REVIEW OF PROCEDURES AND PRACTICES OF CIA TO DISSEMINATE UNITED STATES PERSON INFORMATION ACQUIRED PURSUANT TO TITLES I AND III AND SECTION 702 OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT (FISA)

Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED Central Intelligence Agency Office of Privacy and Civil Liberties Review of Procedures and Practices of CIA to Disseminate United States Person Information Acquired Pursuant to Titles I and III and Section 702 of the Foreign Intelligence Surveillance Act (FISA) August 2017 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED This page is intentionally blank. UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASS I Fl ED Review of Procedures and Practices of CIA to Disseminate United States Person Information Acquired Pursuant to Titles I and III and Section 702 of the . Foreign Intelligence Surveillance Act (FISA) I. Executive Summary This report responds to the Director of National Intelligence's request that civil liberties and privacy officers for the Office of the Director of National Intelligence (ODNI), National Security Agency (NSA), Central Intelligence Agency (CIA), and Federal Bureau of Investigation (FBI) review the procedures and practices to disseminate United States (U.S.) person information acquired pursuant to Titles I/III and Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended (FISA).' This report was undertaken by the CIA's Office of Privacy and Civil Liberties (OPCL). With very limited exceptions for certain activities, CIA does not conduct electronic surveillance or physical searches in the United States.2 As such, CIA does not conduct acquisition pursuant to Section 702 of FISA, electronic surveillance pursuant to Title I of FISA, nor physical searches pursuant to Title HI of FISA. CIA is, however, authorized to receive, review, and appropriately disseminate certain data acquired pursuant to Section 702 or Titles 1/11I that have been initially collected by FBI or NSA. As described below, such information is required to be handled under Foreign Intelligence Surveillance Court (FISC)-approved "minimization procedures" that govern the access to, retention of, and dissemination of FISA- acquired data. This report details CIA OPCL's review of (1) CIA's procedures regarding the dissemination of U.S. person information acquired under the specified provisions of FISA; (2) CIA's actual dissemination practices in light of these procedures; (3) the training program with respect to such dissemination practices; and (4) the related compliance and oversight activities conducted by the CIA Office of General Counsel (OGC), CIA's FISA Program Office, the Department of Justice (DOJ), and ODNI. 50 U.S.C. �� 1801-1885c (2008). See Executive Order 12333, Section 2.4(a) and (b). CIA has limited authority to conduct electronic surveillance in the United States for testing and training purposes or to conduct countermeasures to hostile electronic surveillance, as well as physical searches of non-U.S. persons' personal property that is already lawfully in CIA's possession. A description of the limited electronic surveillance and physical search activities that may be conducted within the United States may be found in Sections 4.4.1,4.4.3, and 4.4.4 of CIA's Executive Order 12333 Attorney General Procedures, available at httos://www.cia.gov/about-cia/privacy-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf . 2 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED As detailed in this report, OPCL's review of CIA's procedures and practices with respect to the dissemination of U.S. persons found: � CIA has specific procedures to minimize the dissemination of U.S. person information, or in other words, specific procedures to limit the dissemination of U.S person information to that which is assessed to be necessary to understand the foreign intelligence information. � Dissemination of U.S.Terson information is only permitted after several prior steps to filter out irrelevant information concerning U.S. persons. The "retention decision" is a particularly critical component of this process. � CIA requires all initial disseminations of information acquired pursuant to Titles 11111 and Section 702 of FISA concerning U.S. persons to be reviewed and approved by both CIA OGC and the FISA Program Office prior to dissemination. � Consistent with prior oversight reviews, OPCL discovered no intentional violations of CIA's procedures governing the handling and dissemination of U.S. person information. � CIA's disseminations of FISA-acquired information concerning U.S. persons are limited in number and, when identifying a particular U.S. person, generally provided to a relatively narrow audience in order to address a specific national security threat. o More specifically, unlike general "strategic" information regarding broad foreign intelligence threats, CIA's disseminations of information concerning U.S. persons were "tactical" insofar as they were very often in response to requests from another U.S. intelligence agency for counterterrorism information regarding a specific individual, or in relation to a specific national security threat actor or potential or actual victim of a national security threat. � Relatedly, because these disseminations were generally for narrow purposes and sent to a limited number of recipients, the replacement of a U.S. person identity with a generic term (e.g., "named U.S. person," sometimes colloquially referred to as "masking") was rare, due to the need to retain the U.S. person identity in order to understand the foreign intelligence information by this limited audience. � Using a generic term in place of a U.S. person's name occurs in finished intelligence products provided to policymakers and broader audiences within the Intelligence Community, but subsequent requests to reveal the identity of the U.S. person (i.e. sometimes colloquially referred to as "unmasking") are rare. OPCL identified no such "unmaskings" in the four months of disseminations that it reviewed. 