Earlier today, the Office of the Director of National Intelligence (ODNI) released an optimistically titled report Safeguarding the Personal Information of all People. This is basically a status update from ODNI on how they are doing in implementing Presidential Policy Directive 28, which among other things was supposed to better recognize the privacy rights of people worldwide.

Today’s report from the ODNI is disappointing, though not surprising. This is in part because PPD 28 was pretty limited in the first place. When Obama first announced his surveillance reforms and PPD 28, we rated him on 12 criteria for effective surveillance reform—and found his proposal only met only 3.5 of those criteria. We saw an example of the limitations of PPD 28 in its 5th footnote, which begins, "The limitations contained in this section do not apply to signals intelligence data that is temporarily acquired to facilitate targeted collection." That seems to say that they can seize a haystack so long as they intend to look for needles.

Here are a few choice sections from our initial read of today's report:

To that end, PPD-28 states that personal information of non-U.S. persons shall be retained and disseminated only if the retention and dissemination "of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333."

We are disheartened to see ODNI pinning its privacy protections to Executive Order 12333. EO 12333 is a poorly-understood Reagan-era authority; one former State Department chief said:

…Section 215 permits the bulk collection only of U.S. telephone metadata — lists of incoming and outgoing phone numbers — but not audio of the calls. Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders. Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select Committee on Intelligence, has said that the committee has not been able to “sufficiently” oversee activities conducted under 12333.

The ODNI report itself highlights (Section D) one massive flaw in EO 12333, noting that "if read literally," it places no limits whatsoever on retention or dissemination of any information about any foreign person. One wonders if any element of the intelligence community has ever acted in accordance with this reading.

In short, Executive Order 12333 is a weak privacy standard—at least what we know of it, because its implementation has had little oversight from the public or even Congress. This is not the standard we want to adopt for protecting the rights of individuals worldwide who have not been suspected of a crime.

What might be a better standard? EFF along with intentional human rights groups and scholars worldwide developed 13 principles for protection human rights when engaging in communications surveillance. That’s a much better starting point for crafting protections for privacy of people worldwide.

Another disappointment (though again not a surprise) in today’s report was the failure to address or rein in mass collection of digital data:

Section 2 of PPD-28 acknowledges the importance of collecting SIGINT in bulk to help identify new and emerging threats or other vital national security information. At the same time, the United States recognizes that collecting information in bulk may not result in the collection of information about persons whose activities are not of interest to the Intelligence Community. PPD-228 therefore places limitations on the use of SIGINT collected in bulk.....PPD-28 also states that in no event may SIGINT be used for the purpose of suppressing or burdening criticism or dissent….

Basically, ODNI is reaffirming that it will continue to vacuum up data from people not suspected of a crime and is merely outlining methods of limiting the use and dissemination of that data.

It’s particularly disheartening to see ODNI talking about how data collected in bulk will not be used for the purpose of suppressing or burdening criticism or dissent. This is a cognitive dissonance: mass surveillance by its nature creates a chilling effect on free speech. More than 500 authors, including 5 Nobel laureates, have written that:

A person under surveillance is no longer free; a society under surveillance is no longer a democracy. To maintain any validity, our democratic rights much apply in virtual as in real space. Surveillance violates the private sphere and compromises freedom of thought and opinion.

The ODNI deludes itself into believing that you can have surveillance without suppressing or burdening dissent. In fact, it is the very nature of mass surveillance to chill criticism and dissent. That is the very basis for our lawsuit against the NSA phone record collection program.

Finally, all of the commitments to civil liberties and privacy in ODNI’s report come with a rather alarmingly large loophole:

N. Intelligence Community Elements Must Have the Flexibility to Deviate from their PPD-28 Implementing Procedures After Receiving Senior Level Approval. It is important that elements have the ability to deviate from their procedures when national security requires doing so, but only with approval at a senior level within the Intelligence Community element and notice to the DNI and Attorney General.

Regardless of what procedures are put into place to safeguard individual privacy, the intelligence community gives itself a loophole for “national security” concerns. National security, unfortunately, remains undefined in the document.

We’re still reviewing the report and may have more thoughts in the coming days, but these are our initial impressions.

Read the entire report. Take action against mass surveillance.