AND CIVIL OVERSIGHT BOARD
WASHENGTON, D.C. 20511

 

October 16, 2018

Charlie Savage

The New York Times
1627 1 Street NW

7th Floor

Washington, DC 20006


Re: PCLOB FOIA 2017?021
Dear Mr. Savage:

I am writing in response to your request for records under the Freedom of Information Act
received on May 31, 2017 seeking the disclosure of the Privacy and Civil Liberties Oversight
Board?s report on the implementation of Presidential Policy Directive 28: Signals
Intelligence Activities 

A search was conducted and a document was located that is responsive to your request. However,
release of the document required consultation with other executive branch agencies. The appropriate
executive branch agencies have reviewed the document and provided the PCLOB with any relevant FOIA
exemptions that should be applied prior to disclosure. This letter includes a redacted version of the 
28 report.

After consulting with the appropriate executive branch agencies, redactions pursuant to
Exemptions l, 3, 5, and 6 of the FOIA, 5 U.S.C. 552 and are applied.
Exemption 1 protects from disclosure information that has been deemed classi?ed ?under criteria
established by an Executive order to be kept secret in the interest of national defense or foreign policy.?
Exemption 3 incorporates certain nondisclosure provisions contained in other federal statues into the
Exemption 5 protects certain inter- and infra?agency memorandums or letters protected by the
deliberative process privilege, and Exemption 6 protects information the disclosure of which would
?constitute a clearly unwarranted invasion of personal privacy.? Redactions have been clearly marked
with the corresponding exemption.

You may contact me or the FOIA Public Liaison Eric Broxrneyer at (202) 296?46 1 7 or
foia@pclob. gov for further assistance and to discuss any aspect of your request. Additionally, you may
contact the Office of Government Information Services at the National Archives and Records
Administration to inquire about the FOIA mediation services they offer. The contact
information for OGIS is Of?ce of Government Information Services, National Archives and Records
Administration, 8601 Adelphi Road~OGlS, College Park, Maryland 20740-6001 email at ogis@nara. gov;
telephone at 202?741-5 770; toll free at 1-877-684?6448; or facsimile at 202?741?5 769.

If you are not satis?ed with my response to this request, you may administratively appeal by
writing to the PCLOB Freedom of Information Act Appeal Authority, at 800 N. Capitol St, NW,
Washington, DC 20002, or you may submit an appeal Via email to foia@pclob. gov. Your appeal must be
postmarked or electronically transmitted Within ninety calendar days from the date of this letter.

    

Arman antensen
Acting Freedom of Information Act Of?cer
Attorney?Adviser
(202) 296-2706

Mason Clutter
From:
Sent:
To:
Cc:
Subject:

Savage, Charlie <savage@nytimes.com>
Wednesday, May 31, 2017 4:31 PM
Sharon Bradford Franklin; Mason Clutter; dni-foia@dni.gov
David McCraw; Ian MacDougal
NYT FOIA request for two PCLOB documents

Dear PCLOB and Office of the Director of National Intelligence,
Under the Freedom of Information Act, I request access to (and declassification review of, if necessary) the following
documents:
- the PPD-28 report PCLOB transmitted to Congress about five months ago
- the current version of PCLOB's draft report on Executive Order 12333 issues
As a member of the news media engaged in gathering information about government activities for public education, I
request a fee waiver, please.
I am located at
c/o The New York Times
1627 I Street NW
7th Floor
Washington, DC 20006
Thank you for assistance with this matter.
______________________
Charlie Savage
The New York Times
Phone: 202-862-0317
Cell: 202-369-6653

1

  

PRIVACY CIVIL LIBERTIES OVERSIGHT BOARD

(U) Report to the President on the Implementation of Presidential
Policy Directive 28: Signals Intelligence Activities

TABLE OF CONTENTS

(U) Part I Introduction 1

(U) Part II Significant Changes in Practice due to the Issuance of PPD-28 5

(U) Part Analysis and Recommendations 12
(U) Part IV Conclusion 18
(U) Annexes:

(U) A. Separate Statement by Board Members Rachel Brand and Elisebeth 20
(U) B. Separate Statement by Board Members James Dempsey and Patricia Wald 23

I. Introduction

(U) On January 17, 2014, President Obama signed Presidential Policy Directive 28,
Signals Intelligence Activities which provides principles to guide ?why, whether,
when, and how the United States conducts signals intelligence The directive
recognizes both that ?[t]he collection of signals intelligence is necessary for the United

States to advance its national security and foreign policy interests and to protect its citizens

 

1 (U) See Presidential Policy Directive 28, Signals intelligence Activities (Ianuary 17, 2014)
[hereinafter available at 
office 20 14/0 1/1 7 

 



and the citizens of its allies and partners from harm? and that ?all persons have legitimate
privacy interests in the handling of their personal information.?2 In an effort to protect the
national security of the United States while respecting privacy and civil liberties, the
directive codifies current practices and establishes new principles related to the collection,
use, retention, dissemination, and oversight of signals intelligence, particularly with regard
to personal information of non-US. Persons.

(U) The directive is divided into six sections. Section 1 outlines the following principles:
signals intelligence shall be authorized by and undertaken only in accordance with the
law; privacy and civil liberties shall be integral in the planning of signals intelligence
activities; the collection of foreign private commercial information or trade secrets is
authorized only to protect national security,- and signals intelligence activities shall be
as tailored as feasible. Section 2 limits the use of bulk signals intelligence to six permissible
purposes. Section 3 and the classified annex refine the processes for establishing signals
intelligence priorities and requirements, and reviewing sensitive targets. Section 4 requires
the development and implementation of policies that provide certain safeguards to
information regarding all persons, regardless of their nationality or where they reside,
when it is collected through signals intelligence activities. Section 5 requests, and in most
instances requires, that reports on specific aspects of the implementation of the directive
be written and provided to the White House. Section 6 provides a general description of
how the directive interacts with other legal authorities.

The Privacy and Civil Liberties Oversight Board is issuing this report in
response to Section 5 of PPD-28, which encourages the PCLOB to provide the White House
with a report that assesses the implementation of any matters contained within PPD-28
that fall within the Board?s mandate.3 This report represents the assessment of
PPD-28 matters that fall within the Board?s mandate to . . continually review the
regulations, policies, and procedures, and the implementation of the regulations, policies,
and procedures, of the departments, agencies, and elements ofthe executive branch
relating to efforts to protect the Nation from terrorism to ensure that privacy and civil
liberties are protected.?4 On December 14, 2016, the Board voted unanimously to adopt
this report. Board Members Brand and Collins wrote a joint separate statement, which is
appended to this report in Annex A. Board Members Dempsey and Wald wrote a joint
separate statement, which is appended to this report in Annex B.

