We are pleased to present the 2016 Executive Orders 13636 and 13691 Privacy and Civil Liberties Assessments Report. On February 12, 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, directing federal departments and agencies to work together and with the private sector to strengthen the security and resilience of the Nation’s critical infrastructure. Specifically, Executive Order 13636 requires federal agencies to develop and incentivize participation in a technology-neutral cybersecurity framework, and to increase the volume, timeliness, and quality of the cyber threat information they share with the private sector.

In addition, on February 13, 2015, President Obama issued Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, which builds upon the foundation established by Executive Order 13636 and PPD-21. Executive Order 13691 specifically acknowledges that organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. Therefore, the Executive Order encourages the voluntary formation of such information sharing organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.

Section 5 of both Executive Orders 13636 and 13691 require that federal agencies coordinate their activities under each Executive Order with their senior agency officials for privacy and civil liberties to ensure that appropriate protections for privacy and civil liberties are incorporated into such activities. Senior agency officials for privacy and civil liberties are also required to annually assess the privacy and civil liberties impacts of the activities their respective departments and agencies have undertaken pursuant to each Executive Order. The senior officials must submit those assessments to the Department of Homeland Security (DHS) Office for Civil Rights and Civil Liberties and the DHS Privacy Office for compilation and publication in this Privacy and Civil Liberties Assessment report.

This third annual report provides assessments of activities under Executive Orders 13636 and 13691 that occurred in fiscal year 2015. With regard to Executive Order 13636, this report builds on last year’s report, focusing on programs or activities that are new or have substantially changed within the last fiscal year as a result of the Executive Order’s implementation. Since Executive Order 13691 was issued in February 2015, DHS is the only department or agency that performed reportable activities pursuant to the Order in fiscal year 2015. These activities are discussed in DHS’s section of this Privacy and Civil Liberties Assessment report.

2016 EO 13636 Privacy & Civil Liberties Assessment Report

The chart below provides an overview of the departments and agencies that provided input for this year’s report pursuant to Executive Order 13636. We note that not all agencies were required to assess all sections of Executive Order 13636. To view the privacy and civil liberties assessments conducted by departments and agencies for previous Executive Order 13636 Privacy and Civil Liberties Assessments Reports, please visit: https://www.dhs.gov/cybersecurity-and-privacy.

2016 Executive Order 13636 Section 5 Reports by Department and Topic

Departments: Department of Homeland Security (DHS); Department of Treasury (Treasury); Department of Defense (DoD); Department of Justice (DOJ); Department of Health and Human Services (HHS); Department of Energy (DOE); Office of the Director of National Intelligence (ODNI)

4(a) Cybersecurity Information Sharing: X X X

4(b) Dissemination of Cyber Threat Reports: X X

4(c) Enhanced Cybersecurity Services / Defense Industrial Base Program: X X

4(d) Private Sector Clearance Program: X X

9(a)/9(c) Critical Infrastructure Identification & Notification: X

Other: X X

Our offices – the DHS Office for Civil Rights and Civil Liberties and the DHS Privacy Office – coordinated with the senior agency officials for privacy and civil liberties for each reporting agency. This coordination was accomplished with the goal of the reporting senior agency officials assessing and reporting on their respective agencies in an objective and independent manner, consistent with their own authorities and policies. We did not direct the officials in the selection of activities for assessment, their assessment methods, or in the drafting of their reports.

The reporting senior agency officials did, however, work jointly to produce this report, sharing best practices, following similar formats, and coordinating assessment coverage for sections of Executive Orders 13636 and 13691 being implemented in multiple agencies.

Our offices also facilitated communications among the senior agency officials and the United States Privacy and Civil Liberties Oversight Board (“the Board”) with regard to the privacy and civil liberties assessments conducted under Executive Order 13636. Each agency, however, worked independently and directly with the Board in its consultative role, as specifically required by Section 5 of Executive Order 13636, to maximize the senior officials’ latitude for disclosure and responsiveness to the Board during this process.

Each agency’s report reflects its own senior agency officials’ determination regarding which activities were required under Executive Orders 13636 and 13691, or were otherwise deemed appropriate to be assessed. In future years, as the activities required under each Executive Order are fully implemented across the U.S. Government, senior agency officials will continue to identify, assess, and report on the privacy and civil liberties impacts of new and/or substantially altered programs and activities.

Megan H. Mack, Officer for Civil Rights and Civil Liberties

Karen L. Neuman, Chief Privacy Officer

TABLE OF CONTENTS

FOREWORD

PART I: DEPARTMENT OF HOMELAND SECURITY

PART II: DEPARTMENT OF THE TREASURY

PART III: DEPARTMENT OF DEFENSE

PART IV: DEPARTMENT OF JUSTICE

PART V: DEPARTMENT OF HEALTH AND HUMAN SERVICES

PART VI: DEPARTMENT OF ENERGY

PART VII: OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

PART I: DEPARTMENT OF HOMELAND SECURITY

I. Introduction

Background and Scope

Section 5 of Executive Orders 13636 and 13691 require the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties to assess the privacy and civil liberties impacts of the activities that the Department of Homeland Security (DHS or Department) undertakes pursuant to these Executive Orders and to include those assessments, together with recommendations for mitigating identified privacy risks, in an annual public report. In addition, the DHS Privacy Office and the Office for Civil Rights and Civil Liberties (CRCL) are charged with coordinating and compiling in a single published report the Privacy and Civil Liberties assessments conducted by Privacy and Civil Liberties officials from other Executive Branch departments and agencies with reporting responsibilities under the Executive Orders.

This year’s assessment covers Department activities conducted under Executive Orders 13636 and 13691 during fiscal year 2015. Specifically, this year’s report provides updates to previous assessments conducted under Executive Order 13636 Sections 4(b), (c), and (d), including explaining instances where implementation approaches have changed. In addition, the DHS Privacy Office and CRCL report the activities that the Department has conducted as a result of Executive Order 13691’s issuance in February 2015.

As in the previous 2014 and 2015 Executive Order 13636 assessments, the scope of this year’s assessment is limited to those DHS activities that were undertaken as a result of Executive Orders 13636 and 13691 or were substantially altered by these orders. Section 5 of both Executive Orders 13636 and 13691 direct the assessment of “the functions and programs undertaken by DHS as called for in this order,” and the scope of the assessment is therefore limited to those functions and programs, rather than attempting to assess the many DHS cybersecurity programs and activities conducted under other authorities. Attempting to include that wide array of programs and activities within this assessment would be impractical, straining oversight office resources, and diluting the in-depth focus on the activities that are driven by Executive Orders 13636 and 13691. More information on DHS’s cybersecurity responsibilities and activities is available at: http://www.dhs.gov/topic/cybersecurity.

DHS Privacy Office

The Privacy Office is the first statutorily created privacy office in any federal agency, as set forth in Section 222 of the Homeland Security Act (Homeland Security Act).1 The mission of the Privacy Office is to protect all individuals by embedding and enforcing privacy protections and transparency in all DHS activities. The Privacy Office works to minimize the impact of DHS programs on an individual’s privacy, particularly an individual’s personal information, while achieving the Department’s mission to protect the homeland. The Chief Privacy Officer reports directly to the Secretary of Homeland Security.

1 6 U.S.C. § 142

The DHS Privacy Office accomplishes its mission by focusing on the following core activities:

• Requiring compliance with federal privacy and disclosure laws and policies in all DHS programs, systems, and operations, including cybersecurity-related activities;

• Centralizing Freedom of Information Act (FOIA) and Privacy Act operations to provide policy and programmatic oversight, to support operational implementation within the DHS components, and to ensure the consistent handling of disclosure requests;

• Providing leadership and guidance to promote a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the Department;

• Advancing privacy protections throughout the Federal Government through active participation in interagency fora;

• Conducting outreach to the Department’s international partners to promote understanding of the U.S. privacy framework generally and the Department’s role in protecting individual privacy; and,

• Ensuring transparency to the public through published materials, reports, formal notices, public workshops, and meetings.2

DHS Office for Civil Rights and Civil Liberties

The Office for Civil Rights and Civil Liberties supports the Department’s mission to secure the nation while preserving individual liberty, fairness, and equality under the law. The Officer for CRCL reports directly to the Secretary of Homeland Security. CRCL integrates civil rights and civil liberties into all of the Department’s activities by:

• Promoting respect for civil rights and civil liberties in policy creation and implementation by advising Department leadership and personnel;

• Communicating with individuals and communities whose civil rights and civil liberties may be affected by Department activities, informing them about policies and avenues of redress, and promoting appropriate attention within the Department to their experiences and concerns;

• Investigating and resolving civil rights and civil liberties complaints filed by the public regarding Department policies or activities, or actions taken by Department personnel; and,

• Leading the Department’s equal employment opportunity programs and promoting workforce diversity and merit system principles.3

2 Detailed information about DHS Privacy Office activities and responsibilities, including Privacy Impact Assessments conducted by the Privacy Office for DHS cybersecurity-related efforts, is available at http://www.dhs.gov/privacy.

3 Detailed information about the activities and responsibilities of the DHS CRCL is available at http://www.dhs.gov/office-civil-rights-and-civil-liberties.

DHS Methodology for Conducting Executive Order (EO) 13636/13691 Assessments

Executive Order 13636 and Executive Order 13691 direct senior agency privacy and civil liberties officials of agencies engaged in activities under the orders to perform an “evaluation of activities against the Fair Information Practice Principles (FIPPs) and other applicable privacy and civil liberties policies, principles, and frameworks.” DHS has evaluated its activities against the FIPPs and other applicable privacy and civil liberties policies, principles, and frameworks. More information on the evaluation process is described below.

The DHS Privacy Framework

The FIPPs, which are rooted in the tenets of the Privacy Act of 1974,4 have served as DHS’s core privacy framework since the Department was established. They are memorialized in the DHS Privacy Office’s Privacy Policy Guidance Memorandum 2008-01, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security5 and in DHS Directive 047-01, Privacy Policy and Compliance (July 2011).6 The DHS implementation of the FIPPs is as follows:

Transparency: DHS should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of personally identifiable information (PII). Technologies or systems using PII must be described in a System of Records Notice (SORN)7 and Privacy Impact Assessment (PIA)8, as appropriate. There should be no system the existence of which is a secret.

4 5 U.S.C. § 552a

5 Available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf.

6 Directive 047-01 is available at http://www.dhs.gov/xlibrary/assets/foia/privacy-policy-compliance-directive-047-01.pdf. The Directive supersedes the DHS Directive 0470.2, Privacy Act Compliance, which was issued in October 2005.

