CIA Does Not Submit Congressionally Mandated Data Mining Report

WASHINGTON, DC - FEBRUARY 07:  U.S. Assistant to the President for Homeland Security and Counterterrorism John Brennan, nomin
WASHINGTON, DC - FEBRUARY 07: U.S. Assistant to the President for Homeland Security and Counterterrorism John Brennan, nominated by U.S. President Barack Obama to be the next Director of the Central Intelligence Agency, testifies before the Senate Intelligence Committee February 7, 2013 in Washington, DC. Brennan was expected to face sharp questioning on the U.S. military drone program in addition to questions about his nomination to head the CIA. (Photo by Win McNamee/Getty Images)

NEW YORK -- Despite the CIA chief technology officer's stunning claim last month that "we fundamentally try to collect everything and hang on to it forever," the agency does not submit a congressionally mandated report on data mining, The Huffington Post has learned.

That's because under the CIA's reading of the law, it doesn't do any data mining at all. A legal loophole allows it to skip submitting the report even though other agencies, like the Office of the Director of National Intelligence and the Department of Homeland Security, do.

The CIA's interpretation "may technically comply with existing law," said Sharon Bradford Franklin, senior counsel at the Constitution Project. But as the scope of the CIA's capabilities becomes more clear, so does the extent of the legal loophole, she said.

"The definition is overly narrow, and so the act cannot fully serve its purpose of providing greater transparency, accountability and oversight," she said.

The 2007 Federal Agency Data Mining Reporting Act requires government agencies to submit an annual report to Congress whenever they do data mining. Sponsors of that law said they were motivated by the Bush administration's attempt to create a spooky-sounding "Total Information Awareness" surveillance office.

But the law only covers "pattern-based queries" used to identify "a predictive pattern or anomaly indicative of terrorist or criminal activity." Agencies only have to report, in other words, when they're working back from actions to people.

The Department of Homeland Security uses pattern-based data mining to determine, for example, that someone who flew to Bogotá, Colombia without luggage and returned with some might need extra screening.

When the data mining begins with identifying information linked to a single person -- a name, a phone number, an email address -- the law doesn't apply. For example, the CIA could plug in a suspect's name and use it to scoop up information on everyone they've emailed, without ever publishing a data mining report.

It is this exception upon which the CIA rests its case. The loophole enables agency employees to make bold claims like the one from CTO Gus Hunt that it is "very nearly within our grasp to be able to compute on all human generated information."

"It is inconsistent with common understandings of data mining," said Mary Ellen Callahan, the former chief privacy officer for the DHS, where she oversaw the production of that agency's report. For now, she said, "Congress hasn't changed it, so Congress seems to think that the pattern-based data mining report is more important."

“The CIA did not have any reportable activities under the Act," said Jennifer Youngblood, a CIA spokesperson. "If future technologies employ techniques that would require reporting, we would certainly do so."

The Constitution Project has recommended treating all forms of data mining with higher scrutiny.

"If anything did come up, then Congress would be able to potentially require greater controls or we could make sure to include appropriate safeguards, if we learned of tools that were troubling or seemed overly intrusive of Americans' civil liberties," said Bradford Franklin.

This article was updated to include comment from the CIA.



U.S. State Capitol Buildings