 

2 PPD-28 at p.1.
PPD-28 
4 42 U.S.C. 2000ee[d][2) [A)[emphasis added].



The review of the implementation of PPD-28 is based on classified
briefings and discussions with IC elements.5 The review also included examination of the IC
element and IC-wide policies that implement PPD-2 8. In addition, the PCLOB reviewed
public comments, primarily from non-governmental organizations regarding
PPD-28.

Shortly after the President issued PPD-28, the Office of the Director of National
Intelligence created an intra?IC working group to come up with a common
approach to implement the requirements of PPD-28 and to determine what, if any,
additional protections are warranted beyond what PPD-28 requires.6 In July 2014, the
ODNI released a status report on the development and implementation of procedures
pursuant to PPD-28.7 The status report describes the evaluation of possible
additional dissemination and retention safeguards for personal information and includes
key principles that the IC elements must follow as they adopt policies and procedures
under PPD-28.8 In January and February 2015, the IC elements issued public procedures
regarding the implementation of PPD-28.9 In February 2015 and January 2016, the ODNI
released reports that summarize the impact and results of the signals intelligence
reform activities.10 The ODNI reports also inform this report.

The ways in which the IC elements have implemented the directive to date have
varied based on their missions and authorities, access to signals intelligence information,
and information systems. While PPD-28 applies to every element of the IC, the directive has
the greatest impact on the IC elements that collect signals intelligence or information

 

5 (U) The following IC elements were consulted: the Office of the Director of National Intelligence
National Security Agency Central Intelligence Agency Federal Bureau of
Investigation Department of State, Bureau of Intelligence and Research (?State Drug
Enforcement Administration, Office of National Security Intelligence Department of Treasury,
Of?ce of Intelligence and Analysis ("Treasury Department of Homeland Security, Of?ce of Intelligence
and Analysis Department of Homeland Security, US. Coast Guard Department of
Energy, Of?ce of Intelligence and Counterintelligence National Reconnaissance Office 
National Geospatial Agency Defense Intelligence Agency US. Air Force; and other
government personnel that support these IC elements.

5 Office of the Director of National Intelligence, Safeguarding the Personal Information of All
People: A Status Report on the Development and Implementation of Procedures under Presidential Policy
Directive 28 [July 2014] (hereinafter Status Report?), p. 1, available at

files documents 1017 

7 ODNI Status Report.

9 ODNI Status Report at pp.1-2.

9 U.S. Intelligence Community Policies 8; Procedures to Safeguard Personal Information Collected
through SIGINT, available at icontherecord.tumblr.com/ ppd-2 8 2015 privacy-civil-Iiberties [mid-
way through the page].

10 Office of the Director of National Intelligence, Signals Intelligence Reform 2015 Anniversary
Report [February 3, 2015], available at of the
Director of National Intelligence, 2016 Progress Report on Changes to Signals Intelligence Activities [January
22, 2016], available at 

   



that they consider to be covered by PPD-28 and possess and handle unevaluated signals
intelligence. This includes portions ofthe Department of Defense Central
Intelligence Agency and, to a lesser extent, the Federal Bureau of Investigation
The portions of the DOD that either collect signals intelligence, possess and handle
unevaluated signals intelligence, or both under Executive Order 12333 do so under the
direction, authority delegation or control of the Director of the National Security Agency


As a result, this report focuses on NSA, CIA, and to a lesser degree, the FBI. We
note that signals intelligence has traditionally been an NSA function. FBI states in its PPD-
28 procedures that it does not conduct signals intelligence activities.11 However, FBI
interprets footnote 6 of PPD-28 to mean that PPD-ZB applies to FBI in some way, so it is
applying PPD-28 to communications collected under Section 702 of the Foreign
Intelligence Surveillance Act anon-signals intelligence activity.12 Similarly, CIA
notes in its PPD-28 procedures that it applies PPD-28 to both signals intelligence activities
and some non?signals intelli ence activities.13 The uidin rinci 1e is that is

Accordingly, as a matter of internal policy, the CIA has
determined that it will apply PPD-28 to

SA, CIA, and FBI have
ec1 to app to commun1cat1ons co ecte un er ection 702.

This report is limited to an examination of how different elements have
implemented it takes no position on the policy enumerated in PPD-28. The report
discusses NSA, CIA and implementation of PPD-28. It does not focus on the other 
elements because they are primarily consumers of intelligence derived from signals
intelligence after it has been evaluated and disseminated by NSA in accordance with the
PPD-28 procedures.

The report consists of four parts. Part II follows this introduction and describes
changes in practices resulting from the implementation of PPD-28. Part analyzes the [C?s
implementation of PPD-28 and provides four recommendations. Part IV provides
conclusions. Following the conclusions, the report includes two separate statements.

 

11 FBI PPD-28 public procedures 

12 FBI staffBrie?ng to PCLOB staff on PPD-28 [December 15, 2015].

13 Internal CIA policy, Activities to Which the CIA Will Apply PPD-28 
14 Internal CIA policy, Activities to Which the CIA Will Apply PPD-28 
15 Internal CIA policy, Activities to Which the CIA Will Apply PPD-28 

MW

WW

II. Significant Changes in Practice due to the Issuance of PPD-28
a. Collection

The National Intelligence Priorities Framework is the primary mechanism
to create, remove, communicate, and manage national intelligence priorities that guide IC
collection and analytic activities.16 The National Signals Intelligence Committee 
reviews signals intelligence collection requests to ensure that they are consistent with the
NIPF, and validates priorities for signals intelligence collection.17 PPD-28 Section 3
and the classified annex to PPD-28 supplement the signals intelligence priorities review
and approval process. Section 3 requires departments and agencies to identify signals
intelligence priorities and requirements so that the heads of those departments and
agencies can annually review and determine whether those identified priorities and
requirements should be maintained. In making the determination, the value of the signals
intelligence activities must be considered in light of the risks entailed in conducting these
activities. Risks include ?risks created by the constantly evolving technological and
geopolitical environment,? ?inherent concerns raised when signals intelligence can be
collected only in bulk,? and ?the risk of damage to our national security interests and our
law enforcement, intelligence-sharing, and diplomatic relationships should our capabilities
or activities be compromised.?18

 

 

15 Intelligence Community Directive 204: National Intelligence Priorities Framework, D1
[January 2 2015].
17 Letter from the ODN I GC to Justin S. Antonipillai (Counselor, Department of Commerce) and Ted

Dean (Deputy Assistant Secretary, International Trade Administration], p. 5 [February 22, 2016].
19 PPD-28 3.

19 PPD-28 Classi?ed Annex 2.
20 PPD-28 Classified Annex 2.
21 PPD-28 Classi?ed Annex 4-.
32 NSA staffbriefing to PCLOB staff on PPD-28 [December 16, 2015]; CIA staff briefing to PCLOB

staff on PPD-28 [December 17, 2016].

