Skip Navigation
Resource

Rethinking Intelligence: Interview with ​​​​​​Mary Ellen Callahan

Mary Ellen Callahan served as the Chief Privacy Officer and Chief Freedom of Information Officer of the Department of Homeland Security from 2009 to 2011. She is currently Chair of the Privacy and Information Governance Practice at Jenner and Block.

Published: August 4, 2014

Inter­view Tran­script

 

Q: Hi, I’m Mike German, I’m a fellow with the Bren­nan Center for Justice at NYU Law School and today I’m talk­ing with Mary Ellen Calla­han. Mary Ellen Calla­han is chair of the Privacy and Inform­a­tion Governance Program at Jenner & Block. From 2009 to August of 2012, served as the Chief Privacy Officer for the Depart­ment of Home­land Secur­ity. Can you tell me what the role of the Chief Privacy Officer in a secur­ity agency is and why it’s so import­ant to have some­body work­ing on privacy within these agen­cies?

CALLA­HAN: Sure. Home­land Secur­ity actu­ally was the first stat­utor­ily created privacy officer. And it embed­ded it within the Depart­ment of Home­land Secur­ity when Home­land Secur­ity was set up in 2002 because there was going to be a lot of inform­a­tion being collec­ted. And because they wanted to have some sort of aware­ness of what inform­a­tion was being collec­ted. The posi­tion itself is created as a policy posi­tion, but I also had super­vis­ory author­ity over all of the differ­ent programs, systems and privacy impact assess­ments — anything that collec­ted personal inform­a­tion from anyone, I had over­sight of and had to approve it. So that was great because it provided a system­ized over­sight. You have differ­ent segments of Home­land Secur­ity, TSA, Customs and Border Protec­tion. Intel­li­gence and analysis, all who look at the things only with their own myopic way and this way I could look across the issues, making sure we were consist­ent, making sure we were follow­ing privacy protec­tion.

With regard to why it’s import­ant in the intel­li­gence community in partic­u­lar, and I think we’ll talk about this more later, the intel­li­gence community by its nature is set up to be very secret­ive. You have to make sure that you protect those state secrets. And you needed to have people, and I had a whole lot of people, who had top-secret FBI clear­ance, who under­stood the issues, who were able to analyze the issues from the analysts’ perspect­ive, but also looked to try to embed privacy protec­tions.

Q: These were your staff?

CALLA­HAN: These were my staff who would work in a couple of differ­ent ways. We had reports on suspi­cious activ­it­ies. It wasn’t a SAR per se, but it was suspi­cious activ­it­ies that went to all the states and fusion centers. And in those types of scen­arios we reviewed them all and had to approve them before they went out. Now we did it in a timely fash­ion and we turned it around quickly. But I think it was really import­ant to make sure that you don’t use inflam­mat­ory language or you’re precise in what you’re talk­ing about the poten­tial threat is. Further­more, you’re not saying, “This was a dark skinned man and there­fore I’m concerned.” But there was a reasoned basis for the analysis to inform people on the state and local fusion center envir­on­ment.

Q: And what are the signi­fic­ant accom­plish­ments you feel like you achieved while you were there?

CALLA­HAN: At Home­land Secur­ity? So over­all I would that my whole goal when I was at DHS- first to be clear, I had a phenom­enal staff — and they were great, and they still are great.

Q: Now this is the third largest federal agency.

CALLA­HAN: Right.

Q: How big was your staff?

CALLA­HAN: When I star­ted, I had and I did both the FOIA — Free­dom of Inform­a­tion Act — as well as privacy, I had 18 people. And when I left, I had 47, because I changed the way the contracts were. So there were a lot of contract­ors who were there, but they weren’t neces­sar­ily beholden or embed­ded into the organ­iz­a­tion. And so I tried to expand it. So I had 47 direct reports. On the privacy side, there were 120 other staff through­out the depart­ment, which is by far the largest agency that has that. And then on the Free­dom of Inform­a­tion Act side we had about 380 addi­tional staff that were kind of dotted line to me.

