U.S. Air Force Master Sgt. Vince Burden annotates the serial number of a dropsonde on board a WC-130J Super Hercules aircraft over the Atlantic Ocean Sept. 17, 2010. U.S. Air Force, Staff Sgt. Michael B. Keller

There’s a Big Loophole in the Pentagon’s Guide to Eavesdropping

The new rules reflect a shift in intel-gathering from phone-tapping to capturing conversations on the internet.

A privacy update to 1982 Defense Department rules for conducting surveillance on Americans contains a loophole that lets the National Security Agency continue eavesdropping on a wide swath of online conversations, critics say.      

"DOD Manual 5240.01: Procedures Governing the Conduct of DOD Intelligence Activities" was last issued when all email addresses could fit in a Parent Teacher Association-sized directory.    

The new rules reflect a shift in intelligence gathering from bugging an individual’s phone to netting communications in bulk from the global internet. The revision aims to address the reality that many, many conversations now occur online and should be shielded from government surveillance, intelligence and civil liberties experts agree.  

But the document creates a carveout that does not respect the privacy of data ferried along international communications wires, according to the New America Foundation's Open Technology Institute.     

The new manual is "making kosher the kind of upstream collection that allows for really widescale incidental collection, even if very time-limited collection, of Americans' information," said Robyn Greene, the institute's policy counsel.      

Unlike in the 1980s, when transatlantic talk was cost-prohibitive (a 3-minute call between America and Western Europe cost up to $12.60), now the equivalent of several hundred Libraries of Congress worth of chatter traverses undersea cables every day at a rate of a few cents per YouTube download.

So, the word "collection" takes on new meaning in the policy to try to ensure personal data is handled with discretion. In the past, information was considered captured only when officially accepted for use by an analyst. Now, information is considered captured "when it is received," according to the revised manual.

"The clock starts to run as soon as information is collected, meaning that collected information must be promptly evaluated to determine the proper retention period," Cody Poplin, a former Brookings Institution researcher, commented in a Lawfare blog post.         

However, privacy advocates say the timer to preserve confidentiality starts too late.       

The new procedures do not consider short-term files like email contents and metadata swept up from the internet as "collections" that merit protection. The manual states: "Collected information does not include: Information that only momentarily passes through a computer system; information on the internet or in an electronic forum or repository outside the component that is simply viewed or accessed by a component employee but is not copied, saved, supplemented or used."

"It's great" that more stored communications will enjoy privacy protections, but the document "fails to address the core concerns that we have about bulk collection and the impact that has on Americans' privacy and on nontargeted foreigners' privacy," Greene said.    

Can't Touch This

It remains to be seen, or unseen, how U.S. spies are following the new data-handling guidelines in practice when scanning networks.

On Wednesday, Defense officials declined to comment on internet cable-tapping.

In response to the concerns raised, Pentagon spokesman Lt. Col. Eric Badger said in an email to Nextgov the "provision defining collection in the new manual, including the exclusions, does not diminish the protections that existed under the previous" guidelines.

He also said there is an existing classified annex containing "civil liberties and privacy protections for U.S. persons when conducting signals intelligence" that remains in effect until an update is issued.

“As to the hypothetical, we cannot comment,” Badger said.

The Aug. 8 rules apply to the entire Pentagon, including NSA. Defense Secretary Ash Carter and Justice Department head Loretta Lynch signed off on the manual, after consulting with Director of National Intelligence James Clapper. 

One intelligence community contractor says the policy reboot does a much better job at spelling out the dos and don'ts of siphoning Americans' data from the internet.    

The manual helps "clarify how that data could be used, how it's going to be handled, how it's going to be safeguarded, etc.," said Justin Fier, director for cyber intelligence and analysis at Darktrace, where many on staff formerly served British and U.S. spy agencies.

"It allows Americans to feel OK with the fact that they can use the internet and the internet might be a collection platform," he said.

Five years is the cap for keeping data on Americans intentionally captured, as well as data "incidentally collected" while targeting a specific person in the United States, the manual says. Collateral data can be retained for up to 25 years if the target of the sweep is reasonably believed to be outside the United States, according to the policy.        

"The procedures require that, at the end of the maximum evaluation period" data on Americans "is deleted from intelligence databases unless affirmatively determined to meet the criteria for permanent retention," an accompanying Pentagon fact sheet reads.         

Civil liberties groups contend much of that data should not be retained to begin with, but reversing course would take changes to presidential policy. The manual is still undergirded by a Reagan-era executive order (E.O. 12333) that allows the government to Hoover up data on Americans from outside the United States, without the restrictions that limit stateside searches.      

"These new privacy protections don't narrow the scope of collection authorized under E.O. 12333 to prohibit the mass surveillance that the NSA currently engages in," Greene said. Until the order "is amended to address that problem, the NSA will still be able to use that authority to scoop up the communications of millions of innocent people."   

This week, NSA is dealing with an apparent counterespionage attack that perhaps leaked pieces of the spy agency’s hacking tool arsenal. Ex-intelligence contractor Edward Snowden, who exposed the bulk data interception at issue here, has suggested the Russian government spilled NSA’s malicious codes as part of an ongoing plot to tamper with the U.S. presidential elections.
