What the Government Does with Americans' Data
After the attacks of September 11, 2001, the government’s authority to collect, keep, and share information about Americans with little or no basis to suspect wrongdoing dramatically expanded. While the risks and benefits of this approach are the subject of intense debate, one thing is certain: it results in the accumulation of large amounts of innocuous information about law-abiding citizens. But what happens to this data? In the search to find the needle, what happens to the rest of the haystack?
For the first time in one report, the Brennan Center takes a comprehensive look at the multiple ways U.S. intelligence agencies collect, share, and store data on average Americans. The report, which surveys across five intelligence agencies, finds that non-terrorism related data can be kept for up to 75 years or more, clogging national security databases and creating opportunities for abuse, and recommends multiple reforms that seek to tighten control over the government’s handling of Americans’ information.
The attacks of September 11, 2001, and the intelligence failures preceding them, sparked a call for greater government access to information. Across a range of laws and policies, the level of suspicion required before law enforcement and intelligence agencies could collect information about U.S. persons was lowered, in some cases to zero. Many restrictions on gathering information about First Amendment-protected activity have been similarly weakened. The result is not merely the collection of large amounts of information, but a presumptive increase in the quantity of information that reflects wholly innocuous, and in some cases constitutionally protected, activity.
While some publications address whether lowering the threshold for suspicion to collect information poses an undue risk to civil liberties, this report addresses a separate question: Regardless of whether the expansion of the government’s domestic information collection activity can be expected to yield enough additional “hits” to justify its various costs, how do federal agencies deal with the apparent “misses” — the stores of information about Americans that are swept up under these newly expanded authorities and that do not indicate criminal or terrorist behavior?
One might expect that this information would NOT be retained, let alone extensively shared among agencies. To the contrary, there are a multitude of laws and directives encouraging broader retention and sharing of information — not only within the federal government, but with state and local agencies, foreign governments, and even private parties. Policymakers remain under significant pressure to prevent the next 9/11, and the primary lesson many have taken from that tragedy is that too much information was kept siloed. Often lost in that lesson is that the dots the government failed to connect before 9/11 were generally not items of innocuous information, but connections to known al Qaeda or other foreign terrorist suspects. Meanwhile, the cost of data storage is plummeting rapidly while our technological capabilities are growing, making it increasingly cheap to store now and search later.
Of course, federal and state agencies must maintain databases to carry out legitimate governmental purposes, including the provision of services, the management of law enforcement investigations, and intelligence and counterterrorism functions. In addition, where law enforcement agencies have reasonable suspicion of possible criminal activity or intelligence components are acquiring information on foreign targets and activity, they must retain information to track investigations, carry out lawful intelligence functions, and ensure that innocent people are not repeatedly targeted.
History makes clear, however, that information gathered for any purpose may be misused. Across multiple administrations, individuals and groups have been targeted for their activism, and sensitive personal information has been exploited for both political and petty reasons. The combination of vastly increased collection of innocuous information about Americans, long-term retention of these materials, enhanced electronic accessibility to stored data, and expanded information-sharing exponentially increases the risk of misuse.
Against this backdrop, this report analyzes the retention, sharing, and use by federal law enforcement and intelligence agencies of information about Americans not suspected of criminal activity. It examines five distinct categories of information. The categories are Suspicious Activity Reports, assessments, National Security Letters, searches of electronics at the border, and information acquired by the National Security Agency.
Among these data sets, this report finds that in many cases, information carrying no apparent investigative value is treated no differently from information that does give rise to reasonable suspicion of criminal or terrorist activity. Basically, the chaff is treated the same as the wheat. In other cases, while the governing policies do set certain standards limiting the retention or sharing of non-criminal information about Americans, the restrictions are weakened by exceptions for vaguely-described law enforcement or national security purposes. Depending on the data set, presumptively innocuous information may be retained for periods ranging from two weeks to five years to 75 years or more.
And the effect of these extensive retention periods is magnified exponentially by both the technological ability and the legal mandate to share the information with other federal agencies, state and local law enforcement departments, foreign governments, and private entities.
To address these problems, this report recommends the following reforms:
- Ensure that policies governing the sharing and retention of information about Americans are accessible and transparent.
- Prohibit the retention and sharing of domestically-gathered data about Americans for law enforcement or intelligence purposes in the absence of reasonable suspicion of criminal activity, and impose further limitations on the dissemination of personally identifiable information reflecting First Amendment-protected activity.
- Reform the outdated Privacy Act of 1974, which has fallen far short of its goal of protecting the privacy of Americans’ personal information, through statutory amendments and establishment of an independent oversight board.
- Increase public oversight over the National Counterterrorism Center, a massive federal data repository that increasingly is engaged in large-scale aggregation, retention, and analysis of non-terrorism information about Americans.
- Require regular and robust audits of federal agencies’ retention and sharing of non-criminal information about Americans.
These measures will preserve the government’s ability to share critical information and safeguard the nation’s security while limiting the amount of innocuous information about innocent people that is kept and shared. This will reduce the risk of abuse and misuse, and prevent the government from drowning in data.
- 5 years: How long the National Security Agency keeps “metadata” about all Americans’ domestic and international phone calls without suspicion of wrongdoing
- 5 years: How long the National Counterterrorism Center can keep and search databases of non-terrorism information about Americans
- 5 to 20 years: Retention periods for databases that store at least some information from border searches of Americans’ laptops, phones, hard drives, and more
- 6 years: Time period, beginning with the start of surveillance, that the NSA can keep Americans’ incidentally gathered communications
- 20 to 30 years: Amount of time the FBI keeps information collected via assessments and National Security Letters, even when it is irrelevant to a current investigation
- 30 years: Time period that Suspicious Activity Reports with no nexus to terrorism are kept by the FBI
- 1 Billion and growing: Records in the FBI’s Investigative Data Warehouse
- 1,000,000 sq. ft.: Size of National Security Agency’s data center (opening in 2014)
- 41 billion: Communications records stored by NSA’s XKEYSCORE system every 30 days
How Americans' Data is Collected