 

b.  U)Use

Section 2 of PPD-28 requires the IC to use signals intelligence collected in bulk only
for the purposes of detecting and countering six threats: espionage and threats and
activities directed by foreign powers; threats to the US. and its interests from
terrorism; threats to the US. and its interests from weapons of mass destruction; 
cybersecurity threats; threats to the U.S., allied Armed Forces or U.S./allied personnel;
and transnational criminal threats.25 In its status report, ODNI directed that ?in the case
of unevaluated SIGINT information contained in datasets or repositories, Intelligence
Community element policies should reinforce existing analytic practices and standards
whereby must seek to structure queries or other search terms and techniques to
identify intelligence information relevant to a valid intelligence or law enforcement task;
focus queries about persons on the categories of intelligence information responsive to an
intelligence or law enforcement requirement; and minimize the review of personal
information not pertinent to intelligence or law enforcement requirements."26

Prior to the issuance of PPD-28, as a practical matter use of signals
intelligence collected in bulk was already limited to the six abovementioned purposes.27
However, these limitations were not codified in NSA procedure until the directive was
issued.28 As a result of 8, NSA has memorialized the fact that it limits its use of signals
intelligence collected in bulk to the six permissible purposes listed in 

general querying30 standards have not changed as a result of PPD-28.
However, as a result of PPD-Z 8, NSA has memorialized the fact that queries must be

 

23 ODNI staff brie?ng to PCLOB staffon PPD-ZB [January 21, 2016].

24 ODNI staff briefing to PCLOB staffon PPD-28 [January 21, 2016].

25 PPD-28 2.

25 ODNI Status Report at p. 5.

27 NSA staffbriefmg to PCLOB staff on [December 16, 2015].

23 NSA staffbriefing to PCLOB staff on PPD-28 [December 16,2015].

29 NSA public procedures 

30 PPD-28 procedures and 13.0. 12333 procedures use the phrase "selection term? to refer to

the process of using individual terms to ?effect or defeat selection of particular communications for the

   
   
   



designed to return foreign intelligence and, if a query is intended to run against a database
containing unminimized signals intelligence collected in bulk, the query may be run only to
address one of the six authorized purposes for bulk SIGINT collection. 31 Prior to PPD-28,
procedures focused on protecting US. person information rather than
personal information of all individuals regardless of nationality.32 However, NSA reports
that even prior to the issuance of PPD-28, it would run queries whether designed to
return USPI, or both only to obtain information related to specific foreign
intelligence targets or topics.33

Limiting the use of si nals intelli ence collected in bulk to the ur oses that
are listed in the directive

However, in the past, CIA would also

As a result of PPD-28, CIA is only permitted to query signals intelligence collected
in bulk to the six purposes that are listed in the directive and has memorialized this
requirement.37

{319431-11} Like NSA, prior to ClA?s uer in rules focused on rotecting U.S.
erson information 

decided to require its to ?structure query terms and techniques in a manner
reasonably designed to identify intelligence relevant to an authorized intelligence
requirement and minimize the review of personal information not relevant to an
authorized intelligence requirement.? 39

(U) public PPD-28 procedures state that ?[t]he FBI will focus queries about
persons, regardless of nationality, on the categories of intelligence information responsive

 

purpose of interception.? Classified Annex to Manual 5240.01 NSA applies the restrictions on the use
of ?selection terms? to queries of repositories containing signals intelligence information. For purposes of
consistency, we use the term "query" to refer to searches of its signals intelligence repositories.

31 (U) NSA staffbriefing to PCLOB staff on PPD-28 (December 16, 2015). See also NSA PPD-ZB public
procedures 

32 (U) NSA staffbriefing to PCLOB staff on PPD-28 (December 16, 2015).

33 (U) NSA staffbriefing to PCLOB staff on PPD-28 [December 16, 2015).

34 (U) CIA staffbriefing to PCLOB staffon PPD-28 (December 17, 2015).

35 (U) CIA staffbriefing to PCLOB staffon PPD-28 (December 17, 2015).

36 (U) CIA staffbrie?ng to PCLOB staff on PPD-28 (December 17, 2015).

37 (U) CIA public PPD-28 procedures p.3.

33 (U) CIA staff call with PCLOB on follow-up questions (August 4, 2016].

39 (U) CIA public PPD-28 procedures p.5.



to an intelligence requirement or an authorized law enforcement activity.? 40 Under FISA
Section 702, the Bureau was already required to structure query terms to identify
information relevant to a valid intelligence requirement or an authorized law enforcement
activity.41

c. IU) Retention

PPD-28 establishes three requirements concerning the retention of non-U.S. person
information: personal information of non-U.S. persons shall be retained only if
comparable information of U.S. persons may be retained pursuant to Section 2.3 of ED.
12333; personal information of non-U.S. persons shall be subject to the same retention
period as comparable information concerning U.S. persons; and personal information
that has not been determined to fit within an E.O. 12333 Section 2.3 category [also referred
to as unevaluated information) shall be retained for no longer than five years unless the
DN1 expressly determines that continued retention is in the interest of national security/i2
These are not absolute requirements; they are to be applied equally to the personal
information of all persons, regardless of nationality, to the maximum extent feasible
consistent with the national security.43 

With respect to the first provision, NSA, CIA, and FBI procedures repeat 
requirement that personal information of non?U.S. persons shall only be retained if
comparable information of U.S. persons may be retained pursuant to section 2.3 of EC.
12333.44 Similarly, these IC elements? procedures bring into effect the second requirement
to harmonize the retention periods for USPI and With respect to the third
requirement, the ODNI issued Intelligence Community Directive 107-01, a policy
governing requests for extensions beyond the five?year retention period.46 The policy
requires the submission of written requests that are approved by high-level officials,
are as narrowly tailored as possible, and include a mission need for the information
and the views on the adequacy of the proposed protections from the senior official
responsible for matters involving the protections of privacy and civil liberties.47 NSA
complied with the ODNI mandate in 107-01 to inventory its data by the end of 2015 to

 

4? FBI public PPD-28 procedures 

41 FBI staffbriefing to PCLOB staff on PPD-28 [December 15, 2015]. FBI PPD-28 Fact Sheet p.2.
42 PPD-28 

43 PPD-28 emphasis added.

44 NSA public procedures do not recite this statement, but they state that the 

Supplemental Procedures extend comparable safeguards currently provided for U.S. Persons to all persons,
regardless of nationality."p.1; CIA PPD-28 public procedures 13.4; FBI PPD-28 public procedures 

45 NSA Public Procedures 15} CIA Public Procedures 13.4; FBI Public Procedures 

45 Intelligence Community Standard 107-01: Continued Retention of SIGINT Under PPD-28
[February 2, 2015].

47 107-01: Continued Retention Under PPD-ZB 



determine which data sets, if any, might require such extension requests.