7 The Privacy Act requires that federal agencies issue a SORN to provide the public notice regarding personally identifiable information collected in a system of records. A system of records means a group of records under the control of the agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. SORNs explain how the information is used, retained, and may be corrected, and whether certain portions of the system are subject to Privacy Act exemptions for law enforcement or national security reasons. If a SORN is required, the program manager will work with the Component Privacy Officer to demonstrate accountability, and to further the transparency of Department activities. PIAs and SORNs relevant to the Department’s activities under Executive Order Section 4 are discussed in the assessments reported below. The Privacy Point of Contact and Component counsel write the SORN for submission to the Privacy Office. The DHS Chief Privacy Officer reviews, signs, and publishes all DHS SORNs.

8 The E-Government Act and the Homeland Security Act require PIAs, and PIAs may also be required in accordance with DHS policy issued pursuant to the Chief Privacy Officer’s statutory authority. PIAs are an important tool for examining the privacy impact of IT systems, initiatives, programs, technologies, or rulemakings. The DHS PIA is based on the FIPPs framework and covers areas such as the scope and use of information collected, information security, and information sharing. Each section of the PIA concludes with analysis designed to outline any potential privacy risks identified in the answers to the preceding questions and to discuss any strategies or practices used to mitigate those risks. The analysis section reinforces critical thinking about ways to enhance the natural course of system development by including privacy in the early stages. PIAs are initially developed in the DHS Components, with input from the DHS Privacy Office. Once approved at the Component level, PIAs are submitted to the DHS Chief Privacy Officer for final approval. Once approved, PIAs are published on the Privacy Office website, with the exception of a small number of PIAs for national security systems.

Individual Participation: DHS should involve the individual in the process of using PII. DHS should, to the extent practical, seek individual consent for the collection, use, dissemination, and maintenance of PII and should provide mechanisms for appropriate access, correction, and redress regarding DHS’s use of PII.

Purpose Specification: DHS should specifically articulate the authority which permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

Data Minimization: DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s), and only retain PII for as long as is necessary to fulfill the specified purpose(s). PII should be disposed of in accordance with DHS records disposition schedules as approved by the National Archives and Records Administration.

Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.

Data Quality and Integrity: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete, within the context of each use of the PII.

Security: DHS should protect PII (in all forms) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

The FIPPs govern the appropriate use of PII at the Department and are the foundation of all DHS privacy-related policies and activities at DHS. DHS uses the FIPPs to assess privacy risks and enhance privacy protections by assessing the nature and purpose of all PII collected to ensure it is necessary for the Department’s mission to preserve, protect, and secure the homeland. The DHS Privacy Office applies the FIPPs to the full breadth and diversity of Department systems, programs, and initiatives that use PII, or are otherwise privacy-sensitive, including the Department’s cybersecurity-related activities. Because the FIPPs serve as the foundation of privacy policy at DHS, the Privacy Office works with Department personnel to complete Privacy Threshold Analyses (PTA)9, PIAs, and SORNs to ensure the implementation of the FIPPs at DHS. When conducting a Privacy Compliance Review (PCR)10, such as the one completed on the Enhanced Cybersecurity Services (ECS) program,11 the Privacy Office evaluates the program’s compliance with the FIPPs, any requirements outlined in its PTA, PIA, or SORN, and any privacy policies that are specific to that program. It is important to note, however, that because DHS uses the FIPPs as its foundational privacy policy framework, many DHS programs or activities do not require specific privacy policies aside from DHS’s Privacy Policy Guidance Memorandum on the FIPPs, DHS Directive 047-01 “Privacy Policy and Compliance,” and any specific privacy requirements documented in an applicable PTA, PIA, and/or SORN.

9 The first step in the DHS privacy compliance process is for DHS staff seeking to implement or modify a system, program, technology, or rulemaking to complete a PTA. The Privacy Office reviews and adjudicates the PTA, which serves as the official determination as to whether or not the system, program, technology, or rulemaking is privacy sensitive and requires additional privacy compliance documentation such as a PIA or SORN.

10 The DHS Privacy Office exercises its authority under Section 222 of the Homeland Security Act to assure that technologies sustain and do not erode privacy protections through the conduct of PCRs. Consistent with the DHS Privacy Office’s unique position as both an advisor and oversight body for the Department’s privacy sensitive programs and systems, the PCR is designed as a constructive mechanism to improve a program’s ability to comply with assurances made in existing privacy compliance documentation.

Civil Rights and Civil Liberties Assessment Framework

CRCL conducts assessments using an issue-spotting approach rather than a fixed template of issues because the particular issues that may be presented vary greatly across programs and activities. This approach necessitates in-depth factual examination of a program or activity to determine its scope and how it is implemented. Next, CRCL considers the applicability of relevant individual rights protections, first evaluating compliance with those protections, then considering whether a program or activity should modify its policies or procedures to improve the protection of individual rights. As CRCL evaluates programs and activities, consideration is given, but not limited to, the following legal and policy parameters:

• Individual rights and constraints on government action provided for in the Constitution of the United States.

• Statutory protections of individual rights, such as the Civil Rights Act of 1964, 42 U.S.C. §§ 1981-2000h-6.

• Statutes that indirectly serve to protect individuals, such as the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2522.

• Executive Orders, regulations, policies, and other rules or guidelines that direct government action and define the government’s relationship to the individual in specific circumstances.

• Other sources of law or authority that may be relevant in specific instances, such as international law standards pertaining to human rights, or prudential guidelines suggesting best practices for governance of particular types of government activities.

The assessment process typically results in the evaluation of several possible individual rights questions raised by a program or activity. The most salient of the factual findings and policy concerns are then addressed in policy advice, and sometimes in a formal memorandum or similar document, or in a format comparable to this assessment. CRCL then works with the DHS elements involved, including the Department’s Office of the General Counsel, to craft workable policy recommendations and solutions to ensure individual rights are appropriately protected within the assessed program or activity. These solutions may be embedded in program-specific policies, operating procedures, other documentation or simple changes in program activities, as appropriate.

11 See Section III, “EO Section 4(c): Enhanced Cybersecurity Services,” for more information on the Privacy Compliance Review.

Related DHS Privacy and Civil Liberties Cyber Activities

Our work under Executive Orders 13636 and 13691 provides further transparency into the Department’s cybersecurity-related activities dating back to PIAs and SORNs published in 2004.12 In addition, the Department has sought the guidance of its Data Privacy and Integrity Advisory Committee (DPIAC)13 on cybersecurity-related matters. The DHS Privacy Office has briefed the DPIAC on cybersecurity-related matters in numerous public meetings. At the Chief Privacy Officer’s request, the DPIAC issued a public report and recommendations on implementing privacy in cybersecurity pilot programs. The report, which was issued in November 2012, has informed the Department’s development work in this area, and will serve as a guide for future assessments by the Privacy Office.

In this year’s report, as noted, the DHS Privacy Office and CRCL provide updates to previous assessments conducted under Executive Order 13636 Sections 4(b), (c), and (d). In addition, the DHS Privacy Office and CRCL report the activities that the Department has conducted under Executive Order 13691 since its issuance in February 2015. As the Department continues its implementation activities under these two Executive Orders, the DHS Privacy Office and CRCL will assess new activities, and provide any necessary updates to previous assessments in future reports.

II. EO Section 4(b): Dissemination of Reports

The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

Background

In the 2015 Privacy and Civil Liberties Assessment Report, DHS reported that it participated in a pilot with the Federal Bureau of Investigation (FBI) to determine whether the Cyber Guardian system on the Secret Internet Protocol Router Network (SIPRNET) could be leveraged to track the production and dissemination of cyber threat reports to targeted private sector critical infrastructure entities. As a result of the pilot and with guidance from the National Security Council (NSC) staff, FBI, DHS, and the Department of Defense (DOD) developed an interagency Joint Requirements Team (JRT) to develop requirements for a system that meets the Section 4(b) mandate.

12 These PIAs and links to associated SORNs are available on the DHS Privacy Office’s website at http://www.dhs.gov/privacy-documents-national-protection-and-programs-directorate-nppd.

13 The DPIAC is a discretionary advisory committee established under the authority of the Secretary of Homeland Security in 6 U.S.C. § 451. The DPIAC operates in accordance with the Federal Advisory Committee Act, 5 U.S.C. Appendix 2. More information about the DPIAC, including all reports and recommendations, is available on the DHS Privacy Office website at http://www.dhs.gov/privacy-office-dhs-data-privacy-and-integrity-advisory-committee

Since last year’s report, the JRT did develop and formalize requirements for a system that meets the Section 4(b) mandate in a Section 4(b) Support Capability Requirements document. On April 10, 2015, the White House Inter-Agency Policy Committee accepted this requirements document and designated the FBI’s National Cyber Investigative Joint Task Force (NCIJTF) as the Implementer of the 4(b) Support Capability via the Cyber Guardian System.

Since the White House Inter-Agency Policy Committee accepted the Section 4(b) Support Capability Requirements document in April 2015, the FBI has completed a Memorandum of Understanding (MOU) that participating federal agencies must sign in order to access/use Cyber Guardian and a Rules of Behavior (ROB) document that individual users of the system must sign and with which they must abide. DHS has signed the MOU and all DHS employees currently using the Cyber Guardian system have signed the ROB document as well as completed training on the Cyber Guardian system. Currently, Cyber Guardian enables government agencies with cyber missions to be aware of and de-conflict cyber incidents. Moving forward, Cyber Guardian is the planned platform for cyber incident reports to be assimilated and made available for dissemination to the private sector, and is intended to have the capability to disseminate both unclassified and classified reports to critical infrastructure entities authorized to receive them. Because the NCIJTF maintains and manages the Cyber Guardian system from an engineering and maintenance perspective, additional information on the Cyber Guardian system and its policies may be found in Section 4(b) of this year’s Department of Justice (DOJ) Privacy and Civil Liberties Assessment Report.

While the NCIJTF maintains and manages the Cyber Guardian system to track the production and dissemination of cyber threat reports to targeted private sector critical infrastructure entities, DHS continues to develop, receive, and handle cyber threat reports specific to targeted private sector critical infrastructure entities before that information is entered into the Cyber Guardian system. This year’s report summarizes DHS’s cyber threat reporting under Section 4(b) of Executive Order 13636 and provides a FIPPs assessment conducted by the DHS Privacy Office regarding the cyber threat reporting process.

