The Trilateral Ethical Framework Underpinning U.S. Intelligence Programs

In the past four years, Edward Snowden’s leaks cast the spotlight on the alleged negligence of the intelligence community in enabling blanket government surveillance programs that indiscriminately collect data on American citizens. To better understand how members of the US intelligence community balance national security concerns with individual privacy rights in formulating their intelligence gathering and sharing program, we interviewed Mary Pearl, Senior Vice President of Integral Consulting Services. Integral Consulting Services is a defense contractor that builds technical infrastructure for the sharing of biometric signals intelligence between nation-states. Pearl’s work centers around regulatory compliance — ensuring that the technology and the workflows that it enables stay within the ethical boundaries and guidelines for intelligence gathering prescribed by the government.

One of Pearl’s landmark projects, which framed much of our discussion with her, was the creation of a worldwide intelligence sharing portal that the US intelligence community used share and analyze intelligence from allies worldwide, such as Canada and New Zealand.

Through our conversation with Pearl, we learned how the U.S. intelligence coalition has three levels of maintaining an ethical framework within their intelligence programs: 1) ensuring access to U.S. intelligence is only given to classified and authorized parties, 2) identifying and purging inadvertently collected intelligence on innocent parties in a timely manner, and 3) reporting cases of unethical or unjustified dissemination or access to intelligence. We concluded, thus, that the US government has a much more robust framework for safeguarding personal information and civil liberties than the Snowden leaks led the public to believe.

Level 1: Limiting Access to Intelligence

Could you tell us a little more about the intelligence sharing network between the US and its intelligence partners and the relevant regulatory considerations that govern its use?

What’s very interesting is that the United States has different bilateral [intelligence sharing] agreements with different countries. So depending on the project we are working, we have to ensure we have to be very, very careful, especially with information sharing….because each country has their own [laws and regulations], especially when it comes to who is allowed to access biometrics or intelligence that can identify their citizens.

So there are things that really need to be monitored…[so that] you do not inadvertently enable the storage…or passage of information over these networks that could potentially harm American citizens.

Level 2: Purging Inadvertently Collected Personal Data

Could you tell us more about the regulations or standards governing the collecting and sharing of intelligence concerning U.S. citizens?

Basically, under the Department of Defense Intelligence Operations guidelines, we cannot gather or share information on U.S. citizens. We just can’t. We need to build our technology to ensure that when information is identified as pertaining to [an American] person or [an American] company information, it is purged and cannot be backed up, unless it can be tied to a terrorist nexus can be identified within the 90 days.

So if anything is inadvertently collected or shared with us by an intelligence partner [regarding US American citizens], we ensure that it is removed from the purview of the intelligence community’s databases, as we cannot keep tabs on U.S. persons. We build auditing technology to enable the Intelligence Oversight Program…to go through regularly to make sure there is no collected information on US persons.

However, there are different rules pertaining to law enforcement…organizations like the FBI are allowed to surveil and monitor US citizens. That’s why the law enforcement community and the intelligence community have to be very careful on how they share their information, so as to not make it appear that the intel community is specifically targeting.

How do you make ethical judgments regarding what information can and cannot be disseminated through the American intelligence sharing portals?

We need to make sure that the information [captured and shared] is compliant with the regulation…[there are] regulations on what we can or cannot store. Typically, for sensitive personal information…the government would have to present a very strong case on why we have to store this information.

Furthermore, we need to ensure that the system forces continual re-evaluation of the credibility of threats and suspicious entities that it flags. For example, suppose the intelligence portal receives information about an [American citizen]…who appeared to be [involved in a terrorist attack. After further review of the information, it could be that this person just happened to be talking [innocuously] to someone else who was related [to the terrorist attack]. We have to purge that information so that no one in advertently targeted or tracked.

When it comes to the biometric enabled watch list, for example, we have to continually go down that list so that people who may have been put on the ‘no fly list’ and make sure that even law enforcement individuals have made the proper recommendations.

What sort of guidelines do you set for how much confidence you need to have in the intelligence obtained by the US government’s intelligence sharing portals before law enforcement and military officials use it determine what actions to take?

Well there are many different tiers corresponding to the seriousness of the threat…and what the response should be…and every one of those tiers has regulations and a checklist of criteria that are being checked and matched.

Sometimes information doesn’t get to the right individuals or is firewalled between agencies because of these regulations…like that Christmas Eve underwear bomber. That information was with the Department of Homeland Security but it wasn’t with the TSA because all of the criteria [for sharing the intelligence] hadn’t been met…granted nothing really bad happened, but he did get on a plane. If there was better information sharing among some of these agencies, he may not have even boarded the plane.

We cannot disregard rules and regulations that have been put in place to protect US citizens, just because we may catch the one or two people prior. That leads us down a dangerous path.

So that is something that the intelligence community, law enforcement, Homeland Security…[are all] kind of grappling with — how do you ensure that we keep our rights and privacies at the same time we are ensuring that we are keeping the nation safe. These regulations and rules help us walk that line.

Level 3: Reporting Cases of Unethical Practices

What decisionmaking frameworks do the intelligence community and defense contractors have in place for resolving ethical disputes regarding intelligence gathering and sharing?

We have a group of individuals…tasked with handling this if something is brought to someone’s attention, that we understand should really have not occurred. For example, we had an incident…when someone, not maliciously, published a book. He did not go through the proper steps with the government, to ask if the intelligence he was writing about could be released.

We found out, so we self-reported and let the government know that this happened. It does not appear that anything he had released in the book was of sensitive or secret or top-secret nature. … but understand that you are not supposed to do this and that all the intelligence that gets used, shared, and released needs to goes through the proper processes…that we have guidelines for. Even though it appeared that nothing had been compromised…we had to remove him from the intelligence community…[because] of his lapse in following those ethical and security-sensitive rules and regulations.

Sid Grover & Aanchal Johri