Internet Metadata Collection
The President's Speech and PPD-28: A Guide for the Perplexed
President Obama's speech on Friday and its accompanying Presidential Policy Directive (PPD-28) cover a lot of ground, announce a bunch of reforms, announce plans and direction for more, and kick still others over to Congress. The speech contained a surprisingly fierce defense of NSA, one that some of the agency's critics appear not to have noticed. Reactions to the speech have been curiously favorable from diverse quarters. I described the speech as a big win for the intelligence community, as did colleagues at this Brookings event and in this Lawfare Podcast. The New York Times opened its editorial on the speech by declaring:
In the days after Edward Snowden revealed that the United States government was collecting vast amounts of Americans’ data---phone records and other personal information---in the name of national security, President Obama defended the data sweep and said the American people should feel comfortable with its collection. On Friday, after seven months of increasingly uncomfortable revelations and growing public outcry, Mr. Obama gave a speech that was in large part an admission that he had been wrong.
Did they watch the same speech I saw?
In this post, I am going to go through both the speech and the PPD in some detail and at some length, spelling out what the President is doing in these complex documents---which really have to be read in conjunction with one another. I am going to try to demonstrate that the President's actions last week should really be understood as a strong and tactically clever defense of the intelligence community---a defense that signals a great deal more change spiritually than it promises in practical terms, but one that also has a few big wild cards that could, like a jack-in-a-box, spring out a few months from now as more substantial changes than they now appear to be.
Before turning to the substance of the speech and the PPD, we should pause a moment and consider the very fact that the President of the United States has issued, in public, a policy directive on signals intelligence at all. For, indeed, the first notable thing about the PPD is that it exists. My Brookings colleague Bruce Riedel, a longtime CIA veteran, focused on this---quite rightly, in my view---in our event on Friday, saying that the document "is in my judgment unprecedented. In two hours, I couldn't really check, but I don't think we've ever had a document like this that lays out the protocols and principles for American signals intelligence collection." Nor, I might add, do many other countries have public documents that lay out principles and doctrines of surveillance permission and restraint. In other words, the mere fact of this document puts the United States in a very forward-leaning place with respect to surveillance transparency---a place it was already coming to occupy with the big declassifications following the Snowden disclosures. How many of the countries that have been so quick to criticize US surveillance practices will follow suit and issue their own formal documents spelling out what they do and what they do not do both with regard to their own citizens and those of other countries?
Obama begins the speech by situating his discussion of the NSA controversies against the activities of the Sons of Liberty and Paul Revere in Boston in revolutionary times. "Throughout American history, intelligence has helped secure our country and our freedoms," he says. It is against this highly-favorable background---one in which intelligence is central to liberty, not in tension or at odds with it---that Obama mentions the birth of NSA. Indeed, the entire first portion of the speech offers a strong defense of NSA and its intelligence programs. While Obama acknowledges that intelligence gathering can be abused and has been abused, and while he reiterates that aspects of the post-9/11 response "contradicted our values," that is not the frame he uses for NSA's current activities.
To the contrary, when he came into office, he reports, he had a "healthy skepticism towards our surveillance programs" and ordered that they be reviewed. But the biggest problems had already been corrected "through a combination of action by the courts, increased congressional oversight, and adjustments by the previous Administration." So while in some cases, there were changes, "What I did not do is stop these programs wholesale---not only because I felt that they made us more secure; but also because nothing in that initial review, and nothing that I have learned since, indicated that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens." In what will surely be one of the more important passages in the speech for many people in the intelligence community, Obama then says:
To the contrary, in an extraordinarily difficult job, one in which actions are second-guessed, success is unreported, and failure can be catastrophic, the men and women of the intelligence community, including the NSA, consistently follow protocols designed to protect the privacy of ordinary people. They are not abusing authorities in order to listen to your private phone calls, or read your emails. When mistakes are made---which is inevitable in any large and complicated human enterprise---they correct those mistakes. Laboring in obscurity, often unable to discuss their work even with family and friends, they know that if another 9/11 or massive cyber-attack occurs, they will be asked, by Congress and the media, why they failed to connect the dots.
With this statement, Obama squarely aligns himself with the intelligence community's own central narrative of recent events: Its activities are essential, the president says; its activities are lawful and non-abusive (mistakes notwithstanding); and the community's critics will hold it accountable for failures to connect the dots just as breezily as they now hold it accountable for the use of available tools to connect those dots.
