Through a recent U.S. Freedom of Information Act (FOIA) request, the ACLU obtained a new report by the Privacy and Civil Liberties Oversight Board (PCLOB), a government agency, that claims Obama-era privacy rules for intelligence agencies have been mostly inadequate.
PCLOB Report on PPD-28 Privacy Policies
Following Edward Snowden’s revelations on NSA’s mass surveillance programs and certain abuses, the Obama administration created a set of privacy policies for intelligence agencies to follow called PPD-28. These new rules were supposed to protect regular citizens against new surveillance abuses. However, PCLOB’s review of these policies found the protections lacking.
The Obama administration passed the PPD-28 policies in 2014, and the PCLOB review of the PPD-28 policies was finalized in December 2016. However, the Trump administration has refused to release the report to the public until now, according to the ACLU.
Bulk Surveillance Activities Unchanged
The report notes that the PPD-28 has allowed the intelligence agencies to continue their existing bulk surveillance practices mostly unhindered. The new policies limited bulk surveillance activities to only six categories, but these categories are so broad that the NSA didn’t have to change its problematic practices at all once the rules went into effect.
The six categories for bulk surveillance activities had already existed before the policies passed, so in essence the PPD-28 only put in writing the surveillance limits the NSA had already given itself.
PPD-28 Policies Are Inconsistent
The report also said that “the lack of a common understanding as to the activities to which PPD-28 applies has led to inconsistent interpretation and could lead to compliance traps, especially as [intelligence community] elements engage in information sharing.”
For instance, the PPD-28 policies apply only to surveillance programs under FISA section 702, but not to programs operating under sections 704 and 705(b). This allows the law enforcement agency to evade the privacy rules for certain surveillance activities.
In order to address these inconsistencies, PCLOB recommended that the National Security Council and the Office of the Director of National Intelligence “issue criteria for determining which activities or types of data will be subject to PPD-28’s requirements.” However, ACLU said that it’s unclear whether or not the agencies ever issued these clarifications.
PPD-28 Doesn’t Address Expanded “Raw” Data Sharing
The privacy board was also concerned with how the agencies would apply the PPD-28 policies with the upcoming expansion of NSA’s power to share “raw” mass surveillance data with 16 other U.S. agencies.
President Obama approved this expansion of power days before he left office. Later, the FISA renewal codified it into law, while also allowing the agencies to see all the surveillance data without needing a warrant. Prior to this change, the NSA had to redact some sensitive surveillance information before sharing it with other agencies.
EU-U.S. Privacy Shield In Doubt
This report comes at a time when the European Parliament has already given both the European Commission and the U.S. government an ultimatum to drastically improve the privacy protections of EU citizens against U.S. agencies’ mass surveillance operations, or it will end the EU-U.S. data agreement.
ACLU noted that it has always believed that the PPD-28 policies never provided adequate protection for EU citizens and are too weak to serve as a legal basis for the Privacy Shield agreement. The published PCLOB report now confirms ACLU’s beliefs.
The second annual review of Privacy Shield is already underway, and the EU’s top court is also going to review it as part of a lawsuit by the Ireland Data Protection Commission against Facebook. ACLU believes that both the European Commission and the court will now have to deal with the critical report on the PPD-28 policies.