Government Has New Rules for Watching You

Terrorist-tracking agency gets more access to records on citizens, travelers. Former officials question whether privacy has been jeopardized.

By: Shane Harris

A new surveillance regime represents a "sea change" in how the U.S. government tries to monitor terrorists, and implicates untold number of innocent citizens in a vast electronic dragnet, according to an important and intriguing new report in the Wall Street Journal

The change concerns not what information the government is collecting on you, but how long a particular agency can hold onto it before having to permanently delete the information from its records. According to the Journal, the new rules were put in place after a high-level debate over whether they would allow "unprecedented government surveillance of U.S. citizens." 

"The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation.

"Now, NCTC can copy entire government databases—flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans 'reasonably believed to constitute terrorism information' may be permanently retained." 

The NCTC, located in McLean, may be a little-known agency, but we're all well-acquainted with the work it does. Data housed at the center is used to create airline watch lists, so to some degree, anyone who's flying on an airplane is someone the NCTC has an interest in, even if they're never put on a list. It was the NCTC that came in for the most direct criticism on Christmas Day, 2009, when a terrorist with a bomb hidden in his underwear was allowed to board a trans-Atlantic flight headed for Detroit. He failed to detonate the device. 

For a few years now, NCTC analysts and their bosses have complained that they don't have enough time to examine certain kinds of data, because the rules on how long they can hold onto it are set by the agency that gives it to them. There's an important distinction here: The NCTC doesn't actually collect information on its own. It's entirely dependent on the CIA, the FBI, the Homeland Security Department and others to provide it with intelligence reports, visa applications, travel records, and other sources of information. There's a lot of it; usually NCTC analysts get several thousands new pieces of information every day. It is the NCTC's responsibility, by law, to fuse all that information together and provide warnings of future terrorist plots.  

The issue chronicled in the Journal article was that the rules for retaining the information weren't uniform. Some agencies allowed NCTC to hang onto their records for several months or years, some as few as 30 days. I'm told that intelligence agencies in particular were concerned about relinquishing control of information that they viewed as hard-won and too precious to share. But officials in other agencies, namely some in the Homeland Security Department, were more inclined to give the NCTC longer-term access. One analyst said recently that the lack of uniformity in the rules was making it harder for the NCTC to do its job. 

Supporters of the new rules, which apparently were put in place with no public notice, say it does the NCTC little good to have access to all this material if it can't hold onto it for a considerable period of time, perhaps several years. 

Michael Leiter, who ran the NCTC from 2008 to 2011, tells me that when officials had looked at past cases to see how they could improve their future chances of spotting a potential terrorist, the question of how long analysts had access to various sets of data was crucial. "One big issue was that if you had to delete data 30 days after it was received, that might not be sufficient to make connections. It certainly was going to reduce the likelihood that you would find someone or find someone quickly." 

The Journal reports that the disagreements over where to draw the lines became so heated that a deputies-level meeting of national security officials was convened in the White House Situation Room in March. 

"Not everyone was on board. 'This is a sea change in the way that the government interacts with the general public,' Mary Ellen Callahan, chief privacy officer of the Department of Homeland Security, argued in the meeting, according to people familiar with the discussions." 

John Brennan, President Obama's counterterrorism adviser, weighed the differing points of view. But any misgivings became moot just a few days later, when Attorney General Eric Holder signed the new guidelines, according to the Journal. That ended the official debate.

Stewart Baker, who was the first assistant secretary for policy at Homeland Security, thinks there was more bureaucratic rivalry at play here than concern over civil liberties. "This is a turf fight dressed up as a privacy dispute," he says, questioning whether allowing NCTC to hang onto information that other government agencies already possess really limits people's privacy any further. "How many Americans would agree with this statement: 'Janet Napolitano [the Homeland Security Secretary] has a record of my flights in and out of the country. I'm fine with that. But if Matt Olsen [the NCTC director] gets those same records, my privacy has been so damaged that it's a sea change.'?" 

Having written extensively about terrorism surveillance and the NCTC, I'm not convinced that giving the center more direct, longer-term access to existing information fundamentally undermines privacy any more than the collection of that information in general. But there's a real concern that by putting all that information under one roof, so to speak, the temptation to move beyond NCTC's mandate to track terrorists and start looking for other criminal activity is heightened. The Journal article is clearly driving at that concern, which is apparently shared by the sources who revealed the debate in the first place. 

In a blog post, the ACLU's Chris Calabrese distills the essence of the concern here. 

Innocent people can be investigated and their data kept for years. It can be shared with foreign governments. All of this in service of not just terrorism investigations but also investigations of future crimes.

The Journal article also makes reference to an ill-fated data-analysis program from the early 2000s called Total Information Awareness, which aimed to search not just government records, but private and commercial information, as well. It's worth noting that TIA never envisioned putting all that information in one place. Rather, TIA would have used so-called "red teams" of terrorism experts to imagine plausible terrorist scenarios, and then would use search agents to scour various databases for information that fit the imagined pattern. 

It might seem like a distinction without a difference to say that the data in TIA's world would stay where it originated. But it underscores how important, both to a bureaucracy and to privacy protection, it can be to keep some data separate. This feature was deliberately designed by TIA's architect, John Poindexter, to protect both those interests.  

Putting aside the rules over who can see what and for how long, there's still the question of whether NCTC can make sense of the flood of information it receives every day. Back in 2009, when the underwear bomber got onto an airplane, it became clear that there was no systematic way for the center to understand the collective significance of, in that case, intelligence reports, immigration records, and flight manifests. But it was also true that even if the center had the technology to do that, it might never spot the bomber among thousands of other passengers it was tracking. 

The failed attack exposed critical weaknesses. Leiter says that things have improved somewhat on that score. "[NCTC] certainly has more to do. But it's vastly improved. The tools [for searching and analyzing information] are better."