Published by The Lawfare Institute
Author’s note: Although I consulted with CIA and NSA officials regarding the accuracy of certain portions of this article (and I am grateful for their assistance), and although the article was reviewed by the government to ensure that it does not contain classified information, the views expressed are solely my own, and errors solely my responsibility.
On January 18, 2017, the CIA declassified and released new internal guidelines, Central Intelligence Agency Activities: Procedures Approved by the Attorney General Pursuant to Executive Order 12333, approved by the Attorney General under Section 2.3 of Executive Order 12333. These new guidelines will be known as Agency Regulation (AR) 2-1 when they take effect on March 18, 2017. They will replace AR 2-2, including Annexes A and B, which were originally issued in 1987, most recently revised in 2012, and released to the public in 2015. The new CIA guidelines were part of a larger effort by the Obama administration, commenced before 2013 and completed two days before President Trump’s inauguration, to update Intelligence Community (IC) guidelines.
One of the most interesting and important aspects of the new CIA guidelines concerns the acquisition, retention, use and dissemination of publicly available (or open-source) information concerning U.S. persons. As I have written elsewhere, the increasing availability of such information, including in social media, will be among the most significant challenges and opportunities for U.S. intelligence and counter-intelligence in the coming years. The new CIA guidelines provide some insight into how the Intelligence Community intends to address those challenges and opportunities, at least pending significant policy changes by President Trump.
This paper has three parts. It begins in Part I with background on IC agency guidelines in general, explaining their role in the paradigm of intelligence under law that has governed the U.S. Intelligence Community since the revelation of widespread misconduct in the 1970s. Part I also reviews briefly the history of CIA’s elements that were and are charged with collecting publicly available information. Part II focuses on the new CIA guidelines and their treatment of publicly available information and related issues, including bulk collection, querying, retention and dissemination, and undisclosed participation in organizations inside the United States. It reviews briefly the treatment of publicly available information in U.S. constitutional and statutory law, and it also compares CIA’s guidelines to their counterparts governing DOD intelligence components, which were finalized and released in August 2016. Part III is a short conclusion.
A. History of Abuse Leads to Regulation
Current Intelligence Community guidelines emerge from a history of abuse revealed in the mid-1970s. Beginning after World War II, the U.S. Intelligence Community engaged widely in extraordinarily abusive and illegal activity violating the rights of Americans. As I have written elsewhere, “[a]buses included routine opening and reading of vast amounts of first-class mail and telegrams and drug experiments conducted on unwitting American subjects,” as well as illegal wiretapping, break-ins, infiltration of and covert action attempting to influence domestic political groups. Targets included the “Women’s Liberation Movement” and “‘every Black Student Union and similar group regardless of their past or present involvement in disorders,’” as well as judges, Members of Congress, and political candidates. Intelligence collection was used for partisan political purposes. Human experimentation – for example, administering LSD to assess its effects – was performed on unwitting Americans, sometimes with tragic results. David S. Kris & J. Douglas Wilson, National Security Investigations and Prosecutions §§ 2:3-2.5 (2d ed. 2012) [hereinafter NSIP] (quoting Final Report of the Select Committee to Study Governmental Operations with Respect to Intelligence Activities, United States Senate, 94th Cong., 2d Sess. Book I (1976) [hereinafter Church Report Book I]).
There was essentially no formal legal restriction on this activity, and no attempt even to pretend it was lawful. For example, here is how one internal CIA memorandum described the agency’s approved strategy for dealing with a potential revelation of its illegal mail-opening program (Church Report Book II at 148):
Since no good purpose can be served by an official admission of the violation, and existing Federal statutes preclude the concoction of any legal excuse for the violation, it must be recognized that no cover story is available to any Government Agency . . . Unless the charge is supported by the presentation of interior items from the Project, it should be relatively easy to “hush up” the entire affair . . . Under the most unfavorable circumstances . . . it might be necessary . . . to find a scapegoat to blame for unauthorized tampering with the mails.
The key response to this abuse, recommended by a Committee headed by Senator Frank Church that investigated and documented it thoroughly, was a new paradigm of intelligence under law. “Establishing a legal framework for agencies engaged in domestic security investigation,” the Committee concluded in a report issued in 1976, “is the most fundamental reform needed to end the long history of violating and ignoring the law.” Church Report Book II at 296. The Committee also recommended that the Attorney General of the United States, as the country’s “chief legal officer,” be “charged with ensuring that the intelligence agencies conduct their activities in accordance with the law.” Id. at 332. I have argued that the “grafting of legal culture onto national security culture had profound, substantive effects on the way this country’s secret agents function.” NSIP § 2:7.
In 1976, President Ford issued Executive Order 11905, the first executive order designed comprehensively to organize and limit the conduct of the U.S. Intelligence Community. President Ford’s order replaced NSCID-1, which had been issued in 1947 (and updated over the ensuing years), including in a 1971 memorandum on the “Organization and Management of the U.S. Foreign Intelligence Community.” Section 5 of President Ford’s order, entitled “Restrictions on Intelligence Activities,” observed with some understatement that “[r]ecent events have clearly indicated the desirability of government-wide direction which will ensure a proper balancing” of the government’s need for foreign intelligence and “established concepts of privacy and our civil liberties.” It directed each relevant “department and agency . . . [to] promptly issue internal directives to implement this section with respect to its foreign intelligence and counterintelligence operations,” and directed the Attorney General to “issue guidelines relating to activities of the Federal Bureau of Investigation in the areas of foreign intelligence and counterintelligence.”
In 1978, President Carter replaced President Ford’s order with his own executive order governing the Intelligence Community, No. 12036. Section 2-2(a) of President Carter’s order was more explicit than President Ford’s in describing the role of the Attorney General, and provided as follows: “The activities described in Sections 2-202 through 2-208 shall be undertaken only as permitted by this Order and by procedures established by the head of the agency concerned and approved by the Attorney General.”