3 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED � CIA has an extensive and multi-pronged approach to training to ensure compliance with the minimization procedures. � Compliance and oversight activities to ensure and monitor adherence to the minimization procedures are carried out by several elements of CIA, as well as DOJ, ODNI, Congress, and the FISC. Although the clandestine mission of CIA requires the protection of sources and methods in order to protect national security, CIA also has an obligation to serve the American people by protecting the freedoms, civil liberties, and privacy rights guaranteed by the Constitution and federal laws when conducting its mission. Thus, to increase public transparency and awareness of CIA's activities, authorizations, and limitations regarding the dissemination of U.S. person information acquired under FISA, this report has been written at the unclassified level. II. Scope of Review In order to evaluate the scope, nature, and practices surrounding CIA's dissemination of U.S. person information acquired pursuant to Section 702 and Titles I/III of FISA, OPCL received briefings from CIA OGC, CIA's FISA Program Office, senior managers who supervise the dissemination of information outside of CIA (to include FISA-acquired information), and DOJ. OPCL reviewed the relevant CIA minimization procedures, Agency guidance, DOJ/ODNI oversight reports, and other documents regarding the dissemination of this information. Members of the OPCL staff also attended the live training provided by CIA OGC and the FISA Program Office required of all Agency personnel before they are permitted to receive access to unminimized FISA information. Finally, OPCL examined four months of CIA disseminations of U.S. person information acquired pursuant to Section 702 of FISA. In conducting this review, OPCL examined CIA's practices and internal procedures for (1) compliance with the governing minimization procedures approved by the FISC, and (2) consistency with the comparable concepts for protecting U.S. person information embodied in the CIA's Executive Order 12333 Attorney General-approved Procedures. OPCL also employed the Fair Information Practice Principles (FIPPs)3 to determine whether CIA's practices and procedures adequately protect U.S. persons' privacy and civil liberties. OPCL's findings are incorporated into this report. 3 The FIPPS are a broadly recognized set of principles for assessing privacy impacts. For example, they have been incorporated into Executive Order 13636, Improving Critical Infrastructure Cybersecurity and the National Strategy for Trusted Identities in Cyberspace. These principles are rooted in the U.S. Department of Health, Education and Welfare's seminal 1973 report, "Records, Computers and the Rights of Citizens." The FIPPs have been implemented in the Privacy Act of 1974, with certain exemptions, including ones that apply to certain national security and law enforcement activities. 4 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED III. Background: Intelligence Collection, Retention, and Dissemination at CIA Information shared outside of CIA is considered a dissemination, and is required to occur in accordance with approved authorities, policies, and procedures. Dissemination of information is often one of the fmal steps in the Intelligence Cycle, which is a six-step process through which information is converted into intelligence and made available to users. The six steps of the Intelligence Cycle include: planning and direction, collection, processing and exploitation, analysis and production, and dissemination and evaluation. Relatedly, the protections for U.S. person information begin well before CIA determines that it will share foreign intelligence information with policymakers or other partners. The protection of U.S. person information begins with the authorization to target an individual to obtain electronic communications, and extends to the controls governing the techniques used to acquire information regarding these targets, the access controls on the acquired information, and the restrictions with regard to what data may be retained and used. Only after all of these restrictions are met is it potentially permissible to disseminate acquired information concerning a U.S. person. Whether the U.S. person information in question can, in fact, be disseminated is itself a function of not only the rules governing dissemination, but also the nature of the information, the individuals or entities to which the information is to be disseminated, and the purpose for which the information is to be disseminated. As such, a general background regarding targeting, acquisition, and retention pursuant to Titles I/III and Section 702 of FISA, as well as a broad understanding of how and for what purposes CIA disseminates information, is required to fully understand CIA's dissemination practices in context. CIA does not target individuals pursuant to Section 702 of FISA, nor does CIA conduct electronic surveillance or physical searches pursuant to Titles I/III of FISA. With limited exceptions, Executive Order 12333 prohibits CIA from conducting either electronic surveillance or physical searches within the United States.4 CIA is, however, authorized to receive, review, and appropriately disseminate a subset of data acquired pursuant to Section 702 or Titles I/III that have been initially collected by FBI or NSA. More specifically, CIA receives only a subset of electronic surveillance (Title I) or physical search (Title III) information initially collected by FBI.5 In order to authorize electronic surveillance or physical search under FISA, an application approved by the Attorney General must be made by FBI to the FISC. FBI's application must include the identity of the target of the electronic surveillance or physical search if known, evidence justifying a probable cause fmding that the target is a foreign power or an agent of a foreign power that uses (or is about to use) the 4 See footnote 2. 