March 13, 2023
Protecting Privacy and Promoting Transparency: The Perspective of a Civil Liberties Protection Officer
By: Alex Joel
In June 2005, I was detailed from the Central Intelligence Agency (CIA), Office of the General Counsel, and joined the brand-new Office of the Director of National Intelligence (ODNI). Just a couple of months earlier, President George W. Bush had sworn in the nation’s first Director of National Intelligence (DNI), John Negroponte. Off. of Dir. of Nat’l Intel., Who We Are, History. The statute creating the ODNI—the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458 (2004)—included a new Intelligence Community position: Civil Liberties Protection Officer. ODNI named me the “interim” Civil Liberties Protection Officer and removed “interim” six months later. I served in the role for 14 years, reporting directly to five different Directors of National Intelligence.
During my tenure, I was privileged to take part in momentous changes in the legal framework governing U.S. intelligence activities. As I look back on what I learned and experienced as the Civil Liberties Protection Officer, the key theme that stands out is change. Change came at us constantly, manifesting itself as new threats to national security, new organizations and missions, new technologies and sources of data, new imperatives for intelligence agencies to respond to, and new risks to privacy and civil liberties. We faced these changes with legal tools that had been developed for a different era. Lawyers tend to think of change as happening incrementally. Laws are passed after months or years of debate, often prompted by specific events that happened at a point in time. Courts issue their decisions long after the start of the litigation. Nation-states enter into international agreements after years of negotiations. The rapid pace of change in the world around us does not wait for the law to catch up. Yet our national security legal framework must still function effectively in the face of constant change; we must apply old rules to new tools. So how well does our legal framework hold up to the challenges posed by constant change?
Authorize and Constrain
At the outset, it is critical to understand that, throughout the constant change, there are certain enduring truths. The most fundamental one for our purposes is this: in a democracy, the national security legal framework must simultaneously achieve two vital goals. It must enable, authorize, and empower government actors to protect the nation from foreign threats; and it must constrain, restrict, and control those actors to protect privacy and civil liberties. Both are equally important. Failing either means failing as a democracy. Achieving these goals simultaneously is no easy task. To protect against threats, agencies not only need people, resources, and skill; they also need specialized legal authorities that enable them to conduct activities that can be highly intrusive on personal privacy. And they need the ability to do so in secret, to conceal their sources and methods from their adversaries, lest those adversaries change their behavior to avoid detection. A fully transparent intelligence service, after all, would be fully ineffective. At the same time, it is vital that our legal framework also constrain and control the exercise of those powers. In other words, our national security agencies must protect the nation from foreign threats, without themselves becoming a threat.
How well does the U.S. legal framework accomplish these twin objectives of authority and constraint? In this paper I highlight aspects that stand out in my mind as I look back on my time at ODNI. I focus on surveillance and secrecy and their impact on privacy and transparency. I cover these same enormously complex and nuanced topics in a semester-long course; given the limitations of this article, I can provide only a surface-level overview of a few elements here. For a more comprehensive review, see Alex Joel, Protecting Privacy and Promoting Transparency in a Time of Change: My Perspective After 14 Years as Civil Liberties Protection Officer (2023).
Separation of Powers
Any discussion of rules must start with the U.S. Constitution. Every day for 14 years, I carried in my pocket a copy of the Constitution as a physical reminder that every intelligence professional takes an oath to support and defend the Constitution, an oath the workforce would retake on Constitution Day each year. How the Constitution separates powers between the branches is taught and retaught in national security law courses.
