SIGNALS INTELLIGENCE REFORM

2015
ANNIVERSARY REPORT

STRENGTHENING PRIVACY & CIVIL LIBERTIES PROTECTIONS

As the President said in his speech on January 17, 2014, “the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon … and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.” As a part of that effort, the President made clear that “our signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside….”

This commitment is reflected in the direction the President issued that same day in Section 4 of Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28), requiring all elements of the Intelligence Community to establish policy and procedures for safeguarding personal information collected from signals intelligence (SIGINT) activities. In addition, we are also seeking to provide new legislative remedies for potential privacy violations.

In addition, in response to the President’s direction and to the recommendations from both the President’s Review Group on Intelligence and Communications Technology and the Privacy and Civil Liberties Oversight Board, the Intelligence Community is strengthening privacy protections in our collection activities under Section 702 of Foreign Intelligence Surveillance Act and the Section 215 bulk telephony metadata program. Moreover, as directed by the President, the FBI will amend its non-disclosure policy for National Security Letters.

INTELLIGENCE COMMUNITY’S IMPLEMENTATION OF SECTION 4 OF PRESIDENTIAL POLICY DIRECTIVE / PPD-28, SIGNALS INTELLIGENCE ACTIVITIES

On January 17, 2014, the President issued Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28), which “articulates principles to guide why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes.”

In a speech that same day, the President made clear that the United States is committed to protecting the personal information of all people regardless of nationality and directed the Intelligence Community to take a number of steps to strengthen the privacy and civil liberty protections afforded to all people.

PPD-28 reinforces current practices, establishes new principles, and strengthens oversight, to ensure that in conducting signals intelligence (SIGINT) activities, the United States takes into account not only the security needs of our nation and our allies, but also the privacy of people around the world.

Section 4 of PPD-28 calls on each Intelligence Community element to update existing or issue new policies and procedures to implement principles for safeguarding all personal information collected through SIGINT, consistent with technical capabilities and operational needs.

Over the past year, the Intelligence Community has been working to implement this requirement within the framework of existing processes, resources, and capabilities, while ensuring that mission needs continue to be met.

In July 2014, the Director of National Intelligence provided the President an interim report on the status of our efforts that also evaluated, in coordination with the Department of Justice and the rest of the Intelligence Community, certain additional retention and dissemination safeguards that all Intelligence Community elements should follow as they adopt policies and procedures under PPD-28.

The Director of National Intelligence is pleased to report that, as required by PPD-28, all Intelligence Community elements have reviewed and updated their existing policies and procedures, or have issued new policies or procedures, to provide safeguards for personal information collected through SIGINT, regardless of nationality and consistent with national security, our technical capabilities, and operational needs.

Although similar in many respects, agency procedures are not identical. The differences reflect that not all agencies conduct SIGINT collection and that agencies have different mission requirements. Links to agency policies and procedures can be found below.

U.S. Intelligence Community Policies & Procedures to Safeguard Personal Information Collected Through SIGINT

What has PPD-28 changed?

The agency policies and procedures implementing Section 4 of PPD-28 include significant changes that strengthen privacy and civil liberty protections for all people. It is worthwhile to highlight a few of the most significant changes:

  • Limits on retention: We have imposed new limitations on the retention of personal information about non-U.S. persons. Before PPD-28, Intelligence Community elements had disparate restrictions on how long information about non-U.S. persons could be retained. PPD-28 changes these retention practices in significant ways to afford strengthen privacy protections. Now Intelligence Community elements must delete non-U.S. person information collected through SIGINT five years after collection unless the information has been determined to be relevant to, among other things, an authorized foreign intelligence requirement, or if the Director of National Intelligence determines, after considering the views of the Office of the Director of National Intelligence Civil Liberties Protection Officer and agency privacy and civil liberties officials, that continued retention is in the interest of national security. This new retention requirement is similar to the requirements applicable to information about U.S. persons. Thus these new retention rules will more uniformly limit the retention of any personal information by the Intelligence Community.
  • Dissemination Restrictions: Intelligence Community elements have always disseminated intelligence information because it is relevant to foreign intelligence requirements. All agency policies implementing PPD-28 now explicitly require that information about a person may not be disseminated solely because he or she is a non-U.S. person and the Office of the Director of National Intelligence has issued a revised directive to all Intelligence Community elements to reflect this requirement. Intelligence Community personnel are now specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports.
  • Oversight, Training & Compliance Requirements: Intelligence Community elements have always had strong training, oversight, and compliance programs to ensure we were protecting the privacy and civil liberties of U.S. persons. In response to PPD-28, Intelligence Community elements have added new training, oversight, and compliance requirements. They are developing mandatory training programs to ensure that intelligence officers know and understand their responsibility to protect the personal information of all people, regardless of nationality. We are also adding new oversight and compliance programs to ensure that these new rules are being followed properly. The oversight program includes a new requirement to report any significant compliance incident involving personal information, regardless of the person’s nationality, to the Director of National Intelligence.

JUDICIAL REDRESS FOR CITIZENS OF CERTAIN COUNTRIES

In furtherance of its commitment to protecting privacy in the law enforcement context, the Administration is working with Members of Congress on legislation to give citizens of designated countries the right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information.

