CIA’s Bulk Collection of American Records

Senators Ron Wyden and Martin Heinrich are raising concerns about a program of bulk data collection operated by the Central Intelligence Agency—one that permits the agency to store and search for information concerning Americans without the oversight or legal restrictions imposed by statues like the Foreign Intelligence Surveillance Act. A letter to intelligence chiefs written by Martin and Heinrich last April is one of several newly‐​declassified documents concerning the program, which had been the subject of an unpublished “deep dive” analysis by the Privacy and Civil Liberties Oversight Board (PCLOB). Yet the documents tell us maddeningly little about the program beyond the fact of its existence—one reason that Martin and Heinrich’s primary demand is for greater transparency. Nevertheless, there are a few inferences we can draw from both the letter and the recommendations offered by PCLOB staff.First, Wyden and Heinrich reference the history of legislative efforts to limit or prohibit the indiscriminate large‐​scale collection of U.S. person records. Though a large chunk of text here remains redacted, it seems quite clear they arreferencing such reforms as the USA FREEDOM Act of 2015, which ended the National Security Agency’s bulk telephony metadata program revealed by Edward Snowden. “And yet,” the senators write, “throughout this period, the CIA has secretly conducted its own bulk program [REDACTED]. It has done so entirely outside the statutory framework that Congress and the public believe govern this collection [.…]” So whatever CIA is doing, it is at least somewhat comparable to the NSA’s bulk telephone metadata program—sufficiently similar that the public and Congress would assume such activities had been addressed and regulated by recent legislative reforms.Second, Wyden and Heinrich urge greater transparency concerning the CIA’s “relationship with its sources,” which implies that the records in question are provided voluntarily—or at least knowingly—to the CIA by some outside source, rather than obtained surreptitiously, via interception or exfiltration. In other words, these are records that are being sold or given to CIA by some other entities with which the agency has an ongoing relationship. (It would not make sense to speak of a “relationship with its sources” if, for instance, the CIA had collected this data by hacking into the networks of foreign governments or corporations.) Since the letter worries that the CIA’s collection does not involve judicial oversight—at least not of the type associated with collection under the Foreign Intelligence Surveillance Act—and only the FBI can issue National Security Letters, it does not sound as though these records are obtained by compulsory process. So, again, it sounds as though they are likely being either volunteered or purchased.Third, the recommendations developed by PCLOB staff reference a pop‐​up box that is displayed to analysts when they query the database for information “deemed by the system” to pertain to U.S. persons, reminding them that a legitimate foreign intelligence purpose is required for such queries (though not, as PCLOB staff noted, requiring them to document that purpose within the system). That suggests that the records themselves (and the queries that might be run against them) probably include information of a type that an automated system could use to infer whether the record or query pertains to a U.S. person, such as a physical address, Internet Protocol address, or telephone number.As it happens, there has indeed been public reporting of a CIA bulk collection program fitting this description: Back in 2013, The New York Times reported that CIA was paying AT&T $10 million annually for access to call records, including both foreign‐​to‐​foreign calls carried by AT&T’s network and international calls with one endpoint in the United States. They’re able to do this thanks to a somewhat obscure loophole in federal privacy law.The Foreign Intelligence Surveillance Act (FISA) provides the “exclusive means” by which intelligence agencies may conduct domestic “electronic surveillance” for foreign intelligence purposes. The Electronic Communications Privacy Act (ECPA) governs how law enforcement agencies may conduct wiretaps or obtain telecommunications records. But tucked into a corner of ECPA, at 18 USC §2511(f), is a little carve out that leaves one type of information collection unregulated: Acquisition of information that pertains to either foreign or international (one end domestic) communications, for foreign intelligence purposes, that does not constitute “electronic surveillance” within the meaning of FISA. Wiretapping a phone call or Internet message is “electronic surveillance,” but that term is not understood as covering the production of business records containing telecommunications metadata. While ECPA requires law enforcement agencies to follow a statutory process in order to obtain such records—and forbids telecommunications companies from just handing them over to the government—§2511 exempts foreign intelligence from those rules. In effect, that means CIA vacuuming up such records falls in a gap between ECPA and FISA, regulated by neither statute. Collection falling in that gap isn’t regulated by laws Congress enacted, but instead by Executive Order 12333, first issued by President Ronald Reagan in 1981. And 12333 is pretty lax. In essence, it says that spy agencies must have some legitimate foreign intelligence purpose for gathering information about Americans, and must do so according to rules approved by their directors in consultation with the attorney general.As it happens, the §2511(f) loophole is addressed by a piece of legislation sponsored by Sen. Wyden, the Fourth Amendment Is Not For Sale Act, which seeks to regulate the purchase of private information by law enforcement and intelligence agencies, ensuring that they cannot circumvent judicially supervised means of obtaining private information simply by opening their wallets.While this is necessarily speculative, that’s a fair amount of circumstantial evidence suggesting that the bulk program referenced in these documents is, if not the bulk telephone records program reported by the Times in 2013, then at any rate something fairly similar. (It would not, for instance, be surprising if CIA had similar arrangements with various Internet providers or platforms.) If so, there’s good cause for concern.