Published by The Lawfare Institute
in Cooperation With
In July 2017, Privacy International and Yale Law School’s Media Freedom & Information Access Clinic (MFIA) filed a lawsuit against the National Security Agency, the Office of the Director of National Intelligence (ODNI), the State Department, and the National Archives and Records Administration seeking access to records related to the Five Eyes alliance under the Freedom of Information Act. The Five Eyes alliance emerged from spying arrangements forged during World War II and facilitates the sharing of signals intelligence (SIGINT) among the U.S., the U.K., Australia, Canada and New Zealand.
At the time Privacy International and MFIA filed the lawsuit, the most recent publicly available version of the agreement governing the Five Eyes alliance—known as the UKUSA Agreement—dated back to 1955. That version of the agreement provides that the Five Eyes are to share, by default, all SIGINT they gather, as well as methods and techniques relating to SIGINT operations. An appendix to that agreement elaborates further that the Five Eyes are to share “continuously, currently and without request” both “raw” (that is, unanalyzed) intelligence in addition to “end product” (intelligence that has been subjected to analysis or interpretation).
Beginning in December 2017, the NSA and the State Department began making disclosures in response to the lawsuit. We’ve written previously about some of the records disclosed by the government and what they reveal about the government’s approach to classification and publication of these types of agreements. In September 2018, the NSA released several additional batches of records, containing disclosures that significantly enhance our understanding of the history and nature of the UKUSA Agreement. Below, we summarize the most interesting of these disclosures and how they update what we know about the Five Eyes intelligence-sharing arrangement. Privacy International has also made available on its website the records the government disclosed. Nevertheless, critical questions regarding the Five Eyes alliance, including its implications for the constitutional rights of Americans, remain.
Snapshots of the UKUSA Agreement from the 1970s to the 1990s
Among the records the government has produced is a series of documents, dating from the 1970s to the 1990s, that aid our understanding of the history and nature of the UKUSA Agreement, particularly as it has evolved over time.
In 1972, a historical officer at the NSA produced a “Memorandum for the Record” entitled
“Historical Note on the UKUSA COMINT Agreement,” which provides further insight into the formation of the agreement. It begins by noting that “[t]he question occasionally arises as to the governmental levels at which the UKUSA COMINT Agreement was authorized or approved” but quickly clarifies that “the President of the United States authorized an agreement in this field, and that the British Foreign Minister must have been aware of it.” (Compare that with, for example, the statement by David Lange, the former prime minister of New Zealand, who remarked that “it was not until I read [the] book [“Secret Power” by Nicky Hager, which details the history of New Zealand’s Government Communications Security Bureau] that I had any idea that we had been committed to an international integrated electronic network.” He continued that “it is an outrage that I and other ministers were told so little, and this raises the question of to whom those concerned saw themselves ultimately answerable.”)
As support for the NSA’s history of the agreement, the memorandum attaches a 1945 memorandum from President Truman authorizing the then-secretary of war and the secretary of the Navy “to continue collaboration in the field of communication intelligence between the United States Army and Navy and the British, and to extend, modify or discontinue this collaboration, as determined to be in the best interests of the United States.” This presidential memorandum is of particular interest because it provides evidence that the president directly authorized the various military branches to determine the future course and contours of the UKUSA Agreement. This arrangement has not necessarily been clear to the public (nor was it clear, based on the wording of the 1972 memorandum, to the NSA itself). Interestingly, President Truman’s memorandum was not among the documents the NSA released in 2010 relating to the history of the UKUSA Agreement, which cover the period between 1940 and 1956.
In December 1985, the NSA produced what it described as “a review of the NSA-GCHQ [U.K. Government Communications Headquarters] SIGINT relationship including an assessment of the present value of the exchange and identifiable problems.” The purpose of the review was “to serve as a basis for determining … plans for the conduct of this relationship in the future, for any improvements/changes regarding control and accountability of the existing exchange, as well as developing proposals for additional contributions which should be made by each party.” The document provides one of the clearest explanations of the status of the UKUSA Agreement and a detailed overview of its scope and operation at this point in time.
