The CIA Has Been Stealing Your Data For Years

Edited by Sam Thielman

IN THE ACKNOWLEDGEMENTS of REIGN OF TERROR, I warn readers that the book is incomplete. That's because, among other reasons, a substantial amount of the War on Terror remains entirely out of public view. We don't even know how much remains to be unearthed. We only know that what we've been able to uncover isn't the whole thing. So we have to keep digging.

On Thursday, two senators on the intelligence committee who have done significant work to expose and contextualize the War on Terror prompted a declassification that amounts to their own warning. Sens. Ron Wyden and Martin Heinrich revealed that the CIA has "secretly conducted its own bulk [surveillance] program" ensnaring Americans' data. "Bulk" refers to wholesale collection of data, rather than surveillance targeted at a person, account or enterprise due to suspicions relevant to a foreign-intelligence purpose.

Wyden and Heinrich learned this through a maddeningly weak but still significant government institution called the Privacy and Civil Liberties Oversight Board (PCLOB). In March 2021, according to a now-partially declassified letter from Wyden and Heinrich the following month, the PCLOB delivered to the Senate intelligence committee a report on something we're now calling "Deep Dive II." That report remains classified. But in a partially-declassified set of recommendations about Deep Dive II, the PCLOB frets over the CIA's ease in sifting through data it took, warrantlessly, without any substantive or even procedural safeguard.

(The PCLOB also reviewed a different CIA surveillance activity, apparently concerning financial surveillance related to the so-called Islamic State—"Deep Dive I"—but for the purposes of this piece, we're going to mostly set that declassified report aside, as I have yet to conduct my own deep dive into Deep Dive I.)

The redacted letter from Wyden and Heinrich did not reveal what the surveillance actually collects. The CIA and the Office of the Director of National Intelligence have kept that central aspect of the surveillance classified. In their letter, the senators express hair-on-fire alarm at what, to us, remains a mystery. "Among the many details the public deserves to know are the nature of the CIA's relationships with its sources and the legal framework for the collection; the kind of records collected [redacted] the amount of Americans' records retained; and the rules governing the use, storage, dissemination and queries (including U.S. person queries) of the records," they write. (My emphasis.) In other words, the public is unaware of the nature and scope of the CIA theft, but the Senate intelligence committee has at least the outlines.

Beyond that, we know barely anything. I have some hunches and speculations, but with one big exception that we'll address momentarily, I don't know how responsible it is to think out loud about them. What appears in this piece is the result of a couple days' worth of discussions with current and former knowledgeable U.S. officials, and then some judgment calls about how to present this stuff. As a result, this piece is going to highlight relevant questions about the surveillance instead of attempting to answer them.

That's unsatisfying. But having been at this as long as I have, as both a rando blogger and a credentialled investigative reporter, I think that serves you, the reader, best. Otherwise we're on Front Street, where speculation gets repeated so often as to blur into fact without the rigor of confirmation. No thanks.

FOREVER WARS is part of the Discontents Substack cartel, and with cartelization comes benefits. Subscribe to Forever Wars for a year and receive six FREE months of two of our affiliated newsletters, Welcome To Hell World by Luke O’Neil and Derek Davidson’s Foreign Exchanges. Both of them are excellent, and you’ll get them both at the subscriber tier. Subscribe today! And remember: REIGN OF TERROR is available now!

PARSING THE DECLASSIFIED DOCUMENTS, there are two elements of the surveillance at issue, both of them fundamental. First, the collection of the data itself, an express constitutional violation because it's done wholesale. The 4th Amendment renders your personal effects secure from government access except when a warrant, specifically named, details what can be taken.

After collection, a second constitutional violation occurs. The PCLOB recommendations document says the CIA queries the relevant databases without specifying any foreign-intelligence reason for accessing, again, troves of Americans' warrantlessly-stolen data. "[A]nalysts are not required to memorialize the justification for their queries," the document states.

Wyden coined a phrase for this: a backdoor search. James Ball and I published part of a document in the Snowden trove showing how backdoor searches, from a legal/bureaucratic perspective, work. (Though that concerned surveillance under a different legal(ish) regimen, FISA Section 702, than this surveillance, which we'll talk about in a moment.) The secret surveillance court known as the FISA Court in 2018 told the FBI that such searches were "inconsistent with… the requirements of the Fourth Amendment"; in 2021 it confirmed the bureau continues the practice. Accordingly, the CIA is committing a multi-tiered constitutional violation, first at the collection stage and then at the analysis stage. Wyden and Heinrich's letter also suggests Langley might be committing further violations at later stages, like not purging the data or disseminating it to other government agencies.

Now it's time for that exception I mentioned above.

The existence of this surveillance program puts into relief Wyden’s recent preoccupation with bulk call-records purchases. Last year, Wyden and other senators introduced a bill preventing the government from buying Americans' call records from the surveillance-capitalism phenomenon of data brokers. They likened the practice to the government using a credit card for an end-run around the 4th Amendment.

It's possible these two things aren't related. But I note as well that in an annex to the PCLOB report on Deep Dive I, two PCLOB members reference what they call "the CIA’s regular practice of acquiring datasets [redacted] of incidentally-collected USP information." (USP = "U.S. persons," i.e., people inside the U.S.; citizens or otherwise.)

