from the fixes-need-fixing dept
Cody Poplin at Lawfare points out that the Defense Department has just issued an update on rules governing its intelligence collection activities -- the first major update in over 30 years. These would directly affect the NSA, which operates under the Defense Department.
The most significant alteration appears to be to retention periods for US persons data. While everything is still assumed to be lawful under Executive Order 12333 and DoD Directive 5240.1, the point at which a record is deemed to be "collected" -- starting the clock on the retention period -- has changed.
Under the new rules, “collection” occurs “upon receipt,” whereas the previous manual defined “collection” as occurring when the information was “officially accept[ed] … for use.” The change ensures that all protections governing even the incidental collection of U.S. personal information (USPI) apply upon receipt of that information. The clock starts to run as soon as information is collected, meaning that collected information must be promptly evaluated to determine the proper retention period.
This should result in better minimization of incidentally-collected US persons info as the determination must be made shortly after harvesting, rather than waiting until the collected data is queried. This likely means the NSA may be making more efforts to head off incidental collection, as leaving things the way they are will now result in additional logistics headaches.
This doesn't necessarily mean incidentally-collected info will be swiftly disposed of. The DoD can still hold onto this data for five years. And, if the target of the incidental collection leaves the country during that retention period, the DoD can hold onto the data for a quarter-century.
Info on US persons/entities (still located in the US) is also being granted additional protections, including enhanced minimization procedures for dissemination of collected data to other agencies and other countries.
The NSA will also be expected to make additional trips to the FISA court.
[T]he new manual incorporates new physical search rules that reflect changes to the Foreign Intelligence Surveillance Act since 1982. These include requirements to obtain a FISA warrant for nonconsensual physical searches conducted inside the United States and for targeted collection of U.S. person information outside the United States.
Most of this appears to be changes for the better -- something that likely wouldn't have occurred without Snowden's leaked documents. The last change to these rules was made back in 1982 when no one had any idea of the wealth of communications content and data that would be travelling around the globe in digital form.
But a closer look at the details -- especially the part pertaining to "special circumstances" that alter the rules of collection and retention -- suggests there still may be a few exploitable loopholes that would allow the NSA to target US persons and entities.
If DoD agencies wish to target a US person (whether at home or abroad), they're instructed to use the "least intrusive" method of surveillance: public sources. If the information sought can't be found there, the next step is to seek cooperation from other sources that may have the same info. This is basically a consensual search, but involving third parties. The last step is to seek top-level approval from the DoD's general counsel. This will provide some additional oversight, but still makes it a mostly "in-house" process -- something that's not exactly comforting.
The additional restrictions on the collection of US persons in the US seem to limit potential abuse/misuse of surveillance tools.
Other specific limitations apply to collection of USPI inside the United States, including that the information may be collected only if 1) the information is publicly available or 2) the source of the information is advised or otherwise aware that he or she is providing the information.
But the list of exceptions to these limitations appears to directly remove these two stipulations.
In the event that neither of the two previous requirements are met, the Defense Intelligence Component may employ collection methods that are directed at the United States if a) the foreign intelligence is significant and the collection is not undertaken for the purpose of acquiring information about a U.S. person’s domestic activities; b) the intelligence cannot be obtained publicly or from sources who are advised they are providing information to the DoD; or c) the Defense Intelligence Component head concerned or a single delegee has approved as being consistent with the manual and its outlined procedures the use of techniques other than the collection of publicly available information or from an informed source.
Reading both of these together suggests that if the DoD can't obtain the info it's seeking from public/advised sources, it can use that limitation as a reason to deploy supposedly foreign-facing surveillance methods against US persons. If that's the correct reading (and the "or" -- rather than an "and" -- in the list of requirements suggests it is), the limitations on domestic surveillance are mostly meaningless.