5 50 U.S.C. �� 1804, 1805, 1823, 1824. 5 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED communication facility (e.g., an email address) or place subject to electronic surveillance or physical search. The surveillance application is then reviewed by the FISC. If the FISC determines that probable cause has been demonstrated, the judge issues an order authorizing the electronic surveillance or physical search of the communication facilities or places specified in the application. Once authorized, FBI may only conduct the specific electronic surveillance and physical search activities authorized by the FISC, and FBI's collection activities are governed by procedures designed to minimize the acquisition of irrelevant information concerning U.S. persons.6 If requested by FBI in certain cases, unevaluated information acquired by FBI can be shared with CIA.7 Under Section 702 of FISA, NSA is authorized to target only non-U.S. persons reasonably believed to be located outside the United States who are assessed to possess, communicate, or receive certain categories of foreign intelligence information authorized by the Director of National Intelligence (DNI) and the Attorney Genera1.8 Such targeting decisions are made by NSA personnel but are governed by "targeting procedures" that are approved by the Attorney General, in consultation with the DNI, and reviewed by the FISC.9 CIA may nominate targets to NSA for Section 702 collection, but the ultimate decision to target a non-U.S. person reasonably believed to be located outside the United States rests with NSA.1� Section 702 is not a bulk collection program; NSA makes an individualized decision with respect to each non-U.S. person target. In addition to this initial targeting decision, the techniques used to acquire the foreign intelligence information pursuant to Section 702 are governed by specific procedures 6 See, e.g., 50 U.S.C. � 1805(cX2)(A) (requiring all electronic surveillance to be conducted in conformance with "minimization procedures"); 50 U.S.C. � 1825(c)(2)(A) (requiring the same for physical searches); 50 U.S.C. � 1801(h) (defining "minimization procedures" to be, in part, procedures "reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition ...of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information."); 50 U.S.C. � 1821(4) (same for physical searches). 7 Previously released information regarding the sharing of unevaluated FBI-acquired FISA information with CIA may be found at httos://icontherecord.tumblr.com/oost/112610953998/release-of-documents-concerning-activities- under. The original motion seeking approval for such sharing is available at https://www.dni.gov/files/documents/0315/Exhibit%20A%20to%20May%2010%202002%20Motion.pdf. 850 U.S.C.* 1881a(a), (g). 9 50 U.S.C. � 1881a(d). A redacted version of the NSA's targeting procedures is available at httos://www.dni.gov/files/documents/icotr/51117/2016 NSA 702 Targeting Procedures Mar 30 17.pdf (hereinafter "NSA Section 702 Targeting Procedures"). Additional descriptions of the Section 702 targeting process may be found in the NSA Director of Civil Liberties and Privacy Office Report: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702, April 16, 2014, pages 2-6, available at http://www.dni.gov/files/documents/0421/702%20Unclassified%20Document.pdf, and the Privacy and Civil Liberties Oversight Board's (PCLOB) "Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, July 2, 2014, pages 41-48, available at https://www.oclob.gov/library/702- Report.pdf (hereinafter, "PCLOB Report"). I� See PCLOB Report. at 42, 47. 6 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASS I Fl ED designed to limit the scope of the data collected) In addition, there are statutory limitations on collection activities under Section 702 of FISA that prohibit the Government from (1) intentionally targeting persons known to be located in the United States; (2) intentionally targeting persons reasonably believed to be located outside of the United States, if the purpose is to target an individual reasonably believed to be located within the United States; (3) targeting a U.S. person reasonably believed to be located outside of the United States; (4) intentionally acquiring any communication when the sender and all intended recipients are known at the time of the acquisition of the communication to be located in the United States; and (5) or otherwise acquiring information in a manner inconsistent with the Fourth Amendment to the Constitution.12 As described further below, the targeted information that CIA receives from either NSA or FBI pursuant to either Section 702 or Titles I/III of FISA is subject to specific procedures, referred to as "minimization procedures," that are approved by the Attorney General and the FISC