Revisiting Legacy Restrictions on the Intelligence Community’s Handling of SIGINT Data on Non-Americans

Why are U.S. intelligence agencies still applying extraordinary safeguards to the incidentally collected communications of Chinese, Russian and Iranian citizens as well as the nationals of EU allies that refuse to offer similar privacy protections to Americans?

After answering that question, we will recommend that the administration conduct a comprehensive assessment of the actual mission, administrative and opportunity costs of restricting how the intelligence community handles data gleaned from the intercepted communications of non-Americans. Against the ongoing security costs of maintaining the status quo, the administration should weigh the potential commercial harm of a change in U.S. policy to American firms that rely on approved procedures for data transfers between the U.S. and the European Union (EU). Informed by this analysis, the administration should revisit the question of lifting these restrictions entirely or, at a minimum, amending U.S. policy to require reciprocal treatment of Americans’ personal information by any country that wants such privacy protections for its own citizens.

The History

In early 2014, President Obama issued Presidential Policy Directive—Signals Intelligence Activities (PPD-28) that, inter alia, imposed new restrictions on the intelligence community’s handling of signals intelligence (SIGINT) information concerning non-U.S. persons. PPD-28 responded to domestic and foreign criticism triggered by Edward Snowden’s unlawful disclosure of U.S. classified electronic surveillance programs. The directive was also informed by the findings and recommendations of an expert review group appointed to examine how the intelligence community collected and processed SIGINT information.

In his written order, as well as in accompanying public remarks, President Obama presented a strong national security and foreign policy justification for collecting SIGINT. He also acknowledged the widespread fear that large, powerful and highly secretive government organizations like the National Security Agency (NSA) were gathering and storing a significant volume of personal information unrelated to the United States’s security interests. In PPD-28, Obama therefore directed that the same safeguards developed to protect the constitutionally grounded privacy rights and civil liberties of Americans would henceforth be extended by U.S. intelligence agencies to all people “regardless of nationality.” This dramatic change in intelligence policy was not required by U.S. law but, rather, was undertaken voluntarily for diplomatic reasons. Indeed, the self-imposed restrictions on U.S. intelligence activities in PPD-28 contradict the charge in the intelligence community’s long-standing “charter”—Executive Order 12333—that “[a]ll reasonable and lawful means must be used to ensure that the United States will receive the best intelligence possible.”

The Office of the Director of National Intelligence (ODNI) complied fully with PPD-28’s requirements, including by publishing periodic reports on new procedures designed to ensure that whenever personal information about a foreigner is unintentionally or “incidentally” (in intelligence parlance) collected, it is treated in the same manner as data concerning a U.S. person. This means the data are treated according to the Constitution, U.S. statutes, executive orders and relevant agency regulations. These changes principally affected operations at the NSA, the Central Intelligence Agency, and the Federal Bureau of Investigation and changed how long a foreigner’s personal information could be retained (five years); how unique personal identifiers should be “minimized” or obscured before a report is sent to another agency; and how intelligence community agencies train their officers in these new requirements, monitor compliance and facilitate external oversight.

As the intelligence community was implementing PPD-28, the European Court of Justice (ECJ) invalidated the so-called Safe Harbor framework that had governed how U.S. businesses handle the personal information of their European customers. One concern expressed by the ECJ in its ruling was that data about EU citizens could too easily be obtained from these firms by U.S. intelligence agencies. Under intense pressure from technology firms, U.S. and European negotiators quickly agreed to a new data transfer agreement called Privacy Shield. The Europeans regard President Obama’s general rhetorical endorsement of privacy along with PPD-28’s specific safeguards for foreigners’ personal information as critical to the viability of Privacy Shield. To further reassure anxious Europeans, the U.S. Congress later passed the Judicial Redress Act of 2015 that allows citizens of designated EU states to challenge and seek redress for the U.S. government’s mishandling of their personal information.

Current Context

Media reporting in Europe on PPD-28 and President Obama’s remarks largely ignored the extension of privacy protections and focused instead on his clarification of when U.S. intelligence would target foreign leaders’ communications for collection. In the intervening years, no government in Europe or elsewhere, took up the cause of universal privacy rights that President Obama advanced with PPD-28. Privacy and civil liberties advocates in the U.S. welcomed PPD-28 for its normative value but reverted quickly to criticizing certain vague terms and alleged inconsistent procedures buried in the agencies’ public implementation reports.

Most observers expected that President Trump would act quickly to rescind the voluntary restrictions on lawful intelligence activities that his predecessor ordered in PPD-28. However, in responding to an oversight report on the directive, the ODNI reported that “[i]n 2017, the Trump Administration conducted an interagency review of PPD-28 and determined that it should remain in place[,] … it continues to have the force of law … [and] [c]ompliance remains mandatory.” Presumably, uncertainty over the EU’s reaction to changes in PPD-28 and fear of the potential disruption to U.S. business operations if Privacy Shield were undermined convinced the new administration to leave these policies in place. Notwithstanding PPD-28’s continued viability and the availability of the Judicial Redress Act, the Privacy Shield data transfer framework is once again under legal and regulatory attack in Europe.

