
First Take on Government's Surveillance Reform Update Report

By Carrie Cordero
Wednesday, February 4, 2015, 3:12 PM

As Wells noted yesterday, the Administration released its report on the implementation of Presidential Policy Directive (PPD)-28. I am still reading through the documents, which include twelve new agency-specific procedures that implement Section 4 of PPD-28, as well as additional restrictions on the counterterrorism telephone metadata program. For now, this post provides observations on two items contained in the section of yesterday’s report entitled, “Strengthening Privacy and Civil Liberties.”

This section highlights four initiatives: the establishment of the Section 4 procedures for safeguarding personal information of all persons, regardless of nationality or location; proposing legislation to remedy privacy violations; strengthening privacy protections for collection pursuant to Section 702 of FISA; and amending FBI National Security Letter non-disclosure policy.

Given world events, and the need to maintain a robust foreign intelligence collection capability, particularly through the use of SIGINT where other methods of collection may be weak, attention should be given to whether changes being implemented to Section 702 collection have the potential to degrade the United States’ ability to counter threats.

Of particular interest, therefore, is that the new policy includes an enhanced destruction requirement for information concerning non-U.S. persons acquired via SIGINT:

Now Intelligence Community elements must delete non-U.S. person information collected through SIGINT five years after collection unless the information has been determined to be relevant to, among other things, an authorized foreign intelligence requirement, or if the Director of National Intelligence determines, after considering the views of the Office of the Director of National Intelligence Civil Liberties Protection Officer and agency privacy and civil liberties officials, that continued retention is in the interest of national security.

Five years is actually not a very long time. The key here is whether information has “been determined to be relevant.” A logical interpretation of this provision is that in order for information to be “determined to be relevant” it must be reviewed or analyzed in some way. But that would mean that, even today, this provision risks the possibility that information collected in 2010 that has not yet been analyzed but might concern the activities of terrorist networks in, say, Iraq, might now be nearing age-off duration. For leadership responsible for counterterrorism, I would think that would be a hard policy to submit to.

So the policy enables the DNI to waive this destruction requirement. In practice, therefore, what this new destruction requirement may mean is that more internal governmental processes and procedures will exist, so that there is a more robust decision-making process for determining whether information should be retained for a period longer than five years.

There is no legal reason to include a destruction requirement for information obtained for foreign intelligence purposes according to a statutory framework established by Congress, when targeting, for foreign intelligence purposes, non-U.S. persons reasonably believed to be located outside the United States. Instead, the new requirement is likely intended to address foreign (in particular, the European Union civil liberties representatives') concerns about U.S. government retention of foreign persons’ personal information.

From that perspective, more process and ongoing consideration of whether information should be retained further may sound like a good thing. But it also may have been reasonable, practical and appropriate to identify categories (counterterrorism and proliferation of weapons of mass destruction, for example) where the mandatory destruction requirement would be greater than five years. And if the government were to adopt such categories, and to carve out exceptions to the destruction rule (a policy that would be appropriate given certain national security threats, in my view), then that much raises questions as to whether these new “reforms” are actually meaningful.

A second aspect of the policy that potentially risks process overtaking practicality is in the requirement for a “written statement of facts” showing that a query using a U.S. person identifier is reasonably likely to return foreign intelligence information. How oversight and operational personnel interpret this requirement could turn out to be consequential. A “written statement of facts” could be as little as one sentence, or as long as…well, as long as needed to satisfy oversight personnel.

By way of comparison, in order to demonstrate probable cause to conduct electronic surveillance of a target within the United States, for example, FISA requires executive branch personnel to submit “a statement of facts and circumstances” with respect to certain elements. See, e.g., 1804(a)(3). FISA practice has historically been such that these statements have been substantive, lengthy, and highly detailed. The facts justifying using an identifier (even a U.S. person one) to query information that has already been collected pursuant to a lawful, court-approved process, should be much, much less than the facts required to justify collecting constitutionally and statutorily protected information. Implementing the new approach will require a careful and hopefully deliberate plan for determining just how much of a statement of facts will be required, so that this policy directive does not turn into a fiction of legal requirement, over time.