A privacy update to 1982 Defense Department rules for conducting surveillance on Americans contains a loophole that lets the National Security Agency continue eavesdropping on a wide swath of online conversations, critics say.
“DOD Manual 5240.01: Procedures Governing the Conduct of DOD Intelligence Activities” was last issued when all email addresses could fit in a Parent Teacher Association-sized directory.
The new rules reflect a shift in intelligence gathering from bugging an individual’s phone to netting communications in bulk from the global internet. The revision aims to address the reality that many, many conversations now occur online and should be shielded from government surveillance, intelligence and civil liberties experts agree.
But the document creates a carveout that does not respect the privacy of data ferried along international communications wires, according to the New America Foundation’s Open Technology Institute.
The new manual is “making kosher the kind of upstream collection that allows for really widescale incidental collection, even if very time-limited collection, of Americans’ information,” said Robyn Greene, the institute’s policy counsel.
Unlike in the 1980s when transatlantic talk was cost-prohibitive (a 3-minute call between America and Western Europe cost up to $12.60), now the equivalent of several hundred Libraries of Congress worth of chatter traverses undersea cables everyday at a rate of a few cents per YouTube download.
So, the word “collection” takes on new meaning in the policy to try ensure personal data is handled with discretion. In the past, information was considered captured only when officially accepted for use by an analyst. Now, information is considered captured “when it is received,” according to the revised manual.
“The clock starts to run as soon as information is collected, meaning that collected information must be promptly evaluated to determine the proper retention period,” Cody Poplin, a former Brookings Institution researcher, commented in a Lawfare blog post.
However, privacy advocates say the timer to preserve confidentiality starts too late.
The new procedures do not consider short-term files like email contents and metadata swept up from the internet as “collections” that merit protection. The manual states: ”Collected information does not include: Information that only momentarily passes through a computer system; information on the internet or in an electronic forum or repository outside the component that is simply viewed or accessed by a component employee but is not copied, saved supplemented or used.”
“It’s great” that more stored communications will enjoy privacy protections, but the document “fails to address the core concerns that we have about bulk collection and the impact that has on Americans’ privacy and on nontargeted foreigners’ privacy,” Greene said.
Can’t Touch This
It remains to be seen, or unseen, how U.S. spies are following the new data-handling guidelines in practice when scanning networks.
On Wednesday, Defense officials declined to comment on internet cable-tapping.
In response to the concerns raised, Pentagon spokesman Lt. Col. Eric Badger said in an email to Nextgov the “provision defining collection in the new manual, including the exclusions, does not diminish the protections that existed under the previous” guidelines.
He also said there is an existing classified annex containing “civil liberties and privacy protections for U.S. persons when conducting signals intelligence” that remains in effect until an update is issued.
“As to the hypothetical, we cannot comment,” Badger said.
The Aug. 8 rules apply to the entire Pentagon, including NSA. Defense Secretary Ash Carter and Justice Department head Loretta Lynch signed off on the manual, after consulting with Director of National Intelligence James Clapper.
One intelligence community contractor says the policy reboot does a much better job at spelling out the dos and don’ts of siphoning Americans’ data from the internet.
The manual helps “clarify how that data could be used, how it’s going to be handled, how it’s going to be safeguarded, etc.” said Justin Fier, director for cyber intelligence and analysis at Darktrace, where many on staff formerly served British and U.S. spy agencies.
“It allows Americans to feel OK with the fact that they can use the internet and the internet might be a collection platform,” he said.
Five years is the cap for keeping data on Americans intentionally captured, as well as data “incidentally collected” while targeting a specific person in the United States, the manual says. Collateral data can be retained for up to 25 years if the target of the sweep is reasonably believed to be outside the United States, according to the policy.
“The procedures require that, at the end of the maximum evaluation period” data on Americans “is deleted from intelligence databases unless affirmatively determined to meet the criteria for permanent retention,” an accompanying Pentagon fact sheet reads.
Civil liberties groups contend much of that data should not be retained to begin with, but reversing course would take changes to presidential policy. The manual is still undergirded by a Reagan-era executive order (E.O. 12333) that allows the government to Hoover up data on Americans from outside the United States, without the restrictions that limit stateside searches.
“These new privacy protections don’t narrow the scope of collection authorized under E.O. 12333 to prohibit the mass surveillance that the NSA currently engages in,” Greene said. Until the order “is amended to address that problem, the NSA will still be able to use that authority to scoop up the communications of millions of innocent people.”
This week, NSA is dealing with an apparent counterespionage attack that perhaps leaked pieces of the spy agency’s hacking tool arsenal. Ex-intelligence contractor Edward Snowden, who exposed the bulk data interception at issue here, has suggested the Russian government spilled NSA’s malicious codes as part of an ongoing plot to tamper with the U.S. presidential elections.