DHS’s Cyber Threat Reporting under Section 4(b)

Typically, DHS law enforcement components discover cyber threat information, specific to a targeted entity, during the course of an investigation. DHS may, however, also encounter cyber threat information in other mission-related activities, such as the protection of federal civilian networks and cyber threat analysis. In addition, targeted private sector entities may voluntarily submit cyber threat information to DHS through the National Cybersecurity and Communications Integration Center (NCCIC) in connection with efforts to protect information systems from known or suspected cybersecurity threats, mitigate such cybersecurity threats, or respond to cyber incidents. DHS shares cyber threat information within the Cyber Guardian system for the purposes of tracking the production, dissemination, and disposition of significant threat reports shared under Section 4 of the Order with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats and to facilitate proper coordination of victim notifications, in accordance with Section 4(b) of Executive Order 13636 and the Cyber Guardian MOU with FBI.

Privacy Assessment

FIPPs Analysis

Transparency: As noted in the 2014 Report in reference to 4(a) activities, DHS has published a number of PIAs explaining how it currently collects, uses, maintains, and disseminates cyber threat information, including any PII.14 These PIAs provide generalized notice of DHS’s cyber activities as they relate to cyber threats. The PIA that covers the reporting and collection of cyber threat information from the public and private sector relevant to 4(b) activities is DHS/NPPD/PIA-026 National Cybersecurity Protection System (NCPS), July 30, 2012. NCPS is an integrated system for intrusion detection, analysis, intrusion prevention, and information sharing capabilities used to defend the federal civilian government’s information technology infrastructure from cyber threats. The National Protection and Programs Directorate (NPPD) conducted this PIA because PII may be collected by NCPS, or through submissions of known or suspected cyber threats received by the NCCIC for analysis. Cyber threat information collected by DHS, specific to targeted private sector critical infrastructure entities, is shared with other Federal agencies that have cybersecurity responsibilities through the FBI’s Cyber Guardian system, as detailed in DOJ’s Privacy and Civil Liberties Assessment Report of 4(b) activities. Cyber Guardian is employed to track the production, dissemination, and disposition of threat reports shared under Section 4 of the Order with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats and to facilitate proper coordination of victim notifications.

Data Minimization: Data minimization is at the core of DHS’s cyber threat reporting process under Section 4(b) of the Order. As described in the Cyber Guardian MOU with FBI, Cyber Guardian only collects limited PII that is directly relevant and necessary to accomplish the specified purpose of tracking the production, dissemination, and disposition of threat reports shared under Section 4 of the Order and only retains PII for as long as necessary to fulfill this specified purpose. As a result, DHS only enters PII into the Cyber Guardian system that may allow U.S. private sector entities to better protect themselves against cyber threats and to facilitate proper coordination of victim notifications.

Individual Participation: It is not possible to allow individual participation in the context of DHS’s sharing cyber threat information with the FBI’s Cyber Guardian system and it is not feasible for the Government to provide redress for individuals whose PII may be included in the information submitted to Cyber Guardian.

As stated in the MOU, however, DHS understands that information submitted to Cyber Guardian is subject to applicable federal laws, including but not limited to the Privacy Act, the Freedom of Information Act, the Federal Records Act, and discovery requirements. To the extent information exchanged as a result of Cyber Guardian results in a request or demand for that (or related) information from FBI files pursuant to federal or state civil or criminal discovery or any other request by a third-party for FBI information, such disclosure may only be made after consultation with, and approval by, the FBI and DHS (whose information is at issue), or as otherwise required by law.

14 Available at www.dhs.gov/cybersecurity-and-privacy.

Purpose Specification: DHS components have a variety of authorities to collect and share cyber threat information, such as through their responsibilities to protect federal civilian networks, coordinate with the private sector, conduct law enforcement activities, analyze cyber threats, and perform mitigation assessments. As it relates to the MOU for DHS’s sharing of cyber threat information with the FBI’s Cyber Guardian system, the following authorities apply:

1. Privacy Act of 1974, 5 U.S.C. § 552a;

2. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 13, 2013;

3. Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, February 12, 2013; and

4. Executive Order 12829, National Industrial Security Program, January 6, 1993, as amended.

Use Limitation: DHS only enters cyber threat reports into the Cyber Guardian system pursuant to Section 4(b) of Executive Order 13636 and the signed Cyber Guardian MOU with FBI. Both state that the information submitted to Cyber Guardian is to be used only for the purposes of tracking the production, dissemination, and disposition of threat reports shared under Section 4 of the Order. In doing so, U.S. private sector entities may better protect and defend themselves against cyber threats and federal agencies may facilitate proper coordination of victim notifications.

Data Quality and Integrity: The cyber threat report information entered into the Cyber Guardian system by DHS, pursuant to Section 4(b) of Executive Order 13636, is derived from existing threat reporting. The data quality and integrity measures in place for those activities are set forth in the NCPS PIA.

Security: DHS accesses the Cyber Guardian application through the secure environment of the SIPRNET, a Department of Defense secret enclave. As explained in the MOU, the use of SIPRNET triggers certain reporting requirements in the event of an unauthorized disclosure. Furthermore, the FBI’s ROB for Cyber Guardian sets forth specific rules of behavior, expressly prohibited behavior, and monitoring/search provisions for users of the system.

Accountability and Auditing: As stated in the Cyber Guardian MOU, the FBI monitors, records, and audits use of Cyber Guardian to ensure compliance with applicable laws, regulations, policies, and with the terms of the MOU. If requested by the FBI, each agency that signed the MOU will be responsible for compiling system compliance-related information about its own authorized users and providing that information to the FBI. Such compliance-related information shall include tracking logons and logoffs, creating audit logs, and other appropriate measures, as related to DHS’s system.

III. EO Section 4(c): Enhanced Cybersecurity Services

To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

Background

DHS’s Enhanced Cybersecurity Services (ECS) was established as a voluntary information sharing program to assist critical infrastructure owners and operators to improve protection of their systems from unauthorized access, exploitation, or data exfiltration. ECS consists of the operational processes and security oversight required to share sensitive and classified cyber threat information with qualified commercial service providers15 and operational implementers16 (hereinafter “commercial service providers”) that will enable them to better protect their customers, which consist of U.S.-based public and private entities.

DHS reported on the ECS Program in both the 2014 and 2015 Privacy and Civil Liberties Assessment Reports. In the 2014 Privacy and Civil Liberties Assessment Report, DHS focused on discussing key foundational questions in the establishment and operation of the program and the Privacy Office conducted a FIPPs assessment of ECS. In the 2015 Report, DHS provided an overview of the privacy, civil rights, and civil liberties oversight of the program, the assessments of CRCL and the Privacy Office, and a summary of the PCR that the DHS Privacy Office conducted in coordination with the ECS Program and the NPPD Office of Privacy. This year’s report provides a brief update on the ECS program’s commercial service providers and also addresses the four recommendations from the April 15, 2015, DHS PCR of the ECS Program as discussed in last year’s privacy assessment.

ECS Program Update

As explained in the 2015 Privacy and Civil Liberties Assessment Report, NPPD Office of Cybersecurity and Communications (CS&C) provides government furnished information (GFI), specifically indicators of malicious cyber activity,17 to qualified commercial service providers. Participating commercial service providers must enter into a memorandum of agreement with DHS and become accredited by achieving a high standard of security competence, including retaining the ability to safeguard sensitive information, obtaining personnel and facilities clearances, and constructing secure network systems as set forth by the security requirements of the ECS Program.

15 The term Commercial Service Provider (CSP) refers to a public or private company that is capable of providing managed security services for the protection of their customers, which consist of U.S.-based public and private entities. Any managed security service provider meeting the eligibility security requirements may become a CSP.

16 The term Operational Implementer refers to a critical infrastructure organization that may choose to build its own infrastructure for the purposes of receiving, managing, and utilizing the DHS cyber threat indicators in the protection of its information assets, in effect to act as its own commercial service provider. The requirements for operational implementers are the same as those for commercial service providers. For simplicity, references in this assessment to commercial service providers also apply to operational implementers.

17 Cyber threats can be defined as any identified efforts directed toward accessing, exfiltrating, manipulating, or impairing the integrity, confidentiality, security, or availability of data, an application, or a federal system, or information processed, controlled, stored on, or transmitting to/from an information system, without lawful authority. Information about cyber threats may be received from government, public, or private sources. Categories of cyber threats may include, for example: phishing, IP spoofing, botnets, denials of service, distributed denials of service, man-in-the-middle attacks, or the insertion of other types of malware.

As of the 2014 Assessment cycle, and as noted in the 2015 Privacy and Civil Liberties Assessment Report, only accredited commercial service providers are permitted to provide cybersecurity services to U.S.-based public and private entities. At the time that report was published, only AT&T and CenturyLink were accredited as commercial service providers for ECS. Since the 2015 report was published, however, Verizon and Lockheed Martin have also met the standards for accreditation and are now recognized as ECS Commercial Service Providers. During Fiscal Year 2015, the ECS Program also permitted commercial service providers to extend their ECS customer base beyond those determined to be within the sixteen critical infrastructure sectors, and ECS is now open to all U.S.-based public and private entities.

Update on ECS Privacy Compliance Review Recommendations

As described in the 2015 Privacy and Civil Liberties Assessment Report, the DHS Privacy Office completed a PCR of the ECS Program18 in coordination with the ECS Program and the NPPD Office of Privacy. The PCR found that NPPD has demonstrated exemplary attention to implementing strong privacy protections in ECS and its related processes, and the DHS Privacy Office provided four recommendations for NPPD in order to further strengthen its privacy protections in ECS and its related processes. These recommendations as well as updates on how they have been addressed by NPPD are described below.

18 See “Privacy Compliance Review of the Enhanced Cybersecurity Services (ECS) Program,” available at www.dhs.gov/privacy

• Recommendation 1: NPPD should update the ECS PIA to better reflect the current state of indicator testing and the existing data quality protections DHS is using in the ECS Program. Update: NPPD has published an ECS PIA Update to reflect the current state of indicator testing. The original PIA stated that ECS indicators were tested for false positives and false negatives in a test environment before sharing with the commercial service providers. The ECS PIA Update clarifies that while testing is a part of the signature development lifecycle as it relates to DHS’s deployment of signatures to the .gov domain, ECS shares indicators (GFI) with a CSP, not signatures. Indicators serve as the basis for an entity to develop a signature within its own unique environment. The CSP may choose to use GFI to develop signatures and would follow its own processes for testing. Consequently, because DHS is sharing indicators for ECS, not signatures, indicator testing is not performed. DHS has other measures to promote data quality, including initial and periodic review of indicators, which are governed by the program’s GFI Data Verification and Vetting Process to ensure GFI is timely, actionable, and vetted by DHS. This process incorporates standard operating procedures that seek to minimize the use or collection of unnecessary PII.

• Recommendation 2: NPPD should update the ECS PIA to reflect the current frequency of log reviews. Update: NPPD has published an ECS PIA Update to clarify that user activity in the National Cybersecurity Protection System, which maintains ECS-related data and information, is logged and the logs are reviewed regularly.