Next we turn to the legal predicate the CIA uses for the surveillance.

Starting with the creation of the modern Security State in the late 1940s and early 1950s, the CIA, NSA and FBI conducted national-security surveillance on U.S. soil unilaterally and without either judicial or congressional approval or review. Then, following revelations of systemic constitutional violations, Congress created the 1978 Foreign Intelligence Surveillance Act (FISA), bringing such surveillance under a judicial and congressional regime. Congress declared the FISA process was the "exclusive means" for such surveillance inside the United States or on U.S. persons. But in practice that hasn't been the case. In addition to outright violations like the NSA's STELLAR WIND, the intelligence agencies base a significant-but-undisclosed amount of domestic surveillance not on FISA or another act of Congress, but on a Reagan-era executive order called EO 12333, or "twelve-triple-three." Whatever this is, it's an example of 12333 surveillance.

Around the time of the paltry post-Snowden reforms to NSA bulk collection of Americans' phone records, a State Department whistleblower named John Napier Tye warned that reforms to FISA will always be insufficient because of 12333. "To the extent U.S. person information is either stored outside the United States, routed outside the United States, in transit outside the United States, it's possible for it to be incidentally collected under 12333," Tye told me in 2014. We were speaking in the context of NSA surveillance, but it applies equally to the CIA. The details can be complex, but the point is that 12333 provides the intelligence agencies with a route around whatever restrictions FISA imposes around the collection of U.S. data.

Then there's a timeline issue worth noting. According to PCLOB's Deep Dive I report, it began looking at CIA (and NSA) 12333-predicated surveillance activities in 2015. Shortly before that time, the CIA's deputy director was Avril Haines. Haines was John Brennan's deputy at Langley because of her expertise as a national-security lawyer. She rejoined the White House in early 2015, but as deputy director, Haines would surely have known about this surveillance; though an important caveat is that we don't know when the surveillance activity began, and so we don't know who began it.

I mention Haines because she is now director of national intelligence. Her office has significant influence over any further declassifications concerning a program that likely implicates her past service. (One of the CIA's statements suggests that Langley performed the declassification review that resulted in Thursday's disclosure.) I sent the Office of the Director of National Intelligence a list of questions concerning Haines' relationship to the surveillance as deputy CIA director. Liberty Crossing didn't reply. I also sent questions to a representative for Haines' former boss, #Resistance hero Brennan, and similarly got no reply.

Haines is perhaps the most significant figure within the Security State who advocates for restraint in the War on Terror. But as I highlighted in a 2020 profile, Haines is also not an abolitionist. That comes out in relief on this issue. As director of national intelligence, she presides (at a remove) over a CIA that appears, based on its statements last week about the surveillance, to continue this bulk theft of your data, whatever it precisely is.

One last observation about that timeline. 2015 is also when Congress enacts its only post-Snowden reform, a doomed compromise concerning NSA/FBI access to bulk American call data called the USA FREEDOM Act. It is glaringly conspicuous that the CIA conducted this bulk surveillance—we can't say either began or continued yet—while Congress was expressly rejecting bulk surveillance of Americans' phone data, as had federal courts.

FINALLY, A CODA. In 2011, Wyden warned that the PATRIOT Act was being secretly reinterpreted by the government to permit a kind of surveillance that Americans would find disturbing. He warned there was a body of what he called "secret law" that weakened the meager restrictions Congress placed on national-security surveillance. "We're getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says," he told me over a decade ago. Despite my efforts over an hour-long interview, Wyden did not reveal what surveillance specifically disturbed him.

Two years later, Edward Snowden revealed what Wyden meant. The NSA was collecting, in bulk, Americans' phone metadata. Wyden gained a reputation as a human warrant canary owing to his cryptic warnings of secret surveillance abuse.

Something similar is going on here. Again, we don't know the What—though, unlike in 2011, Wyden used the words "bulk collection." But he has issued a signal, this time backed up with a declassified document. The document is full of redactions, but through its blinds, we can see a flashing red light.

In retrospect, we can see earlier flashes as well. In August, Wyden and Heinrich attached a note of cautious dissent to the intelligence committee's markup of the annual intelligence authorization bill. "As in previous years, our votes in favor of the Intelligence Authorization Act should not be read as an endorsement of all Intelligence Community programs and activities," they wrote. "We are particularly concerned about a CIA program described in a report by the Privacy and Civil Liberties Oversight Board (PCLOB), which we have requested be declassified." (Maybe don't vote for it in that case!)

When Wyden voted against the fiscal-2020 intelligence authorization, he nevertheless noted that he was "pleased that the [bill's] Classified Annex requires a report with information that Senator Heinrich and I have been seeking related to collection conducted pursuant to Executive Order 12333." Seems like the canary was chirping back then as well.

It's only been five days—five days in which much journalistic and government attention has gone to Ukraine rather than this. Hopefully as "national security" reporters we'll stay on this until we get ground truth about what looks to be a massive and ongoing CIA heist of your data. Unless there's a whistleblower waiting in the wings, that might take years.

ON THURSDAY, FEB. 17, I'll be speaking to the Massachusetts Institute of Technology. Not in person—which sucks, I wanted to go to Luke's emo night—but if you want to hear me address a highly respectable forum about REIGN OF TERROR, you can join in at 4:30 pm ET.