Editor's Note: This article has been updated to more accurately reflect the circumstances under which a defense intelligence component may collect U.S. personal information inside the United States.
Today, the Department of Defense released revised procedures—along with an accompanying fact sheet—governing the conduct of its intelligence activities. DoD Manual 5240.01, ensures that Defense Department policy complies with DoD Directive 5240.01 and Executive Order 12333, which authorize Defense components to collect, retain, and disseminate information concerning U.S. persons and conduct other activities “in accordance with the Constitution and laws of the United States”.
The manual’s provisions apply to all DOD components, the U.S. military and defense intelligence agencies—including the National Security Agency. These latest revisions were approved by the Attorney General and Secretary of Defense after consultation with the Director of National Intelligence.
Updates to 5240 are long-overdue. The manual was last issued in 1982, the same year that Time named the personal computer the “Machine of the Year,” and one year prior to the magazine’s newsroom transition from typewriters to word processors. The intervening decades have seen dramatic developments in the technology, law, and practice surrounding intelligence collection and analysis, raising novel questions regarding privacy and civil liberties. Following the 9/11 attacks, these capabilities developed further in the face of new asymmetric threats and demands for greater information sharing and the intelligence community underwent rounds of reform, including the creation of the Office of the Director of National Intelligence.
In light of these developments, the revised manual makes six major changes to the previous version, including updating the definitions for “collection” and “publicly available information,” as well as creating new rules regarding the retention of information from U.S. persons, information sharing within the intelligence community, and conducting physical searches for foreign intelligence purposes.
One of the most important changes is the new Defense Department definition of “collection.” Under the new rules, “collection” occurs “upon receipt,” whereas the previous manual defined “collection” as occurring when the information was “officially accept[ed] … for use.” The change ensures that all protections governing even the incidental collection of U.S. personal information (USPI) applies upon receipt of that information. The clock starts to run as soon as information is collected, meaning that collected information must be promptly evaluated to determine the proper retention period.
Unless it meets the standard for permanent retention, outlined below, all USPI data will be deleted at the end of the maximum retention period. Intentionally targeted USPI may only be retained for five years. Incidentally collected USPI may be retained for up to 5 years if the initial collection targeted a person or place in the United States or involves “special circumstances.” The information may be retained for up to 25 years if the collection targeted a person who is reasonably believed to be outside the United States. These evaluation periods may only be extended based on high-level approval, requiring both a written finding of necessity and a finding that the information is likely to contain valuable intelligence.
The new manual also updates and expands rules governing the protection and evaluation of information for permanent retention. Incidentally USPI must be deleted from intelligence databases unless it is affirmatively determined to meet criteria for permanent retention. During the evaluation phase, enhanced safeguards and protections are now required. Moreover, the manual establishes new rules for dissemination, including requirements for disseminating unevaluated information, the minimization of disseminated information, and rules for disseminating information to foreign governments.
The manual also includes a new section on “special circumstances,” which focuses on collections wherein privacy and civil liberties interests may be heightened. These special circumstances may require additional safeguards based on “the volume, proportion, and sensitivity of” the USPI, or the intrusiveness of the collection method used to gather the information. A senior intelligence official will now be required to make a determination as to the intelligence value of collection in a “special circumstance.”
The manual creates new rules for shared data repositories when a DoD intelligence component is the host of or a participant to a shared data repository--potentially a nod to the intelligence community’s move to its ICITE cloud database. The new rules provide additional guidance for the dissemination of USPI within and outside the DoD.
The manual clarifies the definition of “publicly available” information in light of policy issues raised by the Internet and the proliferation of new media and new technology.
Finally, the new manual incorporates new physical search rules that reflect changes to the Foreign Intelligence Surveillance Act since 1982. These include requirements to obtain a FISA warrant for nonconsensual physical searches conducted inside the United States and for targeted collection of U.S. person information outside the United States.
Below is a brief summary of Procedure 3.2 “Collection of USPI” and 3.3 "Retention of USPI," areas of particular interest for Lawfare readers.
Summary of Collection and Retention Procedures of USPI
Under 3.2.C, a Defense Intelligence Component may only intentionally collect USPI if the information is reasonably believed to be necessary for the performance of an authorized intelligence mission and if the USPI falls with within one of thirteen categories: 1) Publicly Available; 2) Consent; 3) Foreign Intelligence; 4) Counterintelligence; 5) Threats to Safety; 6) Protection of Intelligence Sources, Methods, and Activities; 7) Current, Former, or Potential Sources of Assistance to Intelligence Activities; 8) Persons in contact with sources or potential sources; 9) Personnel security; 10) Physical security; 11) Communications security investigation; 12) Overhead and airborne reconnaissance; and 13) Administrative purposes.
