The CIA’s New Guidelines for Handling Americans’ Information

In acknowledgment of the mass scale of modern electronic intelligence collection, the Central Intelligence Agency today released newly updated guidelines governing how it treats Americans’ data that are swept up in the agency’s overseas espionage efforts conducted under Executive Order 12333.

The requirements, set to go into effect on March 18, 2017, are designed to deal with the fact that so much of everyone’s life is spent in the digital space, that the sheer volume of data collected in 21st Century espionage means that Americans’ data will be collected by the agency — in a way that couldn’t be imagined when the previous guidelines were released decades ago.

The new guidelines (full text below), dubbed the Attorney General Guidelines, were developed by the offices of US Attorney General, Loretta Lynch and CIA Director, John Brennan, and they replace a heavily redacted set of predecessor rules that were implemented in 1982. While much of the new regulations are a consolidation of the 1982 documents — and subsequent CIA policy updates for handling Americans’ data that were developed in the years since — the rules announced today lay out several new requirements to deal with the fact that “inherently, there’s going to be more incidental collection” of Americans’ data, CIA Privacy and Civil Liberties Officer Ben Huebner said today during a small press briefing at CIA headquarters in Virginia.

Here’s a quick rundown of what’s new, apart from the fact that the entire document was released unclassified, per Huebner: 

Documentation: Section 5 of the 2017 guidelines require CIA employees to provide a full set of documentation explaining why and how they conducted “any bulk collection” operation or other operation that exceeds the agency’s ability to quickly sift out information involving Americans that the spies shouldn’t be looking at (see Section 7 of the guidelines below for a rundown of the kind of information that can be retained).

The documentation includes detailing “the location of the acquisition, including (when known) details regarding how data provided to CIA by an asset, foreign liaison partner, contractor, or other second party was originally acquired by that party.”

They must also explain what “reasonable steps” were taken to collect the smallest amount of data necessary to acquire the information the spies were seeking. Or in CIA-speak: “The collection technique(s) employed, including any reasonable steps that were or will be taken to limit the information to the smallest separable subset of data containing the information necessary to achieve the purpose of the collection.”

Officers don’t have to provide these details if the information they collect is deemed qualified “for retention in its entirety without individualized review of the data contained within the set of collected information.” This usually applies to data that is determined to have a low likelihood of containing Americans’ data. Again, see Section 7 for more information on what kind of data doesn’t need to be evaluated in an individualized way.

It’s worth noting that Huebner admitted not all of the documentation requirements listed above are new. He did not identify which were preexisting and for how long.

Handling the data: Section 6 of the guidelines places more restrictions on how CIA personnel can access and use “unevaluated data,” the agency’s term for the reams of collected information likely to contain information about “U.S. Persons” but haven’t yet been combed through for Americans’ data and had that data sifted out. Unless, of course, that data is deemed appropriate for the CIA’s intelligence gathering mission, in which case it’s kept. 

Under so-called “exceptional handling requirements,” only people who have been trained to view unevaluated data and have a “need to know” are allowed access to such information. Furthermore, the guidelines mandate that any queries — searches by agency personnel for reference to certain names, places, phrases, etc. — of unevaluated data are subject to periodic audit. This means that queries have to be documented with an explanation of how that search relates to the CIA’s mission, according to Huebner.  Just how frequently that happens is still being worked out according to CIA General Counsel Caroline Krass.   

Finally, unevaluated information that likely contains Americans’ information must be “deleted, purged from our systems” after five years, said Huebner. However, if an officer thinks with high-confidence that there is no U.S. Persons information in an unevaluated dataset, the agency can keep it for 25 years, according to Huebner. Certain business records from an overseas company may, for example, fall into this 25-year category, whereas large amounts of communications content would fall into the category of information that is likely to contain Americans’ information, he added. It’s worth noting that communications metadata will only sometimes be be subject to the exceptional handling requirements outlined in the previous paragraph.

It’s also worth noting that while the new guidelines took “years” to develop, according to Huebner and Krass, they can be revised or updated by future attorneys general or CIA directors.

This is meant to be an initial overview of what’s new and what’s been retained. Stay tuned for a deeper dive into this novel document.

CIA AG Guidelines Signed by Just Security on Scribd

Image: Alex Wong / Getty

 

About the Author(s)

John Reed

Managing Editor of Just Security Follow him on Twitter (@ReedJustSec).