On Thursday, the Obama administration finalized new rules that allow the National Security Agency to share information it gleans from its vast international surveillance apparatus with the 16 other agencies that make up the U.S. intelligence community.
With the new changes, which were long in the works, those agencies can apply for access to various feeds of raw, undoctored NSA intelligence. Analysts will then be able to sift through the contents of those feeds as they see fit, before implementing required privacy protections. Previously, the NSA applied those privacy protections itself, before forwarding select pieces of information to agencies that might need to see them.
The updated procedures will multiply the number of intelligence analysts who have access to NSA surveillance, which is captured in large quantities and often isn’t subject to warrant requirements. The changes rankled privacy advocates, who oppose a broadening of surveillance powers—especially on the cusp of Donald Trump’s inauguration. Trump and Mike Pompeo, the president-elect’s nominee for CIA director, have made it clear that they think overzealous civil-liberties protections should be cleared away in favor of stronger surveillance laws.
But while the changes may subject more Americans to warrantless surveillance, the last-minute timing of the announcement actually might have been designed to cut future privacy losses. Susan Hennessey, a Brookings fellow and the managing editor of Lawfare, says firming up the changes before Trump takes office makes it harder for the incoming president to encroach even further on civil liberties.
I spoke with Hennessey, who was previously an attorney in the NSA general counsel’s office, about the lasting effects of the new intelligence-sharing procedures. A transcript of our conversation follows, lightly edited for clarity and concision.
Kaveh Waddell: First off, what do these changes mean for the intelligence community? Has a lack of information-sharing among agencies been holding back investigations?
Susan Hennessey: The origin of these changes dates back, honestly, to just after 9/11. There was this identified issue of “stovepiping”: Intelligence wasn’t being shared frequently or fast enough. Some modifications have already been made throughout the years.
Under Executive Order 12333 as it previously existed, NSA analysts had to make an initial determination and apply a set of privacy rules before sharing raw signals-intelligence information with other parts of the intelligence community. After this change, it doesn’t necessarily have to be an NSA analyst that makes that determination—that information can be shared with other parts of the intelligence community.
So it doesn’t change the substantive rules, it doesn’t change the scope of collection, it doesn’t change the types of protection, it doesn’t change the possible uses; it essentially just broadens the group of people who can apply those protections to the raw intelligence.
Waddell: And by extension, it broadens the group of people who get to see raw intelligence, before those rules are applied?
Hennessey: Yes. This is something that has been at the forefront of privacy and civil-liberties advocates’ minds when they’ve expressed concern with this type of collection. But it’s not accurate to say the rule change means it’s a raw signals-intelligence free-for-all, that anybody can get signals intelligence.
Intelligence agencies other than the NSA will have to provide justification for why they need access to that data. It can only be for foreign intelligence, or other enumerated purposes. So it’s not that those agencies will just be able to see whatever they want—it’s that they will be able to request, with particular justifications, access to more raw signals intelligence than they had before. Then, they will need to apply those minimization procedures for themselves.
The civil-liberties concern often surrounds the use of incidentally collected information. Under the new rule, the FBI could not obtain access to or search raw intelligence information for ordinary criminals in an ordinary criminal investigation against a U.S. person. However, if the FBI incidentally seized evidence of a crime, they are allowed to use that information. So that tends to be where the tension is for people who are concerned with the potential impacts that this change could have on U.S. persons.
Waddell: The fact that more Americans could potentially be subject to warrantless searches, just by virtue of being caught up in the raw signals intelligence that’s shared—is that something that concerns you?
Hennessey: No. Look, I think it’s important to understand that these minimization procedures are taken very seriously, and all other agencies that are handling raw signals intelligence are essentially going to have to import these very complex oversight and compliance mechanisms that currently exist at the NSA.
