Yesterday, the Central Intelligence Agency released newly updated guidelines regarding the treatment of American data collected pursuant to Executive Order 12333. John Reed has already highlighted some key aspects of the guidelines here. I write separately with five brief observations.
First, the fact that these are fully unclassified and made public is a big deal. It’s a stark contrast to the heavily redacted release of the 1982 documents, which were kept secret for well over two decades, and has entire pages blacked out. This is a welcome change—one that will help foster and encourage informed debate. It is also good policy, helping to protect against the spread of misinformation and speculation that fosters distrust and ultimately works to the disadvantage of our intelligence community and their mission.
Second, they reflect a long-overdue reflection of the fact that whereas the information available to the CIA of the 1980s was limited to a finite number of hard documents, now even a single storage device can contain the equivalent of millions of files. This has two key implications: First, it takes longer to review. In recognition of this fact, the guidelines specifically address the presumably large quantity of so-called “under-evaluated information” and include specific storage, access, and destruction requirements. And second, the sheer scope of collection (coupled with the way in which electronic communications transit the globe) means that it is much more likely that the CIA will, in the course of its overseas operations, gather incidentally collected information on U.S. persons (defined to include U.S. citizens, legal permanent residents, unincorporated associations substantially composed of U.S. citizens or legal permanent residents, and corporations incorporated in the United States, so long as they are not directed or controlled by a foreign government). The guidelines incorporate a number of provisions that both acknowledge and seek to address that fact.
Third, the additional requirements that apply to under-evaluated information operate regardless of where the data was initially collected, unless “the CIA obtains specific information to the contrary” (See ¶ 3.2) Putting aside that final caveat (and with the admission that I don’t fully understand when it would apply), this is actually a significant acknowledgement. According to at least one train of thought, data collected overseas is and should be subject to different (laxer) rules than data or other property collected from within the United States. This document implicitly rejects that position, at least as a matter of policy, not law. Under-evaluated information—and the incidentally acquired information included—is subject to equivalent protections regardless of the location of collection.
Fourth, and much less encouraging, the querying of CIA information repositories is not considered collection, and thus not subject to the relevant approval requirements and other protections that govern collection (See ¶ 4.1). If the database includes under-evaluated information subject to “exceptional handling requirements” (basically all non-consented to electronic communications), queries are subject to initial limits. Such databases can only be queried by a trained CIA employee. And if the databases are queried with the purpose of retrieving U.S. person information, the query is “to the extent practicable” to be accompanied by a statement of purpose. If, however, the data has been reviewed and deemed to meet the specific retention criteria (See Sec. 7) – which among many other things unsurprisingly permits the retention of foreign intelligence information – it can be queried without any requirement of specialized approval or required statement of purpose.
This is unfortunate. As Steve Vladeck and I argue in a forthcoming book chapter, the act of collection and the act of querying should be understood as two separate events, subject to independent analysis and review. Even if collection and retention is justified, it doesn’t necessarily mean that subsequent query ought to be permitted as well. At a minimum, it seems that the agents should, to the extent possible, be required to provide a statement of the purpose for the query, regardless of what database is being used. This is, among other things, essential for effective monitoring and oversight.
Fifth, this isn’t at all new, but it’s interesting to note that so-called “special collection” is defined as those techniques that would require a warrant under the Fourth Amendment if employed inside the United States for a law enforcement purpose (see ¶ 4.4; see also Section 2.5 of Executive Order 12333). Such special collection requires additional approval and, consistent with Executive Order 12333, requires written documentation that there is probable cause to believe that the person or entity being targeted is an agent of a foreign power or an officer or employee of a foreign power, and that the information sought is significant foreign intelligence or counterintelligence, if directed at a U.S. person outside the United States.
I bring this up as a reminder of how much is unsettled. While electronic surveillance (thanks to the Sixth Circuit’s opinion in U.S. v. Warshak) and physical searches are clearly covered under the definition of special collection, there is – as the guidelines themselves note – a lot of gray, and thus wiggle room, elsewhere. The extent to which real-time geolocation tracking is covered by the Fourth Amendment is, for example, deeply contested, with courts offering an array of answers to the question depending on the duration and technique used. Whether, to what extent, and in what areas the third party doctrine eliminates the need for a warrant is the subject of ongoing litigation and debate. I imagine it is relatively easy for both the CIA and the Department of Justice to interpret the lack of legal clarity in a way to avoid the required finding of probable cause.
There is, of course, a lot more to these documents, including the approval and documentation requirements for bulk collection, the array of retention and dissemination rules, and rules on coordination with the FBI. I expect that others will chime in the coming days as well. . . .