Issues regarding the separation of powers were very much in the public eye when, in 2005, the New York Times first wrote about the Terrorist Surveillance Program (later renamed the President’s Surveillance Program). James Risen & Eric Lichtblau, Bush Lets U.S. Spy on Callers Without Courts, N.Y. Times, Dec. 16, 2005. See Off. of Dir. of Nat’l Intel., The Department of Justice Releases Inspectors General Reports Concerning Collection Activities Authorized By President George W. Bush After the Attacks of September 11, 2001, INTEL.gov. After 9/11, President Bush directed the interception of communications under circumstances that ordinarily would have required a court order under the Foreign Intelligence Surveillance Act of 1978 (FISA), Pub. L. No. 95-511 (1978). I had joined ODNI only a few months earlier and found out about this program when I woke up to a radio broadcast describing it. Learning more about the program turned out to be more difficult than I assumed as it was tightly compartmented with access controlled by the White House. See, e.g., Off. of Inspector Gen’l of Dep’t of Def., et al., Report on the President’s Surveillance Program, Ann. Vol. II-C, at 14 (July 10, 2009). With the support of the DNI, I, along with the then-nascent Privacy and Civil Liberties Oversight Board, was eventually able to gain access. Thanks to the efforts of the ODNI General Counsel among others and after major modifications, the program was eventually moved under the auspices of the Federal Intelligence Surveillance Court, a move that was later superseded with the passage of the Protect America Act of 2007, Pub. L. No. 110-55 (2007), and the FISA Amendments Act of 2008, Pub. L. No. 110-261 (2008). The President’s decision to initiate the surveillance program, however well-intentioned it may have been, created major repercussions throughout the ensuing years. My own takeaway from this experience: the executive branch must do all it can to act consistent with the will of the legislative branch. Any perceived advantages of moving quickly are likely to be fleeting, and, even if arguably constitutional, fast action can cause lasting damage to public trust.
Although the President claims primacy in national security matters, the role of Congress remains crucial, especially its power of the purse and the oversight it exercises over classified intelligence activities. There are a range of statutory reporting and related requirements to keep Congress fully and currently informed. See Memorandum from Alfred Cumming, Cong. Rsch. Serv., on Statutory Procedures Under Which Congress is to be Informed of U.S. Intelligence Activities, Including Covert Actions (Jan. 18, 2006). In my time at ODNI, I felt that Congress exercised its oversight powers vigorously. While the Intelligence Community can do better in providing timely responses to congressional requests for information, disputes over access to information were, from my perspective, the exception rather than the rule.
Regarding the third branch of government, the role of the judiciary in national security is a complicated one. On the one hand, the Supreme Court has interpreted the “cases and controversies” clause in Article III, U.S. Const. art. III, in a manner that sharply limits the ability of individuals to challenge national security programs in civil cases. See Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). That is because a plaintiff must show actual injury to establish standing; they cannot rely on “mere speculation” but must, in essence, demonstrate that they have been the subject of surveillance. Id. While this showing can seem to be an impossible hurdle to leap in the face of classified information, it can be done. See, e.g., Wikimedia Found. v. Nat'l Sec. Agency/Cent. Sec. Serv., 14 F.4th 276 (4th Cir. 2021).
Even if a plaintiff can establish standing, the executive branch can assert the state secrets privilege to prevent a case from going forward if it would require the disclosure of classified information. Jennifer K. Elsea & Edward C. Liu, Cong. Rsch. Serv., R47081, The State Secrets Privilege: National Security Information in Civil Litigation (Apr. 28, 2022). The state secrets privilege was recently reaffirmed by the Supreme Court in United States v. Zubaydah, 142 S. Ct. 959 (2022). Recognizing the seriousness of the concerns raised about the privilege, see, e.g., Elizabeth Goitein & Frederick A.O. Schwarz, Jr., Congress Must Stop Abuses of Secrets Privilege, Roll Call, Dec. 14, 2009, the Department of Justice during the administrations of President Barack Obama and President Joe Biden issued guidance on when and how the privilege can be asserted. Memorandum from the Att’y Gen. on Policies and Procedures Governing Invocation of the State Secrets Privilege (Sep. 23, 2009); Memorandum from the Att’y Gen. on Supplement to Policies and Procedures Governing Invocation of the State Secrets Privilege (Sep. 30, 2022).
