The Privacy and Civil Liberties Oversight Board’s Disappointing Report on PPD-28 Implementation

The report falls short of what we should expect from the government’s only independent civil liberties watchdog

October 25, 2018

This article has been cross-posted from Just Security.

Edward Snowden’s revelations that the NSA engaged in massive spying operations overseas prompted outrage and political blowback from our closest allies. In an attempt to manage this fallout, President Obama in January 2014 issued Presidential Policy Directive 28 (PPD-28), which established principles to guide signals intelligence activities (basically, electronic surveillance) with an eye toward protecting the “legitimate privacy interests” of foreigners. At the time, civil liberties advocates — including the Brennan Center — praised the general principles that PPD-28 set forth, but cautioned that the devil was very much in the details of how it would be implemented.

There was reason to hope that the Privacy and Civil Liberties Oversight Board (PCLOB) would provide those details in its Report to the President on the Implementation of Presidential Policy Directive 28, which was finalized in December 2016 but just became publicly available last week following a Freedom of Information Act request filed by New York Times reporter Charlie Savage. After all, the PCLOB had conducted an exhaustive investigation into the Foreign Intelligence Surveillance Act (FISA) Section 702 and secured the declassification of an enormous amount of information about how Section 702 operates.

Unfortunately, the PPD-28 report fails to deliver. It adds surprisingly little new information to what was already in the public domain. It focuses largely on the agencies’ official interpretations of the directive, as set forth in their public procedures, without digging into the actual implementation of those procedures. Its authors seem not to notice discrepancies between the agency policies they describe and the directive itself. And the report fails to address some of the most open-ended aspects of the directive — the ones for which information about implementation is most necessary. In short, the PPD-28 report is cut from a very different cloth than the PCLOB’s previous major reports, and it falls short of what we should expect from the government’s only independent civil liberties watchdog.

Restrictions on Use of Bulk Collected Information. One of the potentially significant advances contained in PPD-28 is its restrictions on the use of signals intelligence collected in bulk. Under Section 2 of the directive, such data may be used only to detect and counter:

(1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

The import of this provision, however, turns in large part on the directive’s definition of “bulk collection.” In a footnote, the directive states that use restrictions on bulk-collected data do not apply “to signals intelligence data that is temporarily acquired to facilitate targeted collection.” This raises a critical question: what do agencies consider to be “temporary” acquisition? For instance, the NSA collected Americans’ phone records in bulk and retained them for 5 years, but it made use of the records only by running queries tied to particular targets. If the NSA were to conduct a similar program involving the bulk collection of electronic communications under Executive Order 12333, would it assert that PPD-28’s use restrictions did not apply? If so, the restrictions would lose much of their potential force.

The footnote was the subject of intense scrutiny and discussion within the civil liberties community; advocates sought clarification from intelligence officials without success. The PCLOB could have obtained the answer, but there is no indication from the report that it even asked the question.

Leaving aside how narrowly or broadly the use restrictions might apply, the PCLOB’s report fails to establish that agencies are adhering to them. With regard to the NSA and CIA, the report simply notes that the agencies “memorialized” PPD-28’s use restrictions in their written procedures. Of course, the directive required the agencies to complete this basic step, and because the written procedures are public, the public already knew they had done so. But the fact that the agencies updated their paperwork as required tells us nothing about how — or even whether — the restrictions are being implemented. It is the agencies’ actions that matter here, not their words.

With regard to the FBI, the PCLOB — again citing the bureau’s written procedures — states that agents must focus their queries on “intelligence information responsive to an intelligence requirement or an authorized law enforcement activity.” The PCLOB seems satisfied with this standard, but it clearly fails to comply with PPD-28. Responsiveness to an intelligence requirement is the bare minimum for foreign intelligence-gathering activities, not a special restriction. Although the requirements themselves (as set forth in the National Intelligence Priorities Framework) are classified, they are purportedly tailored to the threats identified in the Worldwide Threat Assessment of the U.S. Intelligence Community, which is public. A quick glance at that document shows that the threats it identifies — which include “extreme weather,” “disease outbreaks,” and “economic woes” resulting from decreased oil prices — go far beyond the six categories identified in PPD-28. Similarly, “authorized law enforcement activities” would encompass every criminal act within the FBI’s jurisdiction, not the narrow categories of criminal enterprise reflected in PPD-28’s six use restrictions. In short, the FBI isn’t complying with PPD-28 even on paper — a point the PCLOB fails to acknowledge.

Limits on retention and dissemination. Another potentially significant aspect of PPD-28 is its requirement that agencies apply the same limits on retention and dissemination to both U.S. person and non-U.S. person information, “[t]o the maximum extent feasible consistent with the national security.” Civil liberties advocates worried that the caveat could swallow the rule.

And so it did. In their public procedures, the NSA and CIA adopted markedly different standards for the dissemination of U.S. person and non-U.S. person information. The latter could be disseminated if “related to” an intelligence requirement; the former could be disseminated (with identifying information intact) only if “necessary” to understand or assess the foreign intelligence. In other words, the agencies did not interpret PPD-28’s national security caveat as an exception that could be applied on a case-by-case basis; they decided instead that it wiped out the rule, allowing the agencies to apply different standards across the board.

The PCLOB should have inquired whether this approach was consistent with both the letter and spirit of PPD-28. Even if it deemed the approach acceptable, it should have probed the agencies’ determination that applying the same rule to U.S. persons and non-U.S. persons would be inconsistent with national security. What sort of inquiry did the agencies conduct? What facts informed their decision? Was their conclusion not only reasonable but consistent with the directive’s mandate to apply the same standard “to the maximum extent feasible”? There is no such analysis in the report — just one redacted sentence, in each of the paragraphs discussing the differing standards for U.S. persons and non-U.S. persons, that presumably concludes (or states the agencies’ conclusion) that national security considerations warranted the outcome.

