This afternoon, we published an op-ed in the Washington Post explaining some of the basics of "unmasking" in an effort to offer a bit of context to the headlines. While it is written for a general interest audience, Lawfare readers may be interested in our explanation of the basic unmasking process:
In intelligence, one crucial form of protection is the “minimization” of incidentally collected information on U.S. persons. To understand how minimization works, it helps to think about how intelligence analysts work. Intelligence analysis typically starts with a topic, such as counterterrorism, or a target, who is almost always a foreign person. Usually, an analyst ignores information that seems unlikely to be of intelligence value. When she finds information worthy of including in a report, she begins to assess other people involved in the communication. If any identifiers (people talking, or people being talked about) appear likely to be associated with a U.S. person, then the analyst works to protect that information from being disclosed unless it is necessary to understand or assess the intelligence. That is the key standard.
An intelligence report on a foreign target might read, “Bob, a non-U. S. person, communicated his interest in acquiring precursors for making weapons of mass destruction.” In that case, there isn’t any need to reference a U.S. person at all, because the report focuses on what Bob said, and not who he might have said it to.
A different report might say, “Bob talked to [US Person #1] about his intention to import precursors for making weapons of mass destruction.” Here, it is necessary to refer to the fact that there was another person involved to accurately convey the intelligence. Because the person Bob was speaking to was a U.S. person, however, the U.S. person’s identity would typically be masked in the report. This enables government officials who need to see foreign intelligence to perform their duties without unnecessarily compromising the privacy of Americans.
Consider a somewhat different type of report: “Bob and Fred talked about their belief that [US Person #1] was actively selling precursors for weapons of mass destruction, and that [US Person #1] would be willing to sell to Bob and Fred.” In this case, the identity of the U.S. person is masked, but one of the U.S. government offices or agencies who are authorized to receive classified intelligence reports might decide that they need to know the identity of the U.S. person to understand the intelligence. Knowing who U.S. Person #1 is allows them to evaluate the nature of the threat — is this someone who is actually in a position to obtain the materials? A similar decision might be made if a foreign intelligence operative is in communication with a U.S. person; that intelligence report has an entirely different meaning if the U.S. person in question is just a random person than if he is a government contractor with access to sensitive military secrets.
At this point, the official who needs more information can request that the identity of U.S. Person #1 be “unmasked.” If the request is granted, the official will receive a new report from the intelligence agency that reads “Bob and Fred talked about their belief that Jane was actively selling precursors for weapons of mass destruction, and that Jane would be willing to sell to Bob and Fred.”
As for what Rice might or might not have done, there is nothing inherently improper or unusual about requesting that NSA provide an “unmasked” name. Requests can only be made where it is necessary to understand the foreign intelligence information; personal curiosity or political purposes would fail to satisfy the stringent requirements for unmasking. Relatively few people in the executive branch are authorized to request unmasking, though the national security adviser would certainly qualify. Furthermore, no unmasking decision is unilateral: The system provides checks to verify proper requests, and requests must be approved by the director of the FBI or the director of the NSA, or their designees. Recently, NSA Director Admiral Mike Rogers testified that only 20 senior-level officials in the entire NSA have the authority to approve such requests, which is an indication of how seriously this responsibility is taken.
These requests are documented and subject to internal and external oversight and review. When an unmasking request is approved, the unmasked identity is released only to the person who requested it, not to everyone who might have seen the original version of the report.
It is also important to distinguish unmasking requests from instances in which it is appropriate to identify the U.S. person at the outset. “Minimization” and “masking” are not identical things: “minimization” is the process, while “masking” is often — but not always — the result of that process. Information can be properly minimized and include a U.S. person’s identity if the identity is necessary to understand or assess the intelligence.
We also flagged a recent ODNI transparency report, that includes some statistics on unmasking:
Recipients of NSA reporting can request that NSA provide the true identity of a masked U.S. person referenced in an intelligence report, but this information is released only if the recipient has a legitimate need to know the identity and dissemination of the U.S. person’s identity has been determined to be necessary to understand foreign intelligence information or assess its importance, contains evidence of a crime, or indicates a threat of death or serious bodily injury. Under NSA policy, NSA is allowed to unmask the identity for the specific requesting recipient only under certain conditions and where specific additional controls are in place to preclude its further dissemination, and additional approval has been provided by a designated NSA official. In 2015, NSA released 654 U.S. person identities in response to such requests.
Our full article can be read here.