 

At NSA, the five-year temporary retention period does not represent a change
in practice. According to NSA, as a general matter, even prior to PPD-28, NSA retained
unevaluated signals intelligence information, for no more than five years, regardless of the
nationality of the persons to whom the information pertained, since NSA could not rule out
the possibility that unevaluated signals intelligence information of or concerning non-US.
persons might also include USPI.50 By contrast, the requirement to seek DNI approval for

    

noted above, FBI elected to apply the relevant provisions of PPD-28 to
information collected pursuant to FISA Section 702.53 This includes the five-year retention
period. FBI indicated that the five-year retention period is not a change in practice for FISA
Section 702 data because the FISA Section 702 minimization procedures already
impose a five-year retention limit for information that has never been reviewed.54

d. lUl Dissemination

states that personal information of non-U.S. persons shall be
disseminated only if comparable USPI may be disseminated under E.O. 12333 Section 2.3,
to the maximum extent feasible consistent with the national security.55 ODNI has
interpreted this to mean that elements may disseminate the personal information of
non-U.S. persons only if the personal information relates to an authorized foreign

 

48 ODNI staff brie?ng to PCLOB staff re. PPD-28 [January 21, 2016].

49 ODNI staff brie?ng to PCLOB staff re. PPD-28 [January 21, 2016].

50 NSA staffbrieflng to PCLOB staffon PPD-28 [December 16, 2015].

51 NSA staffbriefing to PCLOB staff on PPD-28 [December 16, 2015].

53 CIA staffbrie?ng to PCLOB staffon PPD-28 [December 17, 2015].

53 FBI public procedures I.

54 FBI staff Brie?ng to PCLOB staff on PPD-28 [December 15, 2015]. FBI 702 Minimization

Procedures lIl.G.1.a. [Iul. 1 5, 201 5] [?FISA-acquired information that has been retained but never reviewed
shall be destroyed five years from the expiration date of the certification authorizing the collection?).
55 PPD-ZB 

    



intelligence requirement.56 The mere fact that signals intelligence is about a non-US.
person is not, absent additional information, sufficient to disseminate such information.

[574131-13] NSA reports that its implementation of this requirement has not resulted in
substantial changes in practice with regards to its disseminated SIGINT products. 
past practice was to limit all signals intelligence activities, including the dissemination of
personal information of non-U.S. persons in disseminated SIGINT products, to those
necessary to accomplish its foreign intelligence mission.57 Nevertheless, the NSA has
modified its training and guidance to include the requirement that it disseminate personal
information of non-US. persons in disseminat 
authorized forei intelli ence re uirement.S

    

PPD-28 procedures state that the NSA may include in
reporting if it is ?related to an authorized foreign intelligence requirement.?60 This standard
differs from the standard that governs dissemination of USPI: USPI may be disseminated if
doing so is ?necessary to understand the foreign intelligence information or assess its
importance.?61 Section 4- 0f PPD-28 states that 1C element PPD-28 policies and procedures,
including provisions that govern dissemination, are to be applied equally to the personal
information of all persons, regardless of nationality, but only ?to the maximum extent

feasible consistent with the national securit .

CIA has a pre-existing requirement that personal information relating to non?
U.S. persons could be disseminated only if it related to a foreign intelligence purpose.63 CIA
has determined that PPD-28 required no change in existing practice. However, it
incorporated this requirement into its public procedures, which now specify that if the CIA
is "disseminating personal information concerning a foreign person because it is foreign

 

55 ODNI Status Report at p. 5.

57 NSA staffbriefing to PCLOB staffon PPD-28 [December 16, 2015]. See, for example, NSA Public
Procedures 7.

53 NSA staffbrie?ng to PCLOB staffon PPD-28 [December 16, 2015].

59 NSA staff brie?ng to PCLOB staffon PPD-28 [December 16, 2015].

50 NSA staff briefing to PCLOB staffon follow?up questions [August 4, 2016]; NSA PPD-28
public procedures [emphasis added].

51 NSA staff briefing to PCLOB staff on PPD-28 follow-up questions [August 4-, 2016]; USSID 18 
7.2.c [emphasis added].

62 NSA staffbrie?ng to PCLOB staffon PPD-28 [December 16, 2015].

63 CIA staffbrie?ng to PCLOB staffon [December 17, 2015].

10



intelligence, the information must be related to an authorized intelligence requirement,
[and] cannot be disseminated solely because of the person?s foreign status.?64 This
standard differs from the standard that governs the dissemination of USPI derived from
electronic surveillance: ?Information about a United States person derived from electronic
surveillance may be retained and disseminated. . . if the identity of the US person and all
personally identifiable information are deleted. . . . If the information cannot be sanitized in
such a fashion because the identity is necessary or reasonably believed that it may become
necessary, to understand or assess the information, that identity may be retained or
disseminated outside the CIA along with the information if. . the information fits within a
list of categories that are similar to those found in E.O. 12333 Section 2.3.65 As noted above,
pursuant to PPD-28 Section 4, dissemination provisions are to be applied equally to the
personal information of all persons, regardless of nationalit to the maximum extent
feasible consistent with the national securit .

    
 

FBI stated that it already meets the dissemination requirements of PPD-28. Even
prior to the Directive, all FBI targets under Section 702 of FISA were connected with a full
investigation.67 Accordingly, FBI contends that all personal information of non?US. persons
was obtained in the course of a lawful foreign intelligence, counterintelligence, or
international terrorism investigation and therefore may be disseminated under PPD-28
and the ODNI guidance.68

 

6?4 CIA public PPD-28 procedures p.5 [emphasis added].

65 Internal Agency Policy, Law and Policy Governing the Conduct of Intelligence, Appendix 
[emphasis added].

65 (U) CIA staff brie?ng to PCLOB staff on FPD-ZS (December 17, 2015).

67 FBI Domestic Investigations and Operations Guide 7.9 and 18.7.3
[Released October 15, 2011, Updated November 19, 2012].

53 FBI PPD-28 Fact Sheet p.2.

11



111. Analysis and Recommendations

a. Clari in the Sco eofPPD?28

The President issued PPD-28 to establish special requirements and
procedures for the conduct of signals intelligence activities. PPD-28 does not define
?signals intelligence activities.?69 Nor did the ODNI. It was left to each lC element to
determine how to apply PPD-28 to its respective activities.

As a result, the a lication varies across the 1C.

 

 

5" (U) Footnote 3 of PPD-28 clarifies that nless otherwise specified, this directive shall apply to
signals intelligence activities conducted in order, to collect communications . .
70 Internal CIA Policy, Activities to Which the CIA Will Apply PPD-28 

2

mm

  

FBI applies PPD-28 to communications collected under
Section 702 of but exempts communications collected under FISA Title I or Sections
704 and 705(b] of FISA.71 rationale is that PPD-28 should not apply to the latter FISA
activities because those surveillances requir 
Furthermore some 1C elements such as the

   
 

It is not unusual for individual lC elements to apply different
procedures to similar types of data. This is often a function of the authorities and missions
unique to each 1C element. However, the lack ofa common understanding as to the
activities to which PPD-28 applies has led to inconsistent interpretation and could lead to
compliance traps, especially as elements engage in information sharing.

