obligation . . . to protect fully the legal rights of all United States persons, including freedoms, civil liberties, and privacy rights guaranteed by Federal law.”

Executive Order 12333 limits the types of and methods by which information concerning U.S. persons may be collected, retained, or disseminated. It then authorizes elements to engage in such collection, retention, and dissemination only as permitted by procedures approved by the Attorney General. The Attorney General formally approved CIA’s 12333 Procedures on January 17, 2017.
The CIA’s 12333 Procedures supersede procedures that had been written in 1982 and sparingly updated since. The changes made in the updated procedures reflect not only developments in U.S. law and policy, but also advances in collection methods due to changes in technology and privacy interests unforeseen in 1982. The 1982 procedures did not contemplate the ubiquitous use of mobile phones, computers, and other digital media devices or evolving views of privacy and thus did not seek to address “big data” or “bulk” collection.

Sections 5 and 6 in CIA’s 12333 Procedures contain procedures specifically addressed to these developments. These sections also satisfy the requirements to create procedures that limit to five years the retention of any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication except in defined circumstances (Section 309).

Sections 5 and 6 also contain new procedures to address privacy interests implicated by foreign intelligence collection methods required in a globally interconnected digital world that did not exist in 1982. As the CIA Statement notes, in 1982, “a clandestine operation may have resulted in the CIA collecting a limited number of hard copy documents. Today, in addition to traditional intelligence scenarios, a single storage device may contain the equivalent of millions of pages of information, hours of video, thousands of photos, or more.”

The dominance of the digital environment has resulted in circumstances in which foreign intelligence on terrorists, proliferators, and other foreign intelligence targets resides within data streams and digital repositories that also contain substantial volumes of information concerning U.S. persons.
In order to find the foreign intelligence information, however, intelligence agencies at times must capture the entire data stream or digital repository (“bulk collection”) because technical, practical, or operational realities do not permit targeted collection. Such collection captures not only the information of intelligence value that the intelligence agency wants, but also the information concerning U.S. persons that the intelligence agency does not want. In such cases, the U.S. person information in the bulk collection is considered to be “incidental collection,” because its acquisition was not the purpose of the collection operation. While such incidentally acquired U.S. person information is presumed not to be of foreign intelligence interest or value, its residence on an intelligence agency server raises privacy concerns. The Sections 5 and 6 procedures seek to address these concerns.

Section 5 protects privacy interests by establishing procedures to minimize the use of bulk collection to circumstances in which it is necessary and ensure proper audit, thereby seeking to prevent CIA from acquiring unwanted U.S. person information in the first place, except when necessary. Section 5 requires the preparation of specific documentation prior to or as soon as practicable after any intelligence activity that results in bulk collection or acquires more information than the CIA can evaluate promptly, or qualifies for retention without individualized review. The documentation must contain certain information necessary for identified senior officials to determine whether to approve the collection.

Assuming the collection has been determined to be permissible, Section 6 addresses privacy concerns by establishing handling requirements and retention limits for the portion of the bulk collection containing U.S. person information of no intelligence value or interest: the unevaluated information.
Section 6 creates two different types of handling requirements for unevaluated information: one for “routine” handling and one for “exceptional” handling. Exceptional handling requirements apply to intelligence collections either of nonpublic communications that were acquired without the consent of a party to the communication, or that are anticipated to contain U.S. person identifying information that is significant in volume, proportion, or sensitivity. The exceptional requirements include segregating the unevaluated information, limiting access to CIA employees who receive special training, creating an auditable record of activity, and importantly, requiring such information to be destroyed no later than five years after collection, permitting extensions in limited circumstances.

The five-year limit in Section 6 is but one example of how specifics in the new procedures attempt to find the right balance of intelligence and privacy interests. Each procedure involves an effort to find the right tradeoffs to allow lawful intelligence collection and protect privacy and civil liberty rights and interests. The tradeoff was between the risk of a loss in intelligence capabilities by destroying information at five years against the risk of compromising privacy interests by keeping the information longer. Deleting all unevaluated information specifically concerning U.S. persons has little to no intelligence downside because intelligence agencies will never want or have reason to search their intelligence holdings. The five-year period to destroy all unevaluated information, however, will remove not only information concerning U.S. persons but also any information potentially concerning valid intelligence targets, such as international terrorists, from the intelligence agencies’ holdings. In this latter case, however, intelligence agencies will want and may have a reason to search their holdings for information on these targets.
The deletion of that information could thus have an adverse intelligence impact, particularly on counterterrorism and counterproliferation intelligence reporting, as well as on the conduct of human intelligence operations, all of which are important activities of the CIA.

The CIA could be expected to search all of its holdings upon receiving intelligence identifying a previously unknown person as a suspected terrorist or proliferator. Under the five-year retention period, when the CIA conducts the search, any unevaluated information on that person that may have been acquired during a bulk collection activity over five years ago will have been deleted; CIA’s search will not retrieve that information. Thus, CIA might gain an incomplete or misleading understanding of the individual, his place in a terrorist network, and his contacts. Or, CIA may send intelligence officers to conduct dangerous human intelligence operations to collect information it once had. The loss of five-year-old information could also adversely impact the spotting, assessing, recruiting, and running of human sources. Safe and effective source operations are enhanced by the amount of information available to CIA and the handling officer(s). How often the five-year retention limit might result in a loss of important information is unknowable.

The five-year retention period in Section 6 was not set by the CIA, DNI, or Attorney General, however; it was set by Congress through Section 309. Certainly, differing mission requirements among the individual intelligence community elements translate into differing retention needs. Some intelligence entities likely could accomplish their mission and destroy unevaluated information in less than five years. Others may need to retain information longer than five years. Without question, the congressional intelligence committees sought and considered the input of the intelligence community entities before setting a retention limit.
Congress has provided that intelligence agency heads may retain information longer than five years if the head determines a longer retention “is necessary to protect the national security of the United States” and certifies in writing to the intelligence committees the reasons for that determination, the new retention period, the particular information to be retained, and the measures that will be taken to protect the privacy interests of U.S. persons and persons located inside the United States.

Given the uncertainties of adequately assessing the relative risks to intelligence operations and privacy, and the diversity of considerations among intelligence agencies, if a single retention period was to be imposed on the entire intelligence community, the right body to do so was the one comprised of the People’s representatives: the Congress.

The Author is Robert J. Eatinger, Jr. Bob is the founding Principal of SpyLaw Consulting for Business, LLC. Previously, Bob was the Senior Deputy General Counsel of the Central Intelligence Agency. He served as CIA’s Acting General Counsel from October 2013 to March 2014. Before being named the Senior Deputy General Counsel, he served as CIA’s Deputy General Counsel for Operations from September 2009 to June 2013. Bob also served on active duty in the United States Navy, Judge Advocate General’s Corps, and retired in 2013 as a Captain with 30 years of service.

https://www.thecipherbrief.com/column/network-take/technology-advances-promp...