Secret Government Report Shows Gaping Holes in Privacy Protections From U.S. Surveillance

On Tuesday, in response to Freedom of Information Act requests, a federal privacy watchdog released an important report about how the U.S. government handles people’s personal information that it sweeps up in its surveillance. Despite requests from Senator Ron Wyden and the European Union, the Trump administration had refused to make the report public — until now. The report addresses government agencies’ implementation of “PPD-28,” President Obama’s 2014 policy directive on government spying and the treatment of “personal information,” which includes communications like emails, chats, and text messages.

The release of this report, which the Privacy and Civil Liberties Oversight Board finalized in December 2016, was long overdue. The report makes clear that PPD-28’s protections are weak in practice and rife with exceptions. And it will likely only add to concerns European regulators already have about the ways in which U.S. surveillance harms the privacy rights of Europeans — jeopardizing an important transatlantic data-sharing agreement. Here are three key takeaways:

The report confirms just how modest the directive’s privacy protections are.

For the most part, PPD-28 simply prompted the intelligence community to memorialize existing practices. For example, it expressly allows agencies to use information collected in bulk for six purposes, which include detecting and countering “activities directed by foreign powers” and “transnational criminal threats.” These are broad and elastic categories — indeed, so broad that PPD-28 didn’t prompt the NSA to change its problematic practices at all.

Screenshot from document

There has been significant uncertainty — and inconsistency — among agencies about what spying activities the directive covers.

The report states that “the lack of a common understanding as to the activities to which PPD-28 applies has led to inconsistent interpretation and could lead to compliance traps, especially as [intelligence community] elements engage in information sharing.”

One example is the FBI’s approach to communications collected under the Foreign Intelligence Surveillance Act (FISA). The report raises questions about whether the FBI is fully complying with PPD-28 as well as whether it’s seeking to carve out certain surveillance activities from the directive’s modest requirements:

Screenshot from document

Although the report recites the FBI’s “rationale” for exempting certain communications from the directive’s protections, it doesn’t explain why that rationale would justify these exemptions. It is true that certain types of surveillance under FISA are based on an individualized finding of probable cause that a target is a foreign power or an agent of a foreign power. But that should have no bearing on whether the directive applies to private communications acquired under those provisions.

To address these inconsistencies, the privacy board recommended that the National Security Council and the Office of the Director of National Intelligence “issue criteria for determining which activities or types of data will be subject to PPD-28’s requirements.” It is unclear whether these agencies ever issued those much-needed clarifications about the directive’s scope.

There are reasons to be concerned about the NSA’s information-sharing practices and other agencies’ exploitation of intercepted communications.

Finally, the board was concerned about how agencies would apply the directive in light of an upcoming dramatic expansion of the NSA’s power to share “raw,” unreviewed communications with 16 other agencies, like the Drug Enforcement Administration and the Department of Homeland Security.

Historically, the NSA had always reviewed and redacted some types of sensitive data from intercepted communications before sharing them with other agencies. But at the end of 2016, the Obama administration implemented new rules that allowed the NSA to broadly share raw information, including with agencies that had no prior experience handling this kind of intelligence. The Privacy and Civil Liberties Oversight Board explained that these agencies (called “IC elements”) may need to take additional measures to comply with the directive:

Screenshot from document

It’s not clear whether, after this report, agencies appropriately updated their information technology systems to purge unreviewed communications after five years, as required by the directive. Nor is it clear whether agency personnel received the training necessary to comply with this directive. More generally, there are still significant questions about how much raw data the NSA is sharing, for what purposes, and how the directive applies to this data in practice.

This new report is yet more evidence that the future of the central U.S.–EU data-sharing agreement — known as Privacy Shield — is in doubt.

Privacy Shield allows American tech firms operating in Europe to easily and lawfully transfer data to the United States, and it’s predicated on the idea that the U.S. “adequately” protects Europeans’ communications. The European Commission approved Privacy Shield in part because it believed that Obama’s directive provided meaningful protection. PPD-28 recognized that “all persons have legitimate privacy interests in the handling of their personal information” — and it explicitly extended some very modest privacy protections to non-Americans abroad.

Although the directive was a step in the right direction, we’ve explained elsewhere why it does not provide adequate protection for EU persons’ data and is too weak to serve as the legal basis for Privacy Shield. This report makes it even clearer that the directive fails to cure the fundamental problems with U.S. surveillance law.

In short, the U.S. government is exploiting the personal information it gathers using these spying activities more broadly than ever, but the report reveals just how anemic PPD-28’s protections are in practice. It also raises serious questions about whether the directive has been implemented fully and consistently across the intelligence community.