• Recommendation 3: NPPD should provide updated information about indicator retention in a future ECS PIA update. Update: NPPD published the ECS PIA Update to explain that a records retention schedule for NCPS (Records Schedule # DAA-0563-2013-0008) was approved by NARA on January 12, 2015. The NCPS Records Retention Schedule is broken down by five broad capability areas and covers all fields and data collected by and maintained on NCPS, including the voluntary metric information for ECS. The NCPS retention schedule covers all cyber threat information and is not broken down by program. Generally, NPPD will destroy or delete cyber threat information when it is three years old or when it is no longer needed for agency business, whichever is later. Information that is inadvertently collected or determined not to be related to known or suspected cyber threats or vulnerabilities will be destroyed or deleted immediately or when it is no longer needed for agency business (e.g., after the completion of analysis).

• Recommendation 4: NPPD should describe in a future ECS PIA update how its subsequent analysis of cybersecurity metrics may lead to the development of new indicators. Update: The updated ECS PIA explains that NPPD/CS&C provides cybersecurity indicators to commercial service providers, who participate in ECS information sharing, which in turn permits the providers to offer enhanced cybersecurity services to protect the networks of U.S.-based public and private sector entities that request them. The commercial service providers, at the request of ECS participants, use cyber indicators to block known or suspected cyber threats. As part of the program, commercial service providers may share summary information with NPPD/CS&C about the fact that known or suspected cyber threats were detected. This “fact of” occurrence reporting does not contain PII or information that could be considered PII19. As per the PCR recommendation, NPPD/CS&C is exploring subsequent analysis of data that may lead to the development of new indicators.

19 DHS uses the phrase “information that could be considered PII” because certain indicators of a cyber threat can be the same type of information individuals use to identify themselves in online communications such as an email address or other information that might be included in the message or subject line. In the context of NCPS, these types of information are not used to identify an individual; instead, they are used as a reference point for particular known or suspected cyber threats.

The DHS Privacy Office has determined that the ECS updates explained above and memorialized in the DHS/NPPD PIA Update, DHS/NPPD/PIA-028(a), published on November 30, 2015, are responsive to the PCR recommendations and are considered closed-implemented. Furthermore, these updates do not affect the FIPPs assessment conducted for ECS in the 2014 Privacy and Civil Liberties Assessment Report. Should additional changes take place in the ECS Program that affect privacy, the DHS Privacy Office will assess the risks posed and the steps taken to mitigate them, and will include its assessment in a future Executive Order 13636 Privacy and Civil Liberties Assessment Report.

IV. EO Section 4(d): Private Sector Clearance Program for Critical Infrastructure

The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

As discussed in the 2014 Privacy and Civil Liberties Assessment Report, DHS built upon NPPD’s Critical Infrastructure Private Sector Clearance Program (since renamed to the Private Sector Clearance Program for Critical Infrastructure (PSCP)) to implement Section 4(d) of Executive Order 13636. Since that time, the PSCP has implemented minor enhancements to better meet the intent of Executive Order 13636 as described below.

Clearance Prioritization Categories: In order to effectively meet the requirements outlined in Section 4(d) of the EO, as well as other critical needs for clearances, the Department developed three categories to prioritize private sector clearance applicants employed by the critical infrastructure owners and operators identified through Section 9 of the Executive Order. DHS assigns the applicant’s priority category during the initial application phase. The applicant’s priority category remains throughout the clearance package until DHS makes a clearance determination for the applicant. The three categories of prioritization are:

1. Normal Prioritization: This is the default categorization for clearance applications;

2. Time-Critical Prioritization: This is an accelerated process in which the application sponsor has certified a near-term threat requiring a security clearance and a pending classified threat briefing to share that information; and,

3. Expedited Prioritization: This is the fastest option and applies to applications for personnel of critical infrastructure owners and operators, in which “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,” as identified in Section 9 of EO 13636.

Applications designated as Time-Critical or Expedited receive priority processing at each phase of the application process.

Updated DHS Form 9014: With the enhancements to the PSCP, NPPD’s Office of Infrastructure Protection expanded the DHS Form 9014, Critical Infrastructure Private Sector Clearance Program Request, to collect additional information from qualified PSCP Nominees who require clearances based on their day-to-day work related to the security and protection of critical infrastructure. As it relates to Executive Order 13636, these PSCP Nominees include, in part, the private sector clearance applicants employed by the critical infrastructure owners and operators identified through Section 9 of this Executive Order. As a result, PSCP Nominees must now provide the following information via the updated DHS Form 9014 (Note: (*) denotes a new data element requested on the updated DHS Form 9014):

• Full name;

• Company name and address;

• Business phone number;

• Business email address;

• Level of clearance requested;

• Current association memberships;

• U.S. Citizen (yes/no);

• Justification to access classified information (to include Nominee’s job title, position, and responsibilities);

• Information regarding whether the Nominee’s company Chief Security Officer (or the executive otherwise responsible for the Nominee organization’s security posture) has been notified of the Nominee’s nomination (yes/no/N/A);*

• Information regarding whether there is a secure facility within 50 miles where a clearance holder may attend a classified briefing (yes/no/no, but willing to travel);*

• Information pertaining to how the Nominee satisfies the criteria for PSCP nomination (checkboxes provide the criteria selection from EO 135497);* and,

• Nominee’s sector.

If the Nominee has held an active clearance within the past 24 months, then the Nominee must also provide:

• Whether he or she previously held or currently holds a clearance and what type of clearance he or she held or holds (Secret/Top Secret);

• The name of the Agency that sponsored the clearance;

• Contact information for his or her Security Official/Office (phone number and email address);

• Information regarding whether he or she is retired or separated or if he or she is planning on retiring and separating from the position in which he or she held an active clearance within the past 24 months (to include from where the Nominee is retiring or separating);

• If the Nominee is retired or separated, then he or she must also provide his or her date of retirement or separation;

• Reciprocity/reinstatement (yes/no (Nominees may only select “yes” if they have a current clearance or if their prior security clearance was active within the last 2 years));* and,

• If a PSCP clearance holder is undergoing a reinvestigation, then he or she must provide information regarding how recently he or she used the PSCP clearance (No, Yes-within the past year, Yes-within the past 2 years, Yes-within the last 5 years, or Yes-within the last 10 years).*

These new data elements were added to improve the program’s overall effectiveness. For example, the PSCP is now requesting that Nominees provide information regarding whether or not they are located within 50 miles of a secure facility for classified briefings. This information will help the program determine the best way to deliver classified information to the PSCP Nominee if and when he or she is provided with a clearance. Furthermore, the updated DHS Form 9014 requests information from PSCP clearance holders undergoing reinvestigations regarding how often they have used their federal security clearance. This information will provide the PSCP with a better understanding of whether a clearance holder should continue to hold a federal security clearance in order to perform his or her duties.

The DHS Privacy Office determined that the changes do not alter the FIPPs assessment conducted for the PSCP in the 2014 Privacy and Civil Liberties Assessment Report. These changes were, however, captured in a DHS/NPPD Privacy Impact Assessment Update, DHS/NPPD/PIA-020(a) – Private Sector Clearance Program for Critical Infrastructure, which was published on February 11, 2015. Should additional changes take place in the Program that affect privacy, the DHS Privacy Office will assess the risks posed and the steps taken to mitigate them, and will include its assessment in a future Executive Order 13636 Privacy and Civil Liberties Assessment Report.

V. Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing

Background

On February 13, 2015, President Obama signed Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing, to build upon the foundation established by Executive Order 13636 by encouraging the development of information sharing and analysis organizations (ISAO) to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and Government. Specifically, Executive Order 13691:

• Directs the Secretary of DHS to strongly encourage the development and formation of ISAOs;

• Directs DHS to select, through an open and competitive process, a non-governmental organization to serve as the ISAO Standards Organization. This ISAO Standards Organization will identify a set of voluntary standards or guidelines for the creation and functioning of ISAOs;

• Streamlines the mechanism for DHS’s NCCIC to enter into information sharing agreements with ISAOs. This will ensure that robust, voluntary information sharing continues and expands between the public and private sectors;

• Directs DHS to develop a more efficient means for granting clearances to private sector individuals who are members of an ISAO via a designated critical infrastructure protection program; and,

• Adds DHS to the list of federal agencies that approve classified information sharing arrangements.

The purpose of the ISAOs is to permit sharing of cyber threat information among a broader group of sharing and analysis organizations than is presently feasible. Current cyber threat information sharing among groups of this type is focused on Information Sharing and Analysis Centers, which are linked to the 16 Critical Infrastructure Sectors and the corresponding Sector Coordinating Councils. The effort to suggest model information sharing structures to ISAOs responds to the independent establishment of voluntary participation cyber threat analysis and sharing organizations that are not tied to Critical Infrastructure Sectors. Expanding the scope of this information sharing – with appropriate privacy and civil liberties safeguards – will enable the Department to provide robust support to diverse groups that may be organized around regional cybersecurity interests, non-critical infrastructure industry or commerce interests, or other communities of interest seeking to voluntarily and collectively improve their cybersecurity posture.

Executive Order 13691 Update

Following the competitive process directed by Section 3(a) of the Order, the Department selected, as the ISAO Standards Organization, the University of Texas at San Antonio (UTSA) with support from Logistics Management Institute (LMI) and the Retail Cyber Intelligence Sharing Center (R-CISC). This ISAO Standards Organization will result in the promulgation of model practices standards for ISAOs, and, it is hoped, lead to the widespread establishment of ISAOs. ISAOs will serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government. Per Executive Order 13691, the UTSA team will work with existing information sharing organizations, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders to identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs.

DHS has participated in other activities in implementing Section 2(a) of the Executive Order. DHS led three public workshops with the private sector to receive feedback on some of the requirements that the selected ISAO Standards Organization should focus on upon selection. These workshops were held on the following dates and locations:

• April 20, 2015 in San Francisco, CA (partnered with White House and PricewaterhouseCoopers);

• June 9, 2015 in Cambridge, MA; and,

• July 30, 2015 in San Jose, CA.

DHS also provided over 25 briefings to private sector and Government organizations during that time frame to provide transparency into the process, discuss the development and formation of ISAOs, and encourage participation.

Although the Department has undertaken significant activities to implement Executive Order 13691, our offices determined that none of the activities directed by the Order are in a posture that is suitable for privacy or civil liberties assessment at this time. The DHS Privacy Office and CRCL will continue to monitor the progress of the Department’s Executive Order 13691 activities and will assess these activities, as appropriate, in future Privacy and Civil Liberties Assessment Reports.