(U) Recommendation 1: The Board recommends that the National Security Council
and ODNI issue criteria for determining which activities or types of data will
be subject to PPD-28's requirements. The ODNI could establish these criteria by issuing
a list of PPD-28 activities or by promulgating guidelines for applying PPD-28. This guidance
may be classified, in whole or in part, in order to provide the appropriate level of detail.

 

71 (U) FBI public PPD-ZB procedures 1.

72 lUl Email from ODNI Deputy General Counsel Bradley Brooker to PCLOB Attorney Adviso-

ated September 14, 2016.

13




Whatever the format, the ODNI guidance should be in writing and applied uniformly
throughout the IC.

b. Application of PPD-28 to Multi-Sourced Systems

1. Background

The IC conducts both targeted and bulk collection of intelligence information
through a variety of sources that include signals intelligence. In some cases, 1C elements
have created databases and tools that store and use signals intelligence collected in bulk
together with signals intelligence collected in a targeted manner or store signals
intelligence together with information collected through a different intelligence discipline
human source intelligence]. We refer to the mixing of multiple sources of intelligence
sources as ?multi-sourced? systems.

PPD-28 requires the IE to provide specific protections to personal information
derived from signals intelligence and limits the ways in which the may use signals
intelligence collected in bulk. As outlined above, it establishes three requirements [with the
qualifier ?to the maximum extent feasible with the national security?) for the retention of
personal information collected through signals intelligence activities: personal
information of non?U.S. persons shall only be retained if comparable information of U.S.
persons may be retained pursuant to Section 2.3 of EC. 12333; personal information of
non-U.S. persons shall be subject to the same retention period as that of U.S. persons; and
personal information of all individuals, regardless of nationality, that has not been
determined to fit within an E.O. 12333 Section 2.3 category shall be retained for no longer
than five years unless the DN1 expressly determines that continued retention is in the
interest of national security.73

In addition, PPD-28 specifies that signals intelligence collected in bulk may only be
used for detecting and countering: espionage and threats and activities directed by
foreign powers; threats to the U.S. and its interests from terrorism; threats to the
U.S. and its interests from weapons of mass destruction; cybersecurity threats; 
threats to the U.S., allied Armed Forces or U.S./allied personnel; and transnational
criminal threats.?

These requirements do not apply to intelligence collected through other disciplines.

 

73 PPD-28 
74 (U) PPD-28 2.

14



ii. Application of PPD-28 to Multi?Sourced Systems at CIA

CIA primarily collects intelli ence throu human sources also known as
human intelligence or HUMINT.

 

As noted above, we refer to
these as ?multi?sourced systems? since they contain information collected through more
than one intelligence discipline.

    

Now, CIA has imposed a requirement that limits its use of signals intelligence
collected in bulk to the permissible uses that are listed in PPD-28.76

addition, pursuant to CIA will retain personal information derived
from signals intelligence that has not been determined to fit within an EU. 12333 Section
2.3 category for no more than five years unless the DN1 a roves continued retention.77 In

eneral, existin stems for storin dat

    
  
 

To comply with PPD-28, CIA is
undertakin a lon_-term substantial effort to identif si_nals intelli_ence in its holdin-

    

has exlained that it is usin a hased a roach to identi SIGINT in its

  
    

holdins,

     

  

      

        

  

In- I - is hevast majority ofdata in

consists of hich reating as signals intelli ence covered
by PPD-28. Some of the remaining data in uch as

does not fit within the list of activities to which CIA applies PPD-28.81

 

      
  

  
  

 

75 CIA staff brie?ng to PCLOB staff on PPD-28 [December 17, 2015].

75 CIA staff briefing to PCLOB staff on PPD-28 [December 17, 2015].

77 CIA public PPD-28 procedures p.5.

73 CIA staff call with PCLOB staff on PPD-28 follow-up questions [August 10, 2016].

79 CIA staff call with PCLOB staff on PPD-28 follow-up questions [August 10, 2016].

30 CIA staff call with PCLOB staff on PPD-ZB follow-up questions [August 10, 2016].

31 Internal CIA Policy, Activities to Which the CIA Will Apply PPD-28 CIA staff call with

PCLOB staffon PPD-28 follow-up questions [November 30, 2016].

15

 

In order to ensure that all information subject to PPD-28 receives PPD-ZB
protections, the CIA has, at times, opted to apply PPD-28 protections to all information
within multi?sourced systems even if the CIA assesses that PPD-28 does not apply to all
data within the stems. For exam le, the CIA is a in PPD-28 rules to all information

 

appreciates efforts to comply with the directive and recognizes that it may be both
more protective of civil liberties and more economical from a technical, training and

resource ers ective to be over-inclusive in a

   
  
 
  

lin PPD-28 revisions.?

the CIA continues to

   

  

review its holdings for signals intelligence

requirements

(U) Recommendation 2: IC elements should consider both the mission and privacy
implications of applying PPD-28 to multi-sourced systems.

  

c. Potential Impacts of Increased Sharing of Raw Signals Intelligence

(U) IC elements? authorities and access to information may change over time. When
such changes occur, the IC will need to ensure that it remains in compliance with PPD-28.
For example, the IC is working to issue new procedures pursuant to the unenumerated
paragraph of E.0. 12333 Section 2.3. That provision requires elements to establish
written procedures approved by the Attorney General in order to engage in the sharing of
unevaluated signals intelligence.85 Unevaluated information is information that has neither

 

92 CIA staff call with PCLOB staff on PPD-28 follow?up questions [November 30, 2016).
CIA staff call with PCLOB staffon PPD-28 follow-u uestions November 30, 2016 .

    

35 (U) E.O. 12333 permits IC elements to disseminate information "to each appropriate element within

the Intelligence Community for purposes of allowing the recipient element to determine whether the
information is relevant to its responsibilities and can be retained by it, except that information derived from
signals intelligence may only be disseminated or made available to Intelligence Community elements in
accordance with procedures established by the Director in coordination with the Secretary of Defense and
approved by the Attorney General."

. 1 6




been evaluated for relevance to foreign intelligence purposes nor minimized to restrict
personal information not relevant to understanding the intelligence value of the data.

