March 28, 2024 / by 

 

2008’s New and Improved EO 12333: Sharing SIGINT

As part of my ongoing focus on Executive Order 12333, I’ve been reviewing how the Bush Administration changed the EO when, shortly after the passage of the FISA Amendments Act, on July 30, 2008, they rolled out a new version of the order, with little consultation with Congress. Here’s the original version Ronald Reagan issued in 1981, here’s the EO making the changes, here’s how the new and improved version from 2008 reads with the changes.

While the most significant changes in the EO were — and were billed to be — the elaboration of the increased role for the Director of National Intelligence (who was then revolving door Booz executive Mike McConnell), there are actually several changes that affected NSA.

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

And a more subtle change goes even further. Section 2.5 of the EO delegates authority to the AG to “approve the use for intelligence purposes, within the United States or against a United States person abroad, of any technique for which a warrant would be required if undertaken for law enforcement purposes.” In both the original and the revised EO, that delegation must be done within the scope of FISA (or FISA as amended, in the revision). But in 1981, FISA surveillance had to be “conducted in accordance with that Act [FISA], as well as this Order,” meaning that the limits on US person collection and dissemination from the EO applied, on top of any limits imposed by FISA. The 2008 EO dropped the last clause, meaning that such surveillance only has to comply with FISA, and not with other limits in the EO.

That’s significant because there are at least three things built into known FISA minimization procedures — the retention of US person data to protect property as well as life and body, the indefinite retention of encrypted communications, and the broader retention of “technical data base information” — that does not appear to be permitted under the EO’s more general guidelines but, with this provision, would be permitted (and, absent Edward Snowden, would also be hidden from public view in minimization procedures no one would ever get to see).

Given that Section 2.5 would thus permit the collection of US person data so long as it was dubbed “technical data base information,” consider the way the intelligence mandate for a number of elements of the intelligence community (including DIA, FBI, DOD and its subcomponents generally, Coast Guard, NRO, NGA, and INR, in addition to NSA, but curiously not the CIA) were newly laid out. Each of these elements is permitted to collect intelligence to support national and departmental missions. Here’s how that language appears as it applies to the NSA:

Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions;

[snip]

Provide signals intelligence support for national and departmental requirements and for the conduct of military operations;

Curiously, this change comes with the elimination of the 1981 clause authorizing NSA’s “Conduct of research and development to meet the needs of the United States for signals intelligence and communications security” (though there is a similar clause in the 2008 EO applying to both the Intelligence Community as a whole and DOD specifically, which would both apply to NSA). NSA still collects and uses the data it needs to conduct research to advance the SIGINT mission, it appears, but as it seems in the 2008 EO, it does so in the name of advancing the Department’s goals, not the nation’s.

In 1981, only DOD had such a departmental mandate. Extending it to these other agencies and departments seems to give them a recursive purpose, the mandate to collect intelligence to serve their own department.

And all this comes in an EO that seems to envision SIGINT playing a bigger role in US intelligence (which makes sense, given that’s what we know to have happened). The 1981 EO explicitly calls for a balance between, “technical collection efforts and other means.” The 2008 EO eliminates that.

In addition, the 2008 description of both the CIA and FBI’s roles limits their focus to human and human-enabled sources (which is particularly curious given that FBI actually has a key role in SIGINT collection).

(A) The Director of the Federal Bureau of Investigation shall coordinate the clandestine collection of foreign intelligence collected through human sources or through human-enabled means and counterintelligence activities inside the United States;

(B) The Director of the Central Intelligence Agency shall coordinate the clandestine collection of foreign intelligence collected through human sources or through human-enabled means and counterintelligence activities outside the United States;

At the same time, the revised EO designates the Director of NSA as the functional manager for SIGINT, seemingly both within and outside of the US.

As I said, none of that should be surprising: it reflects both what we knew before last June, and has been reinforced with much of what we’ve learned with the Snowden leaks. But it does reflect a codification of that change that I don’t think got much notice at the time, even in spite of the EO’s revision coming so quickly on the heels of FAA.

There are two more items of interest that affect the potential scope of information sharing, and this applies to both NSA and other elements of the intelligence community (including, to the extent permitted by law, CIA).

First, in one of the changes the Bush Administration hailed at the time, the EO envisions information sharing outside of the Federal government, to state, local, and tribal governments, and to the private sector.

(f) State, local, and tribal governments are critical partners in securing and defending the United States from terrorism and other threats to the United States and its interests. Our national intelligence effort should take into account the responsibilities and requirements of State, local, and tribal governments and, as appropriate, private sector entities, when undertaking the collection and dissemination of information and intelligence to protect the United States.

This language is repeated several times in the EO.

In a far more subtle change, section 2.6(d) allows intelligence entities to cooperate not just with domestic law enforcement, but also with “other civil authorities” so long as it is not otherwise legally precluded. I can only begin to grasp what the Bush Administration had in mind with this. But at least in the case of NSA, in the face of endless cyber-fearmongering, I can imagine it might support NSA partnering with civil agencies overseeing critical infrastructure (to the extent that that infrastructure is owned by civil authorities and not the private sector).

In 2008, even as the Bush Administration insisted that protections on US person data didn’t change with EO 12333’s revision, it appears they did change those protections to allow the dissemination of SIGINT on US persons, potentially even to local governments and private entities.

I suspect many, perhaps most, of the changes affecting NSA were not actually new changes. As we know, John Yoo had pixie dusted EO 12333 to hide what the Bush Administration was doing with SIGINT. And at least as late as December 2007, Sheldon Whitehouse believed that pixie dust to remain in effect. So I think it likely that the NSA-related changes simply reflect what Bush had been doing since 2001 in any case.

But in retrospect, the changes to EO 12333 might have raised more alarm about the growing role of the NSA and the dissemination of the data on US persons it collected.

Copyright © 2024 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/tag/apcma/