For several weeks now analysts in the civil liberties community have been trying to make out the details of what appears to be a secret CIA bulk data collection program. At least we know, thanks to the efforts of Senators Ron Wyden (D-OR) and Martin Heinrich (D-NM), that such a program exists.
We also know, thanks to declassified documents, that the Privacy and Civil Liberties Oversight Board (PCLOB) has done “deep dive” analyses of this program. But beyond that, we can only see the shape and the shadow of a major CIA program that can somehow store and search Americans’ information without the pesky restrictions of the Foreign Intelligence Surveillance Act and other statutes.
To the relief of the civil liberties community, Julian Sanchez, CATO scholar, gives us a better idea of the scope and character of this secret CIA surveillance program and what it might mean in terms of the law and policy. Like a skilled detective, Sanchez teases out insights into the CIA program.
It’s Definitely About Bulk Data: Sanchez casts a spotlight on how Senators Wyden and Heinrich in their letter to leaders of the intelligence community referenced the history of legislative efforts to limit or prohibit the indiscriminate large-scale collection of U.S. person records. Their letter also refers to the CIA secretly conducting its own bulk program “entirely outside the statutory framework that Congress and the public believe govern this collection.” All this strongly suggests that the contours of the program are what they appear to be, i.e., large-scale bulk collection of records on millions of Americans.
Companies Are Giving or Selling Our Data to the CIA: Sanchez notes that the two senators reference a CIA “relationship with sources.” The CIA cannot compel the production of such records with National Security Letters like the FBI can. So it seems that the CIA is buying data from digital and telecom companies, or purchasing it from data brokers.
This is not unprecedented. Sanchez reminds us that in 2013 The New York Times reported that the CIA paid AT&T $10 million a year for access to call records, including some that included a U.S. endpoint.
The CIA Program Drives a Mack Truck Through a Loophole in the Law: The Electronic Communications Privacy Act includes a carveout, §2511(f), that exempts foreign intelligence from the need to follow a statutory process, even if the program involves U.S. citizens. The CIA appears to be predicating its program on Executive Order 12333 – which requires the CIA to have a legitimate foreign intelligence purpose for gathering information about Americans according to internal rules approved in consultation with the attorney general. In other words, the program is authorized by no law and is subject to no oversight by Congress.
If this program ever winds up before the U.S. Supreme Court, however, it would smack into a precedent – Carpenter v. United States. In that case, location data taken from a large-scale search of cellular records was deemed a “search,” and therefore requires a probable cause warrant. But what is the likelihood this heavily classified program will ever be reviewed by the Supreme Court?
Maggie Wheeler, the prolific blogger behind emptywheel.net, notes how little has changed despite the revelations of mass bulk surveillance of Americans by Edward Snowden. She writes: “There’s been a whole lot of self-congratulation since Snowden ... Because EO 12333 was always out there, and it was always possible to do virtually all of what Snowden exposed in the Section 215 program via EO 12333.”
Congress allowed Section 215 of the Patriot Act, which gave government agencies ready access to business records, to expire. But EO 12333 lives on as an excuse for the government to ignore the Fourth Amendment at will. Wheeler also points out that PCLOB is restricted to being a watchdog of counterterrorism programs. It has no idea, and nor do we, what similar programs may be afoot in counterintelligence.
Sanchez and Wheeler have performed a public service in discerning some details in the dark. Sharon Bradford Franklin, the privacy expert who has just assumed her role as PCLOB chair, should now get to work to push as much information about this program as possible into the public domain. And Members of Congress should hold hearings about the government’s purchasing of Americans’ personal data from data brokers. This would prepare the way for passage of Sen. Wyden’s The Fourth Amendment Is Not for Sale Act, which would restrict the ability of the government to buy data as an end-run around the Fourth Amendment.