The current version of the order, Executive Order 12333, was issued by President Reagan in 1981, and amended by President George W. Bush in 2003, 2004, and most significantly in 2008. (The 2008 amendments are explained here.) The order remains in effect today. It retains the role of the Attorney General in approving Intelligence Community procedures, but also acknowledges the role of the Director of National Intelligence (DNI), a position created by statute in 2004. Under Section 2.3 of Executive Order 12333 (reinforced by Section 3.2), “[e]lements of the Intelligence Community are authorized to collect, retain, or disseminate information concerning United States persons only in accordance with procedures established by the head of the Intelligence Community element concerned or by the head of a department containing such element and approved by the Attorney General . . . after consultation with” the DNI. These AG-approved procedures express many of the key limits on conduct by the U.S. Intelligence Community affecting U.S. persons. As the CIA has explained, they “provide the framework for ensuring that the CIA engages in its foreign intelligence, counterintelligence, and covert action missions in support of national security in a manner that respects Americans’ privacy rights and civil liberties.”
To be sure, certain IC collection activities are authorized, prohibited or regulated by statute. For example, the National Security Act of 1947 as amended affirmatively authorizes CIA to do all of the following (50 U.S.C. § 3036(d)):
- “collect intelligence through human sources and by other appropriate means”;
- “correlate and evaluate intelligence related to the national security and provide appropriate dissemination of such intelligence”;
- “provide overall direction for and coordination of the collection of national intelligence outside the United States through human sources by elements of the intelligence community authorized to undertake such collection and, in coordination with other departments, agencies, or elements of the United States Government which are authorized to undertake such collection, ensure that the most effective use is made of resources and that appropriate account is taken of the risks to the United States and those involved in such collection”; and
- “perform such other functions and duties related to intelligence affecting the national security as the President or the Director of National Intelligence may direct.”
Under the direction of the DNI, the CIA must also “coordinate the relationships between elements of the intelligence community and the intelligence or security services of foreign governments or international organizations on all matters involving intelligence related to the national security or involving intelligence acquired through clandestine means.” 50 U.S.C. § 3036(f). The new CIA guidelines recognize these statutory authorizations. See, e.g., CIA guidelines §§ 1.2, 2.1.
The 1947 Act also contains important prohibitions, providing that CIA “shall have no police, subpoena, or law enforcement powers or internal security functions.” 50 U.S.C. § 3036(d)(1). This restriction, known as the “law enforcement proviso,” reflects then-recent memories of the German Gestapo and concerns about a U.S. secret police. It also reflects CIA’s focus on foreign intelligence, leaving the FBI more focused on domestic intelligence. Section 1.3(b)(20) of Executive Order 12333 reinforces that distinction by providing that the “Director of the Federal Bureau of Investigation shall coordinate the clandestine collection of foreign intelligence collected through human sources or through human-enabled means and counterintelligence activities inside the United States,” while the “Director of the Central Intelligence Agency shall coordinate the clandestine collection of foreign intelligence collected through human sources or through human-enabled means and counterintelligence activities outside the United States.” For additional information on the law enforcement proviso and other limits on domestic activity by the CIA, see NSIP §§ 1:4, 2:11.
Section 3.5 of the new CIA guidelines describes in more detail the agency’s relationship with the FBI concerning domestic matters. It cites the executive order and provides that the “CIA may generally cooperate with the FBI . . . to pursue a compatible goal under independent authorities without making or receiving a formal request.” For example, CIA has explained, if “the FBI has a cooperative relationship with an individual inside the United States who provides foreign intelligence information, the FBI may appropriately consult with the CIA regarding the relationship, and the CIA may continue the relationship for intelligence purposes should the individual travel overseas.” However, Section 3.5 of the CIA guidelines goes on to provide, “when the goal is not of interest to one agency or is being pursued under an authority not shared by both agencies (e.g., law enforcement authorities), the CIA should receive from or submit to the FBI a formal request for collection assistance (‘Community Support Letter’).” For a more complete discussion of permitted cooperation between intelligence and law enforcement authorities, and limits on that cooperation, see NSIP §§ 2:8-2:14.
Certain other collection activities are regulated by statute regardless of which IC agency is involved. The most prominent example is the regulation of certain forms of electronic surveillance and physical searches by the Foreign Intelligence Surveillance Act. The CIA is forbidden by Section 2.4(a) and (b) of Executive Order 12333 from conducting “electronic surveillance within the United States except for the purpose of training, testing, or conducting countermeasures to hostile electronic surveillance,” and from “[u]nconsented physical searches in the United States . . . except for . . . [s]earches by CIA of personal property of non-United States persons lawfully in its possession.” See CIA guidelines § 188.8.131.52. But it is permitted (and required) to use part of the FISA Amendments Act of 2008 (FAA), 50 U.S.C. § 1881c, which generally requires a FISA Court order before any “element of the intelligence community may intentionally target, for the purpose of acquiring foreign intelligence information, a United States person reasonably believed to be located outside the United States under circumstances in which the targeted United States person has a reasonable expectation of privacy and a warrant would be required if the acquisition were conducted inside the United States for law enforcement purposes.” See CIA guidelines § 184.108.40.206 (for more detail on the FAA and surveillance abroad, see NSIP Chapters 16-17). A statute also requires that the Congressional Intelligence Committees be kept “fully and currently informed” of intelligence activities (for a more complete discussion of this requirement, see NSIP § 2:7). The CIA has explained that its activities must “comply with a variety of . . . United States laws, including but not limited to, the National Security Act, the CIA Act, the Foreign Intelligence Surveillance Act, and the Privacy Act,” and that the new guidelines “do not, and should not be interpreted to, authorize activities that are otherwise prohibited by United States law.”
Despite the range of statutory authorization, prohibition, and regulation, however, much of the day-to-day governance of CIA and other IC agencies arises from the executive order and its subordinate procedures as approved by the Attorney General. Sections 2.3-2.13 of Executive Order 12333 authorize, prohibit, and/or regulate collection of publicly available information, information obtained with consent, foreign intelligence and counterintelligence, information obtained in the course of lawful investigations, information needed to protect intelligence sources and methods, information concerning potential human sources, information needed for investigations into personnel or communications security, information obtained by satellites, incidentally acquired information that may be evidence of a crime, electronic surveillance, physical searches, physical surveillance in the United States and abroad, cooperation between intelligence and law enforcement, clandestine contracting, human experimentation, assassination, covert action, and many other matters. Agency-specific procedures implementing the executive order, such as the CIA’s new guidelines, must be provided to the Congressional Intelligence Committees under Section 3.3 of the order. The decision to publish the new CIA guidelines breaks with historical practice (as noted above, the CIA’s prior guidelines, AR 2-2, were not released to the public until many years after their adoption).