With respect to the origins of the agreement, the “Background” section of the document describes how “SIGINT collaboration with the UK began in 1941 and was formalized in the UKUSA Agreement of 1946.” Significantly, however, the section goes on to explain that the agreement “was so generally written that, with the exception of a few proper nouns, no changes to it have been made” and that “[t]he principles remain intact, allowing for a full and interdependent partnership.” (The NSA’s 2010 release of documents relating to the history of the UKUSA Agreement include both the original agreement and an updated version of the agreement, concluded in 1955, the main texts of which are nearly identical.)
The “Background” section notes that “[o]ver the years numerous appendices have been added [to the agreement] to cover specific areas of widening interest and ever-increasing sophistication.” Annex B to the document—“A Description of the Appendices to the UKUSA Agreement”— is perhaps the most complete inventory that we have to date of the agreement’s appendices and includes a short explanation of each appendix. Notably, Annex B divides the appendices into two categories—those “that may be amended only by board agreement” and those “which the directors, NSA and GCHQ, may change or interpret by mutual agreement.”
The “Background” section further indicates that “Divisions of Effort (DOE) and/or understandings between NSA and GCHQ are undertaken to respond to existing requirements.” (Annex C to the document—“Details of UKUSA Division of Effort”—may offer further details on how DOEs are concluded and what they cover but is entirely redacted.) Later in the document, in a section called “Areas of Cooperation/Exchange,” the NSA admits that while “[t]here are many MOA’s [Memoranda of Agreement] and MOU’s [Memoranda of Understanding] between the parties; however, a significant amount of division of effort is accomplished without any formal DOE or MOU and has evolved through cooperation engendered by personal contact and exchange.” The document then notes that “[a]n understanding is created on each target of mutual interest in terms of collection, processing and reporting.”
The document offers some insight into how the two agencies manage this kind of fluid and informal division of effort. In addition to integrating analysts into each other’s headquarters and running joint operations, the two agencies exchange “[a] great number of visits” from “various levels of personnel from the Directorate down” ranging from “analyst-to-analyst discussions, conferences, periodic meetings, management/planning reviews and consultations, [and] Directorate level policy decisions.” In addition, the two agencies hold a number of conferences, typically “on an annual basis” with two of the most significant being the “Program Management & Review” and “Joint Management Review” conferences. The former involves “Senior Management participation” while the latter involves “Senior Management, at Deputy Director level, participation.” (Additional conferences listed are redacted.) (Privacy International has previously discussed the extent and nature of Five Eyes coordination in a report and in its ongoing case against the U.K. government, which challenges, among other issues, its access to intelligence gathered by the U.S. government.)
In addition to clarifying the nature of the original UKUSA Agreement and how the NSA and the GCHQ have adapted it over time, this document confirms our understanding of the broad scope of the UKUSA Agreement. In the “Background” section, it observes that “the basic agreement … for the exchange of all COMINT results including end product and pertinent collateral data … for targets worldwide, unless specifically excluded from the agreement at the request of either party” has “[o]ver the years … been the case.” In its high-level “Findings/Conclusions,” it also documents that “[t]here is a heavy flow of raw intercept, technical analytic results, and SIGINT product between NSA and GCHQ.” Additional language contained in the “Findings/Conclusions” section has been redacted. And in its concluding “Areas of Cooperation/Exchange” section, it indicates that “GCHQ-NSA SIGINT exchange involves a sharing of a wide variety of targets worldwide, ranging from military activities to [REDACTED] terrorist activities, and [REDACTED]” and “includes the exchange of material (raw intercept, analytic, product) on [REDACTED].” The document hints at how the two agencies facilitate such sharing in practice, including by ensuring that the “GCHQ has direct access to NSA computer systems.”
Finally, the “Background” section notes that the nature and scope of the agreement between the NSA and the GCHQ extends to third-party countries as well. It explains that “the agreement makes provision for obtaining agreement between the two partners for COMINT relationships established with Third Parties and to ensure that materials received from such Third Party arrangements are made available to GCHQ and NSA.” It adds that “special consideration” has been given to “Canada, Australia, New Zealand and to not consider them as Third Parties.” (This special consideration is documented in Appendix J of the 1955 version of the agreement and gives rise to what we now know as the Five Eyes Alliance.)