and govern access to, retention of, and dissemination of the information. Prior to any dissemination of information concerning U.S. persons, CIA must first determine that the U.S. person information meets the retention requirements. As a result, the limitations and oversight mechanisms governing retention provide important checks prior to any decision to disseminate U.S. person information. In addition to these specific FISA minimization procedures, CIA's dissemination of information is restricted by the statutory authorities, Executive Order, procedures, and practices that govern and limit all of CIA's foreign intelligence activities. While statutes and Executive Order 12333 provide the general authority for CIA to conduct intelligence activities, CIA does not independently determine its intelligence collection priorities. CIA's intelligence activities are instead conducted in response to intelligence requirements established by the President and CIA's other intelligence consumers. Specifically, the DNI approves the National Intelligence Priorities Framework (NIPF),13 which establishes national intelligence priorities that reflect the guidance of the President and the National Security Advisor with input from Cabinet-level and other senior government officials. CIA's duly authorized intelligence activities are conducted in response to the NIPF priorities or other intelligence requirements imposed by the President and other intelligence consumers. II See 50 U.S.C. � 1881a(dX1)(B) (requiring the adoption of targeting procedures that are reasonably designed to "prevent the intentional acquisition of any communications as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States."); 50 U.S.C. � 1881a(e)(1) (requiring the adoption of minimization procedures as defined by 50 U.S.C. � 1801(h) or 50 U.S.C. � 1821(4)); supra note 6 (providing statutory definitions of minimization procedures); see also NSA Section 702 Targeting Procedures, supra; NSA's Section 702 Minimization Procedures, � 3, available at https://www.dni.gov/files/documents/icotr/51117/2016-NSA-702-Minimization-Procedures Mar 30 17.pdf. 12 50 U.S.C. � 188 la(b). 13 Information concerning the NIPF is available at https://dni.gov/files/documentsfICD/ICD%20204%20National%20Intelligence%20Priorities%20Framework.pdf. 7 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED In all activities, including but not limited to FISA, CIA is authorized to disseminate information concerning U.S. persons, only in furtherance of CIA's authorized intelligence activities, or in limited circumstances to provide information indicating a crime or illegal activity to law enforcement agencies that is acquired incidentally while conducting these foreign intelligence activities. CIA may not maintain information for the sole purpose of monitoring the lawful exercise of rights secured by the Constitution or United States law, including First Amendment rights. CIA is also prohibited from engaging in any activities for purposes of affecting or interfering with the domestic political process." Because these rules and restrictions govern all of CIA's foreign intelligence activities, not just its review of data acquired pursuant to FISA, CIA has a variety of processes, guidelines, and training to ensure the proper handling of all U.S. person information. These practices establish a baseline for the handling, including dissemination, of U.S. person information, which are further supplemented by FISA-specific protections. Relevant aspects of these more general practices pertaining to dissemination are discussed further below. Finally, but critically, it is important to understand that CIA produces and disseminates to policymakers and partners all-source analysis in order to provide tactical and strategic advantage to the United States. The fact that the information CIA produces may be tactical, strategic, or both is a key feature to understanding how CIA disseminates information, including U.S. person information. In determining what information is to be disseminated to policymakers and partners, including but not limited to U.S. person information, CIA must assess whether the specific U.S. person information is necessary to understand the foreign intelligence information in light of the information that is to be disseminated and the needs and authorities of the recipients of the information. Consistent with CIA's foreign intelligence mission, this means that U.S. person identifying information (such as a name or title) is often not just deleted or replaced with a generic term, but instead never referenced in the first place in the reporting, which is instead focused on the priorities identified in the NIPF. On the other hand, particularly in instances regarding more "tactical" information that is disseminated to a limited number of individuals or entities directly involved in countering the foreign intelligence threat at issue, CIA personnel may make the determination at the time of dissemination that the U.S. person's information and identity are necessary to understand the foreign intelligence information and will therefore disseminate this identifying information in the first instance, as opposed to deleting the U.S. person information or replacing the U.S. person identity with a generic term. In addition, there are instances in which the U.S. person information is necessary for some recipients to understand the foreign intelligence reporting, but not for others. In this case, CIA deletes or otherwise sanitizes the U.S. person information with a generic term such as "a named U.S. person" for the 14 See CIA's