President Barack Obama’s administration has imposed new privacy restrictions on the CIA that are designed to limit its use of information on Americans — changes that the agency made public just two days before President-elect Donald Trump is to take office.
CIA officials described the changes as a comprehensive update to guidelines that have been in place since the early 1980s, adapting those rules for an age when sensitive data about Americans is increasingly abundant online and vulnerable to being swept up by U.S. intelligence agencies.
One of the new provisions requires the CIA to purge certain types of information that it gathers overseas — including communications that might involve U.S. individuals – from its systems within five years. There was no previous restriction on how long the agency could keep such materials, officials said.
The revised guidelines were posted on the CIA’s website on Wednesday, the first time that the fundamental regulations governing the agency’s routine espionage operations were declassified and fully shared with the public.
“This is a very significant milestone for the agency,” said Caroline Krass, the CIA’s general counsel, who discussed the revisions in a briefing for reporters Wednesday. Krass said that the effort to update the guidelines had taken more than two years, and that the final documents were signed Tuesday by CIA Director John Brennan and Attorney General Loretta Lynch.
CIA officials acknowledged that the revisions were made without input from civil liberties groups, including the American Civil Liberties Union, which have pushed for more aggressive measures to protect Americans’ privacy than are envisioned in the updated guidelines.
The Trump administration could override the revisions and impose its own rules, officials said. But doing so probably would be complicated by the Obama administration’s decision to move the espionage rules from the classified realm into the open.
President-elect Trump and key members of his national security team have said they are in favor of expanding U.S. intelligence authorities that were curtailed after the revelations of U.S. electronic surveillance by Edward Snowden, a former National Security Agency contractor. The changes unveiled Wednesday were driven in part by legal reforms adopted after Snowden’s disclosures about NSA activities.
CIA officials declined to say whether the changes adopted this week, which do not take effect until March, had been discussed with Rep. Mike Pompeo (R-Kan.), who is expected to replace Brennan as CIA director this week.
The CIA’s top privacy official, Ben Huebner, said during Wednesday’s briefing that the changes are aimed at helping the agency’s procedures for handling increasingly large troves of information contained on laptops, thumb drives and other devices swept up in standard espionage.
“Much of it is digital. There is a lot of it,” Huebner said. Although the NSA is the United States’ main agency for electronic eavesdropping, the CIA also has authority to intercept communications.
The guidelines spell out in broad terms how the CIA is to interpret espionage authorities that date back to an executive order, known as 12333, that was signed in 1981 by President Ronald Reagan.
Since then, Huebner said, the agency has relied on a “patchwork” of revisions to that order, which was issued at a time when spy work often involved stealing copies of paper documents.
The five-year limit on holding data applies only to the most sensitive categories of information, including email or cellphone intercepts — data that might otherwise remain in agency systems without being exploited or evaluated. Less-sensitive information is to be expunged after 25 years.
CIA officials said that other measures require additional levels of permission and record-keeping when agency employees seek access to data that might expose information about Americans. Such activities are monitored through regular compliance audits, although officials declined to say how frequently those occur.
The new guidelines do not apply to cover operations carried out by the CIA, including drone strikes on terrorism suspects, that require additional authority from the president conveyed in a memo known as a “finding.”