From IC on the Record, October 17, 2014
By Robert Litt and Alexander W. Joel
As the President said in his speech on January 17, 2014, “the challenges posed by threats like terrorism, proliferation, and cyber-attacks are not going away any time soon, and for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.”
As a part of that effort, the President made clear that the United States is committed to protecting the personal information of all people regardless of nationality. This commitment is reflected in the directions the President gave to the Intelligence Community on that same day, when he issued Presidential Policy Directive/PPD-28, Signals Intelligence Activities.
New Standards for Safeguarding Privacy
PPD-28 reinforces current practices, establishes new principles, and strengthens oversight, to ensure that in conducting signals intelligence activities, the United States takes into account not only the security needs of our nation and our allies, but also the privacy of people around the world.
The Intelligence Community already conducts signals intelligence activities in a carefully controlled manner, pursuant to the law and subject to layers of oversight, focusing on important foreign intelligence and national security priorities. But as the President recognized, “[o]ur efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too.”
To that end, the Intelligence Community has been working hard to implement PPD-28 within the framework of existing processes, resources, and capabilities, while ensuring that mission needs continue to be met.
In particular, PPD-28 directs intelligence agencies to review and update their policies and processes – and establish new ones as appropriate – to safeguard personal information collected through signals intelligence, regardless of nationality and consistent with our technical capabilities and operational needs.
Released Today – The PPD-28 Interim Report
As we work to meet the January 2015 deadline, PPD-28 called on the Director of National Intelligence to prepare an interim report on the status of our efforts and to evaluate, in coordination with the Department of Justice and the rest of the Intelligence Community, additional retention and dissemination safeguards.
The DNI’s interim report is now being made available to the public in line with our pledge to share as much information about sensitive intelligence activities as is possible, consistent with our national security.
The report is the product of many months of work within the Intelligence Community and with our partners in the other parts of the United States Government, and it draws on conversations agencies have held with outside stakeholders.
Key Privacy Principles for the Intelligence Community
We encourage you to read the whole report released today. It articulates key principles for agencies to incorporate in their policies and procedures, including some which afford protections that go beyond those explicitly outlined in PPD-28. These principles include the following:
- Ensuring that privacy and civil liberties are integral considerations in signals intelligence activities.
- Limiting the use of signals intelligence collected in bulk to the specific approved purposes set forth in PPD-28.
- Ensuring that analytic practices and standards appropriately require that queries of collected signals intelligence information are duly authorized and focused.
- Ensuring that retention and dissemination standards for United States person information under Executive Order 12333 are also applied, where feasible, to all personal information in signals intelligence, regardless of nationality.
- Clarifying that the Intelligence Community will not retain or disseminate information as “foreign intelligence” solely because the information relates to a foreign person.
- Developing procedures to ensure that unevaluated signals intelligence is not retained for more than five years, unless the DNI determines after careful evaluation of appropriate civil liberties and privacy concerns, that continued retention is in the national security interests of the United States.
- Reinforcing and strengthening internal handling of privacy and civil liberties complaints.
- Reviewing training to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality. Successful completion of this training must be a prerequisite for accessing personal information in unevaluated signals intelligence.
- Developing oversight and compliance programs to ensure adherence to PPD-28 and agency procedures, which could include auditing and periodic reviews by appropriate oversight and compliance officials of the practices for protecting personal information contained in signals intelligence and the agencies’ compliance with those procedures.
- Publicly releasing, to the extent consistent with classification requirements, the procedures developed pursuant to PPD-28.
In the coming months, we will continue to work to complete this review. Taken together, these principles make meaningful progress towards the President’s goal of ensuring that ordinary citizens in other countries have confidence that the United States respects their privacy, too.