The Evolution of DHS Intelligence Review Policy

Last week, one of us published internal documents from the Department of Homeland Security’s Office of Intelligence and Analysis (I&A) illustrating how I&A streamlined its publication of intelligence reporting at the expense of civil rights and civil liberties review.

The memos described changes to a document called the IA-901, which establishes I&A’s responsibilities and procedures for the production and review of DHS’s intelligence products. The documents showed how the 2020 IA-901 departed in several significant respects from the 2016 guidance it replaced in order to fast-track the dissemination of intelligence.

As last week’s post explained, whereas I&A previously sought review on privacy, civil rights, civil liberties, and legal grounds of intelligence reports disseminated beyond the federal government, the office now only has to do so when specific criteria apply. Whereas disputes between I&A and the reviewing offices were previously resolved by the deputy secretary of the Department of Homeland Security , the 2020 IA-901 calls for resolution “at the lowest possible level” and gives the head of I&A final power to resolve I&A’s disputes with reviewers. The new guidance also allows I&A to impose time limits on review and to waive them when necessary.

We have now obtained three distinct versions of the full IA-901 document: one from 2013, one from 2016, and the new one. In this post, we attempt to trace the development of I&A’s procedural reviews, time frames and dispute resolution structures over the past several years.

As we shall show, the exercise sheds significant light on I&A’s aggressiveness over the last few months—showing how the office has been unleashed both procedurally and substantively and undone some of the rule-tightening imposed in response to previous episodes of overly-aggressive intelligence reporting by I&A.

The 2013 IA-901 Policy Instruction

The 2013 guidance is relatively brief. It totals only eight pages and sets forth guidance pertaining to basic production, clearance and dissemination procedures for I&A intelligence products.

It specifies that “I&A products that refer to or describe the activities or beliefs of (i) a U.S. person or (ii) any person or group of persons reasonably believed to be physically present in the United States must be reviewed and cleared by” four reviewing offices: The Office for Civil Rights and Civil Liberties (CRCL), the Privacy Office (PRIV), the I&A Intelligence Oversight Officer (IOO) and the Office of the General Counsel - Intelligence Law Division. The 2013 rules also specify that “I&A products that address or describe populations discernible by race, ethnicity, gender, national origin, or religion must be reviewed and cleared by CRCL.”

Per the 2013 guidelines, these review bodies had to conduct their reviews “within two business days unless a longer review period [was] agreed upon between the clearing office and the author.” But the document also specified that one business day was the “preferred” timeline.

In the event of any dispute between I&A and a clearing office, the 2013 instruction called for the issues in contest to be immediately “elevated to the Deputy Secretary of Homeland Security for the final decision by the principal member of the Office of Intelligence and Analysis, clearing office Principal, or those acting in this capacity.”

The 2013 IA-901 allows deviation from its review procedure if the intelligence product “relates to an immediate threat to homeland security or other exigent situation.” In such situations, the document directs I&A to distribute a copy of the product to:

all applicable clearing offices for accelerated review and clearance. If clearance by those offices cannot be obtained by I&A within the time frame deemed necessary by the Under Secretary for Intelligence and Analysis, every effort will be made to notify the Deputy Secretary of Homeland Security and all clearing offices prior to dissemination of that I&A product and I&A will send a copy of the disseminated product to the clearing offices.

DHS Gets in Some Hot Water

These were the rules when I&A first found itself under scrutiny for intelligence reporting in connection with domestic protests.

In the summer of 2014, amid nationwide protests that erupted following the police killing of Michael Brown in Ferguson, Mo., DHS used social media to track and monitor certain domestic demonstrators. A year later, The Intercept catalogued DHS’s information collection at these Black Lives Matter protests, drawing from over 100 internal DHS intelligence documents obtained through a Freedom of Information Act (FOIA) request.

The Intercept article included a reproduced map of “conflict zones” circulated by a DHS FEMA officer, as well as minute-by-minute reports on protesters’ movements in Washington D.C., among other circulated intelligence products. The piece described documents indicating that “the department frequently collects information, including location data, on Black Lives Matter activities from public social media accounts, including on Facebook, Twitter, and Vine, even for events expected to be peaceful.” And the article reported broad criticism from legal experts and rights activists arguing that the DHS monitoring raised serious concerns about protesters' civil liberties.

Soon after the Intercept report, following the San Bernardino terrorist attack in December of 2015, a number of members of Congress expressed concern about terrorists’ use of social media and began urging DHS to expand its intelligence collection efforts using information available on online platforms. Specifically, lawmakers requested that DHS collect social media data on visa applicants as part of the background screening process. In 2016, DHS undertook five pilot programs to test the use of social media for immigration vetting purposes.

As these changes took place, media and non-governmental organizations documented the ramp-up in DHS’s online surveillance capabilities. The Brennan Center for Justice, for example, compiled a timeline of DHS social media monitoring for immigration vetting. And in May of 2016, VICE detailed findings from a FOIA showing that the I&A drafted open source information reports on tweets from protesters at the 2015 Baltimore protests in the wake of Freddie Gray’s death in police custody.

The 2016 IA-901 Policy Instruction

It was amid the swell of the FOIA requests, media coverage and criticisms that I&A issued a revision of the 2013 IA-901 internal instruction document on August 3, 2016. The updated guidance was significantly more thorough and detailed and bureaucratic than its predecessor. It was also longer, totaling 15 pages.

It gave more responsibility to I&A’s internal mechanisms in the review process by establishing a Certified Release Authority (CRA) position. The CRA role was effectively an I&A position authorized to review and release the office’s finished intelligence products in cooperation with CRCL and PRIV. The 2016 document also included new provisions on training for the CRAs, as well as guidelines for quality, and reviews by compliance and oversight offices for disseminated intelligence products. And it set forth more conditions for the expedited review process.

The document specifically details training protocols for the CRAs. The protocols consisted of a course approved by oversight offices for the “candidate to learn, comprehend, and apply analytics tradecraft standards, legal requirements, policies for the protection of privacy, civil rights, and civil liberties, and oversight and compliance guidelines in the assessment of Finished Intelligence Products.” The process also included annual oversight awareness courses, a 90-day post-training period in which the CRA was shadowed by oversight offices, and qualitative assessments of the CRAs’ ability to identify issues appropriately in their own reviews of intelligence products.

The document also tightened and it clarified the review process itself. I&A personnel were directed to send intelligence products to their respective branch chiefs, who reviewed the products for substance, tradecraft and application of oversight principles. Once cleared, the product moved to a CRA for internal I&A review in conjunction with CRCL and PRIV, a review designed to ensure compliance with a focus on tradecraft and oversight. The product was then submitted to the Office of General Counsel—Intelligence and Law Division (OGC-ILD) and to IOO.

If a CRA was absent during this process, the document details that “[f]inished Intelligence Products intended for dissemination outside the federal government are reviewed by CRCL and PRIV in addition to the OGC-ILD and IOO prior to release to ensure that the product complies with applicable law and policy and appropriately protects individuals’ privacy, civil rights, and civil liberties.”

The 2016 guidance also provided more explicit time frames for the review process than did the previous edition. It instructed that I&A personnel were authorized to advance intelligence products only if “they have exhausted every reasonable effort” and clearance was not given within a time frame that gave “the maximum amount of time possible for the product to be released and still maintain its analytic value.” This period was established to be within two business days for “routine products,” one business day for “priority products” and within two hours for “immediate products.”

The 2016 instruction allowed the USIA in cases of “immediate threat” or “exigent crisis” to modify the pre-publication process. It included new language instructing the USIA in such circumstances to give the oversight offices “the maximum amount of review and coordination time possible” given the situation. If the approval processes could not be completed in this time frame, the document instructed personnel to send a copy of the product to all applicable oversight offices. Notably, this section removed guidance from the 2013 document to notify the Deputy Secretary of Homeland Security at this step.

The 2016 revision also bolstered the dispute resolution process: if there was disagreement between any office and a CRA, the issue was elevated to the DUSIO, who was assisted by an ombudsman. From there, if the respective office and the DUSIO could not reach an agreement, the USIA would review the information and make a determination within ten days. If either CRCL or PRIV contested the USIA’s decision, the matter was elevated to the deputy secretary for a final determination.

Finally, the 2016 instruction adds provisions for evaluations of I&A’s finished intelligence products based on the perceived value of the information. And it sets forth guidance for I&A internal quality reviews to be conducted on a quarterly basis.

These quarterly reports include “any observations and examples of legal, oversight and compliance concerns, substantive recalls or revisions summaries, the use of the expedited pre-publication process, and details of elevated dispute resolution actions and outcomes.” Based on the contents, the ombudsman would make recommendations for revised training or other measures towards improving oversight and tradecraft principles.

2020 IA-901 Policy Instruction

This was the document in place until shortly before the protests began on May 26 this year in response to the police killing of George Floyd.