PART II: DEPARTMENT OF THE TREASURY

DEPARTMENT OF THE TREASURY ASSESSMENT OF THE IMPLEMENTATION OF E.O. 13636, “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY”

Introduction

On February 12, 2013, the President signed Executive Order (“EO” or “Order”) 13636, “Improving Critical Infrastructure Cybersecurity,” stating: “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” To ensure the inclusion of privacy and civil liberties protections in activities under the Order, Section 5(a) requires federal agencies to coordinate EO-related cybersecurity activities with their senior agency officials for privacy (“SAOP”). Section 5(b) further requires the SAOP to conduct an assessment of their agency’s activities under the Order and to submit to the Department of Homeland Security (“DHS”) its assessment for consideration and inclusion in a public report that shall be reviewed on an annual basis.

The Department of the Treasury (“Treasury” or “Department”) is engaged in activities under the EO, and the Department’s SAOP submits the following assessment of Treasury’s activities conducted during the October 1, 2014 to September 30, 2015 reporting period.

Treasury’s Privacy and Civil Liberties (PCL) Organization and Processes

Within Treasury, the Assistant Secretary for Management (“ASM”) is responsible for the overall implementation of privacy and civil liberties requirements. Treasury Order 102-25, “Delegation of Authority Concerning Privacy and Civil Liberties,” designates the ASM as the Department’s SAOP, Chief Privacy and Civil Liberties Officer, and Information Sharing Environment Privacy Official. At Treasury, the Deputy Assistant Secretary for Privacy, Transparency, and Records (“DASPTR”) is the ASM’s principal advisor on privacy and civil liberties matters. The DASPTR is responsible for establishing Treasury-wide policies, procedures, and standards to ensure the Department’s full compliance with federal laws, regulations, and policies relating to information privacy.

Overview of 13636 Relevant Activities

Fostering the stability of financial markets and institutions is an integral component of Treasury’s leadership, domestically and globally. A secure and resilient financial system is at the heart of our Nation’s economic prosperity and Treasury’s primary objective since 1789.

In 1998, the President issued Presidential Decision Directive (“PDD”) 63, identifying telecommunications, banking and finance, energy, transportation, and essential government services as vulnerable sectors. In the PDD, the President appointed Treasury as the lead agency for liaison with the banking and finance sector as part of a national effort to assure the security of the United States’ increasingly vulnerable and interconnected infrastructures. In 1999, as part of this effort, Treasury supported the creation and development of the Financial Services Information Sharing and Analysis Center, which is one of the oldest private information-sharing initiatives in the United States. Following the attacks of September 11, 2001, Treasury established the Office of Critical Infrastructure Protection and Compliance Policy (“OCIP”), chaired a newly formed Finance and Banking Information Infrastructure Committee comprised of financial regulators, and encouraged the establishment of the Financial Services Sector Coordinating Council of private sector institutions and organizations. Homeland Security Presidential Directive 7 (“HSPD 7”), released in 2003, superseded PDD 63 and reaffirmed Treasury’s role as sector liaison by naming Treasury the Sector Specific Agency (“SSA”) for finance and banking, while recognizing the importance of the roles played by the Departments of Homeland Security, State, Justice, Commerce, and Defense in protecting our nation’s infrastructure across all sectors. Presidential Policy Directive (“PPD”) 21, which superseded HSPD 7 in 2012, continued to advance a unified approach to strengthening and maintaining secure, functioning, and resilient critical infrastructure against both cyber and physical threats. PPD 21 identifies 16 critical sectors, reaffirming Treasury as SSA for the Financial Services Sector.

In its capacity as the SSA for the Financial Services Sector, Treasury is the day-to-day federal interface and coordinating agency for various interagency and public-private partnership activities relating to the security and resilience of the Financial Services Sector’s critical infrastructure. These responsibilities generally are carried out through OCIP, which is part of the Treasury Office of Financial Institutions. OCIP facilitates implementation of EO 13636 as described below.

Treasury’s Continued Activities under the EO for the Reporting Period

Treasury’s activities under the EO have not materially changed since we last reported. Treasury continues to play a minor role in two programs that distribute personally identifiable information (PII): Information Sharing under section 4(a) of the EO, and the Critical Infrastructure Private Sector Clearance Program under section 4(d) of the EO. In addition, Treasury continues to play a minor role in identifying critical infrastructure where a cybersecurity incident could reasonably result in catastrophic consequences (“high risk critical infrastructure”), as required under section 9(a) of the EO. As the SSA for the Financial Services Sector, Treasury continues to receive requests for nominations for national security clearances to allow financial services critical infrastructure owners, operators, and sector leaders to access cyber threat information. Through a consultative process required by EO 13636, Treasury continues to assist law enforcement and national security agencies with identifying high risk critical infrastructure. During the FY 2015 reporting period, the Cyber Intelligence Group (CIG)20 of Treasury’s Office of Critical Infrastructure Protection and Compliance Policy (OCIP) held monthly classified cyber information meetings for cleared financial sector representatives, and, separately, for cleared financial regulators to increase the volume, timeliness, and quality of cyber threat information shared with the U.S. financial sector under Section 4 of EO 13636. This activity is consistent with our responsibilities under the EO that we assessed in previous reports.

Summary of Assessment Methodology

The Fair Information Practice Principles (“FIPPs”) are a set of internationally recognized principles designed to ensure the protection of information privacy. Treasury uses the FIPPs as the general framework to analyze Treasury’s collection, use, maintenance, and sharing of PII.

Detailed Analyses of Private Sector Clearance Program under 4(d) of EO 13636

Section 4(d): Private Sector Clearance Program

It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. . . . The [DHS] Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

Detailed Description of Private Sector Clearance Program

As the SSA for the Financial Services Sector, Treasury receives requests for access to cyber threat information from financial services critical infrastructure owners, operators, and sector leaders (i.e., Sector Coordinating Council members). Treasury recognizes that cyber threat information may include classified information and that an individual must have an active national security clearance prior to receiving classified information from the government. Therefore, to allow owners, operators, and sector leadership to receive classified cyber threat information, Treasury nominates appropriate individuals for national security clearances. In this program, Treasury receives requests for security clearances from DHS and the private sector. DHS is responsible for providing forms to Treasury for distribution and for referring individuals in the Financial Services Sector to Treasury for formal nomination. Private sector clearance candidates are required to complete certain sections of DHS Form 9014. Individuals from the Financial Services Sector submit a partially completed DHS Form 9014 to Treasury. A Treasury employee verifies that the private sector clearance candidate has completed the necessary sections of the form. The Treasury employee signs the form, nominating the individual for a security clearance, and sends the form to DHS as an attachment via encrypted electronic mail and deletes the form from Treasury systems. Once DHS receives the form, a DHS employee works directly with the nominee in the clearance process.

20 The CIG consists of a specialized team of analysts with expertise in financial services, cybersecurity, and intelligence analysis. The CIG’s primary function is to distribute timely and actionable information and analysis that financial institutions can use to protect themselves from cyber attacks.

Description of Assessment Methodology

To facilitate the processing of national security clearances for appropriate Financial Services Sector personnel, Treasury participates in the DHS Critical Infrastructure Private Sector Clearance Program (“DHS Private Sector Clearance Program”). This program is a government-wide service that provides a means for expediting the processing of national security clearance applications for private sector partners. Treasury is responsible for initiating the nomination process for Financial Services Sector security clearance nominees. Once nominated, DHS and the Office of Personnel Management (“OPM”) are responsible for conducting the investigation necessary to adjudicate national security clearances for nominated private sector individuals. The data collected for security clearances is not used for any purpose other than assisting with securing a clearance. A full assessment of the DHS Private Sector Clearance Program is included in the DHS portion of the 2015 Executive Order 13636 Privacy and Civil Liberties Assessments Report.

Treasury uses the FIPPs to assess cybersecurity programs for potential privacy issues. The FIPPs are:

1. Transparency: Treasury should be transparent and provide notice to the public regarding its collection, use, sharing, and maintenance of PII.

2. Individual Participation: Treasury should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, sharing, and maintenance of PII. Treasury should also provide mechanisms for appropriate access, correction, and redress regarding Treasury’s use of PII.

3. Purpose Specification: Treasury should specifically articulate the authority that permits the collection of PII and the purpose or purposes for which the PII is intended to be used.

4. Data Minimization: Treasury should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).

5. Use Limitation: Treasury should use PII solely for the purpose(s) specified in required information notices (e.g., systems of records notices). Sharing of PII outside the Department should be done in a manner compatible with the purpose for which the PII was originally collected.

6. Data Quality and Integrity: Treasury should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.


7. Security: Treasury should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

8. Accountability and Auditing: Treasury should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

Civil liberties are those basic rights and freedoms guaranteed to individuals. As recognized by the EO and its associated guidance, these Constitutional rights may be implicated by cybersecurity programs that monitor lawful activities or communications. Therefore, in addition to its FIPPs analysis, Treasury will consider whether agency EO activities involve the monitoring or interception of communications, or compiling of information regarding lawful activities that may impact civil liberties. Treasury will also consider the legal authorities that support such activities and the procedures undertaken to safeguard individual rights in carrying out such activities.

Privacy and Civil Liberties (PCL) Assessment of Private Sector Clearance Program

PCL Protections and Compliance

All PII collected within this activity is stored on a Treasury system. Permission to access this information is granted on a need to know basis to protect the information collected. Information is stored within the Treasury network on a temporary basis only. Treasury acts as a facilitator in this process, so the PII submitted for clearance purposes is not shared with or used by any other Treasury programs. The majority of this activity is performed by DHS. Therefore, that Department handles the majority of the PCL protections and compliance associated with it.

Protections Response Are individuals provided notice at the time of collection regarding why the information is being collected and how it will be used?

Treasury uses DHS Form 9014, “Critical Infrastructure Private Sector Clearance Program Request,” to collect the limited set of PII necessary to nominate an individual for a national security clearance. A Privacy Act statement is provided to individuals at the time they receive the form advising them of why the information is being collected and how it will be used.

Please describe how the program removes data that is no longer necessary

Individuals identified by their organization or by DHS electronically mail Treasury a partially completed DHS Form 9014. Once received, Treasury reviews the information and nominates the individual by forwarding the form to DHS. While in Treasury’s custody, the DHS Form 9014 is a working paper. Once DHS receives it, DHS is responsible for maintaining and disposing of the form under General Records Schedule 18, Number 22, Personnel Security Clearance Files. Once DHS confirms the receipt of DHS Form 9014, any copies of such form maintained at Treasury are working papers. As working papers in a DHS system of records, Treasury is no longer responsible for maintaining them. Once Treasury receives confirmation from DHS that it received the form, Treasury deletes the partially completed DHS Form 9014 from its system.

Please describe any steps taken to mitigate any use of PII that is not specified in the applicable notices.

Once received, Treasury reviews all DHS Form 9014s. Treasury employees complete two steps: first, they review information only to ensure that the proper boxes have been filled in and then they formally nominate the individual by electronically mailing the DHS Form 9014 to DHS. While Treasury reviews the form for completeness, it is stored in a local folder, with access limited to only those who have a need to know the information to perform their duties.

Please describe any safeguards that are in place to ensure the continued security of data maintained within the system.

Information Treasury collects in support of the DHS Private Sector Clearance Program is sent directly from the private sector clearance candidate to Treasury by electronic mail. AES 256 bit Encryption is deployed by the Treasury Network for encrypting external traffic from the Departmental Offices Local Area Network (“DO LAN”). DO LAN employs technology that scans for viruses, malware, spam, and other dangerous or suspicious signatures before being delivered to mailboxes. Anything identified as potentially harmful to PII being sent to Treasury employees is quarantined in a secure container until it can be handled properly. While Treasury reviews the DHS Form 9014 for completeness, it is stored in a Treasury local shared drive folder with restricted access. Treasury’s non-classified electronic mail and local shared drives are maintained on the DO LAN. The DO LAN is rated as a Federal Information Security Management Act HIGH system, meaning that the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The safeguards applied to the DO LAN reflect the sensitivity of the information it contains.

Please describe the method for securing data at rest in the system.

Treasury employs Microsoft Active Directory’s role based access controls to prevent unauthorized access to data at rest on the DO LAN. This directory helps ensure that employees and contractors who do not have a need to access the information stored in this program do not have privileges to access the information.

What methods are in place to audit access to records maintained within the system?

Treasury deploys a Splunk Enterprise solution to allow for auditing of user activities on the DO LAN. The solution monitors role based access controls assigned to the files and folders in which Treasury temporarily stores DHS Form 9014s. This helps Treasury prevent employees who have access to the information to perform their official Treasury functions from exceeding their authority by accessing and/or using the information for unauthorized purposes.

Please describe any agency oversight mechanisms that apply to the system.

Private sector clearance candidates send their information in support of the DHS Clearance Program to Treasury by electronic mail. While Treasury reviews the DHS Form 9014 for completeness, it is stored in a local shared drive folder. Treasury’s non-classified electronic mail and shared drives are maintained on the DO LAN, a system secured at the highest level for a non-classified system. There is no way to guarantee that electronic mail sent to Treasury from outside entities is encrypted. All Treasury information systems used to process and store PII undergo a mandatory security assessment and authorization (“SA&A”) process to verify that the system provides adequate measures to preserve the confidentiality, integrity, and availability of all sensitive information residing on or transiting those systems. A Privacy Impact Assessment (“PIA”) is required as part of the SA&A process. The PIA for the DO LAN was completed on Dec 4, 2007. A revised and updated Privacy and Civil Liberties Impact Assessment (“PCLIA”) for the DO LAN is currently in development.

PIAs or Other Documentation

DHS Form 9014s are stored only on the DO LAN while they are reviewed for completeness. The PIA for the DO LAN was completed on Dec 4, 2007 and is currently being updated. A PIA is not required when information contained in a system relates to internal government operations or when it has been previously assessed under an evaluation similar to a PIA.

FIPPS and/or Civil Liberties Analysis:

Transparency: Response: How is the general public informed about the DHS Critical Infrastructure Private Sector Clearance Program?

DHS is the lead agency for the DHS Private Sector Clearance Program. Pursuant to the E-Government Act of 2002 and Office of Management and Budget (OMB) Memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002,” DHS last published a PIA for the program on February 11, 2015. The PIA, which informs the general public about this program, is available to the general public on the DHS Privacy Office’s website.21

When collecting information from members of the public, does the program submit documentation for an OMB Collection number?

Yes. The collection number for DHS Form 9014 is OMB No. 1670-0013. DHS last published notice of the form in the Federal Register on September 24, 2014. See Federal Register Docket Number DHS-2014-0007.

Does the agency operate a Privacy Act system of records in support of the DHS Critical Infrastructure Sector Clearance Program?

Treasury does not operate a Privacy Act system of records in support of the DHS Sector Clearance Program. Once Treasury transmits the DHS Form 9014 to DHS, the system of records notice entitled DHS/ALL–023 Department of Homeland Security Personnel Security Management, 75 FR 8088 (February 23, 2010) covers the information.

How does this program ensure that notices are updated to reflect system or program changes?

As the lead agency for the DHS Private Sector Clearance Program, DHS is responsible for ensuring that its PIA is updated to reflect system or program changes. This report also serves to provide notice to the public about the privacy safeguards deployed in the implementation of the DHS Private Sector Clearance Program. Treasury does not maintain any additional notices with respect to its supporting role in the DHS Private Sector Clearance Program. A PIA is not required when information contained in a system relates to internal government operations or when it has been previously assessed under an evaluation similar to a PIA.

Individual Participation: Response: Are individuals asked for consent and given the opportunity to object to the collection of their PII?

Yes. Individuals in the Financial Services Sector who have been identified by their organization or by DHS as needing access to classified cyber threat information may complete DHS Form 9014 and securely transmit it by electronic mail to Treasury to start the nomination process. There is a Privacy Act Statement in the form providing notice to individuals regarding DHS’s use of the information. Participation in the DHS Private Sector Clearance Program is voluntary. Individuals who do not approve of DHS’s use of the information as stated in DHS Form 9014 have the opportunity to object to collection of their PII by not completing and submitting the form for review. By completing and submitting the form, the individuals consent to the collection of the contents of the form. The individual is not required to submit information for a clearance, but refusal to submit the information will result in their inability to secure a clearance.

21 The DHS PIA for the Private Sector Clearance Program is available here: https://www.dhs.gov/sites/default/files/publications/privacy-pia-nppd-pscp-february2015.pdf

Are individuals given the opportunity to access and correct their PII?

Yes, nominees have the opportunity to access and correct information submitted using the DHS Form 9014. Access and correction procedures are described in the DHS Critical Infrastructure Private Sector Clearance Program PIA, which is available to the public through the DHS Privacy Office website. A PIA is not required when information contained in a system relates to internal government operations or when it has been previously assessed under an evaluation similar to a PIA.

Describe the mechanism provided for an individual to seek redress in the event of inappropriate access to or disclosure of their PII.

If inappropriate access or disclosure gave rise to sufficient risk to the individual or Treasury, Treasury would provide notification to the individual as required in Treasury Directive (TD), 25-08, Safeguarding Against and Responding to the Breach of PII. If notification is given under TD 25-08, the notice would provide a point of contact to whom questions may be directed. If questions evolve into a complaint, the complaint will be addressed by the Office of Privacy, Transparency, and Records working in conjunction with the Office of General Counsel and the Office of Public Affairs.

Purpose Specification: Response: Please provide the specific purpose(s) for the maintenance of PII within the system

Treasury collects PII from individuals in the Financial Services Sector who their organization or DHS has identified as needing access to classified cyber threat information. After DHS or sector representatives identify individuals who need a clearance, the private sector clearance candidate completes the form and sends it to Treasury. Treasury disposes of the information after it ensures the DHS Form 9014 is completed according to the form’s directions, securely transmits the completed form to DHS, and receives notice of receipt from DHS.

What steps are taken to ensure the authority for the collection is valid?

Pursuant to PPD 21, “Critical Infrastructure Security and Resilience,” Treasury is the SSA for the Financial Services Sector. In this role, and in support of the EO, Treasury may nominate individuals from the sector for national security clearances. Treasury is responsible for verifying that individuals in the process are associated with the Financial Services Sector.


Data Minimization: Response: Please describe the data elements that are relevant and necessary.

To initiate the process, individuals complete the DHS Form 9014 and send the following information to Treasury: name, company name/address, phone number, e-mail address, level of clearance, and citizenship. Treasury then securely transmits this information to DHS after reviewing it for completeness. Employees of the Office of Privacy, Transparency, and Records have conducted several meetings with OCIP to ensure that any PII distributed has been minimized and is only used for its original stated purpose. As the SSA for the Financial Services Sector, it has been determined that Treasury’s knowledge of the Financial Services Sector is instrumental in the decision making process for identifying individuals within the sector who require clearances.

Use Limitation: Response: Please describe the steps taken to ensure the use of PII is limited to the purpose(s) specified in applicable notices.

PII that Treasury receives for the DHS Critical Infrastructure Private Sector Clearance Program is limited to the information submitted by the nominee using DHS Form 9014. Once identified, Treasury directs private sector clearance candidates to submit the DHS Form 9014 to a secure Treasury electronic mail inbox that is dedicated to receipt of these forms. Access to the dedicated inbox is limited to Treasury employees and contractors who have a need to know. Treasury does not share DHS Form 9014s with any other Treasury bureaus or offices and only shares them externally with DHS. Information collected in this program is only used for its original purpose.

Data Quality and Integrity: Response: What steps are taken to ensure the continued quality and integrity of data maintained by the project or system?

Information Treasury collects in support of the DHS Critical Infrastructure Private Sector Program is sent directly from the potential nominee to Treasury by electronic mail. Treasury, in turn, sends the information on to DHS using encrypted electronic mail. DHS then contacts the nominee directly to provide the additional information necessary to complete the remaining DHS Form 9014 fields.

What steps are taken to ensure information maintained in the system is accurate, timely, relevant, and complete?

After DHS receives the DHS Form 9014 from Treasury and collects additional information from the private sector nominee/clearance candidate to complete the form, DHS provides to OPM the information necessary to begin the background investigation. OPM then works directly with nominees to ensure that the information provided to Treasury and DHS is accurate, timely, and complete. Nominees are provided the opportunity to correct inaccurate or erroneous information. Any inaccurate or outdated information provided to Treasury is thereby corrected by either DHS or OPM.

Please describe the method for eliminating PII that is no longer needed.

Information collected by Treasury in support of the DHS Private Sector Clearance Program is sent directly from the potential nominee to Treasury by electronic mail. While the DHS Form 9014 is being reviewed by Treasury, the form is stored in a Treasury local shared drive folder with access limited to personnel and contractors who have a need to know. After Treasury electronically mails the partially completed form to DHS and receives confirmation from DHS that it received the form, Treasury deletes the partially completed DHS Form 9014.

Security: Response: Please describe any safeguards that are in place to ensure the continued security of data maintained within the system.