B. Evolution of CIA’s Guidelines
In 1975, prior to President Ford’s executive order (No. 11905), the relevant CIA policy document was known as Headquarters Regulation (HR) 7-1, “Law and Policy Governing the Conduct of Intelligence Activities.” HR 7-1 was amended to conform to President Carter’s executive order (No. 12036) in 1978 and 1979, and amended again in 1987 following issuance of President Reagan’s order (No. 12333). HR 7-1 is not publicly available, although parts of it are quoted in publicly available documents on CIA’s webpage and elsewhere.
In 1987, CIA updated its regulatory structure and nomenclature, and replaced HR 7-1 in relevant part with Agency Regulation (AR) 2-2, including Annexes 2-2A and 2-2B. AR 2-2, also entitled “Law and Policy Governing the Conduct of Intelligence Activities,” applied to CIA activities in all locations, and Annexes A and B provided additional “Guidance for CIA Activities Outside the United States,” and “Guidance for CIA Activities Within the United States,” respectively. In 2005, Annexes A and B were placed into a new, numbered document in keeping with the new regulatory nomenclature, AR 2-2G. These documents were amended periodically over the ensuing years, most recently in 2012, and were made public under the Freedom of Information Act for the first time in 2015.
The new CIA guidelines, like their predecessors, follow and in some cases parrot the language of the executive order. See, e.g., CIA guidelines §§ 1.2-1.3, 2.1-2.2. They also follow the executive order (and the relevant statutes) by dividing CIA collection activity into three broad categories: some collection is prohibited outright; some is permitted only in certain circumstances and/or with certain high-level approvals; and some collection is generally authorized without any such approvals. See CIA guidelines §§ 4-4.1.
For example, the new CIA guidelines follow Executive Order 12333 in generally prohibiting “physical surveillance of a U.S. person in the United States” by the CIA (and other IC agencies apart from the FBI), although they point out that the CIA “may request that the FBI conduct [the] physical surveillance.” CIA guidelines § 220.127.116.11; see AR 2-2 §§ I.1.a(5)(d)(3), I.1.a(5)(d)(4)(b); Executive Order 12333 § 2.4(b), (c). The relevant exception for physical surveillance recognized in the executive order concerns “present or former employees, present or former intelligence element contractors or their present or former employees, or applicants for any such employment or contracting.” Section 18.104.22.168 of the new guidelines uses a similar formulation, referring to “a present or former employee, a present or former contractor of the CIA, a present or former employee of a CIA contractor, or an applicant for any such employment or contracting.” Section I.1.a(5)(d)(3)(a)-(b) of AR 2-2 used the same language as the executive order.
Similarly, Executive Order 12333 generally prohibits “unconsented physical searches in the United States,” with an exception for “[s]earches by CIA of personal property of non-United States persons lawfully in its possession.” Section 22.214.171.124 of the new guidelines takes a similar approach, providing that the “CIA may not conduct a physical search within the United States of real or personal property, except for searches of personal property of non-U.S. persons lawfully in the CIA’s possession.” The CIA guidelines clarify the application of the executive order, however, in recognizing the geographic complexity posed by digital data and networks: they explain that “[w]hether a physical search occurs within or outside the United States depends on several factors, including the location of the item being searched and the location where the item came into the CIA’s possession. For example, the search of a computer located abroad is a search outside of the United States, regardless of the location of the CIA employee conducting the search.” CIA guidelines § 126.96.36.199. Section I.1.a(5)(d)(4)(b) of AR 2-2 provided that “CIA may not engage in unconsented physical searches in the United States, except for searches of personal property lawfully in CIA’s possession, of non-U.S. persons. Such searches require General Counsel concurrence and may require Attorney General approval. Searches with consent, however, are permissible.”
C. History of CIA Collection of Publicly Available Information (Open-Source Collection)
The CIA was born in 1947, created by the National Security Act of that year, and emerging from the wartime Office of Strategic Services (OSS) and the post-war Central Intelligence Group. See NSIP §§ 1:2, 1:4. Today’s open-source intelligence elements have their origins in the Foreign Broadcast Monitoring Service (FBMS), established during World War II, which performed the function that its name suggests. According to documents on the CIA’s website, the FBMS became the Foreign Broadcast Intelligence Service in 1942, and then in 1967, as part of CIA, was renamed the Foreign Broadcast Information Service (FBIS), but I am advised that the current CIA Historian maintains that the name “Foreign Broadcast Information Service” was actually adopted in 1946 when the entity was transferred to the Central Intelligence Group. In any event, in 2005, the FBIS became the Open Source Center, and in 2015 it changed its name to the Open Source Enterprise (OSE) when it became part of CIA’s newly-created Directorate of Digital Innovation, as explained in Director Brennan’s March 2015 Message to the Workforce, an October 2015 CIA Press Release, and a graphic describing the agency’s current organization. Today, OSE solicits applications from candidates to be open source officers by asking, “Are you a news junkie? Do the foreign affairs headlines pull you in? You should consider the CIA’s Open Source Enterprise (OSE) for your next career.” Additional information about the early days of CIA’s open source collection is available here and here.
The FBMS was established primarily due to concerns over foreign government propaganda, spread across national borders by the new technology of shortwave radio, as explained on page 3 of a CIA historical report:
Shortwave radio developed rapidly in the decade leading to the outbreak of World War II, and with the rise of competing ideologies in Europe and Asia, their sponsors seized upon this new and simple vehicle for breaching international boundaries to propagandize and subvert. European democracies quickly became aware of this new threat to their freedom, while in the United States the rapid spawning of shortwave propaganda broadcasts was watched with apprehension.
This worry about international propaganda resonates today, of course, in concerns over terrorists’ online recruitment efforts, particularly by ISIL using social media.