NEW PRIVACY PROTECTIONS FOR BULK TELEPHONY METADATA COLLECTED UNDER SECTION 215

Section 215 of the USA PATRIOT Act authorizes the Government to make requests to the Foreign Intelligence Surveillance Court (FISC) for orders requiring production of documents or other tangible things (books, records, papers, documents, and other items) when they are relevant to an authorized national security investigation such as an investigation to protect against international terrorism or clandestine intelligence activities. The vast majority of orders issued under Section 215 do not seek information collected in bulk; rather, these orders require the production of a discrete and limited amount of information.

This authority is also used to require certain telephone communications providers to produce in bulk telephony metadata, such as telephone numbers dialed and length of calls. This program was developed to fill an important intelligence gap identified by the report on the 9/11 attacks by allowing the Government to detect communications between terrorists who are operating outside the U.S. and potential operatives inside the U.S. This program does not permit the government to obtain or listen to the content of anyone’s telephone calls. Nor is the Government allowed to sift indiscriminately through the telephony metadata obtained under this program. Rather, since its inception, this program has been subject to strict controls and oversight, including:

  • Requiring the metadata to be stored in secure databases accessible to only a limited number of trained analysts.
  • Limiting the access to, and use of, the metadata only for counterterrorism purposes.
  • Prohibiting querying the databases unless there is a reasonable, articulable suspicion that a particular target identifier (the “seed” number) is associated with particular foreign terrorist organizations.
  • Limiting the access to and use of this metadata only for identifying the telephone identifiers that are in contact, directly or indirectly, with the seed number.
  • Destroying the information after five years.

New Protections for the Current Program

In response to the President’s direction in January 2014, this program was modified by incorporating into the FISC orders authorizing the bulk collection two forms of enhanced privacy protection:

  • Previously, the basis for the reasonable, articulable suspicion finding had to be documented in writing and approved by specifically authorized NSA officials. The Department of Justice conducted routine oversight of these decisions to ensure the standard was met. Today, except in emergency circumstances, reasonable, articulable suspicion findings must also be approved in advance by the FISC. Thus, except in emergency circumstances, only court-approved identifiers may be used to query the database.
  • Previously, NSA was permitted to query the information out to three “hops,” or links. Today, queries are limited to two hops. This means NSA is permitted to develop contact chains by starting with a target identifier (seed number) and, using telephony metadata records, see what identifiers communicated with that target (first hop) and which identifiers, in turn, communicated with the first-hop identifiers (second hop). The limitation to two hops reduces the number of potential results from each query.

In June 2014, the Office of the Director of National Intelligence released its first annual statistical transparency report on the use of national security authorities covering the year 2013. Later this year, the Director of National Intelligence will issue its second report covering the use of national security authorities in 2014. In advance of that report, it is appropriate to note that in 2014 there were 161 target identifiers approved by the FISC to be queried under NSA’s bulk telephony metadata program.

New Protections to be Established by Legislation

In his January 17, 2014 speech, the President directed the Department of Justice and the Intelligence Community to develop options for a new approach that would match the capabilities and fill the gaps that Section 215 was designed to address without the government holding the metadata itself. The Department of Justice and the Intelligence Community explored a number of options, including having the metadata held by a third party or leaving the metadata at the provider.

Based on recommendations from the Department of Justice and the Intelligence Community, the President proposed that the government end bulk collection of telephony metadata under Section 215 of the USA PATRIOT Act, while ensuring that the government has access to the information it needs to meet its national security requirements. The Intelligence Community and the Department of Justice have since been working closely with Congress to develop legislation that would implement the President’s proposal by leaving the metadata at the provider.

To that end, the Administration supported the USA FREEDOM Act, which, if enacted, would have prohibited bulk collection using (i) Section 215, (ii) the Pen Registers and Trap and Trace provisions of the Foreign Intelligence Surveillance Act, and (iii) National Security Letters while maintaining critical authorities to conduct more targeted collection.

The Attorney General and the Director of National Intelligence stated that, based on communications providers’ existing data retention practices, the bill would retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection by the government under these legal authorities. The bill would also expressly authorize an independent voice in significant cases before the FISC.

The Administration was disappointed that the 113th Congress ended without enacting this legislation. This legislation not only satisfies the President’s requirements, but also responds to the recommendations from the Privacy and Civil Liberties Oversight Board and the President’s Review Group on Intelligence and Communications Technology to end the bulk collection of telephony metadata records under Section 215 of USA PATRIOT Act as it currently exists.

The Intelligence Community encourages Congress to quickly take up and pass legislation that would allow the government to end bulk collection of telephony metadata records under Section 215, while ensuring that the government has access to the information it needs to meet its national security requirements.

NEW PRIVACY PROTECTIONS FOR INFORMATION COLLECTED UNDER SECTION 702

Section 702 of the Foreign Intelligence Surveillance Act (FISA), which was added by the FISA Amendments Act of 2008, authorizes the acquisition of foreign intelligence information concerning non-U.S. persons reasonably believed to be located outside the United States.