The Fourth Amendment
Fourth Amendment jurisprudence is a fundamental part of national security surveillance law. The U.S. government is not free to ignore the Fourth Amendment, U.S. Const. amend. IV—or any other part of the Constitution—as it pursues national security objectives. That said, the question of whether and how the Fourth Amendment applies to a national security activity is a complex one. The judicial understanding of what a “reasonable expectation of privacy” entails in the digital age continues to evolve. For example, in Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018), the Supreme Court refused to extend the “third party doctrine” to cell site location information (CSLI) and held that “an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI” covering an extended period of time. Cases such as Carpenter provide hope that the slow-moving judiciary is now grappling with the implications of technological change (a trend sometimes referred to as “digital is different,” see Stephen E. Henderson, In Celebration of Dissents (And Lengthy Textbooks), 83 Ohio St. L. J. 913 (2022)). But the cases also raise questions for practitioners on how to shape policies and programs as technology continues to leap ahead. For example, Congress has been probing how government agencies interpret Carpenter when they seek commercially available data, including location information. See, e.g., William S. Stewart, Clarification of Information Briefed During DIA’s 1 December Briefing on CTD, Defense Intelligence Agency, U-21-0002/OCC-1, Jan. 15, 2021.
Executive Order 14086
The Foreign Intelligence Surveillance Act and Executive Order 12333 are essential aspects of the U.S. national security legal framework, but they are covered elsewhere in this anthology as well as in my longer paper. Joel, supra. I will not, therefore, go into those authorities here. Instead, I will turn to Executive Order 14086. In October of 2022, President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities, Exec. Order No. 14086, 87 C.F.R. 62283 (Oct. 7, 2022). This order enhances privacy safeguards for U.S. signals intelligence activities and breaks new legal ground for the Intelligence Community. See Alex Joel, Breaking New Ground, Privacy Across Borders, Oct. 7, 2022. The team I lead on Privacy Across Borders at the Tech, Law & Security Program, Washington College of Law, American University, has been digging into this executive order, and we will have much more to say about it in the near future. For now, below are some of the reasons why I find this order (and the instrument it replaced, Presidential Policy Directive 28, Signals Intelligence Activities, Jan. 17, 2014) so groundbreaking.
First and foremost, Executive Order 14086 extends key privacy safeguards to cover all individuals, regardless of nationality. The 1975-1976 Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, otherwise known as the Church Committee, responded to abuses by intelligence agencies that improperly conducted surveillance on (and in some cases influenced) Americans exercising their First Amendment freedoms. Unsurprisingly, the major legal reforms that followed, such as FISA, supra, and Executive Order 12333, United States Intelligence Activities, 46 C.F.R. 59941 (Dec. 4, 1981), aimed to prevent such abuses in the future and thus focused their protections on domestic activities and the rights of U.S. persons. We now live in a different world, one that is bound together by a digital web carrying information and communications of people around the globe. U.S. companies own and operate much of this digital infrastructure. It should come as no surprise, then, that foreign governments are concerned about the safeguards that U.S. intelligence agencies apply to their citizens’ data. Executive Order 14086 answers those concerns and protects the privacy of both U.S. and non-U.S. persons.
Second, Executive Order 14086 delineates 12 legitimate objectives that can be pursued through signals intelligence activities. It also lays out four prohibited objectives, such as suppressing free speech, and declares that collecting commercial information from a non-U.S. private entity to afford a U.S. company a competitive advantage is not a legitimate objective. The order also includes the Civil Liberties Protection Officer (CLPO) in the process of setting intelligence priorities to ensure that each priority advances a legitimate objective. It then provides that signals intelligence activities may be conducted “only following a determination … that the activities are necessary to advance a validated intelligence priority” and that they are conducted “only to the extent and in a manner that is proportionate” to that priority. Exec. Order No. 14086, supra.