Initially, private efforts, sponsored by newspapers and universities, were used to monitor the foreign propaganda broadcasts, but “[t]oward the end of 1940 the Secretary of State, in an informal discussion with President Roosevelt, suggested that a government unit should be established to monitor and analyze propaganda beamed to the United States.” (In writing this paper, I was reminded that my grandfather, Ernst Kris, was involved in monitoring and analysis of German radio propaganda in Great Britain and later in Canada, and wrote on the topic of propaganda from a psychological point of view. See, e.g., Ernst Kris & Hans Speier, German Radio Propaganda (1944); Ernst Kris, The “Danger” of Propaganda (1941), in The Selected Papers of Ernst Kris 409, 411 & n.1 (1975); Louis Rose, Psychology, Art, and Antifascism: Ernst Kris, E.H. Gombrich and the Politics of Caricature (2016).)
Shortly thereafter, the FBMS came into existence. It was “the only recognized service organization trained and equipped to monitor and process foreign broadcasts for the benefit of all government agencies needing the service,” and by the time it became part of the CIA in 1947, it had “thoroughly demonstrated . . . that the task of listening to foreign broadcasts and reporting to other government units was an essential task that could not be abandoned, and that the best way to meet the need was to assign the responsibility to one central organization.” In 1971, FBIS published a retrospective of major events it had monitored, including the failed assassination attempt on Adolf Hitler, the surrender of Japan in World War II, the Korean War, the death of Joseph Stalin, the end of the Hungarian uprising against the Soviet Union, the Cuban Missile Crisis, the Cultural Revolution in China, and the death of Ho Chi Minh. Beginning in 1974, and for the next 40 years, FBIS regularly provided to government agencies, and the public, a broad array of foreign news reports.
In 2005, the WMD Commission’s recommendations (pages 22-23) led to creation of the Open Source Center. The Commission concluded that “analysts who use open source information can be more effective than those who don’t,” and urged creation of an “entity that collects, processes, and makes available to analysts the mass of open source information that is available in the world today.” The Commission recognized the value of the FBIS, but (on pages 377-380 of its report) concluded that the Internet and other modern communications technology required a broader commitment to collecting, analyzing, and exploiting Open Source Intelligence (OSINT). Section 1052 of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) also contained a sense of the Congress supporting the establishment of “an intelligence center for the purpose of coordinating the collection, analysis, production, and dissemination of open-source intelligence.”
The Open Source Center became the Open Source Enterprise within CIA’s newly-created Directorate of Digital Innovation as part of CIA’s reorganization in 2015. By placing OSE within the Digital Directorate, CIA was acting in accordance with the WMD Commission’s recommendations, which explained (on page 22 of its report) that the mission of an open-source IC element “would be to deploy sophisticated information technology to make open source information available across the Community. This would, at a minimum, mean gathering and storing digital newspapers and periodicals that are available only temporarily on the Internet and giving Intelligence Community staff easy (and secure) access to Internet materials . . . . The Open Source [element of CIA] should also be the primary test bed for new information technology because the security constraints – while substantial – are lower for open source than for classified material.”
A. Publicly Available Information in American Constitutional and Statutory Law
The absence of protection for publicly available information has deep roots in American law. Under the Fourth Amendment, “[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.” Katz v. United States, 389 U.S. 347, 351 (1967); see California v. Greenwood, 486 U.S. 35, 41 (1988). To be sure, in United States v. Jones, 132 S. Ct. 945 (2014), Justice Sotomayor’s concurrence questioned whether voluntarily providing information to certain third parties would extinguish a reasonable expectation of privacy in the information. Id. at 957. But Justice Sotomayor was not questioning the general proposition that publicly available information is unprotected. She was questioning only the significance of making information available to certain third parties, particularly those who are needed to facilitate transmission of communications. In other words, while Justice Sotomayor might well conclude that email is constitutionally protected despite being turned over to a communications provider for transmission, see United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010), neither she nor any other Justice appears to question the general principle that providing information to the public (rather than merely to a communications provider) is an abandonment of privacy. No one would doubt, for example, that this published paper is public and unprotected by the Fourth Amendment.
In keeping with that basic Constitutional principle, federal statutes governing surveillance treat publicly available information as unprotected. For example, the Federal Wiretap Act, 18 U.S.C. § 2511(2)(g)(i), generally regulates electronic surveillance for law enforcement purposes, but provides that it “shall not be unlawful . . . for any person . . . to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” Similarly, the Foreign Intelligence Surveillance Act defines “electronic surveillance” in ways that expressly incorporate Fourth Amendment principles and law enforcement standards, 50 U.S.C. § 1801(f), and requires “minimization” of “nonpublicly available information,” 50 U.S.C. § 1801(h). As noted above, Executive Order 12333 § 2.3(a) provides that Intelligence Community procedures “shall permit collection, retention, and dissemination of . . . [i]nformation that is publicly available or collected with the consent of the person concerned.”
B. Publicly Available Information in the New CIA Guidelines
1. General Limits in the CIA Guidelines.
The CIA guidelines focus on collection, retention and dissemination of information “concerning” U.S. persons. CIA guidelines §§ 2.3, 3.2. The definitions section of the guidelines (§ 12.25) provides that “the phrase ‘information concerning U.S. persons’ includes any information concerning a U.S. person,” which isn’t much help (to be fair, this part of the CIA guidelines is trying to accomplish something else), but in practice the phrase refers to information sent to or from a U.S. person as well as information (regardless of sender or recipient) that is about a U.S. person. Information concerning a U.S. person includes “U.S. Person Identifying Information (USPII),” which the guidelines explain (§ 12.25) “is a subset of information concerning U.S. persons” that is “reasonably likely to identify one or more specific U.S. persons.” The USPII “may be either a single item of information” (e.g., a name, title, address, telephone number, social security number, IP address, or biometric record) “or information that, when combined with other information, is reasonably likely to identify one or more specific U.S. persons.” Id. The CIA guidelines recognize that application of this standard may be contextual and require judgment. Id. The DOD procedures take a similar approach. They refer to the information as USPI rather than USPII, but define it in the same way. DOD Manual 5240.01 §§ 3.2, G-2. Unlike the CIA guidelines, the DOD procedures provide explicitly that USPI may include publicly-available information – e.g., if a person’s telephone number is listed in a public directory – but note that a “reference to a product by brand or manufacturer’s name, or the use of a name in a descriptive sense, as, for example, Ford Mustang or Boeing 737” is not USPI. DOD Manual § G-2. This is consistent with FISA’s treatment of the same issue, see H.R. Rep. No. 1283, Part I, 95th Cong. 2d Sess. 57 (1978) (referring to “trade names such as a Xerox copier, a Boeing 747, etc.”), and with CIA’s minimization procedures implementing FISA.