Information collected by Treasury in support of the DHS Private Sector Program is sent directly from the potential nominee to Treasury by electronic mail. While the DHS Form 9014 is being reviewed by Treasury, it is stored in a Treasury local shared drive folder with access limited to personnel and contractors who have a need to know. Treasury’s non-classified electronic mail and local shared drives are maintained on the DO LAN. The safeguards applied to the DO LAN reflect the sensitivity of the information it contains.

Please describe the method for securing data at rest in the system.

Treasury employs Microsoft Active Directory’s role based access controls and audit controls to prevent unauthorized access to or use of data at rest on the DO LAN.

If data from the system is sent electronically, what methods are in place to ensure appropriate safeguards apply?

Private sector clearance candidates send the partially completed DHS Form 9014 to a secure Treasury electronic mail inbox dedicated to receiving these forms. Treasury then reviews the form for completeness and forwards it via encrypted electronic mail to DHS. AES 256 bit Encryption is deployed by Treasury Network for encrypting external traffic from the DO LAN.

Accountability and Auditing:

Response:

What methods are in place to audit access to records maintained within the system?

Treasury deploys a Splunk Enterprise solution to audit user activities on the DO LAN. The solution monitors role based access controls assigned to files and folders in which Treasury temporarily stores DHS Form 9014s.

Please describe any agency oversight mechanisms that apply to the system.

All Treasury information systems used to process and store PII undergo a mandatory SA&A process to verify that the system provides adequate measures to preserve the confidentiality, integrity, and availability of all sensitive information residing on or transiting those systems. Treasury information security professionals oversee completion of the SA&A process. A PIA is required as part of the SA&A process. Treasury also deploys a Splunk Enterprise solution to audit user activities on the DO LAN. The solution monitors role based access controls assigned to files and folders in which Treasury temporarily stores DHS Form 9014s. The PIA for the DO LAN was completed on Dec 4, 2007. A revised and updated PCLIA for the DO LAN is currently in development. A PIA is not required when information contained in a system relates to internal government operations or when it has been previously assessed under an evaluation similar to a PIA.

Civil Liberties Considerations: The Office of Privacy, Transparency, and Records reviewed this activity, its standards, and the criteria for participation in it. At this time, there is no Privacy and Civil Liberties Impact Assessment for DO LAN that specifically addresses the information in this program. Treasury is currently working on an updated Privacy and Civil Liberties Impact Assessment for the DO LAN that will address the privacy and civil liberties information in this program.

PCL risks/impacts:

Risk: Impact: Please explain the possibility of redress if data is lost due to an email breach.

If inappropriate access or disclosure gave rise to sufficient risk to the individual or Treasury, Treasury would provide notification to the individual as required in TD 25-08, Safeguarding Against and Responding to the Breach of PII. If notification is given under TD 25-08, a relevant point of contact would be given, to whom questions may be directed. If questions evolve into a complaint, the complaint will be addressed by the Office of Privacy, Transparency, and Records.


Please describe the method for ensuring that access to data maintained within the system is limited to individuals with a need to know.

Identity verification for access to information maintained on the DO LAN includes the use of personal identity verification cards, usernames, and passwords.

Private Sector Clearance Program Summary

Treasury has conducted its review for the reporting period and has determined that the limited role the Department plays in the Private Sector Clearance Program raises no broader PCL issues, policy considerations, nor legal considerations. Treasury will continue to evaluate its role in the program and may develop a more thorough privacy assessment, as that role expands or changes for future reports.

Detailed Analyses of Cyber Security Information Sharing Under 4(a) of EO 13636

Section 4(a): Cyber Security Information Sharing22

It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that they may better protect and defend themselves against cyber threats.

Detailed Description of Cyber Security Information Sharing

To increase the volume, timeliness, and quality of cyber threat information shared with U.S. financial sector entities so they may better protect and defend themselves against cyber threats, Treasury requests declassification of and subsequently disseminates relevant law enforcement and intelligence information to the financial sector (including financial regulators) and other critical infrastructure partners. This information consists of malicious cyber actors’ tactics, techniques, procedures (TTPs) and associated indicators, to assist in network defense capabilities and planning. In addition, Treasury occasionally receives information on malicious cyber actors’ TTPs and associated indicators from the financial sector and continued to do so during the current reporting period.

22 Treasury’s cyber security information sharing initiatives to provide certain cybersecurity threat information to the financial services sector are pursuant to Presidential Policy Directive (PPD) 21, which preceded the EO. In PPD-21, the President outlined the national effort to strengthen and maintain secure, functioning, and resilient critical infrastructure, which provides the essential services that underpin American society. PPD-21 designated the financial services sector as a critical infrastructure sector and designated Treasury as the SSA for the financial services sector. Treasury, in coordination with the Department of Homeland Security and other relevant federal departments and agencies, is responsible for providing, supporting, and facilitating technical assistance for this sector to identify vulnerabilities and help mitigate incidents, as appropriate. However, these activities are within the scope of the EO; therefore, they are included as part of this report.

2016 EO 13636 Privacy & Civil Liberties Assessment Report


OCIP shares cyber threat information in the form of unclassified Cyber Intelligence Group (CIG)[23] Circulars, through monthly meetings, and upon request from the financial services sector or a member of the sector. These activities are described in more detail below:

CIG Circulars and Financial Services Sector Requests

OCIP’s CIG Circulars are intended to increase the volume, timeliness and quality of cyber threat information shared with the U.S. financial services sector so that sector entities may better protect and defend themselves against cyber threats. Pursuant to EO 13636 and the instructions issued by the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, the U.S. Government produces timely unclassified reports of cyber threats to the U.S. homeland. In addition to these unclassified reports, the financial services sector seeks relevant information from OCIP regarding cyber threats to the financial services sector. Specifically, OCIP receives requests for cyber threat information targeting the financial services sector through the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC was established in 1999 pursuant to PDD 63, as an information sharing mechanism to gather, analyze, “sanitize,” and disseminate information between the U.S. Government and the private sector. The FS-ISAC allows the U.S. Government to convey information to the private sector that will allow financial services firms to better protect their computer systems from attack. The FS-ISAC makes periodic requests to Treasury for cyber threat information targeting financial sector firms that is not otherwise available to the financial sector. These requests may themselves contain cyber threat information the FS-ISAC received from private financial services sector firms, including malicious cyber actors’ tactics, techniques, and procedures (TTPs) and associated indicators.
As discussed above, the FS-ISAC serves as a mechanism to appropriately sanitize[24] information shared with the U.S. Government by the private sector. In response to these requests, OCIP gathers declassified cyber threat information from U.S. Government sources, primarily intelligence and law enforcement agencies, to describe cyber threats to the financial services sector. OCIP uses this information to draft unclassified CIG Circulars for the purpose of sharing this cyber threat information with financial services sector entities and other critical infrastructure partners through the FS-ISAC. The information obtained by OCIP is lawfully collected by other U.S. Government agencies and only includes information approved for release by the U.S. Government data owner or owners to the FS-ISAC, for network defense purposes. OCIP does not solicit information from the private sector for inclusion in the CIG Circulars. In one instance during the FY 2015 reporting period, Treasury included information supplied by a private sector entity through FS-ISAC in a produced CIG Circular. OCIP shares cyber threat information in the form of unclassified CIG Circulars, and upon request from the financial services sector or a member of the sector. CIG Circulars provide information on advanced persistent cyber threat actors’ tactics, techniques and procedures and associated indicators. CIG Circulars are provided to financial institutions, their supporting cyber security service providers, financial regulators, DHS’s Cyber Information Sharing and Collaboration Program, and other critical infrastructure partners, for the purpose of protecting U.S. critical infrastructure from cyber threats.

[23] The CIG consists of a specialized team of analysts with expertise in financial services, cybersecurity, and intelligence analysis. The CIG’s primary function is to distribute timely and actionable information and analysis that financial institutions can use to protect themselves from cyber attacks.

[24] The term “sanitization,” includes (but is not limited to) distilling the information so it is not traceable to the submitter and does not reveal any information that:

• Is proprietary, business-sensitive, or a trade secret;
• Relates specifically to the submitting person or entity (explicitly or implicitly); or
• Is otherwise not customarily in the public domain.

Monthly Classified Cyber Information Meetings

To increase the volume, timeliness, and quality of cyber threat information shared with U.S. financial sector entities, in FY 2015, Treasury’s Financial Sector Cyber Intelligence Group (CIG) began holding monthly classified cyber information meetings for cleared financial sector representatives and, separately, for cleared financial regulators. The meeting participants have to provide the following PII to enter the Treasury building: legal name, date of birth, social security number, and nationality. This information is also needed to verify that the participants have active security clearances. Instead of providing their PII each month, Treasury gave the meeting participants the option of authorizing the CIG, in writing, to retain their PII to facilitate building access and clearance verification for CIG-sponsored meetings in 2015. With their permission, their PII is stored in a locked cabinet in a Sensitive Compartmented Information Facility (SCIF) in a folder marked Privacy Protected Data. In particular, the CIG retains the PII for 11 cleared financial sector representatives, 19 cleared financial regulators, and six FBI and DHS personnel to facilitate their participation in the meetings. The participants have the option of authorizing the CIG to retain their PII to facilitate building access and clearance verification for CIG-sponsored meetings in 2016. If they choose to not authorize the CIG to retain their PII in 2016, their PII will be destroyed.

Cyber Security Information Sharing PCL Assessment

PIAs or Other Documentation

Information in this program is disseminated through correspondence and uploaded onto two portals: the Financial Services Information Sharing and Analysis Center (FS-ISAC) portal, and the DHS HSIN Financial Services portal, which is maintained by Treasury. Treasury’s non-classified electronic correspondence and shared drives are maintained on the DO LAN. All Treasury information systems used to process and store PII undergo a mandatory SA&A process to verify that the system provides adequate measures to preserve the confidentiality, integrity, and availability of all sensitive information residing on or transiting those systems. A PIA is not required when information contained in a system relates to internal government operations or when it has been previously assessed under an evaluation similar to a PIA.


