Last week the Office of the Director of National Intelligence released its 2015 Signals Intelligence Reform Report, designed to highlight the intelligence community’s implementation of Presidential Policy Directive (PPD)-28. The document is a mixed bag: There’s some aspirational, high-altitude language; the report also reaffirms previously known intelligence community views regarding the legality of certain operations and the importance of balancing intelligence collection with civil liberties and American alliance concerns abroad.
But there’s also more eye-catching stuff in here, too. The document notes a number of important changes, some announced by the President last January and undertaken since, as well as some more recent changes. I highlight some, but by no means all, of these below.
Before doing so, some context (as summarized by Ben following President Obama’s speech last January): PPD-28 and the accompanying review of signals intelligence and privacy protections was not meant as an overhaul of American intelligence law or collection methods. Indeed, President Obama has been largely supportive of these, and of the work of the intelligence community more generally. The idea was different: Instead, the President noted in his speech that the intelligence community, in order to be effective in the long-term, must “maintain the trust of the American people, and people around the world.” This is the benchmark by which the results of the IC’s implementation efforts should be judged, not on whether the review led to tectonic shifts in American surveillance policy.
As to those efforts:
Civil Liberties and Privacy
Perhaps the most anticipated part of the report was what additional protections, if any, would be added to the telephony metadata collection program under Section 215 of the USA PATRIOT Act. The report here does not seem to announce any big-ticket changes---but instead reaffirms two tweaks announced by the President last year, in his speech and implemented shortly thereafter by intelligence officials.
Before the President’s address, “the basis for the reasonable, articulable suspicion finding had to be documented in writing and approved by specifically authorized NSA officials,” the DNI explains, referring to the standard required for analysts to query telephony metadata. The DNI’s report thus first re-affirms a fact we’ve known for some time: Owing to presidential instructions, the Foreign Intelligence Surveillance Court (FISC) has been involved in reviewing surveillance requests since PPD-28. With the exception of emergency situations, both FISC and the NSA must approve each query term before the data can be collected. (Wells wrote about the implications to greater ex ante FISC involvement in the procedural requirements last year.) The DNI report confirms that, as we've known, front-end FISC involvement is now a regular feature of surveillance practice.
It similarly highlights another adjustment to the call records program, implemented as a consequence of and around the time of the President’s surveillance speech. This concerns how many “hops”---or steps removed from a phone number that has been previously associated with a terrorist organization---can be collected:
Previously, NSA was permitted to query the information out to three “hops,” or links. Today, queries are limited to two hops. This means NSA is permitted to develop contact chains by starting with a target identifier (seed number) and, using telephony metadata records, see what identifiers communicated with that target (first hop) and which identifiers, in turn, communicated with the first-hop identifiers (second hop). The limitation to two hops reduces the number of potential results from each query.
There’s perhaps more to pore over in the report’s treatment of Section 702 of the FISA Amendments Act, which generally authorizes the targeting of non-U.S. persons reasonably believed to be located outside the United States, for purposes of acquiring foreign intelligence. In this regard, the DNI says the NSA, CIA and FBI will each be implementing new minimization procedures designed to impose more strict requirements on their ability to use a US person identifier to generate information about foreign citizens. Both the NSA and CIA will require a written statement of facts showing that a surveillance query is reasonably likely to return foreign intelligence information. The FBI also announced more stringent requirements regarding data retention on non-US persons, requiring the destruction of unevaluated information within five years if deemed non-pertinent for national security purposes.
These enhanced minimization procedures collectively represent a response to heavy criticism that Section 702 constitutes a “backdoor” that would allow the intelligence community to monitor the communications of American citizens, without a warrant, if these communications were incidentally collected as a result of surveillance on foreign persons.
Another key change announced with respect to the intelligence community’s implementation of Section 702 is that any information on US persons that is incidentally collected may not be used as evidence against that person in a criminal proceeding, except “(1) with the approval of the Attorney General, and (2) in criminal cases with national security implications or certain other serious crimes.”
This past Wednesday, in remarks delivered at the Brookings Institution, ODNI General Counsel Robert Litt shed additional light on what sort of criminal cases would pass muster under Section 702, such that the government could use collected evidence against that individual in a prosecution:
Under the new policy, in addition to any other limitations imposed by applicable law, including FISA, any communication to or from, or information about, a U.S. person acquired under Section 702 of FISA shall not be introduced as evidence against that U.S. person in any criminal proceeding except (1) with the prior approval of the Attorney General and (2) in (A) criminal proceedings related to national security (such as terrorism, proliferation, espionage, or cybersecurity) or (B) other prosecutions of crimes involving (i) death; (ii) kidnapping; (iii) substantial bodily harm; (iv) conduct that constitutes a criminal offense that is a specified offense against a minor as defined in 42 USC 16911; (v) incapacitation or destruction of critical infrastructure as defined in 42 USC 5195c(e); (vi) cybersecurity; (vii) transnational crimes; (or (vii) human trafficking.
Additionally, as mentioned above, and as Carrie Cordero explained this past week, the DNI announced that information collected on non-US persons must be destroyed within five years, unless the information has been deemed “relevant to, among other things, an authorized foreign intelligence requirement,” or if the DNI determines “that continued retention is in the interest of national security.” As Carrie mentioned, this destruction requirement suggests an effort to comfort foreign audiences.
The DNI report also mentions that this procedure aligns with the current protocols with respect to information that is collected about US persons, thus bringing some uniformity to the whole process. Additionally, intelligence agencies implementing PPD-28 are now obliged to take the specific privacy interests of non-US persons into account before disseminating the information to relevant government decision-makers.
Of course, the DNI opt-out clause should continue to give the intelligence community sufficient latitude to maintain information collected through signals intelligence, and one can certainly wonder whether this will usher in a real change in practice. Even so, as Ben has previously discussed, the fact that the United States has produced such a public document and has announced these specific procedures puts them ahead of the curve with respect to other countries’ intelligence practices. Indeed, expecting more rigid guidelines that did not provide sufficient flexibility for the DNI to respond to future threats as needed would be unrealistic.
Limits on the Use of Signals Intelligence Collected in Bulk
Regarding this central issue, which was developed in PPD-28, the report reiterates the directive’s requirement that the intelligence community may only use this information in six circumstances:
to counter espionage and other threats and activities of foreign powers or intelligence services against the U.S. and its interests; (ii) counterterrorism; (iii) counter-proliferation; (iv) cybersecurity; (v) to detect and counter threats to U.S. or allied armed forces or other U.S. or allied personnel; and (vi) to combat transnational criminal threats, including illicit finance and sanctions evasion.
No surprise here: The President’s directive had made clear that these were the only six situations in which signals intelligence can be used.
Odds and Ends
Some final notes: First, the DNI report touts the extent to which outside groups were consulted during the review process. These entities included Congress, the Privacy and Civil Liberties Oversight Board, individual and nongovernmental civil liberties advocates, and the private sector. The report stresses that these consultations allowed outside individuals and experts to have “unprecedented access” to classified documents and other materials about US surveillance methods. Many of these outside consultations led to published reports and recommendations, the fruits of which are discussed by DNI here.
Second, the report establishes new training requirements for intelligence community personnel, as well as new oversight and compliance mechanisms. For example, the oversight program requires any intelligence community member to report any compliance issue involving personal privacy or information directly to the DNI.
Third, the report stresses that the implementation process is just beginning. Paving the way forward, the DNI also has announced that they will issue another public report in January of 2016 to update the public about the “Intelligence Community’s ongoing progress to implement these reforms.”