Q: So you feel like you had the staff to do the work?

CALLA­HAN: Yeah I think so. You could always have more staff, but what I tried to do with my staff was to first get it embed­ded into the processes and the bureau­cra­cies of the depart­ment, making sure it reviews these reports we talked about that were going out to fusion centers; that it reviewed all of the inter­na­tional agree­ments for inform­a­tion shar­ing; that it was part of the inform­a­tion shar­ing review process for any new policy decisions that may have privacy implic­a­tions; at least even indir­ectly, that we were part of that review and analysis. That hadn’t taken place before. Before, we relied on personal rela­tion­ships and someone pick­ing up the phone and saying, “Hey Mary Ellen, this is going on. You should be aware.” But what I tried to do is system­at­ize it, because bureau­cracy loves bureau­cracy and if you’re in the process, then it’s much harder to get you removed than it is to rely on personal rela­tion­ships.

Q: And you can’t wait till the phone to ring some­times?

CALLA­HAN: Right, exactly. And what putting into the bureau­cracy helped do was to high­light where the issues were, and also to high­light that my staff and I were will­ing to try to find solu­tions. So I would have guys who would come up to me and say” We need to stop terror­ists.” Great, we want you to do that. How do you plan to do that? And they would say things for example, collect facial recog­ni­tion on every person in the United States. Well, that might be a little bit too much to stop terror­ists. So let’s try to figure out what your author­ity is, what you’re supposed to do, how you’re supposed to do it and how you can do it in a more privacy protect­ive way.

Q: And what were some of the imped­i­ments that affected privacy?

CALLA­HAN: So I will say we had a lot of senior support for the privacy office, and I think that was in part because we were being creat­ive and we were help­ing find solu­tions. We weren’t just saying no. But the imped­i­ments were human nature. One would be that it’s such a big organ­iz­a­tion, their largest depart­ment, that there was a lot of diffused activ­it­ies going on. And so it was hard to neces­sar­ily know what was going on. In addi­tion, you know, people’s initial reac­tions were such that they would say “Oh I’m not, I’m not going to pay atten­tion to you, you’re wrong, you’re trying to help the terror­ists.” I’ve said this before in public, which is, I got called a terror­ist every month that I was there. I got called [that] more early in the time, but I defin­itely got it called at the end. That was by my DHS colleagues, by members of the intel­li­gence community and by others who were in the process. Because the knee jerk reac­tion is, if you’re trying to put in some obstacles or slow this down, the terror­ists are going to win. Are you trying to aid and abet the terror­ists? Obvi­ously I wasn’t trying to do that, and obvi­ously I wasn’t trying to slow things down, but I was trying to make things more tightly hewn and more privacy protect­ive.

Q: And it seems that in every other element of our govern­ment and even of our lives, it’s sort of having some­body look­ing over your shoulder and check­ing your work is considered import­ant and essen­tial to actu­ally doing a good job at what you’re going to accom­plish, but it seems in the intel­li­gence community they tend to want to avoid that kind of over­sight?

CALLA­HAN: Well I would actu­ally argue that in our daily lives, we don’t want someone look­ing over our shoulders. You don’t want someone second guess­ing you, you don’t want someone being crit­ical, you don’t want your boss to come down on you. But it does happen. And so parents look at chil­dren, bosses look at subor­din­ates and colleagues look at each other’s work, even though our instinct is to not want that. And so that was the point I was saying is when they would get mad at me, it was very much an instinctual response, that I don’t want you to ques­tion what I’m doing. But, once you talk to them and try to get them to under­stand the value propos­i­tion you provided, how you could be help­ful and help solve some of the prob­lems they had, then all of a sudden they real­ize that addi­tional review actu­ally benefited not just me person­ally, but their product as well as the depart­ment. And that’s where, I think we got to at the end, was to go and say, “Listen, this is a real value-add.” And you have to have some­body within the system to be able to do that, to build up the trust, to build up the repeat processes, to under­stand the issues.