In 1994, the NSA director of foreign relations issued an action memorandum, which appears to request input from various divisions within the agency regarding another review of the UKUSA Agreement. The memorandum notes that the purpose of the review is to “satisfy the foreign reviews and audits currently underway with Congressional, DoD [Department of Defense], and GAO [Government Accountability Office] staffs, in addition to providing a comprehensive study of current exchange policies with GCHQ.” The memorandum further notes that the Operations Directorate had already initiated “an operational review … to include a list of what is not currently exchanged with the British, what we should not exchange in the future, and new things that should be exchanged in the future,” documented in a 1993 memorandum included as Attachment A. The 1994 memorandum also indicates that a second attachment consists of a template for presenting “(1) by country, and (2) by topic … exactly what is exchanged in terms of raw traffic, product and technical reports, [REDACTED] technology, etcetera.” Finally, it orders that “[w]here possible,” “copies of any Memorandums of Understanding or Divisions of Effort between NSA and GCHQ be provided in support of the exchanges [REDACTED].”
The most interesting aspect of this disclosure is the attached 1993 memorandum, which describes the Operations Directorate’s ongoing operational review of the UKUSA Agreement. First, it states that there is “no single document [that] exists in sufficient detail to serve as such an agreement,” confirming to some extent the description of the evolution of the UKUSA Agreement in the 1985 document discussed above. Second, it admits that “to list what IS shared would be extremely expensive in terms of required man-hours.” It therefore proposes “to break the task into three parts,” consisting of (1) “[l]isting in sufficient detail those things that are not (to the best of your knowledge) exchanged with the UK today,” (2) “those things that managers and senior technical experts believe may well need to be altered or declared unexchangeable in the near future (5-8 years out or less),” and (3) “those new things that should be exchanged with the UK in the future.”
In 1997, the NSA produced a background paper on the “US-UK Cryptologic relationship” for President Clinton in advance of his upcoming meeting with then-U.K. Prime Minister Tony Blair. The paper describes the relationship as “based on a formal ‘UKUSA Agreement,’ which was signed in 1946, and includes numerous supporting agreements signed over the years with NSA’s counterpart, the Government Communications Headquarters (GCHQ).” The paper also confirms that the agreement’s original understanding of “unrestricted” exchange “except for those areas that are specifically excluded (e.g. U.S. ONLY information) at the request of either party” continues into this period. The language immediately following this statement is redacted.
One line stands out in particular: “Some GCHQ [REDACTED] exist solely to satisfy NSA tasking.” The unredacted portion of this sentence may indicate that the NSA is—or, at least, was—directly outsourcing certain SIGINT activities to the GCHQ. What we know about the purpose of the UKUSA Agreement certainly suggests this type of activity could fall within its scope. Appendix C of the 1955 version of the UKUSA Agreement discusses how the object of the agreement “is to ensure that maximum advantage is obtained from the combined available personnel and facilities of both parties.” Government officials have also acknowledged the pooling of resources among the Five Eyes. Former Defense Secretary Caspar Weinberger, for example, has observed that the “United States has neither the opportunity nor the resources to unilaterally collect all the intelligence information we require. We compensate with a variety of intelligence sharing arrangements with other nations in the world.” But the language contained in the background paper is a particularly stark suggestion of outsourcing.
This undated document is authored by one of the NSA’s special U.S. liaison officers (SUSLO-4). SUSLO-4 describes it as “an honest effort … to describe the strengths and weaknesses of the UKUSA relationship so that NSA might better be able to make some hard decisions about the future of the relationship.” This document is a particularly fascinating disclosure because it is one of the few to reveal and discuss tensions in the UKUSA relationship. While much of the document is redacted, the language that has not been expresses alarm regarding certain aspects of the NSA-GCHQ relationship.
The document notes particular concern regarding the exchange of personnel between the two agencies. It indicates that “[a]side from the respective liaison staffs, NSA and GCHQ exchange large number of integrees” and that “in recent years, some operational and staff elements in GCHQ have begun to use integrees as their representatives, and some integrees have assumed liaison-like functions.” The document continues, noting that “[m]aking matters worse has been a recent trend to send integrees to function as special assistants, sometimes to alpha plus-one components working sensitive missions” meaning that “they also serve as lobbyists for GCHQ seniors in policy matters.”
