The updated rules include "specific approval requirements" for any data that can't be evaluated right away, and limit data collection to the smallest amount the CIA needs to achieve its goals. Agents can't just scoop up as much as they can and hoard it for later, in other words. The agency will also limit access to unevaluated data, insist on training for handling that data and require the deletion of that data no more than 5 years after it's available.

Data searches, meanwhile, have to both be limited to legal activities and include an explanation whenever there's extra-sensitive information involved, like messages. And spies can't just infiltrate online social circles at will, either. Operatives have to identify their affiliation unless they're joining an organization that primarily consists of and is run by non-Americans, and they'll still have to get approval from the CIA's Director before diving in.

There will be periodic audits on top of existing oversight, the CIA says.

We can see some potential flaws in the guidelines. While the agency does have a good reason to keep info around for a while, 5 years is a long time to retain internet data that probably won't be useful. And is a statement of purpose enough for the CIA to look at private conversations in its databases, even if the scope is narrow? Still, the very fact that the CIA is updating its rules (not to mention making the changes public) is important. This theoretically lowers the odds that surveillance teams will grab more data than they're allowed (ahem, NSA), and increases the chances that abusers will be caught in the act.