On May 7, 2020, the head of I&A, David Glawe, signed a second revision of IA-901, which included the changes summarized by one of us in a Lawfare piece last week. As detailed in that article, the new 2020 edition of the IA-901 winds down oversight procedures by presenting precise criteria for reviews by CRCL and PRIV offices that were previously standard, removing the time frame provided in the 2016 guidance and reducing the deputy secretary’s role in dispute resolution:

The new policy describes no training procedures of the type laid out in the 2016 version. It simply affirms that the Deputy Under Secretary for Intelligence Enterprise Readiness (DUSIER) “oversees the I&A certification process, in consultation with the [Deputy Under Secretary for Intelligence Enterprise Operations] (DUSIEO) and Oversight Offices, to ensure the training and evaluation aspects are appropriate to support [Oversight Review Authority] duties.”

The 2020 document instructs that intelligence products should be reviewed by two “Product Reviewers” who are to, “Focus on the message, tradecraft, and style of the product, to include: scope, accuracy, logical argumentation, accurate sourcing and evidence, proper coordination, and clarity of writing and organization.”

Once the I&A author discusses feedback with each reviewer, the product moves forth through the process. Here, the 2020 guidance establishes that only products meeting one or more of the below conditions should be required to go through an oversight equities review:

1. Specifically addresses or describes populations discernible by race, ethnicity, gender, religion, sexual orientation, gender identity, country of origin or nationality;
2. References or describes the activities of minors (under 18) individually or as a discernible population;
3. Includes Sensitive Personally Identifiable Information (SPII);
4. Reflects analysis based upon or derived from a “Bulk Data Collection” containing US person information;
5. Names elected US Government officials, candidates for elected federal officer, or US political parties;
6. References or describes the political, religious, ideological, or other Constitutionally-protected speech or activity of a US Person (or person in the United States) when not directly linked to violence or threat of violence; and
7. Any other criteria promulgated in writing by the DUSIEO.

If a product fits into any of these categories, it will undergo another review for CRCL and PRIV equities. In this case, either an ORA will review the product, or it will be sent to CRCL and PRIV. From there, the product goes to the OGC-ILD and IOO . An I&A mission manager is the final official in the review process, and that manager will approve the product for release if there are no disputes.

The new guidance explicitly states that all “oversight-related disputes should be resolved at the lowest possible level.” If there is a dispute between the author and the product reviewer, the mission manager is expected to resolve the issue. If an agreement cannot be reached, the matter is elevated to the DUSIEO.

In the event that the intelligence product does not fall into a category entitling it to oversight equities review, the DUSIEO is the final authority. Otherwise, the dispute will be elevated to the USIA, who will then make the final decision adjudicating between the oversight offices and I&A. There is no review by the deputy secretary. Those are a lot of changes but the big takeaway here is that ultimately, I&A now gets to resolve its own disputes with its reviewers.

The 2020 revision removes the time frames provided in 2016. It instructs that the “Standard Operating Procedure” (SOP) for finished intelligence products will provide instruction on timing and will “be coordinated in advance with the Oversight Offices” to reflect a “reasonable amount of time” (rather than the previous “maximum amount of time possible”) to ensure the product maintains its “analytic value.” These SOPs have apparently not yet been produced.

The 2020 revision differs significantly from the 2016 guidance on this issue; in the event of “exigent crisis,” the DUSIEO (rather than the USIA) is now allowed to modify the standard processes and determine time limits for review. Effectively, this moves emergency decisions down the chain of command.

Finally, on the subject of the post-production audits initially established in the 2016 guidance, the 2020 version adds: “The procedures for and frequency of these evaluations and audits shall minimize the impact on production activities and ensure I&A provides appropriate support to the compliance review process” (emphasis added). The new document replaces the quarterly evaluations from the previous guidance with “periodic” reports. And it removes the prior instruction to use these reports to modify training procedures for reviewing personnel.

In short, DHS has recently faced mounting criticism over its deployment of federal agents to protests in Portland, Oregon and its intelligence activities there. And the controversy has already resulted in personnel changes within I&A. After the Washington Post broke news that I&A disseminated Open Source Intelligence Reports on Mike Baker of the New York Times and one of the two of us for publishing unclassified government documents on Twitter, Acting USIA Brian Murphy was removed from his position.

In light of these revised guidelines, the stories about I&A and the criticism it is receiving are unsurprising. While this isn’t the first time DHS has been aggressive in reporting on protestors, the current policy changes head in precisely the opposite direction that DHS has gone in response to prior criticism. Whereas the 2016 revision of the IA-901 guidance included provisions to increase oversight and training mechanisms at the I&A amid public concerns, the 2020 edition is doing the opposite, though it remains to be seen how the office responds to renewed scrutiny.

It should surprise nobody if the unit is reporting aggressively. It has been unleashed.