|
||||
|
3 February 2015 White House New Data Spying Policy
http://icontherecord.tumblr.com/ Statement by Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco: Update on Implementation of Signals Intelligence Reform and Issuance of PPD-28 February 3, 2015 On January 17, 2014, President Obama directed a series of signals intelligence reforms designed to reassure every American that our nation’s intelligence activities are carried out with appropriate oversight and respect for civil liberties and privacy. That same day, he also signed Presidential Policy Directive – 28, Signals Intelligence Activities (PPD-28), which reaffirms long-standing collection principles, sets certain limitations on the use of signals intelligence collected in bulk, refines the process for collecting signals intelligence – including an annual Cabinet-level review of prioritization and an evaluation of risks and benefits – and establishes safeguards for personal information collected through signals intelligence. At the President’s direction, future implementation of these reforms will be the subject of an annual report. For the past year, the Administration has been working to implement the President’s guidance. Today, the Director of National Intelligence is releasing a report that highlights substantial progress and reflects an ongoing commitment to greater transparency. This report details, among other things, the Intelligence Community’s progress in implementing PPD-28, reforms regarding the collection of bulk telephony metadata records under Section 215 of the USA PATRIOT Act, the collection of intelligence under Section 702 of the Foreign Intelligence Surveillance Act, and the use of national security letters. In the coming days, a report will be released highlighting the progress the Administration has made in implementing the initiatives discussed in the May 2014 Big Data Report prepared by a working group led by Counselor to the President John Podesta. Beyond the initiatives discussed in these reports, the Administration has also been implementing recommendations made by the President’s Review Group on Intelligence and Communications Technologies. These reports and the progress made to date will be discussed in upcoming meetings with the Privacy and Civil Liberties Oversight Board, the Review Group on Intelligence and Communications Technologies, and others. As the President indicated in PPD-28, our signals intelligence activities must take into account that all persons have legitimate privacy interests in the handling of their personal information. At the same time, we must ensure that our Intelligence Community has the resources and authorities necessary for the United States to advance its national security and foreign policy interests and to protect its citizens and the citizens of its allies and partners from harm. As we continue to face threats from terrorism, proliferation, and cyber-attacks, we must use our intelligence capabilities in a way that optimally protects our national security and supports our foreign policy while keeping the public trust and respecting privacy and civil liberties.
http://icontherecord.tumblr.com/ppd-28/2015/overview SIGNALS INTELLIGENCE REFORM 2015 ANNIVERSARY REPORT • OVERVIEW • STRENGTHENING PRIVACY & CIVIL LIBERTIES • LIMITING SIGINT COLLECTION & USE
Over the course of the past eighteen months, the United States has undertaken a comprehensive effort to examine and enhance the privacy and civil liberty protections we embed in our signals intelligence (SIGINT) collection activities. As part of this process, we have sought — and benefited from — a broad cross section of views, ideas, and recommendations from oversight bodies, advocacy organizations, private companies, and the general public. This effort has resulted in strengthened privacy and civil liberty protections; new limits on signals intelligence collection and use; and increased transparency. On January 17, 2014, President Obama signed Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28) and delivered an address at the Department of Justice on the steps we are taking to reform certain intelligence activities. As we mark the one-year anniversary of these events, it is a good time to report on the status of a range of ongoing reform efforts. As this report shows, the Intelligence Community has made significant progress implementing many reforms. However, our work is not done. To that end, the Office of the Director of National Intelligence will issue another public report in 2016 about the Intelligence Community’s on-going progress to implement these reforms.
There has been robust discussion, both here and abroad, about how the Intelligence Community protects privacy and civil liberties and how it can continue to ensure strong privacy protections while continuing to protect the nation and its partners as technology continues to advance. This discussion has included outreach to, among others, Congress, the Privacy and Civil Liberties Oversight Board, civil liberties and privacy advocates, the private sector, foreign partners, and the general public. It has benefited from several in-depth studies and reviews, resulting in publicly available reports and recommendations.