That said, Obama goes on, we need changes. But Obama is careful to describe the reasons we need changes. It's not to rein in an out of control intelligence community. It's because "for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world." These are confidence-building steps for an apparatus that is essentially law-abiding.
And that brings us to the changes that Obama announces---beginning with those in the PPD.
The PPD is an exceedingly-clever document, one that conveys and writes into policy a great deal of values without constraining a great deal of practice. It does this by, in essence, using values-based statements as justifications for policies that already exist, at least de facto, for purely functional reasons. PPD-28 is long on rhetoric about how "all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and [how] all persons have legitimate privacy interests in the handling of their personal information." It comes back to this theme over and over again. And the theme is genuinely important. The United States is now on record as a formal matter of presidential policy announcing that it respects the privacy of non-citizens abroad and takes that into account when it conducts espionage; it doesn't just disseminate and retain information about people willy nilly with no regard for the information's importance relative to that material's value to foreign intelligence. That's an amazing statement. But it actually does not require a revolution---or even much change---in intelligence affairs to implement.
Section 1 of the PPD contains a set of high-altitude principles that all either reflect current policy and practice, are consistent with it, or are easily harmonized with it. First, it requires that SIGINT collection has to be authorized by some law and undertaken in a fashion consistent with applicable law. Second, it requires that "privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities" and that the US will not engage in SIGINT to repress dissent or to disadvantage people based on race or nationality or religion or other invidious bases; rather, it should only be used for legitimate foreign intelligence purposes. Third, it forbids economic espionage for non-national security purposes like advantaging US industry. And fourth, it directs that the US should use SIGINT only in as tailored a fashion as possible, considering alternatives to it like public source information. Much of this---though not all---is already policy or law. To the extent it's not, it doesn't seem to require much change in practice, as it amounts to an instruction to do SIGINT only for authorized, legitimate purposes, only when it's necessary, and only with reasonable consideration of alternatives and privacy interests.
Section 2 then moves on to lay out principles for bulk SIGINT acquisition---that is, collection of purportedly comprehensive databases of material. Again, the principles are framed as "limits intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside." But they do not, as an empirical matter, preclude anything I can imagine the US government would actually want to do. In short, bulk SIGINT collection may now proceed only for detecting and countering espionage, terrorism, WMD proliferation, cybersecurity threats, threats to US or allied forces, or transnational criminal threats. It can't be used to disadvantage people for invidious reasons or to suppress dissent or to afford a competitive advantage to US industry. In other words, bulk SIGINT can be used only for legitimate and identified national security purposes. If you work for a SIGINT group that's collecting material in bulk for no discernible reason, this may be a problem, but I don't think that's really happening. What's more, to ensure that this list is adequately flexible, Section 2 also calls for regular, at-least-annual reviews of the list of approved purposes for SIGINT to see if additions or removals from the list are necessary. Importantly, that list shall be kept public to the "maximum extent feasible, consistent with national security."
Section 3 then refines the senior-level bureaucratic process for approval of SIGINT priorities and requirements, demanding that the heads of each agency that helps define these priorities annually review them and advise the DNI whether they should be maintained or changed. The idea here is to create a process for evaluating whether politically-sensitive surveillance practices are, in an ongoing way, really needed---so they don't continue in perpetuity by bureaucratic default. The section also requires that these determinations consider both the costs and benefits of each program.
Section 4 is really the heart of the PPD. It opens with the following statement:
All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information. U.S. signals intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides.
It then goes on to require that each intelligence component adopt policies and procedures applying principles for safeguarding personal information. "To the maximum extent feasible consistent with the national security," the PPD states, "these policies and procedures are to be applied equally to the personal information of all persons, regardless of nationality." The caveat here is important. The message is that the United States does take into consideration the legitimate privacy interests of foreigners and will, absent some good reason, treat that data similarly to the way it treats data about its own citizens. But the language gives the agencies a fair bit of wiggle room to the extent this general principle interferes with legitimate intelligence gathering.
More importantly, the principles Section 4 lays out also seem easily harmonized with current practice: Section 4 requires data security in handling sensitive personal information; what intelligence agency wouldn't want that? It also requires data quality; duh! It requires oversight; people don't believe this, but the intelligence community has a huge amount of oversight, including of its data handling, and it lives with it every day.