Executive Order 12333 Attorney General Procedures, available at https://www.cia.gov/about- cia/orivacv-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf. 8 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED broader audience, while separately providing the specific identity to those individuals or entities for whom that identifying information is necessary. IV. Procedures Governing CIA's Dissemination of Information Acquired Pursuant to Section 702 and Titles I/III of FISA As described above, any unevaluated data that CIA receives from either NSA or FBI acquired pursuant to either Section 702 or Titles UIII of FISA must be governed by specific "minimization procedures" adopted by the Attorney General and approved by the FISC, that are reasonably designed to minimize the retention and prohibit the dissemination of non-publicly available information concerning non-consenting U.S. persons, while also remaining consistent with CIA's unique mission requirement of obtaining, producing, and disseminating foreign intelligence information. CIA has released to the public lightly-redacted versions of the minimization procedures governing both Section 702 collection and Titles I/III collection.I5 In general, the default rule is that information may be disseminated outside of CIA if the information has been determined to be retained under the minimization procedures (as described further below) and "if the identity of the U.S. person and all personally identifiable information regarding the U.S. person are deleted or otherwise sanitized to prevent the search, retrieval or review of the identifying information. A generic term may be substituted which does not identify the U.S. person in the context of the data."' In other words, if the information concerning the U.S. person is removed in its entirety or rendered such that the specific U.S. person cannot be identified by the recipient, the information may be disseminated to authorized recipients. Although not a term found in the minimization procedures, as stated above, replacing the U.S. person's identity with a generic term is sometimes colloquially referred to as "masking." In certain circumstances, however, dissemination of information identifying the U.S. person is permissible. Specifically, the minimization procedures state that if the U.S. person's identity is "necessary to understand foreign intelligence information or assess its importance," the U.S. person's identity may be disseminated to authorized recipients." The minimization 15 CIA's current Section 702 minimization procedures are available at https://www.dni.gov/files/documents/icotr/51117/2016 CIA Section 702 Minimization Procedures Se 26 2016. f (hereinafter, "CIA Section 702 Minimization Procedures"). Minimization procedures governing CIA's handling of unevaluated Titles I/III data related to terrorism initially acquired by FBI are available at https://www.dni.gov/files/documents/0315/Exhibit%20A%20to%20May�/02010%202002%20Motion.pdf (hereinafter "CIA Titles I/Ill Minimization Procedures"). 16 CIA Section 702 Minimization Procedures at � 5; see also CIA Titles I/III Minimization Procedures at � 2. "CIA Section 702 Minimization Procedures at � 5; see also CIA Titles I/III Minimization Procedures at � 2. The minimization procedures also permit the dissemination of a person's identity that "may become necessary" to 9 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED procedures require that in each dissemination CIA evaluates whether the identifying information is necessary to understand the foreign intelligence information. Prior to dissemination of any information identifying, or even concerning, a U.S. person, the minimization procedures require that CIA make a determination that the information concerning the U.S. person may be retained outside of access-controlled systems accessible only to CIA personnel with specialized FISA training to review unevaluated information. Information regarding a U.S. person may only be retained outside such access-controlled repositories if (a) the information concerning the U.S. person is publicly available; (b) the U.S. person has consented to the retention of the information concerning him or her; (c) the U.S. person's identity is deleted or otherwise sanitized to prevent the search, retrieval or review ("querying") of the identifying information; or (d) the U.S. person's information falls within one of several established categories related to CIA's foreign intelligence mission.' 8 These established categories include that the U.S. person information Indicates that an individual is an agent of a foreign power (e.g., a member of an international terrorist organization), that the U.S. person may be the target of a foreign power's intelligence activities, or the information concerns a U.S. government official acting in their official capacity. Certain other rules provide further restrictions with respect to certain disseminations. Strict rules restrict the dissemination of any attorney-client information obtained pursuant to these FISA authorities.� Special rules also apply to disseminations of information concerning U.S. persons to a foreign government.20 CIA is also permitted to disseminate to FBI and other appropriate law enforcement authorities information that reasonably appears to be evidence of a crime.21 According to CIA OGC, disseminations of FISA information to law enforcement of information that is not foreign intelligence information but is evidence of a crime are rare. None of the disseminated reports reviewed by OPCL contained information that was solely evidence of a crime. V. Dissemination in Practice understand certain types of foreign intelligence information, such as information concerning international terrorism. In discussions with FISA Program Office personnel, as well as OPCL's review of training materials and actual disseminations, OPCL did not discover any reliance on the "may become necessary" language as a basis for dissemination. 