The Intelligence Community provided the review groups with unprecedented
access to people, classified documents, and other sensitive Intelligence
Community information to support their efforts. In addition, many of these
reviews held open hearings and solicited input from the public. These in-depth
reviews included:
The Intelligence Community values the insights provided by these reviews. As discussed throughout this report, the Intelligence Community has implemented many of these recommendations and continues to identify additional opportunities to go beyond the recommendations in these reports. In short, the Intelligence Community has, and will continue to, carefully examine our activities to protect the privacy interest of all persons, regardless of nationality, while defending the nation and our partners and allies.
STRENGTHENING PRIVACY & CIVIL LIBERTIES PROTECTIONS As the President said in his speech on January 17, 2014, “the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon … and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.” As a part of that effort, the President made clear that “our signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside….”
This commitment is reflected in the direction the President issued that same
day in Section 4 of Presidential Policy Directive-28, Signals Intelligence
Activities (PPD-28), requiring all elements of the Intelligence Community
to establish policy and procedures for safeguarding personal information
collected from signals intelligence (SIGINT) activities. In addition, we
are also seeking to provide new legislative remedies for potential privacy
violations.
In addition, in response to the President’s direction and to the
recommendations from both the President’s Review Group on Intelligence
and Communications Technology and the Privacy and Civil Liberties Oversight
Board, the Intelligence Community is strengthening privacy protections in
our collection activities under Section 702 of Foreign Intelligence Surveillance
Act and the Section 215 bulk telephony metadata program. Moreover, as directed
by the President, the FBI will amend its non-disclosure policy for National
Security Letters.
On January 17, 2014, the President issued Presidential Policy Directive-28, Signals Intelligence Activities (PPD-28), which “articulates principles to guide why, whether, when, and how the United States conducts signals intelligence activities for authorized foreign intelligence and counterintelligence purposes.” In a speech that same day, the President made clear that the United States is committed to protecting the personal information of all people regardless of nationality and directed the Intelligence Community to take a number of steps to strengthen the privacy and civil liberty protections afforded to all people. PPD-28 reinforces current practices, establishes new principles, and strengthens oversight, to ensure that in conducting signals intelligence (SIGINT) activities, the United States takes into account not only the security needs of our nation and our allies, but also the privacy of people around the world. Section 4 of PPD-28 calls on each Intelligence Community element to update existing or issue new policies and procedures to implement principles for safeguarding all personal information collected through SIGINT, consistent with technical capabilities and operational needs. Over the past year, the Intelligence Community has been working to implement this requirement within the framework of existing processes, resources, and capabilities, while ensuring that mission needs continue to be met. In July 2014, the Director of National Intelligence provided the President an interim report on the status of our efforts that also evaluated, in coordination with the Department of Justice and the rest of the Intelligence Community, certain additional retention and dissemination safeguards that all Intelligence Community elements should follow as they adopt policies and procedures under PPD-28. The Director of National Intelligence is pleased to report that, as required by PPD-28, all Intelligence Community elements have reviewed and updated their existing policies and procedures, or have issued new policies or procedures, to provide safeguards for personal information collected through SIGINT, regardless of nationality and consistent with national security, our technical capabilities, and operational needs. Although similar in many respects, agency procedures are not identical. The differences reflect that not all agencies conduct SIGINT collection and that agencies have different mission requirements. Links to agency policies and procedures can be found below. U.S. Intelligence Community Policies & Procedures to Safeguard Personal Information Collected Through SIGINT [All following links in Zipped file: http://cryptome.org/2015/02/ic-ppd-28-15-0203.zip 22MB] Office of the Director of National Intelligence What has PPD-28 changed?