As a general matter, the CIA may collect information, including information concerning U.S. persons and USPII, only if the collection has “a purpose consistent with [lawful] CIA authorities and responsibilities,” and may collect “only the amount of information reasonably necessary to support that purpose.” CIA guidelines § 3.3. Similarly, as a general matter the DOD procedures permit intentional acquisition of USPI “only if the information sought is reasonably believed to be necessary for the performance of an authorized intelligence mission or function assigned to the [DOD] Component” conducting the acquisition. DOD Manual § 3.2.c; see id. § 3.2.f(2). These baseline requirements preclude, for example, voyeurism or LOVEINT (government officials spying on actual or potential romantic partners), or intelligence collection for partisan political purposes.
Other rules designed to protect the integrity of government and civil rights include bans on “any intelligence activity, including dissemination to the Executive Office of the President, for the purpose of affecting the political process in the United States,” CIA guidelines § 3.3; see DOD Manual § 3.1.a(4); any collection of information about U.S. persons “solely for the purpose of monitoring (1) activities protected by the First Amendment or (2) the lawful exercise of other rights secured by the Constitution or laws of the United States,” CIA guidelines § 3.3; see DOD Manual § 1.2.b(3); and any cat’s-paw efforts to “request any person or entity to undertake any activity” forbidden by the guidelines, CIA guidelines § 3.3; see DOD Manual § 1.2.b(4); see also DOD Manual § 3.1.a(1).
An explanatory document released with the new CIA guidelines explains the First Amendment limit as follows:
In addition, the CIA may not collect or maintain information for the sole purpose of monitoring the lawful exercise of rights secured by the Constitution or United States law, including First Amendment rights. For example, the CIA could not collect the public statements of or about a United States person merely because he or she was making critical statements regarding the United States government. If, however, the CIA were collecting intelligence information about a United States person engaged in international terrorism, the CIA would not have to ignore or remove from its systems public statements made by that individual, because the collection occurred during the course of a duly authorized intelligence activity.
Of course, neither Executive Order 12333 nor the CIA guidelines forbid collection that is based partly, rather than solely, on First Amendment activity. The Foreign Intelligence Surveillance Court, interpreting a similar prohibition in FISA, concluded that it could issue an order even where “[n]one of the conduct or speech” attributed to the subject of the investigation “appears to fall outside the ambit of the first amendment,” because of “related conduct” by others, not constitutionally protected, which underlay the investigation. The CIA and Department of Justice (which is to be consulted on any “significant legal interpretations” of the CIA guidelines, § 11.2) are very likely to have adopted the same approach with respect to the guidelines.
The CIA guidelines permit the use of a collection technique “only if a less intrusive technique cannot acquire intelligence of the nature, reliability, and timeliness required.” CIA guidelines § 4.1. As the CIA explains, “[c]ollection against a United States person must employ the least intrusive techniques feasible that will still obtain the required information in a reliable and timely manner . . . . the Intelligence Community must use the least intrusive collection techniques feasible when collecting information within the United States or directed against United States persons abroad.” See DOD Manual § 3.2.(f)(3)(a) (“least intrusive means”).
2. Limits on Collection in the CIA Guidelines.
As noted above, depending on the nature of the private information and technique used to collect it, the CIA guidelines may require various levels of approval. Section 4 identifies three groups of collection techniques – “basic,” “standard,” and “special” – with varying requirements and approval levels for each. The CIA’s explanatory document, released with the new guidelines, provides a detailed and helpful account of the three levels of activity:
Basic collection generally involves the least intrusive types of collection. Basic collection includes the collection of publicly available information (e.g., searching the public Internet to determine the significance of a United States phone number recovered from a known terrorist’s cell phone) or collecting information with the consent of the United States person in question (e.g., asking them directly for information about themselves). Because the collection of these kinds of information do not represent a significant intrusion on an individual’s privacy rights, and in certain circumstances involve no such intrusion at all, the Attorney General Guidelines do not require special approvals for this type of collection. However, any such collection must still be conducted in accordance with the restrictions in these Attorney General Guidelines and other agency policies. Basic collection must be for an authorized purpose, such as foreign intelligence or counterintelligence, and limited to information reasonably necessary to support that purpose.
Standard collection targeting a United States person includes any collection technique directed at a United States person that is not one of the defined forms of basic collection or a special collection technique (described in the previous and following sections). Examples of standard collection techniques include requesting another government agency to provide their records about a United States person, asking a current CIA asset about the activities of a United States person living in a foreign country, or asking a foreign government for information about the same person. All standard collection techniques require approval by designated CIA officials, but there may be additional restrictions imposed by these Attorney General Guidelines or CIA policies. For example, the CIA may ask the FBI to conduct physical surveillance (i.e., follow a person around) of a United States person in the United States because the individual is reasonably assessed to be involved in espionage or international terrorism. However, the CIA is barred from conducting such physical surveillance in the United States itself except in narrow circumstances where the target of the physical surveillance is a current or former CIA employee or contractor, or someone applying to be a CIA employee or contractor.
The use of special collection techniques is highly restricted. A special collection technique is any technique that would require a warrant if the technique were used in the United States for law enforcement purposes. Electronic surveillance or a search of a home or office are examples of special collection techniques. With narrowly defined exceptions regarding testing and training, the CIA may not use special collection techniques in the United States. The CIA is, however, permitted to ask another federal agency to perform special collection techniques in the United States under that agency’s legal authorities. The CIA may also provide technical equipment or knowledge to another federal agency in conducting authorized special collection in the United States with the approval of the CIA’s General Counsel. The CIA may conduct special techniques outside the United States that target a United States person only with the approval of the Director of the CIA (or his designee), the CIA General Counsel, the Attorney General, and (where applicable) the Foreign Intelligence Surveillance Court.
The DOD procedures likewise require various types of internal or external approvals depending on the collection technique involved (e.g., electronic surveillance may require a FISA Court order, see DOD Manual § 3.5).
