Published by The Lawfare Institute
in Cooperation With
Just before John Brennan ended his term as director of the CIA in 2017, his agency issued a new set of guidelines under Executive Order (EO) 12333, the general charter that governs the intelligence community. Entitled “Central Intelligence Agency Intelligence Activities: Procedures Approved by the Attorney General Pursuant to Executive Order 12333,” the guidelines received little attention. A year prior, in 2016, the Department of Defense had published a similar set of guidelines: “DoD Manual 5240.01: Procedures Governing the Conduct of DoD Intelligence Activities.” Beyond a single post on this site—and a post one year later comparing these procedures with guidelines newly released by the CIA in 2017—this manual, too, went essentially unnoticed.
Despite this lack of attention, these documents are vitally important to understanding the nature and scope of the intelligence community’s surveillance activities—including in ways directly relevant to the Edward Snowden controversy. Known as attorney general guidelines, they determine how each intelligence agency gathers, analyzes and disseminates intelligence under EO 12333.
The Defense Department and CIA procedures represent the intelligence community’s first coordinated effort to publicize its updated guidelines. But while the CIA and the Pentagon have issued new versions of their attorney general guidelines, other agencies have not. Most notably, the National Security Agency (NSA) has not yet completed its revision of its own procedures, U.S. Signals Intelligence Directive (USSID) 18. The significance of the NSA’s guidelines must be underscored. The NSA is the primary agency responsible for gathering signals intelligence. In 2017, for example, it gathered more than 534 million records of phone calls and text messages from telecommunications firms. As a result, a significant swath of intelligence and U.S. persons information (USPI) may be subject to procedures that are either outdated, because of advancements in technology, or inconsistent with other agencies’ procedures.
This concern is not just hypothetical. Our recent review of agencies’ attorney general guidelines in the Journal of National Security Law & Policy demonstrates that intelligence agency procedures have varied both within an agency and across agencies in the intelligence community. As a result, it is difficult for the intelligence community’s key constituencies—Congress, the public and even the agencies themselves—to determine the scope of intelligence gathering under EO 12333. The Department of Defense and the CIA have made significant strides toward addressing this concern. But while the NSA update remains pending, the various attorney general guidelines continue to be out of sync. It is therefore urgent that the NSA release its updated version of USSID 18.
EO 12333 and the Structure of the Intelligence Community
In large part, the variation in attorney general procedures stems from EO 12333’s delegation of authority to agencies dispersed throughout the intelligence community. Issued in 1981, EO 12333 establishes the broad framework for the intelligence community’s conduct of foreign intelligence activity. The intelligence community’s activity, in turn, is determined largely by agencies’ own intelligence procedures. EO 12333 specifies that each agency may conduct foreign intelligence activity only in conformity with procedures developed by each agency head and approved by the attorney general. Executive agencies therefore retain substantial discretion to determine when foreign intelligence gathering begins, how long communications are retained, and with which entities, and in what form, information may be shared.
This discretion is particularly notable in the context of EO 12333. Although the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act (FAA) regulate some foreign surveillance, their reach is limited largely to “electronic surveillance” as defined in the act. Where it applies, FISA takes precedence over EO 12333. But outside that narrow ambit, the intelligence community’s foreign intelligence activity is governed solely by the order.
Over time, the attorney general procedures have gained considerable variation both within each agency and across the intelligence community, particularly in their definitions of key terms central to the scope of intelligence gathering. In large part, the intelligence community’s diffuse structure accounts for this drift in the meanings of terms: Composed of 17 member organizations, the intelligence community includes two independent agencies; eight Defense Department elements; and seven elements of other departments and agencies. As the Office of the Director of National Intelligence (ODNI) itself has recognized, it is difficult for these elements to independently adopt a unified approach to intelligence community-wide policies, much less consistent definitions of specific technical terms.
Congress has attempted to drive consolidation through structural reform, like the 1947 National Security Act and the Intelligence Reform and Terrorism Prevention Act of 2004, which created, respectively, a director of central intelligence and the director of national intelligence. But critics caution that these reforms have not done enough to integrate the intelligence community fully. Consequently, power remains dispersed and each agency continues to enjoy discretion in implementing EO 12333.
Definitional Inconsistencies in the Attorney General Guidelines
To assess procedural variations both across agencies and across time, we examined three of the intelligence community’s manuals for our review article: the Defense Department’s current manual (5240.01), issued in 2016; the Defense Department’s previous manual (5240.1-R), issued in 1982; and the NSA’s current manual (USSID 18), issued in 2011. As with any administrative agency’s guidance, these manuals provide intelligence agencies with ground-level instructions on how to conduct foreign intelligence surveillance. Notably, the NSA is subordinate to the Defense Department. While the NSA retains its own guidelines, theoretically, these instructions should complement those of the Department of Defense.
Intelligence agencies’ broad discretion to develop their own procedures, however, has allowed definitional inconsistencies to emerge. By itself, these inconsistencies aren’t unusual or alarming. Government regulation often results in confusion in the meaning of terms over time. But in the context of intelligence gathering, inconsistencies can have troubling consequences—both for the scope of intelligence activity and for independent bodies’ ability to oversee agency compliance.
