HR 4681, the Intelligence Authorization Act for FY 2015 was signed into law on December 19th, 2014 and provides funding for the intelligence community until next September. The bill and now law contains one section – section 309 – that deals with the collection, retention and sharing of information collected by the intelligence community. Because Congress wanted to get out of D.C., this bill was not debated and it was voted on under a rules suspension that is used to push through non-controversial bills. Since no one wants to appear soft on terrorism, this bill fit into that category and it passed 325-100.
Section 309 was an effort to curtail some of the practices of mass data collection and retention of the intelligence community, but it seems to have a lot of wiggle room. The text of the bill can be found here.
Interestingly, most of the data collection that the intelligence community collects is not done under the Patriot Act or the Foreign Intelligence Surveillance Act, but rather, under a very dusty executive order that President Reagan signed in 1981 called EO 12333. A primer on the EO is available here. Since EOs are written by the executive branch with no oversight by Congress, they tend to formalize what the executive branch wants to do anyway and are typically one-sided. It covers, among other things, mass data collection and the minimization of data collected on U.S. citizens. Those rules are currently covered by a document called USSID SP0018 which is available here. In the preface it says that they need to balance the rights under the 4th amendment to the US Constitution against the needs of the government to collect intelligence. In concept that makes sense, but in the case of both the EO and the USSID, the fox is squarely in charge of guarding the hen house. EFF, a privacy watchdog, created a primer on it, which is linked to above and suggests that there are a lot of loopholes in these documents which allow for over collection, over retention and not much oversight. Section 309 was an attempt to begin to reign in some of those activities.
Since Congress did not take the time to debate this bill, there was not much consideration of what section 309 formally codifies. For the first time, there is a law that says that the intelligence community can collect, share and retain information on U.S. citizens.
It is a start. Section 309:
- It defines a covered communication as any electronic or telephone communication collected without the consent of a (only one) party to the communication.
- It requires that the heads of each part of the intelligence community create policies approved by the Attorney General within the next two years describing how they are going to comply with Section 309. That means that nothing is likely to change for at least two years and Congress won’t review these procedures.
- That intelligence collected (including mass intelligence) can only be kept for 5 years unless the fox guarding the hen house decides- in compliance with these procedures that are going to be written in the next two years – that it is (a) foreign intelligence, (b) reasonably believed to be evidence of a crime, (c) encrypted, (d) all parties are reasonably believed to be non US citizens, (e) retention is necessary to protect against an imminent threat to human life (in which case they have to tell Congress about it later), (f) retention is necessary for technical assurance or compliance reasons (in which case they have to write a dusty report every year to the Senate and House Intelligence Committees) or (g) the head of an intelligence community element decides it is necessary to protect the national security (in which case they have to report on some unstated frequency to the intelligence committees again).
So while section 309 is a reasonable start, it appears that there is a lot of wiggle room and, for the first time, legally says that the intelligence community can keep encrypted communications forever and that if they think the intercepted communication is reasonably believed to be evidence of a crime, they can share it with unspecified law enforcement agencies, without a warrant and with no guidelines as to what reasonable means. It also creates a process to keep that intelligence forever if something thinks it is important.
There is clearly no room for abuse in section 309. So, while I think this is a good start, we are definitely no where near done yet.