Senators Ron Wyden and Martin Heinrich are raising concerns about a program of bulk data collection operated by the Central Intelligence Agency—one that permits the agency to store and search for information concerning Americans without the oversight or legal restrictions imposed by statutes like the Foreign Intelligence Surveillance Act. A letter to intelligence chiefs written by Wyden and Heinrich last April is one of several newly‐declassified documents concerning the program, which had been the subject of an unpublished “deep dive” analysis by the Privacy and Civil Liberties Oversight Board (PCLOB). Yet the documents tell us maddeningly little about the program beyond the fact of its existence—one reason that Wyden and Heinrich’s primary demand is for greater transparency. Nevertheless, there are a few inferences we can draw from both the letter and the recommendations offered by PCLOB staff.
First, Wyden and Heinrich reference the history of legislative efforts to limit or prohibit the indiscriminate large‐scale collection of U.S. person records. Though a large chunk of text here remains redacted, it seems quite clear they are referencing such reforms as the USA FREEDOM Act of 2015, which ended the National Security Agency’s bulk telephony metadata program revealed by Edward Snowden. “And yet,” the senators write, “throughout this period, the CIA has secretly conducted its own bulk program [REDACTED]. It has done so entirely outside the statutory framework that Congress and the public believe govern this collection [.…]” So whatever CIA is doing, it is at least somewhat comparable to the NSA’s bulk telephone metadata program—sufficiently similar that the public and Congress would assume such activities had been addressed and regulated by recent legislative reforms.
Second, Wyden and Heinrich urge greater transparency concerning the CIA’s “relationship with its sources,” which implies that the records in question are provided voluntarily—or at least knowingly—to the CIA by some outside source, rather than obtained surreptitiously, via interception or exfiltration. In other words, these are records that are being sold or given to CIA by some other entities with which the agency has an ongoing relationship. (It would not make sense to speak of a “relationship with its sources” if, for instance, the CIA had collected this data by hacking into the networks of foreign governments or corporations.) Since the letter worries that the CIA’s collection does not involve judicial oversight—at least not of the type associated with collection under the Foreign Intelligence Surveillance Act—and only the FBI can issue National Security Letters, it does not sound as though these records are obtained by compulsory process. So, again, it sounds as though they are likely being either volunteered or purchased.
Third, the recommendations developed by PCLOB staff reference a pop‐up box that is displayed to analysts when they query the database for information “deemed by the system” to pertain to U.S. persons, reminding them that a legitimate foreign intelligence purpose is required for such queries (though not, as PCLOB staff noted, requiring them to document that purpose within the system). That suggests that the records themselves (and the queries that might be run against them) probably include information of a type that an automated system could use to infer whether the record or query pertains to a U.S. person, such as a physical address, Internet Protocol address, or telephone number.