Because I need a hobby, I’m knee deep in tracking how EO 12333 got changed in 2008. Part of the impetus came from Congress, some members of which were furious that OLC had given the President authority to pixie dust EO 12333 in secret.
But the bigger impetus came from the Intelligence Community.
That’s why this document — an NSA OGC memo on the sharing of raw SIGINT through database access released as part of ACLU’s FOIA for EO 12333 documents — is so interesting.
It captures a July 12, 2007 discussion about whether or not NSA could share its data with other agencies by making it available in databases.
You have asked us to conduct a legal review in order to set out the limits — and the rationale associated with the limits — on allowing personnel from other agencies access to NSA databases under the existing rules governing such access, and the advisability of changes to the Executive Order that would allow other agencies access to SIGINT databases.
While the memo adopts a cautious approach, recommending “case-by-case” access to SIGINT, it does embrace making SIGINT available by bringing Intelligence Committee partners into the production cycle (CIA and FBI both have people stationed at NSA), and finding ways to expand access to both phone and Internet metadata.
There are substantial and well-grounded legal limits on NSA’s ability to provide its partners and customers with access to raw SIGINT databases, both those that contain content and those that contain only metadata. Within those limits, NSA has lawfully expanded that access in two ways: with respect to content, we have expanded access by bringing IC partners within the SIGINT production chain in carefully defined circumstances. With respect to metadata, we have aggressively pushed telephony metadata to IC partners, and have plans in place to increase dramatically both the types and the completeness of the metadata we share.
Remember the timing of this: As The Intercept has reported, during precisely this period in 2007, NSA was implementing ICREACH — a sharing tool that would make metadata available to other agencies.
“The ICREACH team delivered the first-ever wholesale sharing of communications metadata within the U.S. Intelligence Community,” noted a top-secret memo dated December 2007. “This team began over two years ago with a basic concept compelled by the IC’s increasing need for communications metadata and NSA’s ability to collect, process and store vast amounts of communications metadata related to worldwide intelligence targets.”
ICREACH is likely what the Deputy General Counsel mean when by the reference to “plans in place to increase dramatically both the types and completeness of the metadata we share.”
But the memo helps to explain two more developments that happened in the year following this memo.
First, we know that starting in the fall, NSA started rolling out ways to chain through US person identities; Attorney General Michael Mukasey would sign off on that on January 3, 2008. The reasoning behind the change specifically involved making it easier to share metadata with CIA. That memo probably eliminated one of the problems with sharing US person phone records (not to mention Email records).
The memo provides interesting background to another change. While this memo did not advocate changing rules on sharing SIGINT under EO 12333, those rules nevertheless did change almost exactly a year after this memo came out. One of the significant changes to EO 12333 Bush implemented in July 2008 permitted the sharing of SIGINT content under Attorney General approved procedures.
the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.
The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,
In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.
The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.
In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.
Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it!
In other words, while the memo released strikes the tone of conservatism, we know the limits it invoked (at least in the unredacted parts) were eliminated over the next year, even for SIGINT content.