With respect to the FBI, the PCLOB simply states the FBI’s position: “FBI contends that all personal information of non-U.S. persons was obtained in the course of a lawful foreign intelligence, counterintelligence, or international terrorism investigation and therefore may be disseminated under PPD-28 and the ODNI guidance.” The PCLOB does not state whether it finds this “contention” to be accurate. Nor does it mention whether the FBI applies the same standard when disseminating U.S. person and non-U.S. person information, as PPD-28 directs, or an entirely different standard. It is hard to imagine a thinner inquiry into implementation of this provision.

On the issue of retention, the report is even more disappointing. PPD-28 states that agencies may retain only information that is determined to meet certain criteria, which should be the same for U.S. persons and non-U.S. persons. It then states: “Information for which no such determination has been made shall not be retained for more than 5 years, unless the DNI expressly determines that continued retention is in the national security interests of the United States.”

With respect to the NSA, the PCLOB states that the NSA was already applying its five-year limitation on retention of U.S. person information to non-U.S. person information. The PCLOB fails to note, however, that the NSA’s five-year limitation, which is set forth in U.S. Signals Intelligence Directive 18 (USSID 18), applies only to “[u]nenciphered communications not thought to contain secret meaning.” USSID 18 clearly contemplates that encrypted communications — which have become increasingly commonplace — may be retained for a longer period. But PPD-28 makes no exception for encrypted communications. How has the NSA resolved this tension? Did the DNI determine that the NSA’s continued retention of all encrypted communications is in the national security interests of the United States? The PCLOB report doesn’t say.

As for the FBI, the PCLOB once again simply recites the bureau’s contention: “FBI indicated that the five-year retention period is not a change in practice for FISA Section 702 data because the FBI’s FISA Section 702 minimization procedures already impose a five-year retention limit for information that has never been reviewed.” In fact, the FBI’s 5-year limit for unreviewed material contains an express exception for encrypted communications. The minimization rules also waive the 5-year limit for communications that have been reviewed, but for which no determination about their foreign intelligence value has been made. This longer retention period for indeterminate communications is plainly inconsistent with PPD-28, under which the absence of any determination about a communication’s intelligence value affirmatively triggers, rather than waives, the 5-year limitation. The PCLOB, however, appears to have simply accepted the FBI’s incomplete characterization of its minimization procedures.

Turning broad principles into practice. One of the real wasted opportunities in this report is its failure to examine how agencies are implementing Section 1 of PPD-28, setting forth “Principles Governing the Collection of Signals Intelligence.” These principles are salutary but not self-executing, and their practical value — as distinguished from whatever symbolic value they may have — depends entirely on how they have been operationalized.

For instance, Section 1 states: “The United States shall not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.” How do agencies ensure that this prohibition is honored? Presumably, agency employees are informed of it during training, and the agencies’ privacy officers review proposed collection activities for compliance. Once the activities are underway, however, who ensures that they adhere to this limitation in practice? What guidelines inform this assessment? If intelligence activities have a significant disparate impact on some ethnicities or religions, is this considered to raise any red flags? Do the agencies make any effort to determine the relative impact of their activities on different ethnicities, races, or religions?

Section 1 also states, “Signals intelligence activities shall be as tailored as feasible. In determining whether to collect signals intelligence, the United States shall consider the availability of other information, including from diplomatic and public sources. Such appropriate and feasible alternatives to signals intelligence should be prioritized.” How is this principle put into practice? Is there a requirement, for instance, to identify available alternatives to signals intelligence collection in writing? Is there a process in place for considering those alternatives, culminating in a written determination that is — or at least can be — reviewed at high levels within the agency? Or is this merely an ethos that the agencies believe their employees already possess? How do the NSA’s current bulk collection programs square with PPD-28’s requirement that collection be “as tailored as feasible”?

Assessing agencies’ adherence to general principles is more difficult than assessing compliance with specific benchmarks like a 5-year retention limit on collected data. Moreover, much of what can be found in Section 1 reiterates principles contained in longstanding agency guidelines or directives. That does not make it less important to review these principles’ implementation. No independent civil liberties oversight body has ever previously examined whether agencies have mechanisms for translating these principles into practice, or whether they remain mere lofty words on a piece of paper. That is exactly the sort of information one would hope the PCLOB would provide.

The PCLOB’s PPD-28 report is not without value. It flags the need for guidance on what PPD-28 means by “signals intelligence” so that agencies know when to apply the directive. It reveals that the CIA has opted to be overinclusive in its application of PPD-28 to multi-sourced systems. (Rachel Brand and Elisabeth Collins wrote a separate statement expressing their dismay at the notion that civil liberties protections might be applied where not strictly necessary — a reminder of why the PCLOB should be composed of people with backgrounds in, and demonstrated commitment to, civil liberties.) Perhaps most usefully, it notes the importance of faithful PPD-28 implementation by agencies receiving access to raw signals intelligence for the first time under new 2017 guidelines, and it recommends that those agencies update their practices, procedures, and trainings before receiving such data. None of these contributions, however, substitutes for a robust investigation into how agencies are implementing PPD-28.

I continue to believe that the PCLOB is a vitally important body, and I hope that Congress moves quickly to confirm the remaining two nominees (particularly since the board will otherwise be operating with a significant ideological imbalance). Even though I disagreed with the PCLOB’s recommendations in its Section 702 report, I felt that the board provided a tremendous public service by obtaining the declassification of so much detailed information. In this case, though, the PCLOB seems to have shied away from asking hard questions about what the agencies’ policies looked like in practice, choosing to accept the agencies’ own characterizations even when they were plainly wrong. I hope the board gets back to the gumshoe detective work in its next investigation.

