IC ON THE RECORD

Protecting U.S. Person Identities in FISA Disseminations

November 20, 2017

We are releasing today reports that review how intelligence agencies protect the identities of U.S. persons when disseminating information collected under the Foreign Intelligence Surveillance Act (FISA). These reports were prepared, at the direction of the Director of National Intelligence (DNI), by the civil liberties and privacy officers for the Office of the Director of National Intelligence (ODNI), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Central Intelligence Agency (CIA).

The reports collectively document the rigorous and multi-layered framework – including a robust oversight regime and a strong compliance record – that safeguards the privacy of U.S. person information in FISA disseminations. To begin with, individuals may be subject to FISA surveillance only if certain specific conditions are met.

• For example, to conduct electronic surveillance targeting someone inside the United States, FISA requires that the Foreign Intelligence Surveillance Court (FISC) find that there is probable cause to believe that the target is a foreign power or an agent of a foreign power.
• Section 702 of FISA may be used only to target non-U.S. persons reasonably believed to be located outside the United States, who are expected to possess, receive, and or likely to communicate foreign intelligence information responsive to a FISC-approved certification executed by the Director of National Intelligence and the Attorney General. Section 702 may not be used to target anyone in the United States; nor may it be used to target a U.S. person anywhere in the world.

In addition, FISA requires agencies to follow procedures designed to minimize the collection, retention, and dissemination of U.S. person information, including information from communications that are incidentally collected between a U.S. person and a FISA target.

• These are known as “minimization procedures,” and FISA requires that they be adopted by the Attorney General and approved by the FISC. The FISC has specifically approved NSA, FBI, CIA, and NCTC to directly receive unminimized information collected under FISA. These agencies must in turn abide by minimization procedures directly applicable to each (as further described in the reports).
• These procedures require layers of protections that apply before dissemination, including training requirements, retention limitations, and access and query controls.

The minimization procedures include specific protections concerning disseminations. For example:

• Agencies may disseminate information only to authorized recipients.
• In general, for non-public information concerning an unconsenting U.S. person, agencies may only include the identity of the U.S. person if it itself constitutes foreign intelligence, is necessary for the recipient to understand the foreign intelligence being transmitted, or is evidence of a crime. Agency minimization procedures generally provide for the substitution of a generic phrase or term, such as “U.S. person 1” or “a named U.S. person” when including the identity of the U.S. person does not meet dissemination criteria. This is informally referred to as “masking” the identity of the U.S. person. 
  
• Agency policy and practice can include additional protections. For example, NSA, as a matter of policy, in many cases requires that U.S. person identities be masked, with the identity provided only after a request by an authorized recipient and approval by a senior official. This is true even if including the identity in the original report would have been permitted by the minimization procedures. 
  
• Information collected under FISA is classified, and the unauthorized disclosure of that information is prohibited and may result in criminal liability.
  
• A robust and multi-layered compliance and oversight framework, involving all three branches of the government, ensures that the minimization procedures are followed. 
  

The procedures, processes, and practices described in these reports provide robust privacy protections for U.S. person information in intelligence disseminations. These reviews provide additional transparency so that the public can better understand how these protections work.

ODNI Report on Protecting U.S. Person Identities in Disseminations under FISA

Annex 1 - The National Security Agency’s (NSA) Report 

Annex 2 - The Federal Bureau of Investigation’s (FBI) Report 

Annex 3 - The Central Intelligence Agency’s (CIA) Report 

Annex 4 - The National Counterterrorism Center’s (NCTC) Report