For example, Max Schrems, the privacy advocate whose suit invalidated Safe Harbor, has brought another case, this time challenging Facebook’s use of standard contractual clauses to transfer data. Schrems again alleges that U.S. surveillance laws breach European citizens’ fundamental privacy rights by enabling too easy access for U.S. intelligence agencies to Europeans’ personal data. PPD-28 has proved central to the EU’s legal defense of Privacy Shield. In explaining U.S. surveillance laws to the court, experts have testified to PPD-28’s safeguards and limitations on U.S. intelligence. The ECJ’s advocate general stated that he will issue a nonbinding opinion in the case on Dec. 12. The ECJ will then likely issue its decision, which could significantly affect Privacy Shield, in early 2020. In addition, several French privacy groups have brought a suit focused specifically on Privacy Shield. This litigation is on hold until the ECJ issues its decision in Schrems II.

A Way Forward

PPD-28 usefully clarifies and defends the U.S. practice of targeting, collecting and retaining foreign communications that are needed to warn of threats and inform difficult national security decisions. PPD-28’s explanation of why, whether, when and how the intelligence community targets foreign communications offers beneficial transparency for the U.S. public into otherwise opaque intelligence activities and (arguably) some limited reassurance for foreign governments that are under pressure from voters to defend their rapidly eroding privacy.

However, President Obama’s embrace of a universal right to privacy and decision to restrict the dissemination and retention of personal information lawfully collected by the intelligence community was an exaggerated response to a mostly cynical complaint by our European allies following the Snowden disclosures. After PPD-28 extended uniquely American privacy protections to EU citizens, their governments went mute. Indeed, since PPD-28 was issued, no government in Europe has reciprocated by offering similar privacy protections to Americans. Outside of Europe, the autocratic leaders in Moscow, Beijing and Tehran presumably regard PPD-28’s gift of American-style civil liberties to their citizens with suspicion, disbelief and/or confusion.

Correcting this flawed policy five years after the fact will not be a straightforward matter. To start the process, the administration should conduct a classified review to assess more comprehensively the actual security costs of implementing PPD-28’s provisions regarding foreigners’ data. An honest effort to capture the hours spent by intelligence community officers reviewing incoming signals, identifying protected personal information, minimizing the text of reports and monitoring compliance with the directive will be a good start. But PPD-28 also imposes opportunity costs because these highly trained officers are spending their time dutifully implementing PPD-28’s restrictions rather than engaging in more productive intelligence tasks during the work day. These costs, while important for purposes of analysis, will be more difficult to measure. It is simply not true that imposing new intelligence regulations is ever cost free or “security neutral.” The most difficult security cost to assess is the possible loss of factual evidence when an analyst’s name trace request does not return any positive results because biographic information on a foreigner who was not originally targeted for collection but now is of intelligence interest was earlier purged from intelligence community databases under PPD-28. Finally, it will be nearly impossible to measure the potential cultural shift of diminished aggressiveness signaled by PPD-28. We expect these administrative, mission and opportunity costs will outweigh the scant diplomatic gains registered with the European governments at whom this gesture was directed.

The more challenging aspect of our proposed reappraisal of PPD-28 concerns Privacy Shield. It was a mistake to link U.S. intelligence and national security policies to a commercial negotiation over the data-handling practices of transatlantic businesses. Separating the actions that our intelligence agencies take to keep us safe from the terms under which U.S. companies serve their customers in Europe will be difficult—if not impossible—at this point. Indeed, as of this month, nearly 5,000 separate organizations were signed up to the Privacy Shield framework.

The commercial risk may well prove too great, or simply too uncertain, for the administration to annul fully PPD-28’s restrictions on handling non-U.S. person data. This is especially the case given the domestic political repercussions that could accompany a lengthy disruption in transatlantic operations involving U.S. technology firms.

If PPD-28’s restrictions cannot be rescinded at this time for commercial reasons, the administration should, at least, amend the directive to make these extraordinary privacy protections available on a reciprocal basis only to those foreign states that provide similar, credible safeguards for Americans’ personal information. The Judicial Redress Act is a useful example of how to enforce reciprocity on foreign states that receive specific privacy assurances from the U.S. government.

Indeed, in a 2016 transition paper on surveillance policy, the Center for a New American Security (CNAS) recommended phased implementation of such a reciprocity requirement. The CNAS proposal would allow foreign governments wishing to preserve PPD-28’s privacy protections for their citizens one year to enact comparable safeguards for Americans’ personal information.

It is not too late to revisit the risks and benefits of restricting the intelligence community’s handling of information it acquires concerning foreign nationals. The Trump administration should endeavor to fully assess the security costs of the Obama administration’s effort to extend privacy rights globally. Based on this analysis, we suspect the prudent approach will be either to rescind the restrictions in full or, if the commercial risks of such a step are judged too great at this time, to amend PPD-28 to require that foreign governments respect our citizens’ privacy in equal measure.