Below, we discuss several newly released NSA policy documents, which clarify the policies governing Five Eyes partner access to U.S. SIGINT and help elucidate the distinction between a liaison and an integree. USSID FA6001, which addresses “Second Party SIGINT Relationships,” describes the “Special United States Liaison Officer (SUSLO)” as “represent[ing] ODNI … in all SIGINT relationships with that Second Party, and, in so doing, execut[ing] National Intelligence Board (NIB) policy guidance.” Presumably, liaison officers from the other Five Eyes partners play a similar role vis-a-vis the United States. By contrast, NSA/CSS [Central Security Service] Policy 1-13, which addresses the policies and procedures for integrating Five Eyes partner employees into the NSA defines “Second Party Integrees” as individuals “who … are working solely under the direction and operational control of the DIRNSA/CHSS [Director of the NSA/Chief of the Central Security Service] to conduct cryptologic or information assurance activities that support NSA/CSS mission.” In other words, whereas the role of a liaison officer is to explicitly advocate for the interests and policies of the second party that they represent, the role of an integree is more operational in nature and intended to support the activities of the host agency.
The document provides two specific, troubling examples regarding integrees. First, it described how a GCHQ official “[r]ecently … lobbied hard to place an integree in” a particular position within the NSA, which the NSA “rightly rejected … as it would give GCHQ insight into certain sensitive operations we do not share.” Second, it described how “[i]n another instance a strategically placed GCHQ drafted an MOA that committed [REDACTED] assistance from NSA to GCHQ” and concluded that “without addressing the correctness of this assistance, the propriety of this situation is disturbing.” The second example is of particular interest because the disclosures as a whole reveal that the UKUSA Agreement’s evolution over time has taken place through the exchange of MOUs/MOAs and DOEs (and, in some instances, without any written documentation). This example suggests a lack of oversight, at least at the time the document was written, as to how all these various arrangements are hashed out.
Indeed, the document then points to a broader lack of organization and control over the UKUSA relationship. It notes that whether it is exchanging SIGINT or integrees, the mode of interfacing with the GCHQ evolves based on myriad decisions at various levels within the NSA. It asks:
Do we need to have an overall policy to ensure that these agreements are consistent with our plans for the future? For instance, should we determine a modus vivendi for exchange of integrees? Should the type of work be limited by charter? Should there be a common NSA position on the number and kind of electronic interfaces between NSA and GCHQ? Should the number be driven by NSA design or by GCHQ needs?
Five Eyes Partner Access to U.S. SIGINT
Among the records that the government has produced are several previously unreleased NSA policy documents, all dated within the past seven years, that illuminate a long-opaque feature of the Five Eyes relationship—the policies governing Five Eyes partner access to U.S. SIGINT.
U.S. Signals Intelligence Directive FA6001 addresses the many ways that U.S. SIGINT flows throughout the Five Eyes, albeit at a high level. Specifically, Annex B of the directive discusses the “Release of U.S. SIGINT Information to Second Party SIGINT Organizations” and notes that Five Eyes partners:
- Collaborate on a wide range of targets, with MOUs or DOEs, which are provided to the NSA/CSS Office of Corporate Policy, documenting the specific targets and degree of collaboration.
- “[R]eceive raw traffic, technical material, and serialised SIGINT reports derived from the U.S. effort on mutual targets.”
- Receive “intelligence information on issues impacting international relations, and on events related to the partners’ political, economic, military, or security interests.”
Though this annex partially answers how the U.S. shares information with its Five Eyes partners, it also raises more questions: What is the scope of “targets” for which the countries collaborate? How “targeted” are they? And what kinds of authorization processes do each of the agencies undergo before agreeing to collaborate on mutual “targets”? Despite what we’ve learned at a general level about the content and nature of Five Eyes information sharing, these more specific contours remain largely unknown.
Signals Intelligence Directorate Management Directive 427 is originally dated Aug. 1, 2009, but was subsequently revised on Dec. 28, 2013, and more recently on Sept. 14, 2015. This directive is most notable for its discussion of Five Eyes partner access to data that haven’t been evaluated for foreign intelligence value or gone through the minimization process. The directive addresses Five Eyes personnel access to “NSA-CSS maintained databases or data sets” and then specifies that such databases or data sets should “only contain classified information marked releasable to that partner” or be “capable of restricting access only to that data which is marked as releasable to that partner.”