The agency policies and procedures implementing Section 4 of PPD-28 include
significant changes that strengthen privacy and civil liberty protections
for all people. It is worthwhile to highlight a few of the most significant
changes:
JUDICIAL REDRESS FOR CITIZENS OF CERTAIN COUNTRIES In furtherance of its commitment to protecting privacy in the law enforcement context, the Administration is working with Members of Congress on legislation to give citizens of designated countries the right to seek judicial redress for intentional or willful disclosures of protected information, and for refusal to grant access or to rectify any errors in that information. NEW PRIVACY PROTECTIONS FOR BULK TELEPHONY METADATA COLLECTED UNDER SECTION 215 Section 215 of the USA PATRIOT Act authorizes the Government to make requests to the Foreign Intelligence Surveillance Court (FISC) for orders requiring production of documents or other tangible things (books, records, papers, documents, and other items) when they are relevant to an authorized national security investigation such as an investigation to protect against international terrorism or clandestine intelligence activities. The vast majority of orders issued under Section 215 do not seek information collected in bulk; rather, these orders require the production of a discrete and limited amount of information. This authority is also used to require certain telephone communications providers to produce in bulk telephony metadata, such as telephone numbers dialed and length of calls. This program was developed to fill an important intelligence gap identified by the report on the 9/11 attacks by allowing the Government to detect communications between terrorists who are operating outside the U.S. and potential operatives inside the U.S. This program does not permit the government to obtain or listen to the content of anyone’s telephone calls. Nor is the Government allowed to sift indiscriminately through the telephony metadata obtained under this program. Rather, since its inception, this program has been subject to strict controls and oversight, including: Requiring the metadata to be stored in secure databases accessible to only a limited number of trained analysts. Limiting the access to, and use of, the metadata only for counterterrorism purposes. Prohibiting querying the databases unless there is a reasonable, articulable suspicion that a particular target identifier (the “seed” number) is associated with particular foreign terrorist organizations. Limiting the access to and use of this metadata only for identifying the telephone identifiers that are in contact, directly or indirectly, with the seed number. Destroying the information after five years. New Protections for the Current Program In response to the President’s direction in January 2014, this program was modified by incorporating into the FISC orders authorizing the bulk collection two forms of enhanced privacy protection: Previously, the basis for the reasonable, articulable suspicion finding had to be documented in writing and approved by specifically authorized NSA officials. The Department of Justice conducted routine oversight of these decisions to ensure the standard was met. Today, except in emergency circumstances, reasonable, articulable suspicion findings must also be approved in advance by the FISC. Thus, except in emergency circumstances, only court-approved identifiers may be used to query the database. Previously, NSA was permitted to query the information out to three “hops,” or links. Today, queries are limited to two hops. This means NSA is permitted to develop contact chains by starting with a target identifier (seed number) and, using telephony metadata records, see what identifiers communicated with that target (first hop) and which identifiers, in turn, communicated with the first-hop identifiers (second hop). The limitation to two hops reduces the number of potential results from each query. In June 2014, the Office of the Director of National Intelligence released its first annual statistical transparency report on the use of national security authorities covering the year 2013. Later this year, the Director of National Intelligence will issue its second report covering the use of national security authorities in 2014. In advance of that report, it is appropriate to note that in 2014 there were 161 target identifiers approved by the FISC to be queried under NSA’s bulk telephony metadata program. New Protections to be Established by Legislation In his January 17, 2014 speech, the President directed the Department of Justice and the Intelligence Community to develop options for a new approach that would match the capabilities and fill the gaps that Section 215 was designed to address without the government holding the metadata itself. The Department of Justice and the Intelligence Community explored a number of options, including having the metadata held by a third party or leaving the metadata at the provider. Based on recommendations from the Department of Justice and the Intelligence Community, the President proposed that the government end bulk collection of telephony metadata under Section 215 of the USA PATRIOT Act, while ensuring that the government has access to the information it needs to meet its national security requirements. The Intelligence Community and the Department of Justice have since been working closely with Congress to develop legislation that would implement the President’s proposal by leaving the metadata at the provider. To that end, the Administration supported the USA FREEDOM Act, which, if enacted, would have prohibited