Third, the order’s most dramatic innovation is the creation of a new redress mechanism. This two-tier process directs the CLPO to receive and investigate complaints and to create a complete record of each investigation. The CLPO is empowered to direct agencies to remedy any violations (including destroying improperly collected information) and is granted independence to perform investigative and remedial functions. Importantly, the order also establishes within the Department of Justice a Data Protection Review Court (DPRC), composed of experts from outside the U.S. government who are guaranteed independence and have binding authority to direct agencies to remediate violations. The remedy processes overcome the two challenges involved with judicial redress: standing and secrecy. Within the order’s administrative processes, claimants must provide certain information to the CLPO when submitting their complaints but need not show that they have been the targets of surveillance. In addition, the CLPO and the DPRC have full access to the classified information necessary for investigation and remediation. Interestingly, the order’s redress processes can result in situations where non-U.S. persons have greater access to remedy than U.S. persons. The new redress mechanism applies only to a “qualifying complaint,” which Executive Order 14086 defines as a complaint involving personal information that the complainant believes to have been transferred to the United States from a foreign country that has been designated a “qualifying state” by the Attorney General. While there is no specific nationality requirement, Americans who have not traveled abroad are not able to avail themselves of the order’s redress process.
It is not enough to have rules. Particularly for classified intelligence, oversight is a vital element of the national security legal framework. In the United States, we have what I like to call a system of many layers with many players. Within the executive branch, agencies have civil liberties and privacy offices, offices of general counsel, compliance organizations, and offices of inspectors general. The Department of Justice provides granular oversight over the use of FISA, shapes Executive Order 12333 procedures, and serves as the chief legal officer of the executive branch. In addition, the Intelligence Oversight Board receives and assesses reports from the Intelligence Community of potential violations of laws, executive orders, and directives. Another key oversight entity is the Privacy and Civil Liberties Oversight Board (PCLOB), which provides advice and oversight regarding counterterrorism and other activities, such as those relating to Executive Order 14086. I had the privilege of working closely with the PCLOB in its various iterations during my tenure as CLPO and am a strong believer in the vital role that it plays. As discussed above, Congress also conducts vital oversight.
I end this whirlwind tour of key developments with the subject of intelligence transparency, something that I was privileged to work on extensively during my time at the ODNI. Early on, I realized that we needed to enhance transparency. As I told the Wall Street Journal in April 2006, “’One of the things I’ve tried to champion is finding ways to draw the circle around the secret a little more tightly,’ says Mr. Joel. By doing that, he says, there are things related to a program that can be discussed to ameliorate concerns without giving up its essence.” Anne Marie Squeo, New U.S. Post Aims to Guard Public’s Privacy, Wall St. J., Apr. 20, 2006. Within the Intelligence Community, I was not alone in this view, but dramatic progress came only after the Snowden disclosures in 2013. See Ewen Macaskill & Gabriel Dance, NSA Files: Decoded, The Guardian, Nov. 1, 2013. The crisis of confidence that ensued prompted the Intelligence Community to launch a far-reaching transparency initiative, one that continues to bear fruit to this day. We adopted the Principles of Intelligence Transparency for the Intelligence Community, followed up with an implementation plan, established IC on the Record as a platform to post documents about our surveillance authorities, worked with Freedom of Information Act (FOIA) offices to lean forward on releasing requested records with fewer and fewer redactions, created transparency reports, and released large amounts of information about “Section 702” as well as other intelligence activities. See, e.g., Off. of Dir. of Nat’l Intel., the Intel Vault, INTEL.gov.
Where To Next?
When I look at the legal framework that governs U.S. intelligence activities, I see a resilient and flexible structure that sustained shocks to the system and adapted to change. I am proud of the framework and the role I played in creating it. That said, it is not perfect. It faces the same fundamental challenge that all laws and policies face: it is, in essence, reactive rather than proactive. It can dynamically respond to a crisis but does not readily anticipate change. As a result, we have a framework more shaped by prior events, albeit momentous ones, than mindfully designed for the future. And more change is certainly coming. Technological advances far outpace the ability of our legal system to keep up. Threats morph with increasing speed. New opportunities bring new risks. What to do? I do not believe there is a single answer to the question. There are, however, several practical steps we can take right now that will better position the system to both authorize and constrain intelligence agencies in the future.