3. Publicly Available Information in the CIA Guidelines.
With respect to intentional acquisition of “publicly available information” concerning a U.S. person, which qualifies as a “basic” collection technique, the CIA guidelines generally do not require any special approvals (although an authorized purpose is still required, and collection of very large quantities of publicly available information concerning U.S. persons is subject to additional restrictions under Sections 5 and 7 of the guidelines, as discussed further below). See CIA guidelines §§ 4.2(a), 4.21. As noted above, the key requirements with respect to such collection are that it must be for an authorized purpose, such as foreign intelligence or counterintelligence, and limited to information reasonably necessary to support that purpose. The same is true under the DOD procedures, see DOD Manual § 3.2.c(1), and was true under the prior CIA guidelines, see AR 2-2 § I.1.a(4)(c)(1).
The term “publicly available information” is defined by the CIA guidelines to be the following:
[1] information that has been published or broadcast for public consumption, [2] is available on request to the public, [3] is accessible online or otherwise to the public, [4] is available to the public by subscription or purchase, [5] could be seen or heard by any casual observer (but not amounting to physical surveillance), [6] is made available at a meeting open to the public, or [7] is obtained by visiting any place or attending any event that is open to the public.
The DOD definition is essentially identical, but adds an eighth clause with the clarification that “Publicly available information includes information generally available to persons in a military community even though the military community is not open to the civilian general public.” DOD Manual §§ 3.2.b and G-2. The prior version of the CIA guidelines contained a similar definition, but without any references to the Internet and more modern communications platforms: they defined the term “publicly available” to mean “information that any member of the public could lawfully obtain by request or observations (not amounting to physical surveillance), and information, including public communications, that is lawfully accessible to any member of the public.” AR 2-2G § II.A. The term “public communications” was defined to mean “communications transmitted within frequency bands devoted to AM/FM radio, television, and other broadcasts and communications intended for subsequent broadcast or public dissemination; amateur and CB communications; police, fire, ambulance, navigational aid and distress, and other public service transmissions; and aircraft and maritime communications not connected with land-based telephone lines.” Id.
By referring to information [1] “that has been published or broadcast for public consumption,” the definition in the new CIA guidelines incorporates traditional notions of these terms, including information conveyed by AM/FM radio, television, CB, short-wave, and other open communications platforms, as well as newspapers, magazines, newsletters, and other paper documents made available to the public. The definition seems also to include more modern analogues to traditional broadcast platforms, such as Twitter.
By referring to information [3] “accessible online or otherwise to the public,” the definition includes materials posted on open websites such as Lawfare, or on the shelves of a public library. Depending on a user’s privacy settings, information about Facebook accounts may be available in this way. Where paper or online telephone books exist, they would qualify as well. Thus, for example, CIA explains that it may “search the public Internet to determine the significance of a United States phone number recovered from a known terrorist’s cell phone.” In short, public information may be published or broadcast [1] via traditional means, or [3] via more modern, post-Internet means.
The reference to information [2] “available on request to the public” includes records held in local government offices and courthouses, such as real-estate transactional records, and presumably anything that can be obtained under the federal Freedom of Information Act or its state-law counterparts. At least as a practical matter, however, it probably would not include classified information that is available on the Internet due to unauthorized disclosures – e.g., to WikiLeaks – because the IC still considers such information to be classified. See Executive Order 13526 § 1.1(c).
Information available to the public [4] “by subscription or purchase” reinforces the inclusion of sources such as newspapers, magazines, and newsletters that require payment, but also (when combined with the reference to “online” access in clause [3]) extends to information behind an Internet paywall or held by companies like Lexis/Nexis (which advertises access to “over 45 billion current public records”) and other aggregators of public data, whether on-line or otherwise. In short, public information may be available in paper or online, as requested [2] for no charge or [4] in exchange for payment.
The CIA guidelines deal explicitly with bulk collection, which (in the context of Signals Intelligence) is permitted for at least six specified purposes by Section 2 of PPD-28. The guidelines define “bulk collection” as the “collection of data that, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).” CIA guidelines § 12.2. By referring to “technical or operational” considerations underlying bulk collection, the guidelines seem to have in mind two kinds of situations. The first, motivated by “technical” reasons, is where bulk collection occurs even though the goal of the collection may be narrower, because it is not technically possible to discriminate at the acquisition stage. The second situation, where bulk collection is conducted for “operational” reasons, would include situations in which the bulk collection is actively intended, even if the subsequent use of the data is more narrowly restricted – e.g., the NSA’s bulk metadata collection program prior to the USA Freedom Act. The CIA guidelines require additional documentation of bulk collection, as well as any collection that results in acquisition that is either too large to evaluate for retention or is permitted to be retained without individualized review of data (see discussion below concerning retention and dissemination of unevaluated information). CIA guidelines § 5.1.
As for the DOD procedures, they contain no explicit mention of “bulk collection,” but they do call for additional requirements for “Special Circumstances Collection” depending on the “volume, proportion, and sensitivity of USPI likely to be acquired, and the intrusiveness of the methods used to collect the information.” DOD Manual § 3.2.e. When “special circumstances exist, the DOD component head or delegee must determine whether to authorize the collection and, if so, whether enhanced safeguards are appropriate.” Id. (The DOD procedures provide that in addition to using the least intrusive means of collection, “in collecting non-publicly available USPI,” DOD components “will, to the extent practicable, collect no more information than is reasonably necessary.” Id. § 3.2.f.(3)(a), 3.2.f.(4). By its terms, this requirement does not apply to publicly available information.) If and when NSA prepares its own version of the DOD procedures, likely in the form of an appendix to them, it will presumably deal with bulk collection more explicitly.
The definition of “publicly available information” in the CIA guidelines includes [6-7] information “made available” at a “meeting” or any other “event that is open to the public.” This includes a public rally or protest or other event convened by an organization but open to anyone, including persons who are not members of the organization. It also includes trade or product shows, concerts, and other events that are open to the public, even if admission requires a ticket, including a purchased ticket. By referring to information that “is obtained by visiting any place or attending any event that is open to the public” or could be seen or heard [5] by “any casual observer,” the definition continues to exclude information obtained from “physical surveillance,” and provides for that exclusion explicitly. The term “physical surveillance” is defined in Section 12.19 of the CIA guidelines to be “unconsented following or tracking of one or more persons where such individuals have no reasonable expectation of privacy.” The term “does not include casual observation, which would be short in duration and narrow in scope, and not intended to track the movement of a person.” The DOD procedures use similar language. See DOD Manual § G-2. The prior CIA guidelines, by distinguishing between “observations” and “physical surveillance,” excluded from “publicly available information” the kind of information available only as a result of “(a) unconsented and deliberate observation of a person by any means on a continuing basis, or (b) unconsented overhearing of a non-public conversation by a person who is not visibly present at the location of the conversation.” AR 2-2G § II.A.