Take, for example, the definition of the term “collection.” What qualifies as intelligence collection is critical to the scope of intelligence activity because it determines when intelligence gathering begins. Although it never provides its own definition, EO 12333 repeatedly refers to collection as the beginning of the intelligence gathering cycle. The agencies themselves elaborate on EO 12333’s general guidance by defining collection in their internal procedures. As we chart in greater detail in our article, the Defense Department’s and the NSA’s definitions of collection vary significantly, even though the NSA is a subordinate agency of the Pentagon.
The Defense Department defines collection as intelligence gathering at a much earlier point than the NSA’s. Under DoD 5240.01, the department’s current manual, “information is collected when it is received by a Defense Intelligence Component,” regardless of how that information is “obtained or acquired.” By contrast, the NSA’s current version of USSID 18 states that collection “means [the] intentional tasking or SELECTION of identified nonpublic communications for subsequent processing aimed at reporting or retention as a file record.” As a result, collection for the Defense Department’s purposes appears to involve no processing or action; information is collected as soon as it is received. For the NSA, however, collection begins only once the information has been “selected” and put to further use.
What’s more, the Defense Department’s previous manual, 5240.1-R, established a third definition of collection somewhere between those of 5240.01 and USSID 18. 5240.1-R states that information is collected when it has been “officially accept[ed]” and “processed into [an] intelligible form,” such as deencryption. Whereas DoD 5240.1-R started the collection clock when the data is intelligible, and DoD 5240.01 now begins it once the information is received, the NSA appears to require that someone actually be reading that data for collection to have commenced.
Outside the intelligence community itself, the technical terms used by these manuals make these differences, and their significance, difficult to see. Under the NSA’s attorney general guidelines, for example, vast amounts of intelligence could be gathered without technically being collected. This means that, on paper, none of the guidelines’ subsequent protections for or limitations on the use of that intelligence apply when the information is first received. In theory, the NSA’s guidelines might permit the agency to gather significant amounts of unprocessed intelligence and then store it indefinitely.
Our article identifies and examines similar inconsistencies in the intelligence community’s use of “acquisition” and “targeting.” It’s possible that the NSA’s updated version of USSID 18 addresses these concerns. Until the NSA issues that manual, however, the attorney general guidelines remain inconsistent across the intelligence community. It is therefore urgent that the NSA complete its revisions—and also imperative that the intelligence community adopt longer-term solutions to preventing definitional inconsistencies in the future.
Releasing USSID 18
In August 2013, David Medine, the former chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), wrote to then-Attorney General Eric Holder and then-Director of National Intelligence James Clapper to express his concern that intelligence agency guidelines “have not comprehensively been updated, in some cases in almost three decades, despite dramatic changes in information use and technology.” Although some agencies had revised their procedures internally, none had been publicly released.
The Defense Department and CIA’s revisions to their attorney general guidelines represent a significant step toward addressing the PCLOB’s critiques. These revisions also enabled the agencies to adopt a uniform understanding of key terms that determine the scope of intelligence activity.
The necessity of creating such a uniform understanding extends beyond the attorney general procedures themselves. For example, in January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28) to guide “why, whether, when, and how the United States conducts signals intelligence activities” in response to foreign and domestic concerns regarding U.S. intelligence gathering that the Snowden disclosures sparked. As the PCLOB recently noted, however, PPD-28 failed to define the term “signals intelligence activities.” Rather, PPD-28 left to each intelligence agency discretion to determine the directive’s scope. As a result, the report explains, “the lack of a common understanding as to the activities to which PPD-28 applies has led to inconsistent interpretation and could lead to compliance traps[.]” The PCLOB ultimately recommends that the ODNI issue more specific guidance in order for PPD-28 to “[apply] uniformly throughout the [intelligence community].”
To be sure, definitional inconsistencies are not unique to the intelligence community. There are inevitable differences in the meanings of terms across any body of law. But the intelligence community’s distinct characteristics make these differences particularly troubling. Most notably, the surveillance programs governed by EO 12333 are often classified and, therefore, less amenable to public oversight. Publication of the attorney general procedures acts as a check on the intelligence community’s foreign intelligence activity by facilitating public and congressional oversight.
In the absence of updated, uniform procedures, however, the attorney general guidelines cannot fulfill this role. Our article proposes several long-term solutions to constrain executive discretion and curb inconsistencies across the intelligence community. For example, the executive branch could issue a glossary that would define all of the terms across agencies. The ODNI or the National Security Council’s director for intelligence could coordinate an interagency process to produce the document, allowing each agency to participate. A glossary would leave the executive’s discretion unaffected, but it would ensure standardization across agencies and likely increase the stickiness of these definitions. Alternatively, Congress could play a role, either by creating an additional oversight body (like the PCLOB) to preclear terms or, more likely, by enacting legislation that either defines key terms or requires that manuals be updated regularly in a manner that maximizes conformity across agencies. As noted above, FISA provides a definition of electronic surveillance that is binding across the intelligence agencies. Congress could similarly specify when intelligence gathering begins.
Some of these proposals may not be viable in the long term. Fixed congressional definitions of key terms, for example, might unduly interfere with each intelligence agencies’ operations and would likely be met with resistance from the intelligence community. To assess the feasibility of any of these proposals, however, we must first understand the extent to which the intelligence community has begun to address on its own the issues we have described. The Defense Department and the CIA have taken the first step forward. It’s time for the NSA to do so and release its updated attorney general guidelines as well.