December 12, 2007 / by emptywheel

 

All Your Data Belong to George

There’s a striking passage in one of the documents released in yesterday’s document dump.

Would NSA object to a legislative codification of E.O. 12333 minimization?

Yes because it can be difficult to change a statute if the procedures need to be changed in order to meet operational needs.

The passage refers to minimization, the process by which intelligence agencies protect the privacy of Americans whose communications are collected incidentally to their wiretapping activities. I find the passage striking, first of all, because it (indeed, the whole document) emphasizes the basis for minimization requirements in EO 12333, and not FISA. In response to a question about where minimization comes from, the document points to the EO.

Where does the need for minimization procedures come from?

The most direct answer is Executive Order 12333. Section 2.3 of that Order specifies that agencies in the Intelligence Community are authorized to collect, retain, or disseminate information concerning U.S. persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General.

This basically repeats that passage of EO 12333, which says,

Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order.

And then goes on to describe the kind of information that can be collected.

But why refer to an Executive Order, when FISA imposes a statutory requirement on minimization? And FISA’s minimization requirements provide more detail about what can and cannot happen with US person data.

(h) “Minimization procedures”, with respect to electronic surveillance, means—

(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

Now, the emphasis on EO 12333–and not FISA itself–may be innocuous. But given that George Bush went to the trouble of getting an OLC opinion stating he can turn any of his EOs into pixie dust, and given that Sheldon Whitehouse strongly implied that in some cases Bush had turned this particular EO into pixie dust, the emphasis on the EO doesn’t make me very comfortable.

And then there’s the continued refusal to consider subjecting the minimization procedures to some kind of oversight. As I have shown, DNI Mike McConnell appears to have abandoned the Democratic bills to amend FISA in August because they imposed some kind of review to ensure the NSA met its own minimization procedures.

And as the SSCI bill stands now, Sheldon Whitehouse (he who discovered the pixie dust Executive Orders) remains concerned about the minimization procedures.

The bills, as they are currently written, require the ICs to meet the minimization requirements in FISA, included above. But for some reason, the Administration remains really squeamish about any oversight into their minimization procedures. That’s not a good sign.

Update: Did you knew "data" is a plural? I did, but I forgot that until BobbyG reminded me.

Copyright © 2007 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2007/12/12/all-your-data-belongs-to-george/