Under Section 702, the government cannot target anyone for collection unless it has a significant purpose to acquire foreign intelligence information, the foreign target is reasonably believed to be outside the United States, and the Government abides by FISC-approved targeting and minimization procedures.

Section 702 cannot be used to intentionally target any U.S. citizen or any other U.S. person, to intentionally target any person known to be in the United States, or to target a person outside the United States if the purpose is to target a person inside the United States.

Collection under Section 702 does not require individual judicial orders authorizing collection against each target. Instead, Section 702 requires that the FISC approve procedures to (i) ensure that only non-U.S. persons reasonably believed to be outside the U.S. are targeted, and (ii) minimize the acquisition, retention, and dissemination of incidentally acquired information about U.S. persons.

Activities authorized by Section 702 are subject to oversight by the Judicial Branch through the Foreign Intelligence Surveillance Court, by the Executive Branch through the Department of Justice and the Office of the Director of National Intelligence, and by the Legislative Branch through the Intelligence and Judiciary Committees of Congress. Directives requiring the production of information to the Government can be challenged in the FISC by the recipients.

In his January 17, 2014 address, the President asked the Department of Justice and the Intelligence Community to institute reforms with respect to the government’s ability to retain, search, and use in criminal cases communications between Americans and foreign citizens incidentally collected under Section 702.

Subsequently, in July 2014, the Privacy and Civil Liberties Oversight Board issued a report on Section 702, concluding that the Section 702 program is lawful and valuable, and that “at its core, the program is sound” and making ten recommendations to help the program “strike a better balance between privacy, civil rights, and national security.”

As noted above, in response to the President’s direction and recommendations from the Privacy and Civil Liberties Oversight Board, the Attorney General and Director of National Intelligence are placing additional restrictions on the government’s ability to retain, query, and use in evidence in criminal proceedings communications between Americans and foreign citizens incidentally collected under Section 702.

  • First, FBI, CIA, and NSA each are instituting new requirements for using a U.S. person identifier to query information acquired under Section 702. As recommended by the Privacy and Civil Liberties Oversight Board, NSA’s minimization procedures will require a written statement of facts showing that a query is reasonably likely to return foreign intelligence information. CIA’s minimization procedures will be similarly amended to require a statement of facts for queries of content. In addition, FBI’s minimization procedures will be updated to more clearly reflect the FBI’s standard for conducting U.S. person queries and to require additional supervisory approval to access query results in certain circumstances.
  • Second, the new policy re-affirms requirements that the government must delete communications to, from, or about U.S. persons acquired under Section 702 that have been determined to lack foreign intelligence value. In addition, the policy requires the Department of Justice and the Office of the Director of National Intelligence to conduct oversight over these retention decisions. This change will help ensure that the Intelligence Community preserves only that information that might help advance its national security mission.
  • Third, consistent with the recommendation of the Privacy and Civil Liberties Oversight Board, information acquired under Section 702 about a U.S. person will not be introduced as evidence against that person in any criminal proceeding except (1) with the approval of the Attorney General, and (2) in criminal cases with national security implications or certain other serious crimes. This change will ensure that, if the Department of Justice decides to use information acquired under Section 702 about a U.S. person in a criminal case, it will do so only for national security purposes or in prosecuting the most serious crimes.

The Intelligence Community has also agreed to address the Privacy and Civil Liberties Oversight Board’s other recommendations, including:

  • Revising targeting procedures to require additional documentation of the foreign intelligence value of each target;
  • Making available to the FISC additional information to help the Court evaluate the annual certifications in support of collection under Section 702;
  • Initiating studies to ensure that the Intelligence Community is using the best filtering technology and techniques to prevent inadvertent collection;
  • Publicly releasing the minimization procedures of the CIA, NSA, and the FBI;
  • Evaluating whether NSA can track and publicly release additional statistics on its collection and use of information obtained pursuant to Section 702;
  • Supporting the Privacy and Civil Liberties Oversight Board’s ongoing effort examine efforts across the Intelligence Community to assess the efficacy and relative value of counterterrorism programs.

NATIONAL SECURITY LETTERS

A National Security Letter is an investigative tool, similar to a subpoena, which is used by the FBI in a national security-related investigation to obtain limited types of information from companies, such as telephone records and subscriber information.

When the FBI issues a National Security Letter, by law a senior official, such as the Special Agent in Charge of a field office, may require that the recipient company not disclose the existence of the letter, if one or more statutory standards are met – that is, when disclosure may (i) endanger the national security of the United States, (ii) interfere with a criminal, counterterrorism or counterintelligence investigation, (iii) interfere with diplomatic relations, or (iv) endanger the life or physical safety of any person.

In his January 17, 2014 remarks, the President directed the Attorney General “to amend how we use National Security Letters so that [their] secrecy will not be indefinite, and will terminate within a fixed time unless the government demonstrates a real need for further secrecy.”

In response to the President’s new direction, the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close.

Continued nondisclosures orders beyond this period are permitted only if a Special Agent in Charge or a Deputy Assistant Director determines that the statutory standards for nondisclosure continue to be satisfied and that the case agent has justified, in writing, why continued nondisclosure is appropriate.

Back to Top