As we continue to read through documents released on February 3 that collectively detail the intelligence community's efforts to implement Presidential Policy Directive-28, (PPD-28), we thought it would be helpful to overview briefly, and to compare. implementing documents issued by three agencies in particular: NSA, CIA, and FBI.
Overall, there is a great deal of overlap between the three agencies' implementation policies. But they differ from each other in interesting ways, both with regard to retention and dissemination of information, and with regard to permitted departures from general rules contemplated by the policies themselves.
A quick look at the three agencies' PPD-28 implementation materials follows below.
NSA's procedures for implementing PPD-28 are contained in USSID SP0018.
First things first. Unsurprisingly, departures from the general procedures set forth elsewhere in the document are authorized. Such deviations are permitted in "unanticipated or extraordinary circumstances" if the NSA Director or a designee, after consultation with ODNI, the National Security Division of the DOJ, and the Office of the Secretary of Defense, approves of the departure; or in emergency situations, at the sole behest of the NSA Director or the Director's senior representative present.
Next, the document describes the regulatory terrain on which it operates. Recognizing that sometimes legitimate intelligence activity may result in the acquisition of communications that contain personal information of non-U.S. persons, the document specifies that such information will either be regulated by FISA or, if FISA doesn't regulate the collection, by procedures described in the document itself.
USSID SP0018 also sets forth limits on bulk collection, consistent with the larger rules handed down in PPD-28. When the NSA collects nonpublic communications without the use of a "selection term"---for example, without a specific email address linked to a terrorist organization targeted for collection---that data may only be used to detect and counter espionage, terrorism, weapons of mass destruction, cybersecurity threats, threats to U.S. or allied armed forces and personnel, and "transnational criminal threats, including illicit finance and sanctions evasion" related to the previous items on the list. Those limits, however, do not apply to signals intelligence data "that is temporarily acquired to facilitate targeted collection."
Next, the NSA guidance discusses parameters for retention of collected data. Consistent with principles announced in the DNI's implementation report, a nonpublic communication that contains personal information about non-U.S. persons can be retained for up to five years, unless the DNI expressly certifies that continued retention is in the national security interests of the United States. There are four exceptions to this. The five year rule may be waived if the information is: (i) publicly available; (ii) related to an authorized foreign intelligence requirement; (iii) related to a crime that has been, is being, or is about to be committed, or (iv) indicates a threat to the safety of any person or organization, it can be retained indefinitely in original or transcribed form. (For analysis of the five year rule, see Carrie's February 4 post.)
Lastly, the document issues guidelines for dissemination of data. If intelligence containing personal information was obtained through the consent of a non-U.S. person, then it can be disseminated in accordance with the terms of their consent. If there is no consent, then signals intelligence containing personal information may be disseminated if it falls into any of the four categories listed in the prior paragraph about retention.
[T]he Agency shall not collect SIGINT unless authorized to do so by statute or Executive Order, proclamation, or other Presidential directive, and such collection shall be undertaken in accordance with the Constitution and applicable statutes, Executive Orders, proclamations, Presidential directives, Agency regulatory issuances, and implementing guidance.
One interesting tidbit: the CIA's rules for departing from the norms described in "Signals Intelligence Activities" seem looser than NSA's equivalent rules: the CIA Director need only approve of exceptions to the document's policies, and "notify, and if practicable consult in advance," the ODNI and National Security Division of the DOJ. That's somewhat less demanding (at least on paper) than the NSA's approach.
As for retention of personal information, the CIA and NSA differ here too. Both require personal information to be destroyed within five years unless the DNI expressly certifies that continued retention is in the national security interests of the United States. But for signals intelligence collected by the CIA, information is eligible for retention, to the extent it comes within one of the following broad categories (which mirror the categories in Section 2.3 of Executive Order 12333):
- "information constituting foreign intelligence or counterintelligence";
- "information obtained in the course of a lawful foreign intelligence, counterintelligence, international drug or terrorism investigation";
- information needed to protect safety of individuals or organizations;
- "information needed to protect foreign intelligence or counterintelligence sources, methods and activities from unauthorized disclosure";
- information concerning individuals who might become intelligence sources;
- information arising from a lawful security investigation;
- information "acquired by overhead reconnaissance not directed at specific U.S. persons";
- information obtained "incidentally" that indicates involvement in activities that may violate domestic or foreign laws;
- "information necessary for administrative purposes."
The Agency may also disseminate information in the above categories if the Agency has lawfully collected the information in accordance to FISA or Executive Order 12333 and PPD-28. Dissemination to a foreign government, though, is only permitted if the dissemination is "in the interests of the United States" and complies with applicable laws, Executive Orders, and policies.
Like its companions, the FBI's implementing document bears an anodyne title: "Presidential Policy Directive 28: Policies and Procedures"). But it nevertheless suggests a rather different approach, naturally enough given the agency's particular mission: "Although the FBI does not conduct 'signals intelligence activities,' the FBI is applying the relevant provisions of PPD-28 to information it collects pursuant to FISA section 702" to further principles for safeguarding personal information, according to the document.