18 CIA Section 702 Minimization Procedures at � 3; see also CIA Titles I/III Minimization Procedures at � 2. 19 See CIA Section 702 Minimization Procedures at � 7(a); see also CIA Titles 1/Ill Minimization Procedures at � 4(a). 28 See CIA Section 702 Minimization Procedures at � 7(c); see also CIA Titles I/III Minimization Procedures at � 4(e). 21 See CIA Section 702 Minimization Procedures at � 7(d); see also CIA Titles I/III Minimization Procedures at � 4(f). 10 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED While CIA minimization procedures set the outer bounds of what is permissible in the dissemination of information concerning the U.S. person, OPCL's review extended to what practices CIA has developed to implement these procedures, as well as the scope and nature of information actually disseminated by CIA. To this end, OPCL met with senior managers from multiple elements who supervise the dissemination of foreign intelligence information, officers in the FISA Program Office who train and oversee CIA's FISA program, and CIA OGC attorneys who review disseminations of U.S. person information. OPCL also reviewed four months of disseminations that had been identified as containing U.S. person information obtained pursuant to Section 702 of FISA.22 Consistent with the minimization procedures for Titles I/III and Section 702 of FISA, the protection of U.S. person information begins before a report is drafted for potential dissemination. Unevaluated data is stored in access-controlled repositories and may be viewed only by CIA personnel who have received specific training in the applicable rules for minimizing the long-term retention and dissemination of information concerning U.S. persons.23 The "retention decision," a required precursor to the dissemination of any information concerning a U.S. person, is a particularly critical juncture in the minimization process. It is at this stage that information concerning a U.S. person that does not meet one of the specific retention categories outlined in the minimization procedures is removed from the communication before it is made available for dissemination. Such retention decisions are individualized � each communication must be evaluated separately and all information within the communication that is not deleted or replaced with a generic term that does not identify a specific U.S. person must be determined to meet the retention standard. When making these individualized retention decisions, CIA personnel are required to indicate whether any of the information to be retained contains U.S. person identifying information and, if so, the personnel must write a further contemporaneous justification for why the retention of the U.S. person identifying information is permissible under the relevant CIA minimization procedures. These retention justifications are subject to oversight by DOJ and ODNI. This initial retention decision is necessary but not sufficient to disseminate information concerning U.S. persons. Based on statistics kept by the FISA Program Office, CIA disseminates a very small percentage of the information concerning U.S. person information that has been determined to meet the retention standard articulated in CIA's minimization procedures. 22 OPCL did not separately review all similar CIA disseminations in this time period of information acquired by FBI pursuant to Titles I/III of FISA, but some reviewed disseminations of Section 702-acquired information also contained disseminated Titles VIII information. 23 While CIA's Title I/Ill minimization procedures do not discuss training, CIA's policy is to require such training, consistent with the requirement in CIA's Section 702 minimization procedures. 11 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED All such disseminations of U.S. "person information acquired pursuant to Section 702 or Titles I/III of FISA are required to be coordinated with several CIA elements prior to dissemination, including a CIA OGC attorney, the FISA Program Office, and a cadre of CIA managers that supervise the dissemination of all information (not just FISA information) concerning U.S. persons. In separate briefuigs, several CIA senior managers charged with supervising and/or approving the dissemination of information outside of CIA stated that while CIA does disseminate information concerning U.S. person information when it must, these procedural requirements and the greater scrutiny given to any dissemination of U.S. person information act to reinforce the requirement that information identifying a U.S. person be disseminated only when necessary. OPCL's review of CIA's disseminations identified several commonalities: � First, OPCL identified no violations of the CIA minimization procedures. In each case, OPCL determined that the information concerning or identifying a U.S. person was necessary to understand the foreign intelligence information contained in the disseminated report. More specifically, the information concerning U.S. persons was necessary to understand specific national security threats identified in both the NIPF and Section 702 certifications approved by the Attorney General and the DNI, not the broader and more theoretical outer limits of FISA's definition of