Q: And the privacy office is just one element to the over­sight of intel­li­gence agen­cies and other govern­ment agen­cies. How well did your office work with the other compon­ents, Inspect­ors General, and partic­u­larly Congres­sional over­sight? Did they look at you as an ally?

CALLA­HAN: That’s an inter­est­ing ques­tion. We did not work with IGs all that much. They were some­what separ­ate. There were a couple of times where I actu­ally invest­ig­ated the
Inspector General because they had a data breach where they didn’t follow DHS policy, and they inspec­ted them­selves. And I layered on it a privacy review of what the privacy concerns were. And there a couple of other times where we worked with the IG on stuff, but not that often. The IG pretty much stands alone. At Home­land Secur­ity, the Office for Civil Rights and Civil Liber­ties, we worked with very closely. For example CRCO would do help do those reviews of intel­li­gence reports that I mentioned earlier. So it was the two of us, along with the Office of General Coun­sel who would review the products before they would go out.

With regard to Congres­sional Over­sight, it’s an inter­est­ing ques­tion, because as you know, Home­land Secur­ity has whatever it is, 120 differ­ent commit­tees and sub-commit­tees that it reports to. From my perspect­ive as a Privacy Officer, I was brought on to the Hill every two months saying “What are you doing now? What are you doing now?” from the privacy people. In a similar vein, the intel­li­gence commit­tees wanted noth­ing to do with me. They had no interest in talk­ing to me. And in fact there were several times during my tenure that the House Intel­li­gence Commit­tee and the Senate Intel­li­gence Commit­tee brought intel­li­gence and analysis from Home­land Secur­ity down and said ‘Why are you guys delay­ing inform­a­tion shar­ing? I hear from the intel­li­gence community that you’re delay­ing inform­a­tion shar­ing and that you are grossly negli­gent in your inform­a­tion shar­ing respons­ib­il­it­ies, why is that?’ The answer to that was because we had been work­ing on an agree­ment and because we had been worried about the privacy protec­tions.  The answer was, the intel­li­gence community elements just went and complained to the Hill. So the Hill would go and say, “Why are you doing that, you know, are you a terror­ist? Are you aiding and abet­ting terror­ists?” So my point on that is each sub-section of Congres­sional over­sight thought their section was the most import­ant and there­fore, “why are you not doing more on privacy, why are you doing too much on privacy?” were the ques­tions we were getting on the Hill pretty much monthly.

Q: And did you feel like that the reports that your office produced were relied on.

CALLA­HAN: Well there are a lot of reports that are stat­utor­ily required. Nobody ever read those. I mean they went and admit­ted as much to us.

Q: Right, of course.

CALLA­HAN: Or they would say, “Oh your Section 803 report which is about basic­ally privacy incid­ents, when you did disclos­ures and stuff, it’s better writ­ten now. Okay, thank you.” But there was a lot of those stat­utor­ily required reports that weren’t all that useful. I tried to make our annual report a really substant­ive piece. That may have gotten a little out of hand, but trying to be trans­par­ent and trying to have more disclos­ures. And I think that some of my invest­ig­a­tions — I mentioned the Inspector Gener­a­tion invest­ig­a­tion — that that was well received. The DHS privacy officer is the only officer within the federal govern­ment, only privacy officer within the Federal govern­ment, who had inde­pend­ent invest­ig­at­ory author­ity. And that actu­ally helped me a lot.

Q: And would that be some­thing you would recom­mend the other privacy officers get?