The collection of USPI is governed by several criteria that both restrict the purpose of such collection and limit the means for and amount of collection. As stated, Defense Intelligence Components are required to use the “least intrusive collection techniques feasible within the United States or directed against a U.S. person abroad.” This means that to the extent feasible, information will be gathered from publicly available sources. If the information is not available publicly, the information may be collected from cooperating sources. If this is not feasible or sufficient, collection may be conducted using other lawful intelligence techniques that do not require a judicial warrant or approval of the Attorney General. Finally, if none of the above prove feasible or sufficient, a Defense Intelligence Component may seek approval from the General Counsel of the Defense Department for the use of a collection method that requires a judicial warrant or approval of the Attorney General.
Other specific limitations apply to collection of USPI inside the United States, including that the information may be collected only if 1) the information is publicly available or 2) the source of the information is advised or otherwise aware that he or she is providing the information. In the event that neither of the two previous requirements are met, the Defense Intelligence Component may employ collection methods that are directed at the United States if a) the foreign intelligence is significant and the collection is not undertaken for the purpose of acquiring information about a U.S. person’s domestic activities; b) the intelligence cannot be obtained publicly or from sources who are advised they are providing information to the DoD; and c) the Defense Intelligence Component head concerned or a single delegee has approved as being consistent with the manual and its outlined procedures the use of techniques other than the collection of publicly available information or from an informed source.
Once USIP is intentionally collected, the DoD may retain the information for up to five years in order to evaluate the information properly.
In the event that USPI is incidentally collected, such information may be temporarily retained, evaluated for permanent retention, and disseminated only in accordance with Procedures 3 and 4, which allows the Defense Intelligence Component to retain the information for evaluation for up to five years if the target was believed to be in the United States and for 25 years if the target was reasonably believed to be outside the United States at the time of collection and the information complies with the parameters set out in USC 50 Section 1813(b)(3)B). That statute mandates that information may not be retained for more than five years unless the information has been affirmatively determined to constitute foreign intelligence or counterintelligence, is evidence of a crime retained by law enforcement, the information in enciphered or believed to have secret meaning, all parties are non-U.S. persons, retention is necessary to protect against an imminent threat to human life, the information is necessary for technical assurance or compliance purposes, or retention is approved by the head of the element of the intelligence community responsible for retention based on a determination that the information is necessary to protect national security and the head of the element has outlined to congressional intelligence committees the specific information to be retained, why it is necessary to protect national security, for how long the information will be retained, and the measures taken to protect the privacy interests of U.S. persons.
The Defense Intelligence Component head or a delegee may approve extended retention of information for no more than five years beyond the time permitted if the official finds that retention is necessary to carry out a mission of the component, that the component will retain and handle the information consistent with the protection of privacy and civil liberties, that the component will consider enhanced protections, and will consult with legal and privacy and civil liberties officials. In addition, the Component head must find that the information is likely to contain valuable information that the Component is authorized to collect. Finally, the official must document compliance with the requirements in writing.
The time period of retention does not begin for any information that is not in an intelligible form until the information is processed into an intelligible form.
If a Component does not find that the information meets the standards for permanent retention during the specified time period, the Component must delete all USPI from the Component’s automated systems of records.
A Component may permanently retain USPI if it determines that retention is reasonably necessary for the performance of an authorized intelligence mission, the information was collected lawfully, and its retention will comply with the several protections and safeguards for USPI outlined in the manual. These protections include limiting access to employees with proper clearances and a mission requirement; only using queries or other techniques that are relevant to the intelligence mission; and using tailored queries to minimize the amount of USPI returned that is not pertinent to the mission. Among these, the Component must also take steps to audit access to information systems containing USPI, ensure effective auditing, establish documented procedures for retaining data containing USPI and recording the reason for retaining such data, and annually train employees with access to such data on civil liberties and privacy protections. Safeguards may include any number of minimization procedures, access restrictions, or other privacy-enhancing techniques.
A Component may also retain the information if it is retained for the purposes of oversight, accountability, or redress, or when required by law or court order, or when directed by the DoD SIOO, Inspector General, or the Attorney General.