foreign intelligence information. OPCL's findings are consistent with those of past oversight and compliance reviews. Since 2008, DOJ and ODNI have identified no intentional incidents of noncompliance with the use of the FISA Section 702 authorities.24 While unintentional compliance incidents have occurred, incidents involving CIA's dissemination of U.S. person information are extremely rare.25 � Second, CIA's disseminations of FISA-acquired information concerning U.S. persons tended to be both tactical in nature and relatively narrow in distribution. As opposed to general strategic information regarding broad foreign intelligence threats, CIA's disseminations of information concerning U.S. persons were "tactical" insofar as they are very often in response to requests from another U.S. intelligence agency for counterterrorism information regarding a specific individual, or in relation to a specific national security threat actor or potential or actual victim of a national security threat. As 24 See also PCLOB Report at 133. 25 See, e,g., U.S. DEPARTMENT OF JUSTICE, QUARTERLY REPORT TO THE FOREIGN INTELLIGENCE SURVEILLANCE COURT CONCERNING COMPLIANCE MATTERS UNDER SECTION 702 OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT, March 2015, at 68, available at https://www.dni.gov/files/documents/icotr/51117/Bates%20580-671.pdf. (identifying no incidents of noncompliance with the CIA minimization procedures during the reporting period); U.S. DEPARTMENT OF JUSTICE, QUARTERLY REPORT TO THE FOREIGN INTELLIGENCE SURVEILLANCE COURT CONCERNING COMPLIANCE MATTERS UNDER SECTION 702 OF THE FOREIGN INTELLIGENCE SURVEILLANCE ACT, MARCH 2014, at 63, available at https://www.dni.gov/files/documents/icotr/51117/Bates%20672-752.udf (same). 12 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED such, reports containing information concerning U.S. persons were disseminated for purposes and in a manner directly related to the specific national security threat at issue. Specifically, the reports were generally disseminated not to the United States Intelligence Community as a whole, but to the participating elements, and sometimes individuals within those elements, who had requested the information or who were working to address the specific national security threat. � Third, and relatedly, the replacement of a U.S. person identity with a generic term (e.g., "named U.S. person") was rare. Consistent with CIA's foreign intelligence mission, disseminated intelligence products often contain no U.S. person information, as CIA's reporting is focused on foreign intelligence priorities established by the NIPF. As a result, disseminations outside CIA were focused on foreign intelligence information related to non-U.S. persons and the number of reports containing United States person information were few in number.26 Where dissemination of information concerning U.S. person information did occur, however, U.S. persons were generally specifically identified because the identities were determined to be necessary to understand the foreign intelligence information by the relatively narrow list of entities or individuals who received CIA's report. � Fourth, CIA also produces finished intelligence products to policymakers and broader audiences within the Intelligence Community of a more strategic nature. The broader scope and audience.of these documents, combined with CIA's foreign intelligence mission, however, often results in the deletion, not the replacement with a generic term, of information concerning U.S. persons. When appropriate, generic terms such as "named U.S. person" or "named U.S. company" are utilized. CIA's Directorate of Analysis advises that it rarely receives requests for the specific identities behind such generic terms, and in the rare instances when this does occur, the requests are referred to the CIA entity that initially reviewed the acquired communications. In order to subsequently identify, i.e., "unmask," the U.S. persons to anyone outside CIA, CIA personnel would need to reapply both the retention and dissemination procedures discussed above and issue a new report with a narrower audience containing the identifying information. OPCL identified no such "unmaskings" in the four months of reports containing FISA- acquired information it reviewed. 26 In a substantial proportion of these disseminations, the U.S. person identified was a U.S. corporation or organization, not an individual. FISA's definition of "United States person," extends not only to United States citizens and lawful permanent residents, but also to corporations incorporated in the United States and unincorporated associations where a substantial number of members are United States citizens or lawful permanent residents. 50 U.S.C. � 1801(i). 13 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED In summary, CIA's privacy and civil liberties protections with regard to disseminating U.S. person information are not best described with reference to the "masking" or "unmasking" of individuals. While the use of generic terms is sometimes utilized, the more critical controls for protecting U.S. person information occur in the initial targeting and collection, the retention decisions regarding which information may be kept that are made as a prerequisite to any dissemination, the exclusion of irrelevant information concerning U.S. persons in disseminations, and the determination of the appropriate list of recipients for whom reporting identifying specific U.S. persons is determined to be necessary to understand the foreign intelligence information. VI. Training CIA takes a multi-pronged