CALLA­HAN: Abso­lutely. I would abso­lutely do. I didn’t use it often, I used it three times, because it’s hard to invest a lot of invest­ig­a­tions, but I’ll tell you what, each time I used it, I was right. And each time I used it, it funda­ment­ally changed the way the Depart­ment was doing stuff. One was on, as I said, data breaches, one was on inform­a­tion — excuse me — on use of social media and we had a manage­ment direct­ive that was derived out of that; and the third one was related to misuse of inform­a­tion by the Customs and Border Protec­tion Internal Affairs Officer, who has subsequently been removed from his job. So it was all judi­cious use of author­ity, but just having that sword helps when people say, “Well, why should I help you? Why should I talk to you?” Well, because I can demand whatever inform­a­tion is neces­sary.

Q: You mentioned inform­a­tion shar­ing, and after 9/11, inform­a­tion shar­ing became the cent­ral element of what we needed to do differ­ently to make sure that all agen­cies had all the inform­a­tion. But of course that their inform­a­tion prac­tices, which I know you know very well, include an element which says if the govern­ment collects inform­a­tion for one purpose it should­n’t share that for another purpose without noti­fy­ing. So is the inform­a­tion shar­ing that modern intel­li­gence agen­cies require incom­pat­ible with the Fair Inform­a­tion Prac­tice?

CALLA­HAN: I think they are to a certain extent and I don’t think that that issue has been fully weighed or analyzed. So as you poin­ted out, the Privacy Act requires you to say okay, disclose routine uses, and the routine uses must be compat­ible with the original collec­tion. The first part when inform­a­tion shar­ing star­ted right after 9/11 it was shar­ing what I called bad guy data, shar­ing bad guy data between bad guy data­bases, and I don’t think anyone has a prob­lem with that. There’s a ques­tion about data qual­ity, right? That’s a differ­ent issue.

Q: And when you say bad guy data, you mean law enforce­ment type?

CALLA­HAN: Law enforce­ment data, known or suspec­ted terror­ists, some sort of predic­ate. We can debate on what the level of predic­ate should be but some sort of way of like, hey you might want to pay atten­tion to this issue, or we’re seeing this pattern or prac­tice. And so that type of inform­a­tion shar­ing on its face makes sense. But then you get to the next ques­tion which is one that I have seri­ous prob­lems with, which is data that’s collec­ted in the ordin­ary course of the govern­ment doing its job, border cross­ing inform­a­tion, small busi­ness loans, whatever it may be, adop­tion applic­a­tions. This is a role that the govern­ment has played since there were govern­ments. And that inform­a­tion is collec­ted. And it’s collec­ted for a partic­u­lar civil non-liti­gi­ous, non-terror­ist base purpose. And now the way that the, partic­u­larly the intel­li­gence community is think­ing about the inform­a­tion shar­ing, all of those assets should be analyzed for the possib­il­ity of find­ing a terror­ist nexus. And one, I don’t think that the terror­ist nexus is there. Two, I don’t think that the intel­li­gence community has the abil­ity to analyze a small busi­ness loan or any of the other things, border cross­ing inform­a­tion. The farther removed you get from the data, the worse the data qual­ity. And it funda­ment­ally changes the way the govern­ment inter­acts with the citizens.

Q: And to be clear, the agen­cies, the law enforce­ment agen­cies, the FBI, that I worked for always had the abil­ity — if I suspec­ted there were docu­ments within this data set that were relev­ant to an invest­ig­a­tion — to obtain those.

CALLA­HAN: Abso­lutely.

Q:  With subpoenas or other legal process, but we’re talk­ing about taking the entire data­base.

CALLA­HAN: Right. My concern with this inform­a­tion shar­ing, is the bulk inform­a­tion shar­ing without a predic­ate, so I’m going to absorb or take the whole data­base without analyz­ing it and then compar­ing it to some other data­base in order to determ­ine a poten­tial pattern or process. My concern is unfiltered bulk shar­ing.