As I stated at the beginning of this article, a legal framework must both authorize and constrain. But that framework is not self-sustaining. One cannot write a rule, implement it, and then forget it. The rule needs to be interpreted, understood, and followed. The rule, to be effective, requires investment, in both its creation and its ongoing implementation, and that investment must bear a relationship to the scope of activity that is subject to that rule.
In one of its lesser-known recommendations, the Church Committee called for the strengthening of the roles of general counsels and inspectors general as a safeguard against illegality and abuse. S. Rep. No. 94-755, at 332 (1976). Other organizations, including privacy and civil liberties offices, compliance organizations, and oversight bodies, such as the PCLOB, also play a key role in the multifaceted task of ensuring that rules are properly designed, interpreted, and followed. . In my experience, these entities are staffed with highly dedicated and expert professionals, but they are substantially under-resourced. The impact they have and can have on enhancing the trust necessary for intelligence agencies to do their work cannot be underestimated and requires a corresponding investment. The same is true for transparency. A relatively small number of professionals must work to answer FOIA requests, conduct declassification reviews, and surge limited resources on an ad hoc basis to review and release information of pressing public interest (e.g., Section 702 reauthorization). In particular, the overclassification problem is widely recognized, and the burden on declassification and release officials is increasing exponentially with the explosion of classified records that is a byproduct of the digital era. See, e.g., Kai McNamee, et al., The U.S. Has an Overclassification Problem, Says One Former Special Counsel, NPR, Jan. 17, 2023. The key task of transparency requires significant new investments in both people and technology. How will investment help the legal framework cope with change? It may be impossible to predict exactly what will come, but we can predict that we will need to constantly adapt. It is, therefore, imperative that we have a well-resourced framework with dedicated and trained professionals ready to assess and adjust as change comes our way.
A system of many layers with many players can be robust and comprehensive, as I believe ours is, but it can also create unnecessary friction and complexity, especially when new circumstances arise that challenge settled ways of handling issues. The roles of the various players (e.g., the Intelligence Oversight Board vis-à-vis the PCLOB) should be studied and adjustments made to avoid overlap and ensure comprehensive coverage.
Update and Harmonize Rules
Keeping rules up to date is a never-ending process that we must recognize as such. As new laws and policies are created, we must take care to ensure that they stand the test of time. Where possible, they should be technology-neutral and should apply across a range of related activities. To the extent different intelligence agencies and missions are involved, the rules that establish their authorities and constraints should be consistent in goals, principles, and terminology. Processes should be put in place to monitor how well those rules work for their intended purposes given constantly changing circumstances. In addition, rules should not be developed in closed silos, but rather should emerge after robust engagement and consultation inside and outside of government, including not only interagency discussion but also engagement with civil society and international partners. In a world tied together by technology, where national security activities can intrude on the privacy of people around the globe, it is more important than ever to develop a common understanding of what a legal framework for intelligence activities should authorize and what it should constrain. The Organization for Economic Cooperation and Development (OECD) has already taken the first step, adopting in December 2022 the Declaration on Government Access to Personal Data held by Private Sector Entities, OECD/LEGAL/0487 (Dec. 13, 2022). This effort involved the hard work of data protection and national security officials from member countries, coming together over many months to work out the principles their legal frameworks hold in common for law enforcement and national security access to personal data in private-sector hands.
Start with First Principles
How to take these steps? Start with first principles. Or first start with principles. We must reach a general understanding of key principles and then move out from that core to develop and update the rules, oversight, and transparency necessary to carry out those principles. This is the model we followed with transparency: we started with the transparency principles, followed with an implementation plan, ensured we had buy-in at all levels, and based our work on those principles. The principles for a legal framework should include technology neutrality; the need for consistency, clarity, and broad coverage; a recognition that the enormous volumes of data in today’s digital age must be treated with great care; effective redress mechanisms; and an unwavering commitment to the protection of privacy and the promotion of transparency. Ultimately, we must invest the time, energy, and resources necessary to ensure we have a legal framework that is both robust and flexible enough to adapt to change.
The views expressed in this publication are the author’s and do not imply endorsement by the Office of the Director of National Intelligence, the Intelligence Community, or any other U.S. Government agency.