Internet Metadata Collection

DNI Releases Update on PPD-28 Implementation

By Tara Hofbauer
Wednesday, October 22, 2014, 6:57 PM

On Friday, the Director of National Intelligence (DNI) released an update on the implementation of Presidential Policy Directive/PPD-28, regarding signals intelligence activities. Issued on January 17 by President Obama, PPD-28 “directs intelligence agencies to review and update their policies and processes ... to safeguard personal information collected through signals intelligence.”  (In January, Ben unpacked both the directive and President Obama’s speech regarding it.)

Among other things, PPD-28 required the DNI to work with both the Justice Department and the broader Intelligence Community to release an interim report regarding the status of the directive's implementation. According to a summary released by the DNI, the newly released interim document outlines “principles for agencies to incorporate in their policies and procedures[,]" including some that reach beyond minimums set by PPD-28.  The principles include:

  • Ensuring that privacy and civil liberties are integral considerations in signals intelligence activities.
  • Limiting the use of signals intelligence collected in bulk to the specific approved purposes set forth in PPD-28.
  • Ensuring that analytic practices and standards appropriately require that queries of collected signals intelligence information are duly authorized and focused.
  • Ensuring that retention and dissemination standards for United States person information under Executive Order 12333 are also applied, where feasible, to all personal information in signals intelligence, regardless of nationality.
  • Clarifying that the Intelligence Community will not retain or disseminate information as “foreign intelligence” solely because the information relates to a foreign person.
  • Developing procedures to ensure that unevaluated signals intelligence is not retained for more than five years, unless the DNI determines after careful evaluation of appropriate civil liberties and privacy concerns, that continued retention is in the national security interests of the United States.
  • Reinforcing and strengthening internal handling of privacy and civil liberties complaints.
  • Reviewing training to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality. Successful completion of this training must be a prerequisite for accessing personal information in unevaluated signals intelligence.
  • Developing oversight and compliance programs to ensure adherence to PPD-28 and agency procedures, which could include auditing and periodic reviews by appropriate oversight and compliance officials of the practices for protecting personal information contained in signals intelligence and the agencies’ compliance with those procedures.
  • Publicly releasing, to the extent consistent with classification requirements, the procedures developed pursuant to PPD-28.

The Intelligence Community is tasked with implementing PPD-28 by January 2015.