Q: And part of the issue with that unfiltered bulk shar­ing is whether it’s actu­ally effect­ive to find those very few bad guys that are within the data. Part of the stat­utory report require­ments are privacy impact assess­ments that your office had to do. The Privacy and Civil Liber­ties Over­sight Board recently came out with a report and one of their recom­mend­a­tions for the intel­li­gence community was to actu­ally have meth­ods to determ­ine the effect­ive­ness of your programs and it was sort of shock­ing to see that. Were you aware of whether they were doing that sort of research and analysis to find empir­ical evid­ence to support that these programs actu­ally worked? In other words, you had to find the privacy impact of them, but you weight that against the effect­ive­ness.

CALLA­HAN: So I guess the way I would answer that ques­tion is part of the privacy analysis is whether or not the approach would actu­ally be effect­ive. And so, when analyz­ing partic­u­larly bulk inform­a­tion shar­ing, I think any good privacy officer would have asked for examples, you know, success stor­ies, why this was neces­sary. I believe that there is a quote for me that chal­lenged some of those meth­ods, that’s in the public domain. That may be worth­while to look at, because I kept saying, “Why is this new proposal differ­ent from what you can do right now?” and the examples they gave me were irrel­ev­ant. But they were all that they could point to. And again, defin­ing how this could be effect­ive is some­thing that partic­u­larly in the post-9/11 scen­ario, was not a prior­ity in the intel­li­gence community. They wanted more data is what they wanted to do and I get why and I under­stand that. But if you have so much data that you can’t filter it, you have to go and say, “Well, if this piece of this data or this piece of data? Which one is going to be effect­ive?” And there was nobody doing that. Small busi­ness loans versus border cross­ings. I’m going to prob­ably bet that border cross­ings is going to be better for that, but it’s also more, so is that relev­ant and should we factor that in? And having some stat­ist­ics or examples or even some sort of relev­ancy stand­ard would be really import­ant.

Q: And of course, one of the prob­lems that a lot of civil liber­ties groups, and even some groups that are just talk­ing about the effect­ive­ness and the cost of these programs, talk about with data is that too much data actu­ally creates its own prob­lems. And I thought it was inter­est­ing that two exam­in­a­tions of the Boston Mara­thon bomb­ing, the watch list­ing system actu­ally worked. Tamer­lan Tsarnaev was put on the watch list. The watch list pinged at the appro­pri­ate lines. The appro­pri­ate DHS and FBI agents at the Joint Terror­ism Task Force were informed about poten­tial travel, but simply didn’t react. And one of the reports sugges­ted that there were so many people on the watch list trav­el­ing that day that that’s why there wasn’t a reac­tion. There was too many on the watch list. So is that an example of how this, is some­thing that has a privacy concern because there are so many people on the watch list. Also if we’re not eval­u­at­ing how effect­ive it is, it’s actu­ally serving less of a secur­ity purpose than we want.

CALLA­HAN: So I can’t speak to the watch list because FBI holds the watch list and NCTC nomin­ates people. DHS elements can nomin­ate but I wasn’t involved in that. But I’ve certainly seen examples where too much data leads to too much noise. And you can see that in every­day lives, you know. Why am I getting ads for teen­age boys’ things? I’m not a teen­age boy. I don’t have one. But some data­base has that. I do think that partic­u­larly in the intel­li­gence community too much data and data too far removed from its actual source are both going to be prob­lems as they try to identify what seems to be an innoc­u­ous trend versus what seems to be a nefar­i­ous one.

Q: You had already mentioned secrecy, and the secrecy demands in law enforce­ment and intel­li­gence work. How did that impact your abil­ity to get inform­a­tion that you needed to do your assess­ments?

