The Emergency EO 12333 Fix: Section 309
In a last minute amendment to the Intelligence Authorization, the House and Senate passed a new section basically imposing minimization procedures for EO 12333 or other intelligence collection not obtained by court order. (See Section 309)
(3) Procedures.–
(A) Application.–The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B).
(B) Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–
(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;
(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;
(iii) the communication is enciphered or reasonably believed to have a secret meaning;
(iv) all parties to the communication are reasonably believed to be non-United States persons;
(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and
the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the
date such retention is extended under this clause;(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional
intelligence committees on an annual basis; or(vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing–
(I) the reasons extended retention is necessary to protect the national security of the United States; (II) the duration for which the head of the element is authorizing retention;(III) the particular information to be retained; and
(IV) the measures the element ofthe intelligence community is taking toprotect the privacy interests of UnitedStates persons or persons locatedinside the United States.
The language seems to be related to — but more comprehensive than — language included in the RuppRoge bill earlier this year. That, in turn, seemed to arise out of concerns raised by PCLOB that some unnamed agencies had not revised their minimization procedures in the entire life of EO 12333.
Whereas that earlier passage had required what I’ll call Reagan deadenders (since they haven’t updated their procedures since him) to come up with procedures, this section effectively imposes minimization procedures similar to, though not identical, to what the NSA uses: 5 year retention except for a number of reporting requirements to Congress.
I suspect these are an improvement over whatever the deadenders have been using But as Justin Amash wrote in an unsuccessful letter trying to get colleagues to oppose the intelligence authorization because of the late addition, the section provides affirmative basis for agencies to share US person communications whereas none had existed.
Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.
To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.
[snip]
In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night.
Which raises the question of what the emergency was to have both houses of Congress push this through at the last minute? Back in March, after all, RuppRoge was happy to let the agencies do this on normal legislative time.
I can think of several possibilities:
- The government is imminently going to have to explain some significant EO 12333 collection — perhaps in something like the Hassanshahi case or one of the terrorism cases explicitly challenging the use of EO 12333 data and it wants to create the appearance it is not a lawless dragnet (though the former was always described as metadata, not content)
- The government is facing new scrutiny on tools like Hemisphere, which the DOJ IG is now reviewing; if 27-year old data is owned by HIDTA rather than AT&T, I can see why it would cause problems (though again, except insofar as it includes things like location, that’s metadata, not content)
- This is Dianne Feinstein’s last ditch fix for the “trove” of US person content that Mark Udall described that John Carlin refused to treat under FISA
- This is part of the effort to get FBI to use EO 12333 data (which may be related to the first bullet); these procedures are actually vastly better than FBI’s see-no-evil-keep-all-data for up to 30 years approach, though the language of them doesn’t seem tailored to the FBI
Or maybe this is meant to provide the patina of legality to some other dragnet we don’t yet know about.
Still, I find it an interesting little emergency the intelligence committees seem to want to address.
Do you really think there may be a dragnet you don’t know about yet? And, when (and what) was the last “newly discovered dragnet” you learned about? Just curious.
To me, this reads like a significant expansion on even the bolder representations of EO12333 authority that we have heard so far. We don’t have any choice at this point but to make the most liberal and literal meaning of the words possible, right?
.
In that case, I think it might even be generous to say that this imposes “minimization procedures” similar to what the NSA (says it) uses. Retention and dissemination controls are only part of minimization. The other, and arguably more important, part is that NSA is only supposed to by *trying* to acquire foreign intelligence communications in the first place and is supposed to be making some reasonable effort to filter US-person communications at the acquisition stage.
.
But 309 first *authorizes* collection (including acquisition, retention, and dissemination) with no restriction at all. The fact that the word “incidental” is in the title isn’t inherently meaningful. It then only places (ridiculously weak) restrictions on the retention side, and only after 5 years have passed. Let’s just try re-ordering the words in 309 to put the subjects and predicates together in the usual order, since the section author has scattered them into back-and-forth loops of references.
.
“The adopt[ion by] each head of an element of the intelligence community of procedures approved by the Attorney General that ensure compliance with limitation on retention in excess of 5 years shall permit the acquisition, retention, and dissemination of any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage, [as part of] any intelligence collection activity that is reasonably anticipated to result in the acquisition of [such] communication to or from a United States person [and that is] not otherwise authorized by court order (including under the Foreign Intelligence Surveillance Act), subpoena, or similar legal process.”
Am I making some grammatical or syntactical mistake in thinking that I haven’t changed the meaning at all there?