The only principle Section 4 outlines that even seems challenging is minimization, which is traditionally the way the intelligence community handles US person data as distinct from non-US person data. But here, the PPD once again essentially assigns a principled reason for what is de facto happening anyway. The policies must allow that "Personal information shall be disseminated only if the dissemination of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333," the PPD says. That may sound like a real restriction, but section 2.3 actually puts forth a long list of broad subjects that constitute legitimate bases for dissemination. They include just about any reason an intelligence agency might legitimately want to disseminate material. What can be retained and disseminated?
(a) Information that is publicly available or collected with the consent of the person concerned;
(b) Information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations. Collection within the United States of foreign intelligence not otherwise obtainable shall be undertaken by the FBI or, when significant foreign intelligence is sought, by other authorized agencies of the Intelligence Community, provided that no foreign intelligence collection by such agencies may be undertaken for the purpose of acquiring information concerning the domestic activities of United States persons;
(c) Information obtained in the course of a lawful foreign intelligence, counterintelligence, international narcotics or international terrorism investigation;
(d) Information needed to protect the safety of any persons or organizations, including those who are targets, victims or hostages of international terrorist organizations;
(e) Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure. Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;
(f) Information concerning persons who are reasonably believed to be potential sources or contacts for the purpose of determining their suitability or credibility;
(g) Information arising out of a lawful personnel, physical or communications security investigation;
(h) Information acquired by overhead reconnaissance not directed at specific United States persons;
(i) Incidentally obtained information that may indicate involvement in activities that may violate federal, state, local or foreign laws; and
(j) Information necessary for administrative purposes.
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
In other words, the agencies are now required to have minimization procedures that forbid dissemination of non-US person data unless there's some valid reason to want to disseminate it. Again, since good intelligence agencies aren't in the business of disseminating information for fun or for smears or just because, this actually won't necessitate much change in practice.
Similarly, the minimization requirements are supposed to block retention of non-US person material if it could not be retained under 2.3 and require that material be purged if no determination has been made for five years unless there's a particular reason to retain it. Again, I think this largely describes what's happening anyway. Because non-US person data is mixed in with US person data which, when unprocessed, is already subject to the five-year retention limit, it tends to get thrown out when it hasn't been specifically identified as having some foreign intelligence value. The minimization requirements in Section 4, in other words, are largely serving to reframe a lot of current practice in terms of privacy. And that actually makes sense. Good intelligence analysis, after all, is all about discrimination between what's important and what's not. Privacy is a values name we give to a very similar form of discrimination---only framed from the point of view of the individual. The PPD has identified a wide area of overlap in the Venn diagrams of these two forms of information discrimination, and it gives that area of overlap the civil liberties-protective name. That's smart, especially because it happens to reflect a reality many people choose not to accept.
Section 4 contains one big wildcard, which is contained in the following paragraph:
Additionally, within 180 days of the date of this directive, the DNI, in coordination with the Attorney General, the heads of other elements of the IC, and the heads of departments and agencies containing other elements of the IC, shall prepare a report evaluating possible additional dissemination and retention safeguards for personal information collected through signals intelligence, consistent with technical capabilities and operational needs.
Nobody is quite sure what this means---or what its impact will be. The Review Group made a number of recommendations that this could encompass, some of them pretty dramatic. And one could imagine, six months from now, this sleeper passage morphing into a highly-consequential set of reforms that go well beyond those in the current PPD. I'm not holding my breath for this, however. The assignment is to the DNI, who hardly has a great interest in slapping a broad set of new restraints on his own community. And the passage asks only for a "report evaluating" the possibilities here. It is also by its terms limited by "operational needs." There is a lot of room here for dramatic reforms to be evaluated and reported on to an unceremonious bureaucratic death.
Section 4 closes with some bureaucratic changes: A new State Department official responsible for international information technology, coordinators at OMB and the national security staff to work on privacy and civil liberties, and a requirement that each IC element report (publicly, if feasible) on their new policies within a year. This last item strikes me as a very big deal. It means that each intelligence community component will likely have public minimization procedures with respect to collection against non-US persons overseas. How many countries that whine about NSA collection have public rules about how their intelligence agencies handle data about our citizens?
Obama's speech announces reforms and changes beyond those outlined in the PPD. The president announces more routine declassification review of FISC opinions---which is both good and unsurprising. He also announces, in a carefully-worded part of the speech, that he is "calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court." The wording here is important. Obama stops short of endorsing the Public Advocate idea, which has constitutional difficulties and to whose strong form the Judicial Conference has objected. By describing these lawyers as "outside government," he seems to be leaning more towards an amicus model of adding adversarial process to FISC proceedings. But he leaves this point a bit vague, intentionally I think. And basically kicks the matter to Congress.
