Secret Government Report Shows Gaping Holes in Privacy Protections From U.S. Surveillance
On Tuesday, in response to Freedom of Information Act requests, a federal privacy watchdog released an important report about how the U.S. government handles people’s personal information that it sweeps up in its surveillance. Despite requests from Senator Ron Wyden and the European Union, the Trump administration had refused to make the report public — until now. The report addresses government agencies’ implementation of “PPD-28,” President Obama’s 2014 policy directive on government spying and the treatment of “personal information,” which includes communications like emails, chats, and text messages.
The release of this report, which the Privacy and Civil Liberties Oversight Board finalized in December 2016, was long overdue. The report makes clear that PPD-28’s protections are weak in practice and rife with exceptions. And it will likely only add to concerns European regulators already have about the ways in which U.S. surveillance harms the privacy rights of Europeans — jeopardizing an important transatlantic data-sharing agreement. Here are three key takeaways:
The report confirms just how modest the directive’s privacy protections are.
For the most part, PPD-28 simply prompted the intelligence community to memorialize existing practices. For example, it expressly allows agencies to use information collected in bulk for six purposes, which include detecting and countering “activities directed by foreign powers” and “transnational criminal threats.” These are broad and elastic categories — indeed, so broad that PPD-28 didn’t prompt the NSA to change its practices at all.
There has been significant uncertainty — and inconsistency — among agencies about what spying activities the directive covers.
The report states that “the lack of a common understanding as to the activities to which PPD-28 applies has led to inconsistent interpretation and could lead to compliance traps, especially as [intelligence community] elements engage in information sharing.”
One example is the FBI’s approach to communications collected under the Foreign Intelligence Surveillance Act (FISA). The report raises questions about whether the FBI is fully complying with PPD-28 as well as whether it’s seeking to carve out certain surveillance activities from the directive’s modest requirements:
Although the report recites the FBI’s “rationale” for exempting certain communications from the directive’s protections, it doesn’t explain why that rationale would justify these exemptions. It is true that certain types of surveillance under FISA are based on an individualized finding of probable cause that a target is a foreign power or an agent of a foreign power. But that should have no bearing on whether the directive applies to private communications acquired under those provisions.
To address these inconsistencies, the privacy board recommended that the National Security Council and the Office of the Director of National Intelligence “issue criteria for determining which activities or types of data will be subject to PPD-28’s requirements.” It is unclear whether these agencies ever issued those much-needed clarifications about the directive’s scope.
There are reasons to be concerned about the NSA’s information-sharing practices and other agencies’ exploitation of intercepted communications.
Finally, the board was concerned about how agencies would apply the directive in light of an upcoming of the NSA’s power to share “raw,” unreviewed communications with 16 other agencies, like the Drug Enforcement Administration and the Department of Homeland Security.
Historically, the NSA had always reviewed and redacted some types of sensitive data from intercepted communications before sharing them with other agencies. But at the end of 2016, the Obama administration implemented new rules that allowed the NSA to broadly share raw information, including with agencies that had no prior experience handling this kind of intelligence. The Privacy and Civil Liberties Oversight Board explained that these agencies (called “IC elements”) may need to take additional measures to comply with the directive:
It’s not clear whether, after this report, agencies appropriately updated their information technology systems to purge unreviewed communications after five years, as required by the directive. Nor is it clear whether agency personnel received the training necessary to comply with this directive. More generally, there are still significant questions about how much raw data the NSA is sharing, for what purposes, and how the directive applies to this data in practice.
This new report is yet more evidence that the future of the central U.S.–EU data-sharing agreement — known as Privacy Shield — is in doubt.
Privacy Shield allows American tech firms operating in Europe to easily and lawfully transfer data to the United States, and it’s predicated on the idea that the U.S. “adequately” protects Europeans’ communications. The European Commission approved Privacy Shield in part because it believed that Obama’s directive provided meaningful protection. recognized that “all persons have legitimate privacy interests in the handling of their personal information” — and it explicitly extended some very modest privacy protections to non-Americans abroad.
Although the directive was a step in the right direction, we’ve explained elsewhere why it does not provide adequate protection for EU persons’ data and is too weak to serve as the legal basis for Privacy Shield. This report makes it even clearer that the directive fails to cure the fundamental problems with U.S. surveillance law.
In short, the U.S. government is exploiting the personal information it gathers using these spying activities more broadly than ever, but the report reveals just how anemic PPD-28’s protections are in practice. It also raises serious questions about whether the directive has been implemented fully and consistently across the intelligence community.
The European Commission’s second annual review of Privacy Shield is already , and the EU’s highest court will likely soon have the opportunity to rule on the legality of the agreement. Both the commission and the court will have to grapple with the fundamental weaknesses of PPD-28 and with these new signs that its safeguards do not go nearly far enough.