Domestic Spying: CIA guidelines out-of-compliance for 2 years after Congress passed Section 309
Razer
g2s at riseup.net
Wed Feb 22 10:41:42 PST 2017
H/t: Emptywheel:
https://twitter.com/emptywheel/status/834446983624552449 and
@thecipherbrief https://twitter.com/thecipherbrief/status/834434575837360129
New CIA guidelines set restrictions for incidentally collected
intelligence on U.S. persons after 5 years
(Technology Advances Prompt Changes in CIA Collection Procedures)
Robert J. Eatinger, Jr., Former Senior Deputy General Counsel, CIA
In the final few days of the Obama Administration, CIA Director John
Brennan, after consulting with the Director of National Intelligence,
brought years of CIA and interagency efforts to a close by updating the
CIA’s decades-old procedures for collecting, retaining, or disseminating
information concerning United States (U.S.) persons. These updated
procedures are promulgated in a document entitled, Central Intelligence
Agency Intelligence Activities: Procedures Approved by the Attorney
General Pursuant to Executive Order 12333. In a departure from the
past, Director Brennan made these procedures available to the public on
the CIA’s Office of Privacy and Civil Liberties webpage.
Before discussing those changes, it may be helpful to start with a basic
understanding of the requirement for these procedures.
A few commentators have portrayed Executive Order 12333 as a sort of
mysterious, open-ended authorization for U.S. intelligence agencies to
engage in secret, questionable activities outside of any judicial or
congressional oversight regime. In other words, some have intimated
that it is intended to facilitate and hide intelligence abuses. It is,
in fact, the opposite. Its purpose is to avoid abuses.
Executive Order 12333 is the latest in a string of executive orders that
began in 1976 when President Gerald Ford issued Executive Order 11905 in
response to the findings and recommendations of congressional
investigations into alleged abuses of Americans’ rights by U.S.
intelligence agencies (frequently identified as the Church and Pike
Committees). Among the findings was that a fundamental flaw in the
governance of the U.S. intelligence community permitted intelligence
abuses. Executive Order 11905 defines the powers of each intelligence
community entity, thereby limiting them. It then imposes some limits on
how those powers may be exercised.
Every President since has either promulgated his own executive order, or
adopted or amended the existing order. Executive Order 12333, was issued
in 1981 by President Ronald Reagan and significantly amended in 2008 by
President George W. Bush. None of these executive orders were
classified and all were published in The Federal Register.
Executive Order 12333 sets the basic mission statement of the
intelligence community, which includes following the law and respecting
rights. It requires the elements to collect reliable intelligence that
provides the President and national leadership “with the necessary
information on which to base decisions concerning the development and
conduct of foreign, defense, and economic policies, and the protection
of United States national interests from foreign security threats.”
Executive Order 12333 further directs the intelligence community to
collect that intelligence using “[a]ll means, consistent with applicable
Federal law and this order, and with full consideration of the rights of
United States persons,” and reminds the community of its “solemn
obligation . . . to protect fully the legal rights of all United States
persons, including freedoms, civil liberties, and privacy rights
guaranteed by Federal law.”
Executive Order 12333 limits the types of and methods by which
information concerning U.S. persons may be collected, retained, or
disseminated. It then authorizes elements to engage in such collection,
retention, and dissemination only as permitted by procedures approved by
the Attorney General. The Attorney General formally approved CIA’s 12333
Procedures on January 17, 2017.
The CIA’s 12333 Procedures supersede procedures that had been written in
1982 and sparingly updated since. The changes made in the updated
procedures reflect not only developments in U.S. law and policy, but
also advances in collection methods due to changes in technology and
privacy interests unforeseen in 1982, which did not contemplate the
ubiquitous use of mobile phones, computers, and other digital media
devices or evolving views of privacy and thus did not seek to address
“big data” or “bulk” collection. Sections 5 and 6 in CIA’s 12333
Procedures contain procedures specifically addressed to these
developments. These sections also satisfy the requirements to create
procedures that limit to five years the retention of any nonpublic
telephone or electronic communication acquired without the consent of a
person who is a party to the communication except in defined
circumstances (Section 309).
Section 5 and 6 also contain new procedures to address privacy interests
implicated by foreign intelligence collection methods required in a
globally interconnected digital world that did not exist in 1982. As
the CIA Statement notes, in 1982, “a clandestine operation may have
resulted in the CIA collecting a limited number of hard copy documents.
Today, in addition to traditional intelligence scenarios, a single
storage device may contain the equivalent of millions of pages of
information, hours of video, thousands of photos, or more.” The
dominance of the digital environment has resulted in circumstances in
which foreign intelligence on terrorists, proliferators, and other
foreign intelligence targets reside within data streams and digital
repositories that also contain substantial volumes of information
concerning U.S. persons.
In order to find the foreign intelligence information, however,
intelligence agencies at times must capture the entire data stream or
digital repository (“bulk collection”) because technical, practical, or
operational realities do not permit targeted collection. Such
collection captures not only the information of intelligence value that
the intelligence agency wants, but also the information concerning U.S.
persons that the intelligence agency does not want. In such cases, the
U.S. person information in the bulk collection is considered to be
“incidental collection,” because its acquisition was not the purpose of
the collection operation. While such incidentally acquired U.S. person
information is presumed not to be of foreign intelligence interest or
value, its residence on an intelligence agency server raises privacy
concerns. The Sections 5 and 6 procedures seek to address these concerns.