The European Commission’s second annual review of Privacy Shield is already underway, and the EU’s highest court will likely soon have the opportunity to rule on the legality of the agreement. Both the commission and the court will have to grapple with the fundamental weaknesses of PPD-28 and with these new signs that its safeguards do not go nearly far enough.




Dr. Timothy Leary

The only "gaping holes" I know of are between you-know-who's ears.


The Fourth Amendment - as clearly written - prohibits all forms of warrantless domestic spying and preemption practices. The U.S. Supreme Court should have ruled on this decisively about 15 years ago. Executive Branch officials have publicly admitted that is how so-called "intelligence" is used, they snoop in violation of the Fourth Amendment and if they find criminality they refer the case to law enforcement - the polar opposite of what Fourth Amendment restraints were designed for. Maybe the most part of the Fourth Amendment is requiring police and investigators to testify under penalty of law before requesting a search warrant from a Judicial Branch judge. Using a Needle in the Haystack metaphor, this practice essentially makes the haystack of suspects larger making it harder to find the real bad guys. Former FBI counter-terrorism agent, Mike German, agrees with this premise. German explained he might encounter 10 guys but maybe 1 was dangerous, you spend your taxpayer funded resources on the 1 guy, not the other 9. The Fourth Amendment has not been amended, the U.S. Supreme Court has ample evidence to outlaw preemption and warrantless spying.


You are correct, great post.


The ACLU attorneys have some unfinished business. The U.S. Department of Justice seems to have violated the 14th Amendment rights of government employees and contractors. A 14th Amendment violation of "unequal" treatment is also a violation of the Federal Criminal Code statutes. The legal loophole is there is no real watchdog when the DOJ violates the law. The DOJ chose NOT to enforce torture felony statutes with clear and overwhelming evidence. The DOJ chose not to enforce warrantless wiretapping and actually coerced private telecoms into committing felonies on behalf of the DOJ (ex: Qwest Communications in 2001). Congress then illegally made those past felonies legal (ex post facto clause). DOJ did choose to enforce laws against legal whistleblowing and laws about leaking information. From Joseph Nacchio, Thomas Drake, John Kiriakou, Chelsea Manning and many others had their 14th Amendment rights violated. In today's Washington Post reports of an FBI official being convicted for lesser crimes than torture or warrantless spying. The DOJ should be forced, by the courts, to enforce torture statutes, warrantless spying and other felony crimes. Many of the past DOJ attorneys that committed legal malpractice on torture were promoted, none lost their license to practice law. Each and every FBI and DOJ swore an Oath of Office NOT to violate the U.S. Constitution.


Excellent post.


They will go to hell if they keep on spying on me

Sabrina Kaelin

I have been a victim of being a human experiment by a group of psychopaths since earlier this year. They use electronic harassment and have in the past used a variety of other evil methods to drive me crazy and make me question what is real and what is not real. They use everyone around me, at first they made my loved ones act very strangely, and now they make them all act like everything is normal even though they have obviously been very evil to everyone I care about, not just me. They follow me around everywhere using the voice-to-skull method, constantly talking wherever I go 24/7. I have been mostly isolated from my community and everyone I care about since this began. They literally turn everyone around me evil, obviously they force them to be evil, another reason I don’t leave my home. It is heartbreaking to know that everyone I care about knows what is going on and they have to act normal, that they can’t help me or themselves to get rid of these evil people. They constantly watch me and everyone I care about, at least, I assume they watch the people I care about as well as my family. They direct thoughts into my head and constantly play mind games with me. They cause ringing in my ears. Is there anything I can do or you could do to help me? They’ve made it so I can’t go try to get help. They make everyone act like I’m just crazy or just have schizophrenia, but believe me, it’s not that at all. I’m a completely normal innocent person. That’s what, I would imagine, they do to all their targets – choose normal, good, innocent people to make them as miserable as these evil people obviously are with themselves. Worst of all they get away with what they do because, of course, there’s no physical evidence. I believe they implanted a chip in my arm but I have no way to go anywhere, and no one I could go to, to get it out of my arm. I am pretty sure they manipulate everyone I go around to act like I’m just crazy which makes it seem even more hopeless. 
Please, please help me. It’s not me who I’m worried about. I’m worried about the people I care about since they’ve obviously already been very evil to those who I care about. It’s extremely heartbreaking to think about what they probably have forced my friends and family to do and act like. We are not criminals. We are normal, everyday people being illegally watched and messed with every day of our lives. I never knew anything like this even existed. If it matters I live at 38 Aroostook Scenic Highway, Hersey, Maine. Yeah. Northern Maine. How surprising it is for someone who lives in a small town to be going through this – probably another reason they chose to do this to me, because we live in a small community, not easy for them to be located that way. I’m desperate for help. You don’t want to know what they’ve already done to me. I could write a book about all the evil things they’ve done to us and the mind games they’ve played with me. Please, please help us.