The value of these limitations depends on the definitions of “databases” and “data sets.” The directive later defines a data set as “a large collection of intelligence data that has not been evaluated for foreign intelligence or minimized to protect U.S. identities but is not a formal database subject to the SIGINT Contact Center (SCC) process” and may also be “[a] data feed such as would be needed for a research/development effort.” This definition suggests that data sets may contain “data that has not been evaluated for foreign intelligence or minimized to protect U.S. identities,” which raises questions as to how the U.S. restricts in practice what should or shouldn’t be accessible to their Five Eyes partners.
The directive defines a database as “a structured collection of records or data that is stored in a computer system and organized in a data management system for quick retrieval of those records.” It further notes that a database “is generally subject to the SCC process or a similar access control” but does not clarify what the SCC process is or to what (other) extent the data have been evaluated or minimized before being retained in a database.
The directive also discusses, although at a very high level, the procedures before a Five Eyes partner can access data. For partners working from within their own country’s SIGINT agency, there appears to be a registration process in addition to training and auditing. However, the Snowden disclosures revealed how insubstantial training for NSA analysts can be, which continues to raise doubts about training requirements for Five Eyes partners. For Five Eyes partners who are integrated within a U.S. SIGINT component, there’s a requirement to list databases or data sets that they’ve accessed.
NSA/CSS Policy 6-20 is originally dated March 31, 2014, but was revised Nov. 8, 2016. Though this policy mainly addresses the grainier details of Five Eyes partner access to NSA systems, it also holds some interesting insights.
The policy cites the UKUSA Agreement as its governing basis for information sharing (as do the two policy documents discussed above). However, this policy also notes the existence of “subsequent bilateral understandings with each Second Party partner,” before proceeding to outline three relevant bilateral understandings, although two out of the three are redacted. The policy also notes, as a more general matter, that MOUs shall govern system connection and access policy and that these documents will be maintained by the Office of Policy.
The policy also mentions that Five Eyes partners are explicitly prohibited from accessing “U.S.-only keying materials or Nuclear Command and Control Information Assurance Materials (NCCIM).” However, the policy does not define “U.S.-only keying materials” and it is not clear what types of materials would fall under this category. It therefore says little about the bounds of what Five Eyes partners may and may not view.
NSA/CSS Policy 1-13 addresses the policies and procedures for integrating Five Eyes partner employees into the NSA. The NSA also disclosed what appears to be a forerunner of this document, a NSA/CSS Directive on “Second Party Integrees” dated Nov. 26, 1990. Both documents may be of interest in light of the discussion above of the undated record, “An Assessment of the UKUSA Relationship: Where We Go From Here,” which raises concerns regarding GCHQ integrees and the lack of policy governing them.
Questions, Answers ... and More Questions
Taken together, these documents begin to flesh out some of the unknowns surrounding the Five Eyes relationship. Thanks to this litigation, we’ve learned much more about the UKUSA Agreement’s history and evolution, as well as its current policies governing the flow of U.S. SIGINT within the Five Eyes. However, while these documents have answered some of our questions, they continue to leave many others unaddressed and have prompted even more.
For example, these disclosures have helped clarify the basis of the Five Eyes alliance, which appears to continue to be the general language of the original 1946 agreement, supplemented by appendices and a potentially dizzying array of memoranda of understanding and divisions of effort (not to mention more informal arrangements). Yet the government was unable to locate, let alone produce, most of these additional records. That failure suggests continuing challenges to manage a sprawling intelligence-sharing enterprise, hinted at in the disclosures discussed above. Without clear sight of these various records forming the UKUSA Agreement, we continue to remain in the dark about the overall nature and scope of intelligence sharing among the Five Eyes, particularly as it is carried out today.
Even more troubling, we still don’t know the rules, if they exist, that govern U.S. intelligence agencies’ access to and dissemination of Americans’ private communications and data. What happens to U.S. persons’ information when it’s collected by partner agencies? When it’s collected by the U.S. and shared with partner agencies? Whether purposely or inadvertently? Does the U.S. allocate targeting efforts to partner agencies that may include the collection of U.S. persons’ communications and data? If so, do the same rules apply as when the U.S. collects those persons’ communications and data directly? The government has so far failed to produce any documents that address these questions. While we’ve further elucidated some of the history of the UKUSA Agreement and nature of the Five Eyes relationship, we still don’t fully understand their impact on the constitutional rights of Americans.