If approved by the Attorney General, procedures governing the sharing of
unevaluated signals intelligence Procedures?) would allow NSA to share unevaluated,
unminimized signals intelligence information with elements that do not currently have
access to such information. lC elements that request and are granted access to unevaluated
signals intelligence will be able to assess the information under their own authorities and
in support of their specific mission requirements. This would cause a significant change for
these 1C elements, and one that would affect the application of PPD-28 to these elements.
Therefore, prior to obtaining this information, 1C elements would need to review and likely
update PPD-28 procedures, guidance, and trainings. In particular, any IC elements that
receive unevaluated signals intelligence would likely need to update their retention and
dissemination practices governed by Section 

understand that the 2.3 Procedures, if approved, will permit IC elements to
request access to raw SIGINT from NSA. NSA may choose to make raw SIGINT available 
through systems; (ii) through a shared 1C or other Government capability, such as a
cloud-based environment the Intelligence Community Information Technology
Enterprise or by transferring some or all of the information to the recipient
IC element?s information systems. Only information that can be afforded appropriate
handling, storage, retention, and access protections by the recipient IC element will be
made available. 3?5 NSA is responsible for ensuring compliance with PPD-28 retention
requirements for its own data stored in IC By contrast, IC elements that receive data
from the NSA and retain it in their own systems bear the responsibility of retaining
unevaluated signals intelligence in compliance with PPD-28.

discussed above, to comply with IC elements must age off
unevaluated signals intelligence within five years unless the DNI grants an extension.87
Recipient IC elements may need to update information technology systems that handle data
tagging and age-off to comply with this requirement. They may also need to provide
additional training or guidance to personnel who will be handling unevaluated signals
intelligence for the first time.

1C elements obtaining first-time access to unevaluated signals intelligence pursuant
to 2.3 procedures should consider how PPD-28 impacts their retention, use, and
dissemination practices. IC elements receiving formally disseminated signals intelligence

 

35 W1C is a common, cloud architecture intended to enable greater integration,
information sharing and safeguarding across the IC.
37 By contrast, if the NSA shared unevaluated signals intelligence available to other H:

elements through and also retains control over the data, NSA would bear the responsibility for
applying the appropriate retention period to the raw data.

17




may rely on the disseminating IC element?s determination that the personal information is
foreign intelligence and that it is relevant to the authorized purpose of the dissemination.
IC elements gaining access to unevaluated signals intelligence should assume the
responsibility of determining whether personal information meets the PPD-28 use,
retention, and dissemination rules.

(U) Recommendation 3: The Board recommends that the NSC and ODNI ensure that
any IC elements obtaining first-time access to unevaluated signals intelligence
update their PPD-28 use, retention and dissemination practices, procedures, and
trainings before receiving any unevaluated data.

In part, the purpose of PPD-28 is to build trust, both domestically and
internationally, in the process for conducting signals intelligence activities. One aspect
of building trust is transparency. In January and February 2015, IC elements issued public
procedures regarding the implementation of PPD-28.88 Since element authorities or
access to information may change over time, it is important that each element 
periodically review its PPD-28 procedures to ensure that the procedures continue to reflect
current practices, periodically review its PPD-28 practices to ensure that they remain
consistent with the directive and ODNI guidance, and update its publicly available
procedures, consistent with classification requirements, to re?ect changes in practice. This
will be particularly the case if and when the 2.3 Procedures are approved and issued.

(U) Recommendation 4: The Board recommends that to the extent consistent with
the protection of classified information, IC elements update their public
PPD-28 procedures to re?ect any pertinent future changes in practices and policy,
including those changes due to issuance of new procedures under Section 2.3 of 13.0.
12333.

IV. Conclusion

Mono; The President encouraged the Board to provide a report that assesses the
implementation of any matters concerned in the Directive that fall within the Board?s
mandate. 89 PPD-28 is still new and the IC still faces many questions of first impression in
interpreting its requirements. As implementation takes shape, the ODNI may consider
monitoring PPD-28 questions, compliance issues, and incidents with the aim of identifying
any systemic problems or IC best practices.

 

83 U.S. Intelligence Community Policies Procedures to Safeguard Personal Information Collected
through SIGIN T, available at ppd-28 2015 privacy-civil-liberties [mid-
way through the page).

39 PPD-28 

18



WPPD-ZB requires that privacy and civil liberties be integral considerations in
the planning of U.S. signals intelligence activities. 90 public procedures assign the
Director of the Civil Liberties and Privacy Office with the responsibility to provide advice
on PPD-28 implementation, and to review privacy and civil liberties safeguards for new or
unique collection programs. The Board understands that the NSA has formalized its
assessment of civil liberties and privacy into its reviews of operational activities. ClA?s
public PPD-28 procedures similarly require consultation with the Privacy and Civil
Liberties Officer when executing novel or unique collection activities, or when considering
significant changes to current collection activities. Other 1C elements may also consider
creating internal processes, patterned after those at NSA and CIA, to ensure that privacy
and civil liberty interests are accounted for throughout the intelligence process. We also
invite further dialogue between the 1C and the Board as PPD-28 implementation
progresses.

 

90 PPD-28 103).

19

52W

ANNEX A
(U) Separate Statement of Board Members Rachel Brand and Elisebeth Collins

(U) We write separately to express our concern with certain aspects of the
implementation of PPD-28. The Board?s review of PPD-28 did not extend to evaluating the
underlying policy decision to equalize treatment of non-U.S. Persons and U.S. Persons
in the field of foreign intelligence gathering. While we have significant reservations about
the wisdom of this policy judgment, particularly when the intelligence services of other
nations do not afford Americans the same courtesy [and have not been inspired to do so by
PPD-2 we leave that policy question to the side in this statement.

During our interactions with IC elements in the course of the Board?s review, we
observed a great deal of confusion among the agencies as to whether and how each should
apply PPD-28. We do not believe the Administration provided adequate guidance to
individual agencies on which programs should fall within the scope of the Directive.
Perhaps the primary cause of the agencies? implementation challenges was the decision to
base the entire PPD-28 framework on the term "signals intelligence," which has no
definition in It has long been understood in the to refer to certain NSA
activities; one senior IC official described it to us as referring to ?what the NSA does when
the NSA does it.? Basing the parameters on this undefined term, particularly when
many agencies covered by PPD-28 did not have what they previously considered to be a
?signals intelligence? function, left agencies scrambling to figure out whether and how to
apply PPD-28 to their operations. The briefings we received on implementation
left us with the impression that the agencies understood guidance to mean that
each of them should find something to which they could apply the PPD, which they then did,
even at the cost of over application.

We have significant concerns that agencies may apply retention

requirements beyond the letter or even the spirit of the PPD due to a combination of policy
judgments and technical challenges.

CIA, for example, has decided to apply PPD-28 to a broad range of
activities, including some that it explicitly acknowledges ?are not The CIA has
also decided to app - ha ntain on i
covered by PPD-28

For example, durin the Board?s
review, we were in orme at CIA was app ying PPD-28 to?The Board

recently provided its final report to the 1C for accuracy review. In our separate statement,

for the reasons set ort eow. tt at pomt,t prov1 us

91 Internal CIA Policy, Activities to Which the CIA Will Apply PPD-28, sec. LA.
92 See PCLOB Report on PPD-28 at pp. 15-16.

