Minimization Reforms

Minimization is the broad term that covers how the intelligence agencies may access, use, retain, and share collected data. Section 702 requires the government to adopt minimization procedures “to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.”¹ The minimization procedures must be approved by the FISA Court on an annual basis. Each participating intelligence agency has adopted its own Section 702 minimization procedures, which generally include use limitations, retention limits, and rules regarding dissemination or sharing of information.

Collection and minimization under EO 12333 are governed by rules promulgated by the federal intelligence agencies and approved by the attorney general. As noted above, because the NSA sits within the DoD, the minimization procedures for most signals intelligence under EO 12333 are found in DoD Manual 5240.01,² as well as the SIGINT Annex.³

Throughout the Schrems II decision, the CJEU refers to the U.S. intelligence agencies’ “mass processing” of EU citizens’ personal data as an infringement upon GDPR, which suggests that use limitations could be helpful in mitigating its concerns. Therefore, the U.S. government should adopt more robust and transparent limits on how collected information regarding specific individuals—regardless of nationality—may be used. For example, for data collected under EO 12333, the government should restrict all use of non-U.S. persons’ information to the six purposes laid out for bulk collection under PPD-28, as described above. For information collected under Section 702, the intelligence agencies should only be permitted to use information in connection with the approved foreign intelligence purpose—namely the subject of the particular certification approved by the FISA Court—for which it was collected.

One of the key techniques that the Intelligence Community employs to review and analyze collected signals intelligence is to conduct “queries.” This process involves inputting search terms into digital tools that will then comb through, or “query,” the applicable databases to locate information containing the search terms. Query terms may be based on a particular subject matter, but often the terms involve identifiers that are associated with a particular person. When query terms relate to a specific U.S. citizen or legal permanent resident, the Intelligence Community refers to the process as conducting a “U.S. person query,” and there are rules that govern both the standard and the process for conducting such queries. However, most of these rules do not apply to non-U.S. person queries.

Under Section 702, the querying procedures for both the NSA and the Central Intelligence Agency (CIA) provide that all queries, regardless of the search terms used, “must be reasonably likely to retrieve foreign intelligence information, as defined by FISA, unless otherwise specifically excepted in these procedures.”⁴ The Section 702 querying procedures of the Federal Bureau of Investigation (FBI) add an additional permissible purpose of reasonably likely to retrieve “evidence of a crime.”⁵ For U.S. person queries, there are also certain procedural requirements designed to impose some rigor to the process. When either the NSA or CIA seeks to conduct a U.S. person query, the agent must produce “a statement of facts showing that the use of that query term” will be reasonably likely to return foreign intelligence information. For the NSA, the procedures also require that any U.S. person query term must first be approved by the NSA’s Office of General Counsel, and such approvals will expire after one year unless they are renewed during that time. The FBI’s querying procedures are somewhat more complicated but generally require that the FBI produce a statement of facts showing that the query term meets the standard before an agent may review information returned from conducting a U.S. person query. In some limited circumstances, the FBI must obtain an order from the FISA Court before they access the information.⁶

By contrast, when any of these agencies conduct Section 702 queries using terms associated with a particular non-U.S. person, there are no similar documentation or process requirements. For non-U.S. person queries, no agency is required to prepare a written statement of facts showing that the query meets the “reasonably likely to return” standard. Nor is there any requirement, like the one the NSA applies for U.S. person query terms, for prior approval of non-U.S. person query terms.

Under EO 12333, the DoD procedures include a high-level purpose requirement, namely that agents may only conduct queries that are “relevant to the intelligence mission or other authorized purposes.”⁷ Although this language is contained within a section outlining protections for U.S. person information, its broad drafting suggests that this purpose requirement arguably applies to all queries. Moreover, the CIA may also collect electronic communications information, and its rules under EO 12333 require that any query of unevaluated information must be “reasonably designed to retrieve information related to a duly authorized activity of the CIA.”⁸

As with Section 702, there are more rigorous requirements for U.S. person queries of information acquired under EO 12333 than for other queries. For U.S. person queries, the DoD manual also requires that queries should be designed to minimize the amount of non-pertinent information returned, and that agencies should develop procedures for documenting the basis for such queries.⁹ In addition, the SIGINT Annex contains specific limits on conducting U.S. person queries, and permits such queries only if one of a list of conditions is met. These include that the query subject has been approved as a target of surveillance under FISA, and procedures also outline certain circumstances under which approval must be received from the director of the NSA or the U.S. attorney general in order to conduct a U.S. person query. By contrast, beyond the broad “relevant to an authorized purpose” rule, the DoD procedures and SIGINT Annex do not contain any specific requirements for queries using terms associated with a specific non-U.S. person, unless that individual is physically present in the United States.

Queries are a critical tool through which U.S. intelligence agencies process data, and processing safeguards for non-U.S. persons are direly needed.

There has been a significant amount of debate in the United States over strengthening the standards for when it is permissible to conduct U.S. person queries, and it is still critical that the government strengthen those standards.¹⁰ But, to respond to the Schrems II decision, the U.S. government should also raise the bar for queries seeking information about residents of other countries. Queries are a critical tool through which U.S. intelligence agencies process data, and processing safeguards for non-U.S. persons are direly needed.