bulk collection using (i) Section 215, (ii) the Pen Registers and Trap and Trace provisions of the Foreign Intelligence Surveillance Act, and (iii) National Security Letters while maintaining critical authorities to conduct more targeted collection. The Attorney General and the Director of National Intelligence stated that, based on communications providers’ existing data retention practices, the bill would retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection by the government under these legal authorities. The bill would also expressly authorize an independent voice in significant cases before the FISC. The Administration was disappointed that the 113th Congress ended without enacting this legislation. This legislation not only satisfies the President’s requirements, but also responds to the recommendations from the Privacy and Civil Liberties Oversight Board and the President’s Review Group on Intelligence and Communications Technology to end the bulk collection of telephony metadata records under Section 215 of USA PATRIOT Act as it currently exists. The Intelligence Community encourages Congress to quickly take up and pass legislation that would allow the government to end bulk collection of telephony metadata records under Section 215, while ensuring that the government has access to the information it needs to meet its national security requirements. NEW PRIVACY PROTECTIONS FOR INFORMATION COLLECTED UNDER SECTION 702 Section 702 of the Foreign Intelligence Surveillance Act (FISA), which was added by the FISA Amendments Act of 2008, authorizes the acquisition of foreign intelligence information concerning non-U.S. persons reasonably believed to be located outside the United States. Under Section 702, the government cannot target anyone for collection unless it has a significant purpose to acquire foreign intelligence information, the foreign target is reasonably believed to be outside the United States, and the Government abides by FISC-approved targeting and minimization procedures. Section 702 cannot be used to intentionally target any U.S. citizen or any other U.S. person, to intentionally target any person known to be in the United States, or to target a person outside the United States if the purpose is to target a person inside the United States. Collection under Section 702 does not require individual judicial orders authorizing collection against each target. Instead, Section 702 requires that the FISC approve procedures to (i) ensure that only non-U.S. persons reasonably believed to be outside the U.S. are targeted, and (ii) minimize the acquisition, retention, and dissemination of incidentally acquired information about U.S. persons. Activities authorized by Section 702 are subject to oversight by the Judicial Branch through the Foreign Intelligence Surveillance Court, by the Executive Branch through the Department of Justice and the Office of the Director of National Intelligence, and by the Legislative Branch through the Intelligence and Judiciary Committees of Congress. Directives requiring the production of information to the Government can be challenged in the FISC by the recipients. In his January 17, 2014 address, the President asked the Department of Justice and the Intelligence Community to institute reforms with respect to the government’s ability to retain, search, and use in criminal cases communications between Americans and foreign citizens incidentally collected under Section 702. Subsequently, in July 2014, the Privacy and Civil Liberties Oversight Board issued a report on Section 702, concluding that the Section 702 program is lawful and valuable, and that “at its core, the program is sound” and making ten recommendations to help the program “strike a better balance between privacy, civil rights, and national security.” As noted above, in response to the President’s direction and recommendations from the Privacy and Civil Liberties Oversight Board, the Attorney General and Director of National Intelligence are placing additional restrictions on the government’s ability to retain, query, and use in evidence in criminal proceedings communications between Americans and foreign citizens incidentally collected under Section 702. First, FBI, CIA, and NSA each are instituting new requirements for using a U.S. person identifier to query information acquired under Section 702. As recommended by the Privacy and Civil Liberties Oversight Board, NSA’s minimization procedures will require a written statement of facts showing that a query is reasonably likely to return foreign intelligence information. CIA’s minimization procedures will be similarly amended to require a statement of facts for queries of content. In addition, FBI’s minimization procedures will be updated to more clearly reflect the FBI’s standard for conducting U.S. person queries and to require additional supervisory approval to access query results in certain circumstances. Second, the new policy re-affirms requirements that the government must delete communications to, from, or about U.S. persons acquired under Section 702 that have been determined to lack foreign intelligence value. In addition, the policy requires the Department of Justice and the Office of the Director of National Intelligence to conduct oversight over these retention decisions. This change will help ensure that the Intelligence Community preserves only that information that might help advance its national security mission. Third, consistent with the recommendation of the Privacy and Civil Liberties Oversight Board, information acquired under Section 702 about a U.S. person will not be