CIA is collecting in bulk certain data affecting Americans, senators warn

WASHINGTON (NYTIMES) - The CIA has for years been collecting in bulk, without a warrant, some kind of data that can affect Americans' privacy, according to a newly declassified letter by two senators.

The CIA censored the nature of the data when it declassified the letter. At the same time, it declared that a report about the same topic, which had prompted the letter, must remain fully classified, except for some heavily redacted recommendations.

That report, called "Deep Dive II," was part of a set of studies by a watchdog board scrutinising intelligence community operations under Executive Order 12333, rules for intelligence activities that Congress has left unregulated by statute.

The watchdog, the Privacy and Civil Liberties Oversight Board, and its staff members have access to classified information.

In March 2021, the Senate Intelligence Committee received a copy of the report.

In a letter the next month, two Democrats on the panel, Senators Ron Wyden of Oregon and Martin Heinrich of New Mexico, urged Ms Avril Haines, the director of national intelligence, and Mr William Burns, the CIA director, to declassify the activity and any internal rules about querying the data for information about Americans.

Complaining that the CIA had not told the Intelligence Committee about the activity before, the senators suggested that its hidden existence cut against Americans' understanding that various pieces of legislation enacted in recent years "limit and, in some cases, prohibit the warrantless collection of Americans' records."

However, an intelligence official, speaking on the condition of anonymity to discuss the sensitive matter, said that the Intelligence Committee did already know about the agency's classified collection of the data itself.

The Deep Dive II report, the official said, instead focused on repository and analysis tools for storing and querying that data after its collection - systems the committee may not previously have been told about.

After the disclosures in 2013 by former intelligence contractor Edward Snowden that the National Security Agency was collecting bulk logs of all Americans' phone calls using a disputed interpretation of the USA Patriot Act - and had until recently done the same for logs of emails - there was a period of uproar over the scope of government surveillance.

During that time, The New York Times reported that the CIA had been paying AT&T to analyse its vast trove of call records for associates of the agency's overseas terrorism suspects.

It also found that the agency had been obtaining bulk records of international money transfers handled by companies like Western Union - including transactions into and out of the United States - using the same provision of the Patriot Act.

(On Thursday (Feb 10), the CIA also released a redacted version of a report describing its tracking of international financial data under Executive Order 12333 as part of the agency's efforts to combat the Islamic State of Iraq and Syria group.)

In 2015, Congress banned bulk collection of telecommunications metadata under the Patriot Act and limited other types of bulk collection by the FBI under laws governing domestic activities like the Foreign Intelligence Surveillance Act, or Fisa.

Yet "the CIA has secretly conducted its own bulk programme" under Executive Order 12333, the senators wrote.

"It has done so entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes with Fisa collection," the letter continued. "This basic fact has been kept from the public and from Congress."

In a statement, Ms Kristi Scott, the CIA's privacy and civil liberties officer, defended the agency's conduct.

"CIA recognises and takes very seriously our obligation to respect the privacy and civil liberties of US persons in the conduct of our vital national security mission, and conducts our activities, including collection activities, in compliance with US law, Executive Order 12333 and our attorney general guidelines," she said. "CIA is committed to transparency consistent with our obligation to protect intelligence sources and methods."

But in their letter, Mr Wyden and Mr Heinrich pressed the CIA to declassify the nature of its relationship with the sources - presumably companies providing the data - along with the kinds of records it was collecting and "the rules governing the use, storage, dissemination and queries (including US person queries) of the records."

In 2017, the government disclosed Attorney-General guidelines for CIA activities under the executive order that lay out rules for some of those issues.

But it is not clear if the CIA has fully developed procedures for carrying them out; a set of recommendations from the Deep Dive II report said that at the time, it had not developed policies or procedures regarding how the guidelines apply to the unspecified data.

The recommendations also said that when CIA officials use an American's identifier as a query term when searching the unspecified data, a box pops up to remind them that the search must have a foreign intelligence purpose.

But the officials are not required to record what that purpose was, and the recommendations urged the agency to do so.