The new CIA guidelines also address situations in which an organization convenes an event for, or otherwise conveys information to, its members only, rather than to the general public. It is not entirely clear whether information obtained from members-only sources may ever qualify as “publicly available information.” The definition of that term is limited to information available in one way or another “to the public,” but as noted above one of the ways that information can be available to the public is “on request” or “by subscription or purchase” – concepts that share a fuzzy border with membership in the organization providing the information. In British English, “subscription” is defined by the dictionary to mean membership dues, but even American companies like Apple refer to certain subscriptions as “membership” in the subscription service.
4. Undisclosed Participation in the CIA Guidelines.
The CIA guidelines address this issue of subscription and membership through a set of rules governing official “participation” in organizations located in the United States, with “participation” read to include “joining such an organization.” CIA guidelines § 9.1. The guidelines do not apply to situations in which CIA personnel join organizations entirely in their personal capacities, not related to their employment (e.g., when a CIA officer joins Costco for grocery shopping or opens a personal Facebook account). The DOD procedures similarly define “participation” to include “acquiring membership” in an organization, and similarly do not restrict joining organizations in a personal capacity. See DOD Manual §§ 3.10, G-2.
The CIA guidelines and DOD procedures generally permit, and do not require special approvals for, disclosed participation in an organization, as part of which the officer reveals his or her government affiliation. CIA guidelines § 9.2; DOD Manual § 3.10.d. Such overt participation, and collection that may follow, is regulated by the general limits discussed above. Thus, whether or not a payment is properly characterized as a “subscription” to an organization’s publication or as “membership” dues evincing “participation” in the organization with resulting access to members-only content, no special approvals are required if the collector’s government affiliation is disclosed.
With respect to membership or other participation in an organization that is not disclosed (UDP), CIA personnel may “join or otherwise participate in an organization in the United States” in several situations without special approvals, as long as they are doing so as part of an authorized intelligence activity. First, unsurprisingly, CIA officers or agents “may join or otherwise participate in an official establishment of a foreign government in the United States, such as an embassy.” CIA guidelines § 9.3.1(a). If the CIA can place someone inside a foreign government’s embassy, it could be very useful to U.S. intelligence efforts. As the agency explains in connection with its new guidelines, “the CIA conducts espionage.”
Second, CIA officers or agents may join or otherwise participate in “an organization that is generally open to the public where the organization accepts participants regardless of affiliation and does not require disclosure of affiliation as a condition of attendance or access.” CIA guidelines § 9.3.1(b). This expressly includes “attendance at any seminar, forum, conference, exhibition, trade fair, workshop, symposium” or other event or venue that is open to the public, including an “online forum.” To emphasize the importance of online access, a separate subsection of the guidelines (§ 9.3.1(c)) expressly permits CIA officers or agents to “view, register for, research, join, or otherwise participate in areas available to the public on or via an electronic information network such as the Internet, provided that access . . . is accomplished using interfaces made available by the online area to any member of the public, and provided that the area does not require disclosure of affiliation as a condition of access.” Where disclosure of affiliation is required but the organization accepts all participants, supervisor approval is required. CIA guidelines § 9.3.2(b). Where the organization discriminates on the basis of affiliation, the approval of the CIA Director, with the concurrence of the CIA general counsel, is required to omit or falsify the affiliation as necessary. CIA guidelines § 9.3.2(f). Special internal approvals are also required for undisclosed participation in organizations or events not open to the general public for the purpose of receiving professional certifications, for the purpose of maintaining cover, or if the organization is “international” or run by non-U.S. persons; internal approvals are also required to solicit assistance from pre-existing members of an organization without disclosure to the organization’s leadership. CIA guidelines § 9.3.2.
The DOD procedures are similar, allowing undisclosed participation where an organization conducts an activity that is “open to the public,” including “meetings, seminars, conferences, exhibitions, trade fairs, workshops, symposiums, or similar events sponsored or conducted by an organization, in person or through technical means (e.g., social networking sites, websites, or forums).” DOD Manual § 3.10.f.(1)(d). A DOD official may participate in such activity only where certain other conditions are met, including the requirement that the collection “is not focused on a specific U.S. person,” providing “employment affiliation is not a condition of access,” and participation “does not include the elicitation of” information that is reasonably likely to identify a U.S. person. Compare DOD Manual §§ 3.10.f.(1)(d) with DOD Manual §§ 3.10.f(2)(b); see DOD Manual § G-2. The DOD UDP rules do not apply, however, to collection of “publicly available information on the Internet in a way that does not require a person to provide identifying information (such as an email address) as a condition of access and does not involve communication with a human being.” DOD Manual § 3.10.b.(3). This is a narrow exception, especially given the desire to track users of “free” on-line resources for the purpose of selling advertisements, but might become more relevant if different monetization models and artificial intelligences become more prevalent.
Once part of an organization, CIA officers or agents “may collect publicly available or volunteered information concerning U.S. persons without [special] approvals,” including “information provided by an organization to its members,” and they may ask “questions” to obtain “volunteered” information from other members of the organization. CIA guidelines § 9.3. However, any information provided by other members in response to a “tasking” would not be considered volunteered and would therefore require special internal CIA approvals. Id.
The CIA guidelines do not define the terms “volunteered” and “tasking,” but the distinction is probably analogous to that between “casual observation” and “physical surveillance” discussed above. It is animated at least in part by the need for CIA officers to “live their authorized cover” by participating in organizations – a new member of an organization who never asked questions about other members or shunned information being volunteered would stand out as much as one who asked too many questions. CIA guidelines § 9.3. The DOD procedures are similar to CIA’s guidelines in this respect, and refer to “elicitation” of information: they provide that no special approvals are required to join an organization without disclosure if “membership is open to the public” and if the collection is “solely for the purpose of obtaining information published or posted by the organization or its members and generally available to its members,” but not involving “elicitation” of information. DOD Manual § 3.10.f(1)(b)-(c). DOD officials may also participate in an organization “solely for the purpose of obtaining or renewing membership status in accordance with DOD cover policy.” DOD Manual § 3.10.f.(1)(b). Activities beyond the basic renewal of membership, however, require UDP approvals. Id. This may be sufficient for today, but as the range of social media and other publicly available information expands, including longitudinally beginning in childhood or adolescence, it may be more and more difficult to establish digital personae for undercover agents and officers. There are separate limits for both CIA and DOD when it comes to activity intended to “influence” an organization. See CIA guidelines § 9.3.2(g); DOD Manual § 3.10.e(6)(A).