In a big win for the FBI, he endorses only very modest reforms of NSLs---reforms that do not include prospective judicial review. And sounding very much like FBI Director Comey, he signals opposition to that idea on grounds that "I have concerns that we should not set a standard for terrorism investigations that is higher than those involved in investigating an ordinary crime."
In what is the second big wild card of the speech, he then kicks another series of issues to the DNI and the Attorney General:
Third, we will provide additional protections for activities conducted under Section 702, which allows the government to intercept the communications of foreign targets overseas who have information that’s important for our national security. Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases, communications between Americans and foreign citizens incidentally collected under Section 702.
This seems to be an effort to punt Recommendation 12 of the Review Group report (which I analyzed here) for further study. It is totally unclear what it will mean, because it says nothing about how many "additional restrictions" or of what type will get imposed. So again, this could be a sleeper if the administration turns out to be inclined towards the sort of new restrictions the Review Group suggested. But again, I sort of doubt the intelligence community is going to slap all kinds of new restrictions on itself in this area. So it seems more like a way of studying these ideas to death to me.
Obama kicks a few other things to Congress too: broader reforms of NSLs and greater reform of the FISA court system. The message here is that these are areas in which Obama is not going to put his own prestige at issue, but if Congress wants to take them on, he'll engage. That seems right to me. Neither of these areas represents the core of the Snowden-era problems. Neither is worth the administration's energy or the President's clout.
That brings us to Obama's proposals for 215---a subject that has gotten so much attention that I am going to skimp on it here. A few brief notes, however. The president's basic innovation is to try to implement some change on his own right away and to punt the larger question---with a certain amount of guidance and direction---for further study and to Congress. I'm sympathetic to this approach, but I don't know that it's going to work. For one thing, while Obama can, on his own, require that NSA use only two hops, instead of three, it's not at all clear to me that he can just order the agency to seek judicial approval for queries. In fact, I rather doubt the FISC is going to play ball with that idea, and I don't think it has statutory authority to do so. Moreover, I agree with Tim Edgar that there is a Guantanamo-like risk of announcing an end to the 215 program when the only clear way forward you can advance is "to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata." There's a real possibility that these options will prove limited and that the apparently-dramatic change of ending the program will end up not happening. Obama could, in other words, end up here stuck with a program he purports to want to end.
That would be different here than it is with Guantanamo, because unlike Guantanamo---which genuinely embarrasses Obama---he ultimately defends 215 on the merits. Indeed, it is notable that Obama insists on retaining the capability of querying metadata and insists as well that the authority has not been intentionally abused. Even after many months of political pounding on this issue, this president is not willing to give up this power, though he is asking for changes to it. So maybe getting stuck with it would not be that bad.
Finally, Obama turns to the subject of spying on foreign leaders. And here his speech is, I think, a big wink---and appropriately so. He makes no apologies for past conduct, which is good. He does say, however, that "the leaders of our close friends and allies deserve to know that if I want to learn what they think about an issue, I will pick up the phone and call them, rather than turning to surveillance." That sounds all very reassuring, except that Obama does not define "close friends and allies," so it's not clear which foreign leaders other than Angela Merkel can take it as a promise to lay off their cell phones. What's more, there are important caveats: "unless there is a compelling national security purpose," Obama says, "we will not monitor the communications of heads of state and government of our close friends and allies." So there's an out if we ever really need to spy on a friend. And Obama says candidly that "our intelligence agencies will continue to gather information about the intentions of governments . . . around the world, in the same way that the intelligence services of every other nation does." Translation: We may not spy on heads of state, but their closest aides are fair game. (UPDATE: In response to this paragraph, Paul makes the very good point that "At least according to this article from Europe, a senior US government official is briefing Europeans that the promise not to eavesdrop applies to 'dozens of foreign leaders.' Note the plural. If this is the case then we have now declared off-limits something greater than 25 foreign leaders." To be clear, I did not mean to suggest that this change is unimportant or inconsequential, just that there are significant outs for situations that require them.)
All in all, it was a very strong performance---in my opinion the best speech Obama has given on national security matters in his presidency. It will not quell the controversies. There are too many of them. There is too much passion behind them. And they involve too many serious issues about which we simply lack consensus domestically or internationally. And it comes very late. All that said, it's a heck of a good start---dramatically better in all respects than I was expecting. The administration, at least, now has a set of positions that are not purely reactive to whatever last appeared in the Guardian or the Washington Post.