approach in its training to ensure compliance with the procedures and practices for disseminating information concerning U.S. persons only when appropriate. In the first instance, CIA's handling of U.S. person information must comply with CIA's Executive Order 12333 Attorney General Procedures. All new CIA officers receive training on the Attorney General Procedures. In addition, CIA personnel who manage the reporting of intelligence information outside of CIA receive additional, specialized training that focuses on the restrictions on disseminating information concerning U.S. persons. Because FISA has additional, more specific, rules that may supersede some of the requirements of the Attorney General Procedures, all CIA personnel who have access to unevaluated information acquired under FISA are required to receive additional, in-person training provided by CIA OGC and the FISA Program Office. This training covers, but is not limited to, the restrictions governing the retention and dissemination of U.S. person information. OPCL assesses that CIA's PISA training program provides practical guidance to trainees regarding the application of the CIA minimization procedures and related CIA policies. For example, trainees are provided specific examples of sufficient and insufficient justifications for retaining information concerning a U.S. person, the precursor decision for any dissemination of a U.S. person identity. The role of subsequent oversight is also emphasized. Trainees are repeatedly reminded that their retention and dissemination decisions are subject to additional external review by DOJ and ODNI. Supervisors who manage CIA's reporting of foreign intelligence information emphasized that these formal training requirements are supplemented by on-the-job training. Junior officers are provided guidance from more experienced officers in honing their skills to make the determination of what is, in fact, necessary to understand the foreign intelligence information. In addition, CIA OGC attorneys are integrated with mission elements to provide further guidance to CIA personnel and the FISA Program Office provides additional resources regarding the dissemination of U.S. person information. 14 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED VII. Compliance and Oversight In the first instance, compliance with the regulations and procedures governing the dissemination of U.S. person information is monitored by CIA managers specifically trained in the dissemination of information outside of CIA. In the case of information acquired pursuant to Titles I/III and Section 702 of FISA, all disseminations concerning U.S. persons also must be coordinated with CIA OGC attorneys and the FISA Program Office. Both CIA OGC attorneys and FISA Program Office staff advised that they will request further information on a report prior to concurring in the dissemination if it appears that any of the FISA-acquired information concerning an identified U.S. person is not necessary to understand the foreign intelligence information. In addition, DOJ and ODNI conduct bimonthly reviews of CIA's compliance with the Section 702 minimization procedures. These Section 702 oversight reviews include an evaluation of retention decisions (including the contemporaneous written justifications of such retention decisions) and a review of all CIA reports that disseminate information concerning an identified U.S. person. DOJ has reviewed disseminations of United States person information acquired pursuant to the Title I/III in the past and is discussing with CIA the conduct of future reviews. On a more programmatic basis, CIA's handling of U.S. person information in FISA and other contexts is also subject to review by OPCL, as occurred during the course of this review, and by CIA's Office of the Inspector General. The Privacy and Civil Liberties Oversight Board also conducted a comprehensive review of the FISA Section 702 program.27 Oversight is also conducted by Congress and the judiciary. The FISC Must approve Section 702 certifications and all FISA Title I/III applications, to include the minimization procedures that govern all collection obtained from those certifications/applications. Incidents of potential noncompliance with the CIA's minimization procedures are reported to DOJ, which in turn reports confirmed incidents of non-compliance to the FISC and to Congress. Compliance incidents involving CIA's dissemination of U.S. person information are exceedingly rare, but when a compliance incident of any type is discovered, this incident report describes the scope, nature, and the cause of the incident. 27 (U) See PCLOB Report, supra note 9. 15 UNCLASS I Fl ED Approved for Release: 2023/04/18 C06749520 Approved for Release: 2023/04/18 C06749520 UNCLASSIFIED VIII. Conclusion OPCL's review of CIA's dissemination of information concerning U.S. persons initially acquired by NSA and FBI pursuant to Section 702 and Titles 11111 of FISA revealed no incidents of noncompliance with the applicable procedures governing such disseminations. Consistent with CIA's foreign intelligence mission, the disseminated reports were all in response to specific, identifiable foreign intelligence priorities and identifying information concerning U.S. persons was only released to authorized persons outside of CIA when that identifying information was necessary to understand the foreign intelligence information. CIA has specific procedures, practices, training, and oversight to ensure the appropriate dissemination of U.S. person information. 16 UNCLASSIFIED Approved for Release: 2023/04/18 C06749520