introduced as evidence against that person in any criminal proceeding except (1) with the approval of the Attorney General, and (2) in criminal cases with national security implications or certain other serious crimes. This change will ensure that, if the Department of Justice decides to use information acquired under Section 702 about a U.S. person in a criminal case, it will do so only for national security purposes or in prosecuting the most serious crimes. The Intelligence Community has also agreed to address the Privacy and Civil Liberties Oversight Board’s other recommendations, including: Revising targeting procedures to require additional documentation of the foreign intelligence value of each target; A National Security Letter is an investigative tool, similar to a subpoena, which is used by the FBI in a national security-related investigation to obtain limited types of information from companies, such as telephone records and subscriber information. When the FBI issues a National Security Letter, by law a senior official, such as the Special Agent in Charge of a field office, may require that the recipient company not disclose the existence of the letter, if one or more statutory standards are met – that is, when disclosure may (i) endanger the national security of the United States, (ii) interfere with a criminal, counterterrorism or counterintelligence investigation, (iii) interfere with diplomatic relations, or (iv) endanger the life or physical safety of any person. In his January 17, 2014 remarks, the President directed the Attorney General “to amend how we use National Security Letters so that [their] secrecy will not be indefinite, and will terminate within a fixed time unless the government demonstrates a real need for further secrecy.” In response to the President’s new direction, the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close. Continued nondisclosures orders beyond this period are permitted only if a Special Agent in Charge or a Deputy Assistant Director determines that the statutory standards for nondisclosure continue to be satisfied and that the case agent has justified, in writing, why continued nondisclosure is appropriate.
LIMITING SIGINT COLLECTION AND USE Principles of Collection Section 1 of PPD-28 reinforces four long-standing principles for the collection of signals intelligence: The collection of SIGINT shall be authorized by statute or Executive Order, proclamation, or other Presidential directive, and undertaken in accordance with the Constitution and applicable statutes, Executive Orders, proclamations, and Presidential directives. Privacy and civil liberties shall be integral considerations in the planning of U.S. SIGINT activities. The United States shall not collect SIGINT for the purposes of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion. SIGINT shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions and not for any other purpose. The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage to U.S. companies and U.S. business sectors commercially. SIGINT activities shall be as tailored as feasible. In determining whether to collect SIGINT, the United States shall consider the availability of other information, including from diplomatic and public sources. Such appropriate and feasible alternatives to SIGINT should be prioritized. These principles are based on the understanding that, while the collection of SIGINT is necessary to protect national security, to advance foreign policy interests, and to protect U.S. citizens and interests, as well as the citizens of its allies and partners, from harm, it carries multiple risks to our relationships with other nations; our commercial, economic, and financial interests; the credibility of our commitment to an open, interoperable, and secure global internet; and the protection of intelligence sources and methods. Accordingly, these principles, which reflect our commitment to privacy and civil liberties, are incorporated in the PPD-28 procedures of each Intelligence Community element that collects SIGINT. In addition to including these four principles in their procedures, Intelligence Community elements are taking steps to ensure that privacy and civil liberties are integral considerations in the planning of U.S. SIGINT activities. For example, NSA has established a dedicated Civil Liberty and Privacy Officer and CIA has expanded its Privacy and Civil Liberties office. And in response to PPD-28, these offices are working to ensure that privacy and civil liberties are integral considerations in the planning of SIGINT activities. For example, NSA is developing a privacy and civil liberties assessment process to analyze what data it collects and how it uses the data to better understand the privacy and civil liberties risks associated with a new and novel collection activity. Refined Process on SIGINT Targeting As the President indicated on January 17, 2014, SIGINT collection raises special concerns given rapidly evolving changes in technology and the unique nature of the collection itself. Consequently, PPD-28 directed changes to the process for selecting the targets of SIGINT collection to ensure that these concerns are considered alongside other risks and benefits. To do this, the Intelligence Community, in partnership with the National Security Council, has elevated the process by which SIGINT requirements and priorities are identified, so that the heads of the relevant departments and agencies can better evaluate SIGINT collection in light of its potential risks to national interests and our law enforcement, intelligence, and diplomatic relationships