Senators: CIA Surveillance Program Involved Citizens' Data
Declassified Docs Point to 'Bulk Collection,' Lawmakers Call for Transparency
In a recently declassified letter to Central Intelligence Agency Director William J. Burns and Director of National Intelligence Avril Haines dated April 13, 2021, two U.S. senators urged transparency around alleged "bulk surveillance" conducted by the CIA. The lawmakers responded to now-declassified documents compiled by the Privacy and Civil Liberties Oversight Board, highlighting "problems with how the agency searches and handles Americans' information."
In their letter to U.S. intelligence leaders, Sens. Ron Wyden, D-Ore., and Martin Heinrich, D-N.M., both members of the Senate Intelligence Committee, requested the declassification of a related report from PCLOB on what they called a "bulk collection program." PCLOB is an independent executive branch agency established in 2004 to advise the president and other high-ranking officials on privacy and civil liberties concerns in the U.S.
The letter, declassified late Thursday, suggests that the CIA "has secretly conducted its own bulk program," per authority under Executive Order 12333, rather than a congressionally passed framework.
It is currently unclear how much information on U.S. citizens the program collected, how and when the data was collected, how long collection persisted, and other identifying information.
Executive Order 12333, issued in December 1981 by then-President Ronald Reagan, extended powers of U.S. intelligence agencies and directed federal agencies to cooperate with CIA requests. It was subsequently amended to strengthen the role of the director of national intelligence, an office now held by Haines.
Wyden and Heinrich, in their letter, claim the CIA program in question was "entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes from [Foreign Intelligence Surveillance Act] collection."
FISA, passed during the Carter administration in 1978, outlined surveillance procedures and the collection of foreign intelligence tied to suspected espionage or terrorism. It created a court that reviews requests for surveillance warrants by federal law enforcement and intelligence agencies, and it was amended following the Sept. 11 attacks.
A spokesperson for the CIA tells Information Security Media Group: "In an effort to be transparent, CIA declassified certain information about two critical national security programs ... [which] are repositories of information about the activities of foreign governments and foreign nationals. CIA lawfully collected that ... information under the National Security Act of 1947 and Executive Order 12333. In the course of any lawful collection, CIA may incidentally acquire information about Americans who are in contact with foreign nationals. When [this occurs], it safeguards that information in accordance with procedures approved by the Attorney General."
They add: "CIA’s collection activities and the programs at issue in the two PCLOB reports are properly classified to prevent foreign adversaries from defeating CIA’s collection efforts. ... CIA has kept its congressional oversight committees and the PCLOB fully and currently informed of its classified activities related to these two programs."
'Warrantless, Backdoor Searches'
In a joint statement, however, Wyden and Heinrich say: "FISA gets all the attention because of the periodic congressional reauthorizations and the release of DOJ, ODNI and FISA Court documents. But what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law.
"In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context."
They add: "While we appreciate the release of the 'Recommendations from PCLOB Staff,' which highlights problems associated with the handling of Americans' information, our letter also stressed that the public deserves to know more about the collection of this information. The DNI and the CIA director have started this process. We intend to continue to urge them to achieve the transparency the American people deserve."
In the PCLOB recommendations document, the agency's suggestions include:
- The CIA should draft implementing guidance for the CIA's Attorney General Guidelines.
- CIA analysts should memorialize the Foreign Intelligence justification queries involving U.S. person, or USP, information in an easily reviewable manner.
- The Privacy and Civil Liberties Officer should, with mission personnel, design a framework sufficient to routinely identify, review and address issues related to USP information.
- CIA should determine how best to address the retention and use of legacy data that may include USP information.
- The CIA should conduct periodic efficacy assessments with the Counterterrorism Mission Center to analyze continuing value.
- The CIA should consider the adoption of automated tools to assist with auditing, oversight and compliance matters related to U.S. persons.
In their 2021 letter, Wyden and Heinrich respond to these points, saying: "Among the many details the public deserves to know are the nature of the CIA's relationship with its sources and the legal framework for the collection; the kind of records collected … the amount of Americans' records maintained; and the rules governing the use, storage, dissemination and queries … of the records."
In the redacted document, the senators write: "It is critical that Congress not legislate without awareness of a … CIA program, and that the American public not be misled into believing that the reforms in any reauthorization legislation fully cover the IC's [intelligence community's] collection of their records."
To some security experts, this "challenge" from legislators fulfills an important part of their oversight duties.
Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, tells ISMG: "Modern governments have a significant challenge in balancing the need to counter terrorism or threats to themselves, and the privacy of their citizens. … Many laws, programs or regulations under which intelligence organizations, governments, or even local law enforcement are able to act, are outdated and not keeping pace with modern technology and data creation, storage or protection methods."
Kron, who is currently a security awareness advocate for the firm KnowBe4, adds: "Challenges such as those made by these senators are an important way to check the authority and operation of these programs."
The National Security Agency, which retains a focus on signals intelligence, or SIGINT, has been more closely associated with surveillance. According to the NSA, SIGINT is "derived from electronic signals and systems used by foreign targets such as communication systems, radars, and weapons systems."
The agency adds: "Our SIGINT mission is specifically limited to gathering information about international terrorists and foreign powers, organizations, or persons. NSA produces intelligence in response to formal requirements levied by those who have an official need for intelligence, including all departments of the Executive Branch."
The NSA has previously been mired in controversy over its surveillance programs. In 2013, former NSA contractor Edward Snowden blew the whistle on NSA activity, revealing, through leaks, the storage of communications on both global and U.S. citizens, along with movement tracking via cellphone metadata (see: Edward Snowden Is No Daniel Ellsberg).
Update [Feb. 11, 4:30 p.m. EST]: This article has been updated to include a response from a CIA spokesperson.