CALLA­HAN: So when I got there and I only had tempor­ary secret clear­ance. I had two people in partic­u­lar say, “Well I can’t talk to you. You don’t have three stars. You only have one.” And I said, “Well could you tell me the secret level?’ And no, no, hush, hush. So the day I got three stars, I knocked on the door and I said, “Hi, I have three stars now, I can hear about it.” And what they told me was not signi­fic­antly differ­ent from what it was, but it’s that concept of you’ve got to keep it super-secret. But then, from an abil­ity to analyze it, I needed to make sure that my staff and every­body else had the same abil­ity to analyze signi­fic­ant inform­a­tion. But then I think the third point is that the fact that everything is so secret raises the level of self-import­ance of the inform­a­tion and so there­fore, you’ve got this snow­ball of, like “I can’t tell you because you don’t know.” Now you know you’ve got to be beholden to a higher stand­ard which is fine but you can’t tell anyone else, which is not neces­sar­ily fine depend­ing on what the issue and then you’ve got these little pock­ets of inform­a­tion that you can’t talk to other people about and say, “DOJ privacy officer, hey, State Depart­ment privacy officer, do you know about this?” And that can be a real burden, as well as obvi­ously the public trans­par­ency elements.

Q: And how import­ant would it be when you have a privacy issue that you see as a prob­lem but there isn’t any public aware­ness of that? How does that play in your abil­ity to raise the concerns you have with the appro­pri­ate audi­ence, whether within the DHS or Congress?

CALLA­HAN: Well that’s a fair ques­tion. So my respons­ib­il­ity as Home­land Secur­ity Privacy Officer is to the Secret­ary of Home­land Secur­ity. And there were times — five times — I brought issues up to Secret­ary level and five times I won, and then I lost in the inter­agency once. But you had to pick and choose and under­stand when to bring it up, and you also needed to have the support of your super­visor, in this cases the Secret­ary.

Q: And you felt you had that support?

CALLA­HAN: Yeah, abso­lutely. I abso­lutely did, and I honestly think that one of the reas­ons why I had that support was because DHS has been criti­cized for privacy so many times that it actu­ally made people more aware of it. And that people had had bumps and bruises in 2003 and then in 2005. And you know, there was a recog­ni­tion of the value even though that wasn’t neces­sar­ily the case in other depart­ments.  That has changed in the past year and that’s been very inter­est­ing to watch. But I think that you have to have the support of your super­visor, you have to have visib­il­ity across the agency, and you have to have candidly the infra­struc­ture to be able to do some­thing with it. I would posit that no other privacy officer whether we’re talk­ing intel­li­gence community or in the cabinet level privacy officers has the level of support that DHS does. We’ve got a separ­ate line item. We have our own staff. I’m a direct report and I have this invest­ig­at­ory author­ity I mentioned to you. Nobody else does. Section 802 of the 9/11 Commis­sion Recom­mend­a­tion says that there needs to be privacy officers in the cabinet level agen­cies. They need to have certain author­ity. They need to be able to deal with redress and they need to report to the head of the agency. I’m not sure that any other privacy officer with the excep­tion of possibly the DOJ, meets those stand­ards. And that’s a real gap.

Q: Did you ever feel pres­sure either within the agency from other intel­li­gence community compon­ents to water down your criti­cism or to ignore certain prob­lems?

CALLA­HAN: So I think the ques­tion is, how would the criti­cisms be mani­fes­ted? So you asked, did you feel like you could bring issues to people’s atten­tion, and I did. As I said, I brought them up to the Secret­ary. I got asked a couple of times, did I really need to be so strident and if I said yes, and people backed off and so that’s a good thing. But it’s also not like I could get a bully pulpit and say, “Hey Amer­ica… here’s what’s going on.” And so you had to figure out differ­ent ways to do it. I didn’t go to Congress all that often for the reas­ons we talked about. I was there a lot anyways. But, and at times they were help­ful, effect­ive. At the time, PCLOB was not stood up yet, and PCLOB is going to be a good safety belt for a lot of privacy officers, Home­land Secur­ity and others, that if there’s an issue that they’re not getting exec­ut­ive level atten­tion within a depart­ment or it’s an inter-agency one that they can’t deal with, PCLOB should be able to help.

Q: And do you feel the employ­ees within DHS felt that they could come to your office or come to one of the other IG’s?

