Domestic Spying: CIA guidelines out-of-compliance for 2 years after Congress passed Section 309

[Razer]

H/t: Emptywheel: 
https://twitter.com/emptywheel/status/834446983624552449 and 
@thecipherbrief https://twitter.com/thecipherbrief/status/834434575837360129

New CIA guidelines set restrictions for incidentally collected 
intelligence on U.S. persons after 5 years
(Technology Advances Prompt Changes in CIA Collection Procedures)

Robert J. Eatinger, Jr., Former Senior Deputy General Counsel, CIA

In the final few days of the Obama Administration, CIA Director John 
Brennan, after consulting with the Director of National Intelligence, 
brought years of CIA and interagency efforts to a close by updating the 
CIA’s decades-old procedures for collecting, retaining, or disseminating 
information concerning United States (U.S.) persons.  These updated 
procedures are promulgated in a document entitled, Central Intelligence 
Agency Intelligence Activities: Procedures Approved by the Attorney 
General Pursuant to Executive Order 12333.  In a departure from the 
past, Director Brennan made these procedures available to the public on 
the CIA’s Office of Privacy and Civil Liberties webpage.

Before discussing those changes, it may be helpful to start with a basic 
understanding of the requirement for these procedures.

A few commentators have portrayed Executive Order 12333 as a sort of 
mysterious, open-ended authorization for U.S. intelligence agencies to 
engage in secret, questionable activities outside of any judicial or 
congressional oversight regime.  In other words, some have intimated 
that it is intended to facilitate and hide intelligence abuses.  It is, 
in fact, the opposite.  Its purpose is to avoid abuses.

Executive Order 12333 is the latest in a string of executive orders that 
began in 1976 when President Gerald Ford issued Executive Order 11905 in 
response to the findings and recommendations of congressional 
investigations into alleged abuses of Americans’ rights by U.S. 
intelligence agencies (frequently identified as the Church and Pike 
Committees).  Among the findings was that a fundamental flaw in the 
governance of the U.S. intelligence community permitted intelligence 
abuses. Executive Order 11905 defines the powers of each intelligence 
community entity, thereby limiting them.  It then imposes some limits on 
how those powers may be exercised.

Every President since has either promulgated his own executive order, or 
adopted or amended the existing order. Executive Order 12333, was issued 
in 1981 by President Ronald Reagan and significantly amended in 2008 by 
President George W. Bush.  None of these executive orders were 
classified and all were published in The Federal Register.

Executive Order 12333 sets the basic mission statement of the 
intelligence community, which includes following the law and respecting 
rights.  It requires the elements to collect reliable intelligence that 
provides the President and national leadership “with the necessary 
information on which to base decisions concerning the development and 
conduct of foreign, defense, and economic policies, and the protection 
of United States national interests from foreign security threats.” 
Executive Order 12333 further directs the intelligence community to 
collect that intelligence using “[a]ll means, consistent with applicable 
Federal law and this order, and with full consideration of the rights of 
United States persons,” and reminds the community of its “solemn 
obligation . . . to protect fully the legal rights of all United States 
persons, including freedoms, civil liberties, and privacy rights 
guaranteed by Federal law.”

Executive Order 12333 limits the types of and methods by which 
information concerning U.S. persons may be collected, retained, or 
disseminated.  It then authorizes elements to engage in such collection, 
retention, and dissemination only as permitted by procedures approved by 
the Attorney General. The Attorney General formally approved CIA’s 12333 
Procedures on January 17, 2017.

The CIA’s 12333 Procedures supersede procedures that had been written in 
1982 and sparingly updated since.  The changes made in the updated 
procedures reflect not only developments in U.S. law and policy, but 
also advances in collection methods due to changes in technology and 
privacy interests unforeseen in 1982, which did not contemplate the 
ubiquitous use of mobile phones, computers, and other digital media 
devices or evolving views of privacy and thus did not seek to address 
“big data” or “bulk” collection. Sections 5 and 6 in CIA’s 12333 
Procedures contain procedures specifically addressed to these 
developments.  These sections also satisfy the requirements to create 
procedures that limit to five years the retention of any nonpublic 
telephone or electronic communication acquired without the consent of a 
person who is a party to the communication except in defined 
circumstances (Section 309).

Section 5 and 6 also contain new procedures to address privacy interests 
implicated by foreign intelligence collection methods required in a 
globally interconnected digital world that did not exist in 1982.  As 
the CIA Statement notes, in 1982, “a clandestine operation may have 
resulted in the CIA collecting a limited number of hard copy documents.  
Today, in addition to traditional intelligence scenarios, a single 
storage device may contain the equivalent of millions of pages of 
information, hours of video, thousands of photos, or more.”  The 
dominance of the digital environment has resulted in circumstances in 
which foreign intelligence on terrorists, proliferators, and other 
foreign intelligence targets reside within data streams and digital 
repositories that also contain substantial volumes of information 
concerning U.S. persons.

In order to find the foreign intelligence information, however, 
intelligence agencies at times must capture the entire data stream or 
digital repository (“bulk collection”) because technical, practical, or 
operational realities do not permit targeted collection.  Such 
collection captures not only the information of intelligence value that 
the intelligence agency wants, but also the information concerning U.S. 
persons that the intelligence agency does not want.  In such cases, the 
U.S. person information in the bulk collection is considered to be 
“incidental collection,” because its acquisition was not the purpose of 
the collection operation.  While such incidentally acquired U.S. person 
information is presumed not to be of foreign intelligence interest or 
value, its residence on an intelligence agency server raises privacy 
concerns.  The Sections 5 and 6 procedures seek to address these concerns.