Within the NSA, those are extremely strong and protective mechanisms. I think people should feel reassured that the rules cannot be violated—certainly not without it coming to the attention of oversight and compliance bodies. I am confident that all of the agencies in the U.S. intelligence community will discharge those very same obligations with the same level of diligence and rigor, adhering to both the spirit and the letter of the law.
That said, there are potentially broader reforms that might be undertaken. I don’t think that they necessarily need to be linked to the sharing of data. But it’s reasonable to at least engage in a conversation about whether or not it’s appropriate to have particular post-collection reforms, like for example imposing an obligation for law enforcement to obtain a warrant in particular circumstances.
That’s a long way of saying that nothing about this particular rule change exposing Americans to additional privacy risks. However, that doesn’t mean that there are not still reasonable and responsible reforms which might take place.
Waddell: I found it interesting that you said the change could, in one way, actually be viewed as a “huge source of comfort.” I think you were referring to the timing of the change. Why is that?
Hennessey: These changes have actually been in process for eight or nine years. One of the things that I think individuals who had insight into intelligence activities and were concerned about the election of Donald Trump—specifically, some of the statements he’s made about adherence to the rule of law—a lot of those people’s minds went very quickly to these procedures.
It’s important to understand the distinction between Executive Order 12333 and the Foreign Intelligence Surveillance Act: One very oversimplified way to think about it is that FISA is a statute that governs collection that takes place within the United States, but that is aimed at a foreign target; 12333 collection is aimed at a foreign target, and takes place outside the United States. That’s shorthand that glosses over some technical and legal nuance, but those are the broad buckets people should be thinking about.
FISA is a statute, so you’d need congressional action to change those rules, and you have a built-in check there. But 12333 is not constrained by statute; it’s constrained by executive order. In theory, a president could change an executive order—that’s within his constitutional power. It’s not as easy as just a pen stroke, but it’s theoretically possible.
Executive Order 12333 requires that this series of protective procedures exist and are adhered to. The procedures are kind of where the rubber meets the road on privacy. They’re the details, the nitty-gritty: What can you actually see? What can you share? What do you have to minimize? So they’re really, really important in terms of what the relationship between U.S. citizens and the intelligence community looks like.
When they were in rewrites, they were sort of vulnerable. There was the possibility that an incoming administration would say, “Hey! While you’re in the process of rewriting, let’s go ahead and adjust some of the domestic protections.” And I think a reasonable observer might assume that while the protections the Obama administration was interested in putting into place increased privacy protections—or at the very least did not reduce them—that the incoming administration has indicated that they are less inclined to be less protective of privacy and civil liberties. So I think it is a good sign that these procedures have been finalized, in part because it’s so hard to change procedures once they’re finalized.
Waddell: Is that why we just went through an eight- or nine-year process to get here?
Hennessey: Exactly. For questions both of genuine complexity and just government bureaucracy, the time horizon here is longer than a single term of the presidency.
So I don’t think that it’s necessarily true that the intelligence community or the Department of Justice was rushing to get these procedures passed; if anything, they’re a little bit late. But I think the bottom line is that it’s comforting to a large national-security community that these are procedures that are signed off by Director of National Intelligence James Clapper and Attorney General Loretta Lynch, and not by the DNI and attorney general that will ultimately be confirmed under the Trump Administration.
Waddell: Is there anything else we should be thinking about with these new changes?
Hennessey: People sometimes focus on the top-line stuff and end up missing the things that aren’t necessarily the symbolic expressions of privacy—the things that make us feel good—but are the functional elements of privacy and civil liberties. What rules do people apply day-to-day and how? There’s going to be a need moving forward to have disciplined conversations about the legal protections that really matter.
If there is a silver lining to some of the anxieties that the incoming administration has produced, I think it’s the potential to move the conversation into a much more productive place. But that opportunity will end up being lost if the responses are the same old same. That’s my last shred of optimism, and I’m hanging on to it.
We want to hear what you think about this article. Submit a letter to the editor or write to email@example.com.