    
         
 
   
  

  

  
     
 

     

      

  

with the ?clarification?

 

20



    

    



   

welcome this clarification, although it

reinforces our perception of a somewhat chaotic 
are surprised that such a consequential decision

has not yet been made.

 
   
 

We urge the CIA not to apply retention rules to_ unless and
until it develops a way to avoid over?application of the Directive. contains
ecords collected records

that were never intended to be covered by PPD-28, will be deleted
two years from now. Although the CIA does not regularly maintain qualitative metrics as to
the value of older records, in 2015 the CIA determined that? queries
returned data more than five years old. Therefore, it is reasonable to assume that if the CIA

applies PPD-28's retention rules _queries will return more limited
information.

(U) We also have concerns about the implementation of PPD-28. As noted above,
agencies were left with a sense that they must "do something? to comply with PPD-28,
leading to a mismatch between even the spirit of PPD-28 and its application. In the course
of our review, the FBI informed us that although it does not engage in ?signals intelligence,"
it felt compelled to apply retention restrictions to some FBI activity because the
FBI is mentioned in a footnote in the collection section.g3 Based on this extrapolation
from a footnote, the FBI applies PPD-28 to FISA section 702. Even if it makes sense to
apply target nomination and review process94 to collection under Section 702, it
does not follow that the retention requirements should be applied to Section 702, a
program consisting of targeted collection that is already subject to court authorization and
extensive minimization procedures.

Finally, PPD-28 has been applied inconsistently among agencies even as to the
same activity. the FBI applies PPD-28 to FISA Section 702 but not to
FISA Sections 704 or 705 or FISA Title 1,95

By contrast, app 1es - to a 

This disparity among applications creates increased

 

93 (U) PPD-28, sec. 3, note 6. Section 3 of PPD-28 directs senior policymakers to consider the "special
concerns? associated with certain potential collection activities. Footnote 6 excludes from this Section certain
FBI activities. From this exclusion from the collection section, the FBI concluded that it should apply
the retention provisions to at least some FBI activity.

'94 See sec. 3, and Annex, secs. 2-7.
95 FBI, Presidential Policy Directive 28 Policies and Procedures (Feb. 2, 2015), sec. 1, possim.
95 Internal CIA Policy, Activities to Which the CIA Will Apply PPD-28, secs. LB 81 C.

21
stop?SEW

mm

risk of compliance problems and of future over-application of the PPD
The agencies apparently were left to make these decisions without
clear guidance from senior policymakers.

We urge senior policymakers to carefully consider the impact of application of PPD-
28 and to suspend application of the retention requirements at the CIA and any other IC
elements that currently lack the technical means to avoid over-application of the PPD.

22



ANNEX 
(U) Separate Statement of Board Members lames Dempsey and Patricia Wald

(U) We write separately to register our additional views on Presidential Policy Directive
28 We address three issues related to the implementation of the directive by
the Intelligence Community (1) the importance to U.S. global leadership of the policy
expressed in (2) the decisions about the term "signals intelligence activities?
and the scope of and (3) the implementation of PPD-28 with respect to mixed data
sets or ?multi-sourced systems,? as defined in the Board?s report.97

(U) Policy expressed in PPD-28

(U) Although the Board?s report ?takes no position on the policy enumerated in
we write in support ofthe directive.

(U) PPD-28 was a milestone. It responded to an important and difficult issue in U.S.
foreign intelligence practice: How to conduct necessarily robust collection of
communications data outside the United States while respecting the privacy rights of non-
U.S. persons privacy rights inherent, according to the long-standing policy of the United
States, in all human beings. This challenge has become magnified in the Internet age.
Electronic communications offer a rich source ofvaluable intelligence. The use of global
communications networks has become woven into the daily business and personal lives of
literally billions of people. Demonstrated respect for the privacy rights of the non-U.S.
person communicating electronically on global networks is vital to ensuring a strong
leadership role for the United States.

(U) By codifying for the first time significant limits on intelligence activities affecting
non?U.S. persons outside the United States, the directive gave substance to our
government?s claim to respect the human rights of all individuals. It affirmed and
strengthened the role of the United States as the world?s leader by (1) establishing express
limits on intelligence activities, even as it reaffirmed the need for robust intelligence
capabilities; (2) promoting transparency about those limits; and (3) establishing a greater
degree of equivalence, where feasible, between protections for the personal information of
U.S. persons and non-U.S. persons.

(U) But PPD-28 is necessary not solely because of human rights. The protections in
PPD-28 are also intended to strengthen U.S. relationships with foreign allies, to protect U.S.

 

97 (U) See PCLOB Report on PPD-28 at p. 14.

23



commercial, financial, and economic interests, and to minimize risks to intelligence sources
and methods.98

The protections of PPD-28 played a key role in the restoration of a legal framework
allowing U.S. companies to collect and process data about Europeans. That legal
framework, the EU-U.S. Privacy Shield, is crucial to the Internet services that create jobs in
the United States. A move away from the protections in PPD-28 would jeopardize trans-
Atlantic data flows, to the peril of US. commercial interests.

?Signals intelligence activities? and Intelligence Community interpretation

Turning to implementation, it is important to echo the note in the Board?s report
that protections are not absolute but rather are expressly intended to be applied
in a manner that does not jeopardize national security.99 PPD-28 applies to, but does not
define, ?signals intelligence activities.? In the absence ofa definition, it was left to the 1C to
determine which activities would be subject to requirements.

In our view, elements went about identifying the activities subject to PPD-28 with
appropriately careful consideration of the purpose and intent of PPD-28 and what the
directive calls the ?evolving technological and geOpolitical environment" in which our
intelligence agencies operate.100

WOne central feature of this environment is th-

I owever in toda ?s diital world

 

Nevertheless, the privacy interests of
individuals and the harms that could occur if the fact of collection were disclosed are the
same.

 

93 PPD-28 at 13.1 ["At the same time, signals intelligence activities and the possibility that such
activities may be improperly disclosed to the public pose multiple risks. These include risks to: our
relationships with other nations, including the cooperation we received from other nations on law
enforcement, counterterrorism, and other issues; our commercial, economic, and financial interests, including
a potential loss of international trust in US. firms and the decreased willingness of other nations to
participate in international data sharing, privacy, and regulatory regimes; the credibility of our commitment
to an open, interoperable, and secure global Internet; and the protection of intelligence sources and

metho 

?39 Section 4?s safeguards are to be implemented "[t]to the maximum extent feasible consistent with
the national security." PPD-

reerer rerer-zererrewr?

ould have failed to address the risks resented other activities
yielding communications data, such as

 
 

In our view, the ODNI appropriately chose an implementation approach that is
consistent with the intent of the directive and the challenges to which it responded.101 We
commend approach. The U.S. Government should not provide public assurances
that it is collecting and processing foreign communications under rules designed to protect
privacy and civil liberties while quietly exempting certain activities yielding the same types
of information. Otherwise, when the inconsistency was exposed, it would damage the
credibility of the United States.

