The Brennan Center for Justice report: What The Government Does With Americans’ Data
Federal and state agencies must maintain databases to carry out legitimate governmental purposes, including the provision of services, the management of law enforcement investigations, and intelligence and counterterrorism functions. In addition, where law enforcement agencies have reasonable suspicion of possible criminal activity or intelligence components are acquiring information on foreign targets and activity, they must retain information to track investigations, carry out lawful intelligence functions, and ensure that innocent people are not repeatedly targeted. History makes clear, however, that information gathered for any purpose may be misused. Across multiple administrations, individuals and groups have been targeted for their activism, and sensitive personal information has been exploited for both political and petty reasons. The combination of vastly increased collection of innocuous information about Americans, long-term retention of these materials, enhanced electronic accessibility to stored data, and expanded information-sharing exponentially increases the risk of misuse.
Against this backdrop, this report analyzes the retention, sharing, and use by federal law enforcement and intelligence agencies of information about Americans not suspected of criminal activity. It examines five distinct categories of information. The categories are Suspicious Activity Reports,assessments, National Security Letters, searches of electronics at the border, and information acquired by the National Security Agency.
Among these data sets, this report finds that in many cases, information carrying no apparent investigative value is treated no differently from information that does give rise to reasonable suspicion of criminal or terrorist activity. Basically, the chaff is treated the same as the wheat. In other cases, while the governing policies do set certain standards limiting the retention or sharing of non-criminal information about Americans, the restrictions are weakened by exceptions for vaguely-described law enforcement or national security purposes. Depending on the data set, presumptively innocuous information may be retained for periods ranging from two weeks to five years to 75 years or more.
And the effect of these extensive retention periods is magnified exponentially by both the technological ability and the legal mandate to share the information with other federal agencies, state and local law enforcement departments, foreign governments, and private entities.
To address these problems, this report recommends the following reforms:
- Ensure that policies governing the sharing and retention of information about Americans are accessible and transparent.
- Prohibit the retention and sharing of domestically-gathered data about Americans for law enforcement or intelligence purposes in the absence of reasonable suspicion of criminal activity, and impose further limitations on the dissemination of personally identifiable information reflecting First Amendment-protected activity.
- Reform the outdated Privacy Act of 1974, which has fallen far short of its goal of protecting the privacy of Americans’ personal information, through statutory amendments and establishment of an independent oversight board.
- Increase public oversight over the National Counterterrorism Center, a massive federal data repository that increasingly is engaged in large-scale aggregation, retention, and analysis of non-terrorism information about Americans.
- Require regular and robust audits of federal agencies’ retention and sharing of non-criminal information about Americans.
Data Retention By the Numbers
- 5 years: How long the National Security Agency keeps “metadata” about all Americans’ domestic and international phone calls without suspicion of wrongdoing
- 5 years: How long the National Counterterrorism Center can keep and search databases of non-terrorism information about Americans
- 5 to 20 years: Retention periods for databases that store at least some information from border searches of Americans’ laptops, phones, hard drives, and more
- 6 years: Time period, beginning with the start of surveillance, that the NSA can keep Americans’ incidentally gathered communications
- 20 to 30 years: Amount of time the FBI keeps information collected via assessments and National Security Letters, even when it is irrelevant to a current investigation
- 30 years: Time period that Suspicious Activity Reports with no nexus to terrorism are kept by the FBI
- 1 Billion and growing: Records in the FBI’s Investigative Data Warehouse
- 1,000,000 sq. ft.: Size of National Security Agency’s data center (opening in 2014)
- 41 billion: Communications records stored by NSA’s XKEYSCORE system every 30 days
ACLU/EFF filed an Amicus Brief concerning spy data collection: