CIA reveals new guidelines for collecting data on Americans

The rules may help spies keep pace with the internet era.

Reuters/Larry Downing

There's no question that the US government's approach to handling sensitive data could stand an update to acknowledge the online age, and the CIA is taking a stab at it. The agency has published new procedures that govern how it collects, keeps and shares information on Americans under Executive Order 12333. The guidelines acknowledge that it's much, much easier to collect large volumes of data than when the Order surfaced in the 1980s, and that the nature of the internet requires restrictions that hadn't even been considered before.

The updated rules include "specific approval requirements" for any data that can't be evaluated right away, and limit data collection to the smallest the CIA needs to achieve its goals. Agents can't just scoop up as much as they can and hoard it for later, in other words. The agency will also limit access to unevaluated data, insist on training for handling that data and require the deletion of that data no more than 5 years after it's available.

Data searches, meanwhile, have to both be limited to legal activities and include an explanation whenever there's extra-sensitive information involved, like messages. And spies can't just inflitrate online social circles at will, either. Operatives have to identify their affiliation unless they're joining an organization that primarily consists of and is run by non-Americans, and they'll still have to get approval from the CIA's Director before diving in.

There will be periodic audits on top of existing oversights, the CIA says.

We can see some potential flaws in the guidelines. While the agency does have a good reason to keep info around for a while, 5 years is a long time to retain internet data that probably won't be useful. And is a statement of purpose enough for the CIA to look at private conversations in its databases, even if the scope is narrow? Still, the very fact that the CIA is updating its rules (not to mention making the changes public) is important. This theoretically lowers the odds that surveillance teams will grab more data than they're allowed (ahem, NSA), and increases the chances that abusers will be caught in the act.