Section 5 protects privacy interests by establishing procedures to
minimize the use of bulk collection to circumstances in which it is
necessary and ensure proper audit, thereby seeking to prevent CIA from
acquiring unwanted U.S. person information in the first place, except
when necessary. Section 5 requires the preparation of specific
documentation prior to or as soon as practicable after any intelligence
activity that results in bulk collection or acquires more information
than the CIA’s can evaluate promptly, or qualifies for retention without
individualized review. The documentation must contain certain
information necessary for identified senior officials to determine
whether to approve the collection.
Assuming the collection has been determined to be permissible, Section 6
addresses privacy concerns by establishing handling requirements and
retention limits for the portion of the bulk collection containing U.S.
person information of no intelligence value or interest: the
unevaluated information.
Section 6 creates two different types of handling requirements for
unevaluated information; one for “routine” handling and one for
“exceptional” handling. Exceptional handling requirements apply to
intelligence collections either of nonpublic communications that were
acquired without the consent of a party to the communication, or that
are anticipated to contain U.S. person identifying information that is
significant in volume, proportion, or sensitivity. The exceptional
requirements include segregating the unevaluated information, limiting
access to CIA employees who receive special training, creating an
auditable record of activity, and importantly, requiring such
information to be destroyed no later than five years after collection,
permitting extensions in limited circumstances.
The five-year limit in Section 6 is but one example of how specifics in
the new procedures attempt to find the right balance of intelligence and
privacy interests. Each procedure involves an effort to find the right
tradeoffs to allow lawful intelligence collection and protect privacy
and civil liberty rights and interests. The tradeoff was between the
risk to a loss in intelligence capabilities by destroying information at
five years against the risk to compromising privacy interests by keeping
the information longer.
Deleting all unevaluated information specifically concerning U.S.
persons has little to no intelligence downside because intelligence
agencies will never want or have reason to search their intelligence
holdings. The five-year period to destroy all unevaluated information,
however, will remove not only information concerning U.S. persons but
also any information potentially concerning valid intelligence targets,
such as international terrorists, from the intelligence agencies
holdings. In this latter case, however, intelligence agencies will want
and may have a reason to search its holdings for information on these
targets. The deletion of that information could thus have an adverse
intelligence impact, particularly on counterterrorism and
counterproliferation intelligence reporting, as well as on the conduct
of human intelligence operations, all of which are important activities
of the CIA.
The CIA could be expected to search all of its holdings upon receiving
intelligence identifying a previous unknown person as a suspected
terrorist or proliferator. Under the five-year retention period, when
the CIA conducts the search, any unevaluated information on that person
that may have been acquired during a bulk collection activity over five
years ago will have been deleted; CIA’s search will not retrieve that
information. Thus, CIA might gain an incomplete or misleading
understanding of the individual, his place in a terrorist network, and
his contacts. Or, CIA may send intelligence officers to conduct
dangerous human intelligence operations to collect information it once
had. The loss of five-year old information could also adversely impact
the spotting, assessing, recruiting, and running of human sources. Safe
and effective source operations are enhanced by the amount of
information available to CIA and the handling officer(s). How often the
five-year retention limit might result in a loss of important
information is unknowable.
The five-year retention period in Section 6 was not set by the CIA, DNI,
or Attorney General, however, it was set by Congress through Section
309. Certainly, differing mission requirements among the individual
intelligence community elements translate into differing retention
needs. Some intelligence entities likely could accomplish their mission
and destroy unevaluated information in less than five years. Others may
need to retain information longer than five years. Without question,
the congressional intelligence committees sought and considered the
input of the intelligence community entities before setting a retention
limit. Congress has provided that intelligence agency heads may retain
information longer than five years if the head determines a longer
retention “is necessary to protect the national security of the United
States” and certifies in writing to the intelligence committees the
reasons for that determination, the new retention period, the particular
information to be retained; and the measures that will be taken to
protect the privacy interests of U.S. persons and persons located inside
the United States.
Given the uncertainties of adequately assessing the relative risks to
intelligence operations and privacy, and the diversity of considerations
among intelligence agencies, if a single retention period was to be
imposed on the entire intelligence community, the right body to do so
was the one comprised of the People’s representatives: the Congress.
The Author is Robert J. Eatinger, Jr.
Bob is the founding Principal of SpyLaw Consulting for Business, LLC.
Previously, Bob was the Senior Deputy General Counsel of the Central
Intelligence Agency. He served as CIA’s Acting General Counsel from
October 2013 to March 2014. Before being named the Senior Deputy
General Counsel, he served as CIA’s Deputy General Counsel for
Operations from September 2009 to June 2013. Bob also served on active
duty in the United States Navy, Judge Advocate General’s Corps, and
retired in 2013 as a Captain with 30 years of service.
https://www.thecipherbrief.com/column/network-take/technology-advances-prompt-changes-cia-collection-procedures-1091
More information about the cypherpunks
mailing list