The White House on Tuesday issued new rules that limit how intelligence agencies can collect data and how long that data can be retained.
The rules, released through the Office of the Director of National Intelligence in response to a January 17, 2014, Presidential Directive to limit bulk data collection, include a requirement that intelligence agencies must delete information collected about non-US persons after five years unless relevant to national security. Data related to US persons was already subject to this requirement.
The rules now state that information about a person may not be disseminated in an intelligence report solely because that person is not a US person. Instead, intelligence agencies are "specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports."
The rules also add oversight, training, and compliance requirements to ensure that intelligence officers understand their responsibilities. In this, intelligence agencies face requirements similar to industry regulations that affect corporations and other organizations inside and outside the government.
The way bulk telephony data can be collected through Section 215 of the Patriot Act has been modified. Previously, demands for documents based on national security concerns could be approved by authorized NSA officials. Going forward, Foreign Intelligence Surveillance Court (FISC) approval is also required, except in "emergency circumstances."
In addition, intelligence agencies have had their chain of potential Patriot Act queries shortened from three to two. Previously, an agency such as the NSA could identify a suspect's metadata, follow that to a second set of contacts, and then follow those contacts to a third set of contacts. Henceforth, agencies can only follow two hops: Data associated with the target and data associated with the target's contacts.
[ Check out what Google has planned for its new wireless service. Read Google's Wireless Service Taps WiFi and Cellular. ]
Section 702 of the Foreign Intelligence Surveillance Act (FISA) faces new limitations, including amended minimization procedures when foreign intelligence is sought through surveillance of a US person. The Department of Justice and the Director of National Intelligence will henceforth review decisions to retain data for national security purposes that would otherwise be deleted if non-pertinent. In addition, the rules dictate that intelligence gathered through Section 702 will not be used against US persons in court, except "for national security purposes or in prosecuting the most serious crimes."
Also, gag orders imposed by National Security Letters -- through which the FBI can secretly demand data from companies about individuals -- will be lifted after three years or at the conclusion of an investigation, whichever is sooner, unless the FBI can show cause to maintain the order.
On Monday, a coalition of organizations including the Berkman Center for Internet and Society, the Calyx Institute, the Electronic Frontier Foundation, and New York University’s Technology Law and Policy Clinic launched a website called Canarywatch.org as a form of protest against the nondisclosure requirement that accompanies almost all National Security Letters. Companies, advocacy organizations, and individuals have objected to National Security Letters on various grounds. In 2013, a District Court judge in California found one of the five statutes used to issue National Security Letters unconstitutional.
Canarywatch.org aggregates "warrant canaries," published statements by companies such as Pinterest, Reddit, and SpiderOak that they have not received a National Security Letter. The companies posting these statements do so to speak through the absence of their words – they intend to delete their statements if they ever receive a National Security Letter, thereby conveying to their customers what the law will not allow them to say outright.
Though it may be illegal to disclose receipt of a National Security Letter, advocates of warrant canaries argue that that government cannot compel companies or individuals to make false statements – which a denial of receipt would become following the delivery of such a letter.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.