(U) While we understand and applaud the lC-wide intent to avoid overly formalistic
applications of PPD-28, the Board's report registers concerns raised by divergent
applications of PPD-28 across the IC. The current, fragmented approach may cause
confusion and could prove inadequate to address the risks of improper disclosure
identified in the directive. Efforts to implement the Board?s first recommendation that
the NSC and the ODNI ?issue criteria for determining which activities or types of data will
be subject to be requirements? should follow the guidance to avoid an
?overly narrow? application of protections.

(U) application of PPD-28 to multi-sourced systems

Keeping in mind the importance of PPD-28 in strengthening the United States?
position as a global leader and recognizing the value of applying PPD-28 consistently
across the same types of data when collected by different means, it is possible to turn to
more granular questions of implementation. When it comes to the application of PPD-28 to
specific datasets? based on the assessments developed by the IC so far, we
do not believe that the Board is in a osition to definitivel assess the erational im act.

 

'cation of five-year rule will result in the aging off of
ata that is returned ueries the CIA has presented us with no
how its loss would impact

 
     
  

      

information about

 

101 See ODNI Status Report at p. 2 n. 1 (?Intelligence Community elements should not take an overly
narrow approach to de?ning what information will be protected under their PPD-28 procedures?).

192 Email from CIA Privacy and Civil Liberties Officer Benjamin Huebner to PCLOB Board Member
Elisebeth Collins [December 7, 2016].

25


mm

?This lack of a meaningful assessment of efficacy is part

of a broader interest that the Board has highlighted since its earliest work. We recognize
that value is a matter ofjudgment, and we appreciate that no one is likely to say that a
dataset or an item of information would never be useful. However, PPD-28 and much other
intelligence policy is based on a balancing of concerns. In this case, as in so many other
cases, the relevance and efficacy components of the equation are unmeasured [at least the
Board has been presented with no measurements). In the absence of specific information
about relevance and efficacy, we believe it is appropriate to note only that this issue merits
continued attention.

0 question that decision would 

en made a aila 1e

 

{Sf??1513} We understand that the CIA has undertaken a long-term effort to identify its

data holdings?- This is an

important initiative with potentially positive consequences for data management,
operational efficiency, and privacy that go beyond the CIA's implementation of PPD-28.

26



(U) LIST OF SOURCES

(U) Presidential Policy Directive 28, Signals Intelligence Activities (January 17,
2014), available at 


(U) 42 U.S.C. 2000ee.

(U) Office of the Director of National Intelligence, Safeguarding the Personal
Information ofAll People: A Status Report on the Development and Implementation
of Procedures under Presidential Policy Directive 28 (July 2014), available at

files /documents 1017 PPD 28_Status_Report_0ct_2014.pdf.
(U) Office of the Director of National Intelligence, Signals Intelligence Reform 2015
Anniversary Report (February 3, 2015), available at
28/2015.

(U) Office of the Director of National Intelligence, 2016 Progress Report on Changes
to Signals Intelligence Activities (January 22, 2016), available at
28/2016.

(U) FBI Presidential Policy Directive 28: Policy and Procedures PPD-28 public
procedures") (Feb. 2, 2015).

(U) FBI staff Briefing to PCLOB staff on PPD 28 (December 15, 2015).

(U) Internal CIA policy, Activities to Which the CIA Will Apply PPD 28.

(U) Intelligence Community Directive 204: National Intelligence Priorities
Framework (January 2 2015).

(U) Letter from the ODNI GC to Justin S. Antonipillai (Counselor, Department of
Commerce) and Ted Dean (Deputy Assistant Secretary, International Trade
Administration) (February 22, 2016). 

(U) NSA staff briefing to PCLOB staff on PPD 28 (December 16, 2015).

(U) CIA staff briefing to PCLOB staff on PPD 28 (December 17, 2016).

(U) ODNI staffbriefing to PCLOB staff on PPD 28 (January 21, 2016).

(U) USSID SP0018: Supplemental Procedures for the Collection, Processing,
Retention, and Dissemination of Signals Intelligence Information and Data
Containing Personal Information of Non-United States Persons public
procedures?) (January 12, 2015).

(U) Classified Annex to Manual 5240.01.

(U) CIA staff call with PCLOB on follow-up questions (August 4, 2016).

(U) CIA Signals Intelligence Activities Public Policy.

(U) Intelligence Community Standard 107-01: Continued Retention of
SIGINT Under PPD-28 (February 2, 2015).

(U) FBI 702 Minimization Procedures (Jul. 15, 2015).

(U) NSA staff briefing to PCLOB staff on PPD 28 follow-up questions (August 4,
2016)

27



FBI Domestic Investigations and Operations Guide [Released October 15,
2011, Updated November 19, 2012].

Presidential Policy Directive 28 Application to the FBI: Fact Sheet.

Email from ODNI Deputy General Counsel Bradley Brooker to PCLOB Attorney
Advisor Renee Gewercman, dated September 14, 2016.

CIA staff call with PCLOB staff on PPD 28 follow-up questions [August 10, 2016].
CIA staff call with PCLOB staff on PPD 28 follow-up questions [November 30,
2016]

E.O. 12333: United States Intelligence Activities [2008].

Office of the Director of National Intelligence Presidential Policy Directive 28
Policies and Procedures, available at 
[mid-way through the page].

Department of Treasury, Procedures for the Office of Intelligence and
Analysis, available at 
civil-liberties [mid-way through the page].

Department of Homeland Security, Office of Intelligence and Analysis,
Safeguarding Personal Information Collected from Signals Intelligence Activities,
available at icontherecord.tumblr.com ppd-28 2015 /privacy-civil-liberties
[mid-way through the page].

U.S. Department of State, Bureau of Intelligence and Research, Presidential
Policy Directive 28- Policies and Procedures, available at
[mid-way
through the page].

Drug Enforcement Administration, Office of National Security Intelligence,
Presidential Policy Directive 28- Policies and Procedures, available at
/icontherecord.tumblr.com/ ppd-28 2015 privacy-civil-liberties [mid-way
through the page].

Coast Guard Implementation of Presidential Policy Directive/PPD-28- Policies
and Procedures, available at 

28 2015 /privacy?civil-liberties [mid-way through the page].

NRO Presidential Policy Directive 28 Procedures, available at
[mid-way
through the page].

Department of Energy Office of Intelligence and Counterintelligence, 
Policy Guidance Number 28.1, Implementation of PPD-28, available at
[mid-way
through the page].

Email from CIA Privacy and Civil Liberties Officer Benjamin Huebner to PCLOB
Board Member Elisebeth Collins [December 7, 2016].

28