Obama administration signs off on wider data-sharing for NSA

The Obama Department of Justice (DOJ) has signed off on new rules to let the National Security Agency (NSA) share globally intercepted personal information with the country’s other 16 intelligence agencies, before it applies privacy protection to or minimizes the raw data.

Or, as Patrick Toomey, a lawyer for the American Civil Liberties Union (ACLU), put it in an interview with the New York Times, 17 intelligence agencies are now going to be “rooting… through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant”.

The new rules mean that the FBI, the CIA, the DEA, and intelligence agencies of the US military’s branches and more, will be able to search through raw signals intelligence (SIGINT): intercepted signals that include all manner of people’s communications, be it via satellite transmissions, phone calls and emails that cross network switches abroad, as well as messages between people abroad that cross domestic network switches.

The director of national intelligence, James Clapper, signed the rules on December 15. Attorney-general Loretta Lynch followed suit on January 3, according to a 23-page, largely declassified copy of the procedures that the NYT first reported on and released last week.

The new rules significantly weaken longstanding limits on what the NSA may do with the vast troves of information it gathers with its surveillance machinery – machinery that’s both powerful and largely unregulated by US wiretapping laws.

The changes usher in two sweeping surveillance powers for the-soon-to-be President Trump: Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows the government to carry out mass surveillance on US soil, including both the so-called PRISM and Upstream programs revealed by Edward Snowden, and Executive Order 12333.

That sounds concerning, but observers point out that Obama’s move could in fact limit Trump’s ability to compromise people’s privacy. Susan Hennessy, a fellow at Brookings, told The Atlantic:

“I think a reasonable observer might assume that while the protections the Obama administration was interested in putting into place increased privacy protections—or at the very least did not reduce them—that the incoming administration has indicated that they are less inclined to be less protective of privacy and civil liberties. So I think it is a good sign that these procedures have been finalized, in part because it’s so hard to change procedures once they’re finalized.”

Executive Order 12333 is the primary authority under which the NSA conducts surveillance. It covers a “dizzying array of warrantless, high-tech spying programs”, according to Toomey.

Unlike Section 215 of the Patriot Act, EO 12333 has no protection for US people if the relevant SIGINT occurs outside US borders.

12333 isn’t a statute. It’s “never been subject to meaningful oversight from Congress or any court”, according to John Napier Tye, who was working for the State Department during the Reagan era when 12333 was passed.

While 12333 is mostly targeted at foreigners, the NSA has used it to hoover up plenty of Americans’ information, Toomey points out, including:

The NYT has filed a Freedom of Information Act lawsuit seeking details about how EO 12333 was revised in 2008 under President George W Bush. The case wound up last February, but many questions were left unanswered, the NYT said, including …

…when analysts would be permitted to use Americans’ names, email addresses or other identifying information to search a 12333 database and pull up any messages to, from or about them that had been collected without a warrant.

The way critics see it, the newly signed rules relaxing NSA sharing of raw SIGINT are also opening the door to law enforcement searching the data for ordinary criminal cases, allowing military intelligence powers to creep into everyday law enforcement.

The new rules specify that the intelligence agencies’ access to raw SIGINT comply with the Fourth Amendment, which prohibits unreasonable search and seizures, and that it be done in a manner that “protects the privacy of US persons”.

And just what are the safeguards being put in place for that? Those concerned with privacy – or with the rule of law, or the Constitution, or civil rights – have been keen to find out.

Robert Litt, general counsel of the Office of the Director of National Intelligence, has noted that data-sharing will only occur with intelligence agencies (as opposed to state and local law enforcement), and that it can only occur for foreign intelligence and counter-terrorism purposes.

Analysts can also search the data for Americans only if other conditions have been met, including that the American being investigated is an agent of a foreign power. Under the new rules, if analysts find evidence that an American has committed a crime, that evidence will be sent to the Justice Department.

But plenty of questions remain. Jake Laperruque, writing for the Just Security forum, is one of those who’ve questioned whether law enforcement use of the data will truly be limited, and how, as well as how oversight will be conducted.

Will access be screened or limited to personnel that work exclusively on intelligence operations, who will then be barred from discussing it with personnel who serve law enforcement functions?

If not, how will the government ensure that agencies do not use data from bulk collection for broad law enforcement purposes, and then mask this use through parallel construction, a practice the DEA reportedly has a unit devoted to achieving?

Parallel construction is when an agency secretly uses NSA data when identifying or tracking a criminal suspect, then cooks up a plausible alternative story, with evidence, to give to a court about the investigation’s origin.

A 2013 Reuters report detailed how the DEA’s Special Operations Division, or SOD, teaches agents to cover up vital tips. Reuters obtained a DEA document showing that federal agents are trained to conceal essential intelligence obtained via wiretaps, informants or other surveillance methods by crediting it to another source.

Nate Cardozo, an attorney with the Electronic Frontier Foundation, told Wired that the rule change opens the door to yet more of this type of tactical cover-up.

It used to be that if NSA itself saw the evidence of a crime, they could give a tip to the FBI, and the FBI would engage in parallel construction. Now FBI will be able to get into the raw data themselves and do what they will with it.