The CIA guidelines do not separately define the term, but an organization is “open to the public” if no special status is required to join. For example, the ACLU appears to be open to the public (at least to members of the public willing to make a monetary donation), but the Veterans of Foreign Wars is not because VFW eligibility depends on U.S. military service “in a war, campaign, or expedition on foreign soil or in hostile waters.” Under the CIA guidelines and DOD procedures, therefore, an officer could join the ACLU without disclosing his affiliation and without special approval, but she could not join the VFW without higher-level approval. As a member of the ACLU, she could get access to an ACLU newsletter, but could not (without special approvals) try to gather from ACLU members significant information about other ACLU members. As the CIA explains, special approvals would be required if “a CIA officer sought to question a specific individual of the organization to obtain specific information.” This UDP standard is consistent with the fuzzy border between “subscription” and “membership” discussed above.
Although the ACLU and the VFW come in handy to illustrate the meaning of “open to the public,” in one important sense they make poor examples, because undisclosed participation in these organizations under any reasonably foreseeable factual situation would be barred by other aspects of the CIA guidelines. As noted above, UDP must still always be conducted for “authorized intelligence activities” under Section 9.3 of the CIA guidelines, and for a proper purpose under Section 3.3, and in particular the CIA may not conduct intelligence activities against U.S. persons solely for the purpose of monitoring First Amendment or other Constitutionally protected activity. So, the analysis above is not designed to trigger anxiety in the ACLU or VFW, but only to explain what it means for an organization to be open to the public.
5. Retention and Dissemination of Information in the CIA Guidelines.
The CIA guidelines also govern retention, use and dissemination of publicly available information. Publicly available information, including information concerning U.S. persons, may be retained indefinitely (subject to NARA records control schedules), even if it contains USPI. CIA guidelines § 7(a)-(b). The retained information generally may be queried “if the query is reasonably designed to retrieve information related to a CIA authority and responsibility.” CIA guidelines § 7. Information concerning a U.S. person may be disseminated freely within the CIA, and to another IC element if relevant to that element’s responsibilities (or for the purpose of determining whether the information is relevant). Id. Publicly available information concerning U.S. persons, including USPI, also may be disseminated freely. CIA guidelines § 8.2.1(j).
if the CIA obtained a hard drive previously used by a foreign state-sponsored hacking group, that hard drive could contain both information about the hackers and information about United States persons the hackers had collected themselves. Depending upon the amount and nature of information in the hard drive, the CIA might be able to evaluate the information promptly to obtain foreign intelligence, or it might take a great deal of time to determine what portions of the data constitute foreign intelligence information or involve United States persons.
In such a case, the CIA guidelines impose special requirements until the information has been evaluated.
The DOD procedures also govern retention, use, and dissemination of publicly available information. When a DOD intelligence component intentionally collects USPI, whether via a “special circumstances” collection or otherwise, it must “evaluate the information promptly,” but if “necessary, the Defense Intelligence Component may retain the information for evaluation for up to 5 years,” extendable for another five years based on certain findings by a high-ranking official. DOD Manual §§ 3.3.c.(1), 3.3.c.(5); see DOD Manual § 3.3.c.(4). (For information incidentally collected, there is no requirement for prompt evaluation, and if the incidental collection occurred as part of the targeting of a person or place located outside the United States, DOD may retain the information for 25 years. DOD Manual § 3.3.c.(2).)
Retained data may be queried, but queries must be pertinent to an authorized intelligence mission (e.g., not LOVEINT), and must be tailored “to the greatest extent practicable to minimize” the return of non-pertinent information; the DOD component must also document the basis for USPI queries of “unevaluated” information, periodically audit queries to assess compliance, and annually train employees with access to the retained information. DOD Manual § 3.3.f.(1). Where there is a “special circumstances” collection, enhanced safeguards for retention must be considered, such as stronger limits on “review, approval, or auditing of any access or searches” of the information; “[p]rocedures to restrict access or dissemination” of the information; use of “privacy-enhancing techniques” such as masking USPI data; and enhanced access controls, training, or other measures. DOD Manual § 3.3.g. In general, publicly available information may be disseminated to any recipient by properly trained officials. DOD Manual § 3.4.c.(1). However, dissemination of a “large amount of USPI . . . that has not been evaluated” requires additional approvals, apparently even if the USPI is publicly available. DOD Manual § 3.4.d. As is the case under FISA, there is no requirement in the DOD procedures to minimize publicly available information before dissemination. DOD Manual § 3.4.e. The CIA and DOD elements are also subject to the Privacy Act (although the Act contains exceptions, especially for the CIA). Thus, for example, the National Security Agency (NSA) has issued a System of Records Notice (SORN), known as GNSA 18, that describes some of the routine retention and dissemination practices of the NSA with respect to U.S. Persons, maintained in its foreign intelligence holdings.
The new CIA guidelines represent the culmination of a long process, and are a significant step forward. They are updated to reflect the Internet and other current technologies, particularly with respect to publicly available information. They include more detailed rules governing acquisition, retention, querying and dissemination of such information, and the idea of collection that raises special privacy concerns. They deal with the border between subscription-based access to information and membership in the organization providing the information. And they go at least some distance towards addressing counter-intelligence concerns based on the need to establish and maintain undercover digital personae through undisclosed participation in organizations. The detailed explanatory document that CIA provided in connection with the new guidelines is very high in quality, and the fact that the guidelines are entirely public is itself significant (as noted above, the prior version of the guidelines was not released for many years after its adoption). The new guidelines may not be perfect, and can certainly be criticized from the perspective of security or privacy, but they are a major achievement. At this writing, however, one looming question is whether and how the Trump administration will deal with them and the issues they regulate.