Memo to NSA: Stop Saying You Apply the FIPPs
Published by The Lawfare Institute
The intelligence community has no set of general principles for judging the privacy impact of its programs. Some privacy scholars believe that the Fair Information Protection Principles (FIPPs) serve this purpose and can apply to intelligence programs as they do to myriad other government programs. The NSA itself said in a recent report on collection under Executive Order 12333 that it was applying the FIPPs for the first time. But however appealing it may seem to apply generally applicable privacy principles to intelligence programs, it is simply impossible for the intelligence community to apply the FIPPs literally.
The FIPPs are a bad fit for clandestine intelligence programs. This is obvious from the text of the FIPPs and from the fact that the NSA, after saying it was applying the FIPPs to 12333 collection, turned right around and said it could not apply two core FIPPs principles (transparency and individual participation). Although I applaud the NSA for taking a step forward in assessing the privacy impact of its activities, there is little point in adopting a set of principles that the agency admittedly cannot apply. Instead, the intelligence community should craft a new set of information privacy principles for intelligence programs. I suggested as much to the government witnesses during a recent PCLOB public hearing, and ODNI privacy officer Alex Joel agreed that it would be a good idea to have a new privacy framework for the intelligence community.
The version of the FIPPs that NSA said it is applying was published in 2008 by the Department of Homeland Security. Some of its principles (data security, for example) can and should apply to data collected in clandestine intelligence programs just as they do in other government programs. But the DHS FIPPs include some provisions that cannot possibly be implemented in a clandestine intelligence program and lack other important principles that can protect individual privacy in that context.
The most obvious problem with applying the FIPPs to intelligence programs is the "individual participation" principle. The DHS FIPPs state that the agency "should involve the individual in the process of using [personally identifiable information] and, to the extent possible, seek individual consent for the collection, use, dissemination, and maintenance of PII." It is quite obvious why this requirement cannot be applied to a clandestine intelligence program such as NSA's collection under Section 702 of FISA or Executive Order 12333. For that matter, it is not clear how DHS could apply this rule to all of its own activities. While this principle makes sense for the many DHS programs in which individuals come into contact voluntarily, or at least wittingly, with the agency, DHS has law enforcement and intelligence functions to which the individual participation principle cannot fully apply.
Applying the "transparency" FIP is also impossible in the intelligence context because it requires transparency to the individual whose information is collected. The agency must "provide notice to the individual regarding its collection, use, dissemination, and maintenance of personally identifiable information." As with the individual participation principle, it is fairly obvious why this requirement cannot apply to a clandestine intelligence program. However, a new set of intelligence community principles should contain a transparency principle modified for the intelligence context. As recommended by the PCLOB's reports on the Section 215 and Section 702 programs, the intelligence agencies can be more transparent than they have been about what they understand the law to be, how they do business in general terms, and the impact of their work on Americans' privacy without endangering national security. And even where agencies cannot disclose information to the public, they should be transparent to oversight bodies including the Foreign Intelligence Surveillance Court and Congress.
Relatedly, the new framework should contain an oversight principle. The greater the need for secrecy surrounding a program, the greater the need for oversight of that program. The DHS FIPPs' last principle is entitled "accountability and auditing" and states that the agency should "audit[] the actual use of PII." But this audit trail requirement is a pale substitute for a principle requiring robust oversight by institutions that have access to all information about intelligence programs, can truly assess whether the law is being followed and privacy is being protected, and have the legal authority to impose consequences otherwise.
There are at least two other principles not in the FIPPs that should be included in the new intelligence community principles. First is an effectiveness and necessity principle. Agencies should not initiate or continue a program if its intelligence value does not outweigh its imposition on privacy interests, and agencies should not collect personal information if it is not necessary to the intelligence purpose of the program. The FIPPs partially reflect this principle insofar as they say that the agency should only "collect PII that is directly relevant and necessary to accomplish the specified purpose(s)" of the program. However, this does not require an ongoing judgment about whether the program should exist at all. As the PCLOB recommended in our report on the Section 702 program, the intelligence community should routinely assess whether the efficacy of intelligence programs justifies their existence, rather than relying on ad hoc judgments as it has done in the past.
Second is an evidentiary threshold principle. Programs should have clear thresholds for how much evidence of an individual's connection to terrorism, espionage, or other interests is required before an agency may collect his or her information. Nothing in the FIPPs reflects this value. Constitutional and statutory law already imposes these thresholds in many contexts, but there remain circumstances in which the executive branch sets the rules for when information may be collected or accessed. For those circumstances, the new intelligence community principles should require that the thresholds for every program be clear and that they be commensurate to the program's potential impact on privacy.
This is not an exhaustive list of privacy principles that should apply to the intelligence community or of the ways in which those principles should deviate from the FIPPs. There are undoubtedly many other values that should be reflected in a new intelligence community privacy framework, and I am looking forward to working with the intelligence community as it builds that framework.
Rachel Brand has served as a Member of the Privacy and Civil Liberties Oversight Board since 2012. The post above expresses her views only, and not those of the Board.
Rachel Brand is a member of the Privacy and Civil Liberties Oversight Board.