Robert Eatinger — the former CIA lawyer deeply implicated in torture who referred the authors of the Senate Intelligence Committee report on torture to DOJ for criminal investigation — has a curious column in The Cipher Brief. Eatinger purports to rebut commentators who have described “Executive Order 12333 as a sort of mysterious, open-ended authorization for U.S. intelligence agencies to engage in secret, questionable activities.” But mostly he addresses the Agency’s new Attorney General Guidelines under EO 12333 approved by Loretta Lynch on January 17.
Eatinger doesn’t explain what led to the adoption of new procedures. He does at least admit that the CIA had been operating on procedures written in 1982, a year after EO 12333 mandated such procedures. He also admits that those procedures did not reflect, “advances in collection methods due to changes in technology and privacy interests unforeseen in 1982, which did not contemplate the ubiquitous use of mobile phones, computers, and other digital media devices or evolving views of privacy and thus did not seek to address ‘big data’ or ‘bulk’ collection.” But readers who didn’t know better might conclude from Eatinger’s piece that the CIA just decided out of the blue to start protecting Americans’ privacy.
The proximate change to the procedures was likely a desire to finally expand data sharing under Obama’s new EO 12333 sharing rules, a final step before accessing a firehose of data from the NSA (curiously, Eatinger doesn’t mention that these new procedures will probably enable the expanded intake of vast amounts of bulk data including US person information). It also (as I’ll explain) belatedly responds to a mandate from Congress.
But in reality, the change comes in response to over three years of nagging from the Privacy and Civil Liberties Oversight Board, which asked James Clapper and Eric Holder to make agencies update these procedures back in August 2013, pointing out how much technology had changed in the interim. Which is another way of saying that, for the entire time when Eatinger was a top CIA lawyer, CIA was perfectly happy to operate on 35-year old procedures not reflecting current technology.
Among the procedures limiting CIA’s (newly expanded) access to bulk data, Eatinger highlights the five year restriction on retention of information including US person data.
These sections also satisfy the requirements to create procedures that limit to five years the retention of any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication except in defined circumstances (Section 309).
Section 6 creates two different types of handling requirements for unevaluated information; one for “routine” handling and one for “exceptional” handling. Exceptional handling requirements apply to intelligence collections either of nonpublic communications that were acquired without the consent of a party to the communication, or that are anticipated to contain U.S. person identifying information that is significant in volume, proportion, or sensitivity. The exceptional requirements include segregating the unevaluated information, limiting access to CIA employees who receive special training, creating an auditable record of activity, and importantly, requiring such information to be destroyed no later than five years after collection, permitting extensions in limited circumstances.
The five-year limit in Section 6 is but one example of how specifics in the new procedures attempt to find the right balance of intelligence and privacy interests. Each procedure involves an effort to find the right tradeoffs to allow lawful intelligence collection and protect privacy and civil liberty rights and interests. The tradeoff was between the risk to a loss in intelligence capabilities by destroying information at five years against the risk to compromising privacy interests by keeping the information longer.
It’s not until nine paragraphs after Eatinger introduces this requirement, which he notes arises from “Section 309” in paragraph 8, that he explains where it comes from in paragraph 17, from Congress.
The five-year retention period in Section 6 was not set by the CIA, DNI, or Attorney General, however, it was set by Congress through Section 309.
Which is another way of saying that for over two years after Congress passed this law mandating the destruction of bulk data including US person data after five years, CIA hadn’t updated its EO 12333 procedures to reflect that requirement (this was after Eatinger left CIA, so we can’t blame him for the tardiness).
Now, Eatinger helpfully confirms something I’ve long believed but hadn’t confirmed: rather than sorting through and deleting the US person data in the collection, which would be all the law requires, the CIA instead destroys the entire data set at the five year interval, effectively extending the privacy protections passed to cover US persons to foreigners as well (you’re welcome, Europe). Eatinger does so in a passage laying out the trade-offs to deleting data after five years.
Deleting all unevaluated information specifically concerning U.S. persons has little to no intelligence downside because intelligence agencies will never want or have reason to search their intelligence holdings. The five-year period to destroy all unevaluated information, however, will remove not only information concerning U.S. persons but also any information potentially concerning valid intelligence targets, such as international terrorists, from the intelligence agencies holdings. In this latter case, however, intelligence agencies will want and may have a reason to search its holdings for information on these targets. The deletion of that information could thus have an adverse intelligence impact, particularly on counterterrorism and counterproliferation intelligence reporting, as well as on the conduct of human intelligence operations, all of which are important activities of the CIA.
The CIA could be expected to search all of its holdings upon receiving intelligence identifying a previous unknown person as a suspected terrorist or proliferator. Under the five-year retention period, when the CIA conducts the search, any unevaluated information on that person that may have been acquired during a bulk collection activity over five years ago will have been deleted; CIA’s search will not retrieve that information. Thus, CIA might gain an incomplete or misleading understanding of the individual, his place in a terrorist network, and his contacts. Or, CIA may send intelligence officers to conduct dangerous human intelligence operations to collect information it once had. The loss of five-year old information could also adversely impact the spotting, assessing, recruiting, and running of human sources. [my emphasis]
This is how Eatinger introduces Congress’ role in requiring CIA to destroy data after five years: to blame them for limiting the CIA’s ability to sit on bulk data on Americans and foreigners for 25 years. To his credit, Eatinger does describe Congress as “the right body” to “impose” a “single retention period … on the entire intelligence community.” Given his direct attacks on Congressional oversight of the torture program, though, I wonder precisely in what spirit he intended this comment.
In any case, Eatinger also emphasizes that CIA doesn’t have to abide by this “single retention period … imposed on the entire intelligence community.” After suggesting that some agencies might be able to abide by the Congressional mandate, he asserts unnamed other agencies may not be able to.
Some intelligence entities likely could accomplish their mission and destroy unevaluated information in less than five years. Others may need to retain information longer than five years.
He then notes that Congress has given agencies an out.
Congress has provided that intelligence agency heads may retain information longer than five years if the head determines a longer retention “is necessary to protect the national security of the United States” and certifies in writing to the intelligence committees the reasons for that determination, the new retention period, the particular information to be retained; and the measures that will be taken to protect the privacy interests of U.S. persons and persons located inside the United States.
That out is laid out in CIA’s procedures at 188.8.131.52, but rather than stating the intelligence committees must get notice, the section says only that, “Upon such extension, the [CIA Director] shall complete any notifications required by statute, Executive Order, or other Presidential decree” which, given the way the Bush Administration ignored FISA based on Presidential decree, doesn’t inspire confidence that Congress would get the notice mandated under Section 309.
In any case, we have reason to believe the CIA is just one month into receiving an expanded firehose of data, including a great deal of data on Americans. And Eatinger sure seems to suggest the CIA may never give the data obtained via that firehose up.