In late February, The New York Times reported that the administration was preparing to expand sharing of the mass signals intelligence collected by NSA pursuant to Executive Order 12333. This measure would grant access to raw data by other intelligence agencies, including the FBI, raising a number of civil liberties concerns highlighted by both privacy advocates and members of Congress.
In his post last week, ODNI General Counsel Robert Litt provided more detail about these new information sharing procedures and the safeguards that will be in place. Litt’s post directly responds to several concerns about military intelligence powers creeping into law enforcement. For example, he notes that sharing will only occur with intelligence agencies (as opposed to state and local law enforcement), and that it can only occur for foreign intelligence and counterterrorism purposes.
These are important protections and civil liberties advocates should applaud them. But critical questions and concerns remain.
Will Law Enforcement Use Truly Be Limited?
While the measures Litt describes seem designed to safeguard against use of EO 12333 raw data — collected by a military agency pursuant to the President’s Commander-in-Chief powers — for domestic law enforcement purposes, it is unclear how comprehensive these protections will be. The new procedures “will authorize sharing only with elements of the Intelligence Community,” but this includes the FBI and DEA, which have dual intelligence and domestic law enforcement functions. And while Litt emphasizes that the procedures will permit sharing “only for authorized foreign intelligence and counterintelligence purposes,” this does not necessarily preclude broader law enforcement use once the raw data is accessed.
A key question remains: Will any limits exist on law enforcement use of EO 12333 raw data that is accessed or shared in compliance with the procedures? If not, we risk the FBI and DEA accessing Americans’ private communications and data (which are inevitably incidentally collected under EO 12333, especially pursuant to bulk collection programs that can sweep up private conversations on a national scale) and then using these data for domestic law enforcement purposes based upon what they find.
In order to truly address the concern of military surveillance creeping into law enforcement, use limits should be enacted. Of course, these limits could be balanced by exceptions for crimes relating to foreign intelligence (using that term in a narrower sense than the government often does, i.e., for espionage and other illegal actions by agents of foreign powers) and imminent threats. At a minimum, the procedures should contain the same use limits for criminal prosecution that ODNI last year placed on foreign intelligence collection under Section 702, although stronger limits on evidentiary and investigative use would prevent activities like parallel construction, and more fully encapsulate Fourth Amendment protections.
How Will Existing Limits Under PPD-28 Be Enforced?
There is an important area where use limits already exist for information collected pursuant to EO 12333: Presidential Policy Directive 28 (PPD-28) enumerates six purposes for which signals intelligence that is collected in bulk (i.e., via a method that does not use individual targets or selectors; PPD-28’s definition of “bulk collection” does not cover the untargeted temporary “acquisition” of data to facilitate targeted collection) can be used. But this raises another major question regarding the new raw data sharing procedures: How will we uphold PPD-28 when raw data is shared with agencies that have dual law enforcement and intelligence purposes?
If the FBI or DEA access raw data obtained via EO 12333 bulk collection under the new procedures, PPD-28 prohibits many law enforcement uses of this data. Will access be screened or limited to personnel that work exclusively on intelligence operations, who will then be barred from discussing it with personnel who serve law enforcement functions? If not, how will the government ensure that agencies do not use data from bulk collection for broad law enforcement purposes, and then mask this use through parallel construction, a practice the DEA reportedly has a unit devoted to achieving? If the important protections enacted by PPD-28 are to have credibility, these questions should be answered.
How Will Oversight Be Conducted?
These concerns raise a final question: What sort of oversight will ensure compliance with existing rules and proper limits? Even putting aside the possibility of misuse, loosened restrictions on information sharing raise the specter of mistakes occurring — and going unnoticed — thereby undermining civil liberties protections. That’s an especially troubling prospect given the Fourth Amendment rights of US persons that are implicated here. Ideally, compliance would be ensured through judicial oversight, and along these lines, Nathan White of Access recently proposed a warrant requirement to search for information about US persons in these data. If independent oversight is not integrated into the system, the administration should provide additional information explaining how PPD-28 and the limits described by Litt will be effectively enforced.
* * *
All these questions highlight the importance of a public dialogue on this subject. While the clarity Litt provided is commendable and will hopefully continue, according to The New York Times, the administration has been “developing the new framework and system for years,” seemingly largely absent public input. If the proposed framework and system does encroach on privacy and civil liberties — a determination that shouldn’t be made without the perspective of experts outside government — it would better serve our democracy for the government to convince the public up front that the changes it’s making are necessary. Far too often we are forced to advocate that civil liberties protections be restored after their secret removal. Greater discourse on such important issues will not only increase trust in government, it will facilitate policy that better protects both privacy and security.