At a minimum, under Section 702, the U.S. government should extend the requirement for a supporting statement of facts to cover all queries seeking information about any specific person, regardless of that person’s nationality or location.¹¹ As noted above, NSA and CIA personnel are already required to document the basis for their U.S. person queries, and the government should expand application of this rule to all agencies participating in Section 702 and to non-U.S. person queries. The rationale for mandating documentation is that it induces agents to think through, and support with facts, their assessment that using the query term will actually meet the query standard. A requirement for a statement of facts in support of query terms will therefore help ensure that queries actually meet the standard—“reasonably likely to return” foreign intelligence information—that already applies to all queries under Section 702. Further, the U.S. government should apply this same standard and documentation requirement to queries of SIGINT data collected under EO 12333, whenever the query uses a term associated with a specific person, regardless of nationality. This will help ensure that all queries of surveillance data collected under EO 12333 are designed to be reasonably likely to return foreign intelligence information.

The privacy rights of both U.S. and non-U.S. persons can also be improved by addressing the data retention policies that apply to information gathered by the intelligence agencies. Generally speaking, the privacy risks increase the longer a piece of information is held. If some data has been deleted, it obviously cannot thereafter be inappropriately accessed or misused. This is why it is important for standard retention periods to be no longer than is necessary to serve the purpose for which the data was collected. Although intelligence agencies assert that they never know when a piece of information may turn out to be helpful, default retention periods for data that has not been identified as relevant to foreign intelligence purposes should be shortened. Agencies should have an obligation to review collected intelligence information and determine what data meets retention standards and what data can and should be purged, in a timely manner.

The default retention period for data collected by the U.S. government under both Section 702 and EO 12333 is five years in most cases.¹² The FBI is authorized to retain Section 702 data for up to 15 years in certain circumstances and with some additional safeguards.¹³ In general, data that has been identified as “foreign intelligence” can be retained indefinitely, but data that has not been reviewed, or has been reviewed but not identified as foreign intelligence information, will age off at the end of the default retention period. Lowering the default time period to three years under both authorities will better protect personal data by removing it from the government’s systems faster. In at least one context, government officials have already found that a three-year retention period for surveillance information is sufficient to preserve data during its period of maximum effectiveness.¹⁴ Moreover, it is important to recognize that decreasing the default retention period does not prevent the intelligence agencies from retaining information indefinitely when they have already assessed that the particular data constitutes foreign intelligence information.

In addition, each agency’s Section 702 minimization procedures contain exceptions to the default retention rule that should be examined and narrowed. For example, most of the agencies have exceptions for encrypted information or for information necessary to pursue the broadly stated “authorized foreign intelligence or counterintelligence requirements.”

Further, when intelligence agency personnel actually review collected information and do not affirmatively assess it to qualify as foreign intelligence information, they should be required to purge that data rather than waiting until expiration of the default retention period. Disturbingly, the FBI’s Section 702 minimization procedures actually take the opposite approach—if information has been reviewed but “not identified as information that reasonably appears to be foreign intelligence information, to be necessary to understand foreign intelligence information or assess its importance, or to be evidence of a crime,” this is still sufficient to extend the default retention period to 10 years or, with certain additional controls in place, up to 15 years.¹⁵ By contrast, the NSA’s Section 702 minimization procedures state that they require purging data regarding U.S. persons “at the earliest practicable point” at which the NSA can determine that the information is “clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime.”¹⁶ Purging data that does not qualify as foreign intelligence information can be a critical safeguard for civil liberties.¹⁷ However, the NSA’s rule only applies to information regarding U.S. persons and, in practice, “most collected communications are not reviewed for the purging of non-foreign intelligence matters upon collection, or at any set time thereafter prior to use.”¹⁸

We recognize that significant quantities of information will likely not be reviewed before the data ages off under the applicable default retention period. However, when intelligence analysts or agents actually review collected information, they should be required to make a determination as to whether or not the data qualifies as foreign intelligence information that the agency is authorized to retain. Any information that does not meet the applicable standard should be purged. This purge requirement should apply to all collected information that fails to qualify as foreign intelligence information (or, for the FBI, as evidence of a crime), regardless of the nationality of the person who is the subject of the information. The FBI’s and CIA’s procedures should be amended to incorporate an obligation to assess the value of information when conducting a review of collected data. The minimization procedures for all intelligence agencies participating in the Section 702 program should also be updated to reflect the purging requirement, and it should be fully enforced, for both U.S. and non-U.S. persons, with proper oversight.

In addition, the FBI’s broad authorization for 10- and 15-year default retention periods should be eliminated. Information that has been assessed to constitute foreign intelligence information or evidence of a crime may already be retained beyond the default period. If the FBI seeks to extend the retention period for any information not yet assessed to meet this standard, the FBI should be required to make a showing to the FISA Court demonstrating the reason why longer retention periods for this data—which has not been assessed to constitute foreign intelligence or evidence of a crime—is necessary, and how the longer retention period will meet the authorized purpose for the data collection.