A change in rules to the way spies and analysts can collect data may end up being a win-win scenario for those in the intelligence community and U.S. citizens concerned about their personal privacy.
The proposed new policy sets some much-needed parameters on ambiguous directives and laws that may have muddled the information-gathering process.
When “an adversary is involved we need to be able to get those authorities if it involves a court order, if it involves a [Foreign Intelligence Surveillance Act] Court. We need to be able to do that very quickly. It’s about ensuring that we have the right first phase analysis, the right protocols in place that we can act very quickly and get the authority to go to the next level down. I think we have that today, but I think further refining that in an updated directive might be valuable,” said Terry Roberts, founder of WhiteHawk Inc., a cybersecurity company, and analyst at New America.
The policy, which is expected in the coming weeks, makes some major changes to the way the intelligence community can use data with U.S. citizens’ information in it, how long that data can be retained and how it can be disseminated.
Those rules mostly apply to databases of information that are shared between the 17 organizations in the IC and the military. In recent years, the IC and military have made a concentrated effort to collect intelligence information in common databases so data on threats can be easily accessed by any of the agencies.
That way, if the military thinks a terrorist is in a building, it can get information from other organizations about the threat and make sure the threat is actually in the location. Those databases also hold information on American citizens that has been purposely or incidentally collected.
The IC Information Technology Enterprise is the biggest undertaking of the sort.
The policy is “a recognition of how significant [shared data] is to us in the intelligence community,” said Michael Mahar, DoD’s senior intelligence oversight official, at the DoD Intelligence Information Systems Worldwide Conference in Atlanta. “What we’ve done is for the first time established rules and procedures and responsibilities for both the hosts and the participants in these systems.”
When it comes to who can access certain information in those shared databases and how long information can stay in them, the law gets a little fuzzy.
For example, right now the government can gather information on American citizens, but that data doesn’t have a time limit on how long it can be kept until it’s actually used by the IC.
The new policy will change that, and in turn, may bolster the civil liberties of U.S. citizens.
“On the policy side I think it’s a little more protective [of citizens] because we were collecting this stuff anyway and now we are trying to put a little more governance structure around it. Is this leaning a little bit more toward privacy protection? I would say it probably is, because every time you have more governance you’re giving greater clarity on the rule set,” said Todd Rosenblum, a senior fellow at the Atlantic Council.
Rosenblum agrees with Roberts that the new policy may make it easier for the IC to do its job.
“A system as large as [the Defense Department] having cleaner rules for operating within itself is a good thing,” Rosenblum said. “The idea of doing better at synchronizing the rules of why information is collected, how long it’s going to be stored and who it’s going to be shared with is a huge leap forward, but this is never going to be a clean, solvable issue.”
While a new directive may at least help simplify the Gordian knot that is intelligence data collection, actually implementing that policy is another monster in itself.
It’s one thing to say only certain people will have access to the most sensitive and personal information on U.S. citizens in the databases, but actually achieving it is another story.
The same goes for making sure data is actually deleted safely when the government is required to get rid of it.
The government needs serious enterprise management and IT to accomplish the goals of the policy.
Mahar listed off a bunch of areas where industry will be needed in the implementation process.
“That is an IT challenge when you are talking about over 150,000 intelligence professionals that are engaged in some aspect of collection, retention, dissemination and analysis or IT support,” Mahar said.
Mahar said the IC will need a computer-based training program to train its employees. It will also need industry’s help creating a system that can sift through and tag personal information. DoD is also looking to industry for ways to document the legitimacy of searches in the database to prove it is for a mission.
Those are only a few of the department’s needs for the policy.
“The main thing they need from industry are systems that have a good auditing footprint,” Rosenblum said. “This is very doable in the technology world, where you set up a set of rules of ‘Does the person from this particular organization have a need to know? Does a unit within an organization have a need to know?’ That’s kind of straightforward and that’s sort of underway. The larger you scale it up the harder it is to capture it cleanly.”
Roberts said industry is the critical linchpin that government has to work with because they own and operate the networks and retain the communication datasets.
“There may need to be updated regulations regarding the internet service providers and the managed service providers who also are holding ten-fold, a hundred-fold more data on private citizens than the government is. Our current communications mechanisms now have put in the hands of primarily industry a tremendous amount of our private information. None of these conversations can happen only on the government side,” Roberts said.
She added that government and industry should be able to get something done within a year.