Section 5 protects privacy interests by establishing procedures to 
minimize the use of bulk collection to circumstances in which it is 
necessary and ensure proper audit, thereby seeking to prevent CIA from 
acquiring unwanted U.S. person information in the first place, except 
when necessary.  Section 5 requires the preparation of specific 
documentation prior to or as soon as practicable after any intelligence 
activity that results in bulk collection or acquires more information 
than the CIA’s can evaluate promptly, or qualifies for retention without 
individualized review.  The documentation must contain certain 
information necessary for identified senior officials to determine 
whether to approve the collection.

Assuming the collection has been determined to be permissible, Section 6 
addresses privacy concerns by establishing handling requirements and 
retention limits for the portion of the bulk collection containing U.S. 
person information of no intelligence value or interest:  the 
unevaluated information.

Section 6 creates two different types of handling requirements for 
unevaluated information; one for “routine” handling and one for 
“exceptional” handling.  Exceptional handling requirements apply to 
intelligence collections either of nonpublic communications that were 
acquired without the consent of a party to the communication, or that 
are anticipated to contain U.S. person identifying information that is 
significant in volume, proportion, or sensitivity.  The exceptional 
requirements include segregating the unevaluated information, limiting 
access to CIA employees who receive special training, creating an 
auditable record of activity, and importantly, requiring such 
information to be destroyed no later than five years after collection, 
permitting extensions in limited circumstances.

The five-year limit in Section 6 is but one example of how specifics in 
the new procedures attempt to find the right balance of intelligence and 
privacy interests.  Each procedure involves an effort to find the right 
tradeoffs to allow lawful intelligence collection and protect privacy 
and civil liberty rights and interests. The tradeoff was between the 
risk to a loss in intelligence capabilities by destroying information at 
five years against the risk to compromising privacy interests by keeping 
the information longer.

Deleting all unevaluated information specifically concerning U.S. 
persons has little to no intelligence downside because intelligence 
agencies will never want or have reason to search their intelligence 
holdings.  The five-year period to destroy all unevaluated information, 
however, will remove not only information concerning U.S. persons but 
also any information potentially concerning valid intelligence targets, 
such as international terrorists, from the intelligence agencies 
holdings.  In this latter case, however, intelligence agencies will want 
and may have a reason to search its holdings for information on these 
targets. The deletion of that information could thus have an adverse 
intelligence impact, particularly on counterterrorism and 
counterproliferation intelligence reporting, as well as on the conduct 
of human intelligence operations, all of which are important activities 
of the CIA.

The CIA could be expected to search all of its holdings upon receiving 
intelligence identifying a previous unknown person as a suspected 
terrorist or proliferator.  Under the five-year retention period, when 
the CIA conducts the search, any unevaluated information on that person 
that may have been acquired during a bulk collection activity over five 
years ago will have been deleted; CIA’s search will not retrieve that 
information. Thus, CIA might gain an incomplete or misleading 
understanding of the individual, his place in a terrorist network, and 
his contacts.  Or, CIA may send intelligence officers to conduct 
dangerous human intelligence operations to collect information it once 
had.  The loss of five-year old information could also adversely impact 
the spotting, assessing, recruiting, and running of human sources.  Safe 
and effective source operations are enhanced by the amount of 
information available to CIA and the handling officer(s).  How often the 
five-year retention limit might result in a loss of important 
information is unknowable.

The five-year retention period in Section 6 was not set by the CIA, DNI, 
or Attorney General, however, it was set by Congress through Section 
309.  Certainly, differing mission requirements among the individual 
intelligence community elements translate into differing retention 
needs.  Some intelligence entities likely could accomplish their mission 
and destroy unevaluated information in less than five years.  Others may 
need to retain information longer than five years.  Without question, 
the congressional intelligence committees sought and considered the 
input of the intelligence community entities before setting a retention 
limit. Congress has provided that intelligence agency heads may retain 
information longer than five years if the head determines a longer 
retention “is necessary to protect the national security of the United 
States” and certifies in writing to the intelligence committees the 
reasons for that determination, the new retention period, the particular 
information to be retained; and the measures that will be taken to 
protect the privacy interests of U.S. persons and persons located inside 
the United States.

Given the uncertainties of adequately assessing the relative risks to 
intelligence operations and privacy, and the diversity of considerations 
among intelligence agencies, if a single retention period was to be 
imposed on the entire intelligence community, the right body to do so 
was the one comprised of the People’s representatives: the Congress.


The Author is Robert J. Eatinger, Jr.

Bob is the founding Principal of SpyLaw Consulting for Business, LLC. 
Previously, Bob was the Senior Deputy General Counsel of the Central 
Intelligence Agency. He served as CIA’s Acting General Counsel from 
October 2013 to March 2014.  Before being named the Senior Deputy 
General Counsel, he served as CIA’s Deputy General Counsel for 
Operations from September 2009 to June 2013.  Bob also served on active 
duty in the United States Navy, Judge Advocate General’s Corps, and 
retired in 2013 as a Captain with 30 years of service.

https://www.thecipherbrief.com/column/network-take/technology-advances-prompt-changes-cia-collection-procedures-1091