CALLA­HAN: Yes.

Q: That they would be protec­ted if they came.

CALLA­HAN: Yes.

Q: —retali­ation… I don’t know if you have any… were any retali­ated against?

CALLA­HAN: That came to me? No, I mean,  I can’t speak to the IG’s but the people who came to me, whether it was in a whis­tleblower capa­city or not, were all protec­ted, I’m pretty sure that’s right. I recently checked.

Q: So this ques­tion might be more in your current role in private prac­tice, but obvi­ously the Amer­ican public has learned over the last 15 months, the scope of some of the spying activ­it­ies that have happened, not so much at DHS but certainly the other intel­li­gence agen­cies. How has that affected the tech industry, the comput­ing and commu­nic­a­tions industry?

CALLA­HAN: Well first the vast scope of it was kind of breath­tak­ing and it goes to that collect-first mental­ity — collect it and then maybe someday it will be useful — which I find to be a pretty imma­ture approach to things. But also what it has done is, it has made people suspi­cious of anything, whether it be the intel­li­gence community, Depart­ment of Home­land Secur­ity, tech­no­logy compan­ies. And this sense of suspi­cion has really, it clearly has affected inter­na­tional busi­ness in terms of work­ing in the EU, but it also has affected people’s confid­ence, and I would say it affects their confid­ence in the govern­ment which is very alarm­ing and gener­ally in busi­ness. They don’t trust that their inform­a­tion isn’t being shared without some predic­ate and that is some­thing that we’re going to have to deal with for a pretty long time, to try and over­come that.

Q: And you mentioned the imma­tur­ity of want­ing to collect it all and figure out how we’re going to make sense of it later. But is the fail­ure to look at that long-term consequence part of the prob­lem?

CALLA­HAN: So part of the prob­lem is that there wasn’t anyone who asked that ques­tion. Like, people at NSA are patri­ots. They are trying to do the right thing. They are work­ing really hard at it. They’re really smart and there was no one who said, “Is collect­ing every single phone number dialed in the United States, is that too much?” There was nobody who did that ex-ante analysis and that’s the role of a privacy officer. NSA has a great compli­ance officer but he was in, “Are we doing the right thing?” after the fact, and I actu­ally think putting in a Privacy and Civil Liber­ties Officer at NSA will help a lot and I know she is help­ing a lot because she’s asking those ques­tions up front. The fact that nobody asks it is disap­point­ing, but there was nobody who had that as their spec­trum or fulcrum to consider things.

Q: If a member of the public wants to know more about these issues, what mater­i­als would you suggest they read?

CALLA­HAN: There’ve been a lot of mater­i­als in the past year. The PCLOB reports I actu­ally think are very good. They’re pretty dense. I thought that the Pres­id­ent’s Review Group was pretty good. Prob­ably I would do a busman’s tour of the issues; it went a little bit all over the map. And I think that those are useful. As much as I like my privacy impact assess­ments and system of records notices, those may be a little hard to parse because they deal with you know, discrete elements. But I will say that the one thing that surprised me is the change from since June of 2013, is the fact that the Privacy Act may get changed and we may deal with deal­ing with non-U.S. citizens on the same level as U.S. citizens. I would never have predicted that, in a hundred years, that that would happen, because it deals with the intel­li­gence community and it deals with access and redress. And that was why it was origin­ally only for U.S. citizens and legal perman­ent resid­ents. So, that’s the one that the past year that surprised me a lot.

Q: And I imagine you see that as a good thing.

CALLA­HAN: Oh I do see that as a good thing. It’s more trans­par­ent, it’s more upfront and it’s fair, candidly, in this world. The inter­est­ing ques­tion is how does intel­li­gence collec­tion you know recon­cile itself with this?

Q: Well hope­fully with people like you, on the inside, asking these hard ques­tions. I really appre­ci­ate it.

CALLA­HAN: Thank you.