abroad. The review process of SIGINT collection covered almost seven dozen countries and organizations and resulted in restrictions on the current SIGINT collection posture. These restrictions are now part of the Director of National Intelligence’s collection priorities guidance to the Intelligence Community through the National Intelligence Priorities Framework. In addition, the Director of National Intelligence has revised Intelligence Community Directive 204 to reflect the requirement for greater policymaker oversight of the intelligence priorities process. Finally, the NSA has enhanced its processes to ensure that targets are regularly reviewed, and those targets that are no longer providing valuable intelligence information in support of these senior policy-maker approved priorities are removed. New Limits on Use of SIGINT Collected in Bulk As affirmed in PPD-28, the United States must collect some information in bulk in certain circumstances in order to locate new and emerging threats vital to the national security. Section 2 of the PPD articulated limits on the use of SIGINT collected in bulk. Before PPD-28, an Intelligence Community element could use SIGINT collected in bulk for any authorized reason connected to that element’s mission. Today, Intelligence Community elements are only permitted to use SIGINT collected in bulk for six specific purposes: (i) to counter espionage and other threats and activities of foreign powers or intelligence services against the U.S. and its interests; (ii) counterterrorism; (iii) counter-proliferation; (iv) cybersecurity; (v) to detect and counter threats to U.S. or allied armed forces or other U.S. or allied personnel; and (vi) to combat transnational criminal threats, including illicit finance and sanctions evasion. These specific limits require the Intelligence Community to carefully consider and confirm that all use of SIGINT collected in bulk is for a permissible purpose.
Transparency has been a significant focus for the Intelligence Community. We have declassified and made publicly available a substantial amount of information over the past 18 months, particularly regarding the government’s use of Foreign Intelligence Surveillance Act (FISA) authorities. This effort has included: Developing IC on the Record; Releasing documents about the government’s intelligence activities, including compliance and oversight assessments; Releasing opinions and orders from the Foreign Intelligence Surveillance Court; Publishing the first annual Intelligence Community transparency report disclosing statistics on the government’s use of National Security Letters and Foreign Intelligence Surveillance Act authorities; Declassifying aggregate FISA data so that communications providers can make public additional information about FISA orders they receive; Releasing unclassified reports on NSA’s implementation of Section 702 of the Foreign Intelligence Surveillance Act and its Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333; Establishing Principles of Intelligence Transparency for the Intelligence Community to solidify these practices; and Making numerous speeches and appearances by Intelligence Community leadership to explain our activities to the public Since the launch of IC on the Record on August 20, 2013, the Intelligence Community has posted more than 250 declassified documents (comprising more than 4,500 pages) about Intelligence Community activities. The majority of the declassified documents relate to NSA’s bulk telephony metadata program under Section 215 of the USA PATRIOT Act (Section 501 of FISA); Section 702 of FISA); and NSA’s now-discontinued bulk internet metadata collection program under Section 401 of FISA (i.e., the Pen Register/Trap and Trace program). Many of the documents posted about these programs relate to proceedings before the Foreign Intelligence Surveillance Court, including applications by the government to authorize or reauthorize programs and significant court opinions. Other documents that have been posted include NSA training slides for personnel with access to bulk telephone metadata and U.S. District Court documents relating to legal challenges to the bulk telephony metadata collection program. The Intelligence Community has also released documents associated with the Foreign Intelligence Surveillance Court of Review’s opinion upholding the constitutionality of the now-discontinued surveillance program under the Protect America Act and a number of documents about the activities conducted under the previous Administration’s Terrorist Surveillance Program. In addition to releasing documents, the Intelligence Community has posted to IC on the Record other information to give context to those documents. These include videos, audio recordings, and text transcripts of public engagements and Congressional testimony by senior Intelligence Community officials; fact sheets; and, recently, a live, online question-and-answer session between a senior Intelligence Community official and members of the public. The release of this information has facilitated public debate about Intelligence Community policies and practices, and has established a precedent for transparency going forward. In particular, the Director of National Intelligence has issued principles to guide our transparency efforts and has established a senior working group to continue these transparency efforts and proactively identify new ones. The Intelligence Community recognizes that continued public support for our activities to protect our nation and our partners requires the public trust that can only be achieved with greater transparency.
|