Standard for Sharing PII

OMB Memorandum 07-16 defines personally identifiable information (PII) as information “which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” OCIP only intends to produce technical descriptions of malware in its CIG Circulars. The CIG Circulars produced for the FS-ISAC in FY 2015 described cyber threats to the financial services sector, including technical information that would help a network systems administrator identify a particular form of malware rather than an individual. They did not include any individual’s name, Social Security number, biometrics, or e-mail address. Some of the technical descriptors included in the CIG Circulars may include TTPs, file names, domain names, and Internet Protocol (IP) addresses to which malware beacons direct, or hashes that characterize particular forms of malware. In some cases, these technical descriptions could be PII under OMB’s broad definition because they potentially could link back to an individual. IP addresses, for example, sometimes could be traced back to entities, groups of individuals sharing an IP address, or a specific individual. OCIP, however, does not “link” an IP address or other technical description back to a particular entity, group, or individual, even if it were possible to do so in certain cases. OCIP only uses the technical descriptions to alert the financial services sector to a characteristic of a particular piece of malware, not to identify a specific individual or entity. Although any PII associated with technical descriptions in CIG Circulars is de minimis, Treasury nevertheless analyzed the contents of the circulars to assess compliance with the FIPPs.
OCIP includes technical descriptions in its CIG Circulars when they are relevant and necessary to describe a cyber threat to the financial services sector. CIG Circulars report information that is actionable, relevant, timely, and not available elsewhere to the financial sector. When responding to specific requests for information from the FS-ISAC, OCIP only requests lawfully obtained information from U.S. Government intelligence community and law enforcement agencies to address the request. All information included in CIG Circulars is declassified and approved for release to the FS-ISAC by the data owner or owners. The CIG Circulars are produced for the FS-ISAC pursuant to the Traffic Light Protocol (TLP) initially established by DHS and adopted with modifications by the FS-ISAC. Most of the CIG Circulars are identified as TLP Green, which permits sharing among peers, trusted government and critical infrastructure partners, and service providers, but not via publicly accessible channels. FS-ISAC explains the TLP to its members. FS-ISAC distributes the Circulars to critical infrastructure owners in other sectors through the National Council of ISACs and also to members of the DHS Homeland Security Information Network (HSIN) Financial Services Portal. Treasury shares the information obtained through its cyber security activities for cybersecurity purposes only.


FIPPs and Civil Liberties Analysis:

Transparency:

Response:

How is the general public informed about this program?

The general public is informed of this program through PPD 21 and through this report.

Does the agency operate a Privacy Act system of records in support of this program?

The information sharing process does not require a system of records notice because Treasury does not collect PII directly, but relies upon intelligence and law enforcement agencies to collect and identify cyber threat information. Treasury then requests from the collecting agency the permission to disseminate that cyber threat information to the financial sector. Potential cyber security threats, as well as technical indicators and tactics, techniques, and procedures of known cyber threats are distributed in this program to prevent cybersecurity attacks on the financial services sector.

Individual Participation:

Response:

Are individuals asked for consent and given the opportunity to object to the collection of their PII?

Treasury is not responsible for the collection of PII in this program and therefore is not required to ask for consent. The CIG Circulars produced to the FS-ISAC in FY 2015 described cyber threats to the financial services sector, including technical information that would help a network systems administrator identify a particular form of malware rather than an individual. In some cases, these technical descriptions could be PII under OMB’s broad definition, because they potentially could link back to an individual. However, Treasury does not “link” the technical descriptions back to a particular entity, group, or individual, even if it were possible to do so in certain cases. Therefore, it would be impossible for Treasury to obtain consent from individuals who may be linked to the technical information included in CIG Circulars, and in the monthly meetings.

Are individuals given the opportunity to access and correct their PII?

The information is related to cyber threats, not individuals, and is collected by intelligence agencies and law enforcement, who have their own processes and procedures for handling and correcting PII.

Describe the mechanism provided for an individual to seek redress in the event of inappropriate access to or disclosure of their PII.

If inappropriate access or disclosure gave rise to sufficient risk to the individual or Treasury, Treasury would provide notification to the individual as required in TD 25-08, Safeguarding Against and Responding to the Breach of PII. If notification is given under TD 25-08, a relevant point of contact would be given, to whom questions may be directed. If questions evolve into a complaint, the complaint will be addressed by the Office of Privacy, Transparency, and Records.

Purpose Specification:

Response:

Please provide the specific purpose(s) for the maintenance of PII within the system

Intelligence and law enforcement agencies gather information regarding cyber threats, which may contain limited PII in the form of IP addresses. As part of its information sharing activities under PPD 21 and Section 4 of EO 13636, Treasury expressly requests declassification of cyber threat information for dissemination to the Financial Services Sector to assist with network defense.

Data Minimization:

Response:

Please describe the data elements that are relevant and necessary.

Treasury does not collect information directly, but relies upon Intelligence and Law Enforcement agencies to collect and report cyber threat information. Treasury then requests from the collecting agency the permission to disseminate that cyber threat information to the financial sector. Potential cyber security threats, as well as technical indicators and tactics, techniques, and procedures of known cyber threats are distributed in this program to prevent cybersecurity attacks on the financial services sector. The CIG Circulars produced for the FS-ISAC in FY 2015 described cyber threats to the financial services sector, including technical information that would help a network systems administrator identify a particular form of malware rather than an individual. They did not include any individual’s name, Social Security number, biometrics, or e-mail address. Some of the technical descriptors included in the CIG Circulars may include TTPs, file names, domain names, and IP addresses to which malware beacons direct, or hashes that characterize particular forms of malware. OCIP along with Treasury’s Office of Privacy, Transparency, and Records has determined that the de minimis PII that may be linked to the TTPs, file names, domain names, IP addresses to which malware beacons direct, or hashes from CIG Circulars are relevant and necessary to describe a cyber threat to the financial services sector. CIG Circulars report information that is actionable, relevant, timely, and not available elsewhere to the financial sector.

How long does Treasury retain the information contained in CIG Circulars?

Treasury does not limit recipients’ retention of the information contained in CIG Circulars. OCIP presently keeps copies of all its Circulars for reference purposes; the oldest CIG Circular derived from law enforcement reporting was issued on December 2, 2013. Treasury will continue to evaluate the appropriate retention schedule for cyber threat information and will develop a more definite retention schedule as the program continues.

Use Limitation:

Response:

Please describe the steps taken to ensure the use of PII is limited to the purpose(s) specified in applicable notices.

Treasury only shares cyber security information for cyber security purposes. OCIP shares information that is actionable, relevant, timely and not available elsewhere to the financial sector. When responding to specific requests for information from the FS-ISAC, OCIP only requests lawfully obtained information from U.S. Government intelligence community and law enforcement agencies to address the request. All information included in CIG Circulars is declassified and approved for release to the FS-ISAC by the data owner or owners. In the event PII were to be included in the CIG Circulars, the inclusion of the PII in the CIG Circulars would be assessed by Treasury as relevant and necessary to describe a cyber threat to the financial services sector. The CIG Circulars are produced to the FS-ISAC pursuant to the TLP[25] initially established by the U.S. Department of Homeland Security and adopted with modifications by the FS-ISAC. Most of the CIG Circulars are identified as TLP Green, which permits sharing between peers, trusted government and critical infrastructure partners, and service providers, but not via publicly accessible channels. FS-ISAC explains the Traffic Light Protocol to its members. FS-ISAC distributes the Circulars to critical infrastructure owners in other sectors through the National Council of ISACs and also to members of the DHS Homeland Security Information Network (HSIN) Financial Services Portal.

[25] For more information on the TLP, see: https://www.us-cert.gov/tlp.


Data Quality and Integrity:

Response:

What steps are taken to ensure the continued quality and integrity of data maintained by the project or system?

Treasury relies heavily on the accuracy of the information provided by the Law Enforcement and Intelligence Agencies. The information obtained by OCIP is lawfully collected by other U.S. government agencies and only includes information approved for release by the U.S. government data owner or owners to the FS-ISAC, for network defense purposes.

What steps are taken to ensure information maintained in the system is accurate, timely, relevant, and complete?

Treasury relies heavily on the accuracy of the information provided by the Law Enforcement and Intelligence Agencies. The information obtained by OCIP is lawfully collected by other U.S. government agencies and only includes information approved for release by the U.S. government data owner or owners to the FS-ISAC, for network defense purposes.

Please describe the method for eliminating PII that is no longer needed.

Treasury’s Office of Privacy, Transparency, and Records reviews OCIP CIG Circulars and has yet to specifically identify PII in CIG Circulars. PTR will continue to review CIG Circulars to identify PII and work with OCIP to ensure that unnecessary PII is eliminated.

Security:

Response:

If data from the system is sent electronically, what methods are in place to ensure appropriate safeguards apply?

The information is distributed to the financial sector and other critical infrastructure partners by electronic means. The dissemination is limited by the Traffic Light Protocol[26] and includes a statement that the information is “NOT FOR POSTING ON ANY PUBLIC-FACING WEBSITE.”

Accountability and Auditing:

Response:

Please describe any agency oversight mechanisms that apply to the system.

PTR works with OCIP to review CIG Circulars that are released to the financial services sector. This provides a layer of oversight for the potential sharing of PII.

[26] For more information on the TLP, see: https://www.us-cert.gov/tlp.


Civil Liberties Considerations: The Office of Privacy, Transparency, and Records reviewed this activity, its standards and the criteria for participation in it, and found no significant civil liberties issues requiring discussion and assessment at this time.

PCL Risks and Recommendations

Risk: Impact: Please explain the risk associated with the accuracy of the information.

As the distributor of this information, Treasury risks distributing inaccurate information from other agencies in this program. Without a way to verify information, Treasury is at risk of providing inaccurate information to the private sector. Any distributed inaccurate information could potentially have negative impacts on the effectiveness of cybersecurity in the private sector.

Please describe the risk that Treasury is retaining information for a longer period than necessary.

There is a risk that Treasury’s retention of information shared for cyber security purposes is not limited. Treasury is working to develop an appropriate retention schedule that will ensure that the information, and potential PII shared in the program is not retained for a longer period than necessary.

Cyber Security Information Sharing Summary

Treasury has conducted its review for the reporting period and has determined that the limited role the Department plays in the Cyber Security Information Sharing raises no broader PCL issues, policy considerations, nor legal considerations. Treasury will continue to evaluate its role in the program and may develop a more thorough privacy assessment, as that role expands or changes for future reports.

Detailed Analyses of Identification of Critical Infrastructure at Greatest Risk under Sec. 9 of EO 13636

Section 9. Identification of Critical Infrastructure at Greatest Risk: Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination.

Treasury does not collect or disseminate PII in this program. Therefore, an analysis of the privacy and civil liberties concerns of this program at Treasury is not necessary.

Conclusion

Treasury continues to play a minor role in the distribution of information to the financial services sector. Treasury will continue to assist in the sharing of cybersecurity information while protecting privacy and civil liberties. If Treasury’s role expands or the Department substantially changes its activities under the order, we will provide a comprehensive privacy and civil liberties assessment of those activities in future reports.


PART III: DEPARTMENT OF DEFENSE


Ms. Karen L. Neuman
Chief Privacy Officer
U.S. Department of Homeland Security
Washington, D.C. 20528

Dear Ms. Neuman:

I write as the Department of Defense (DoD) Privacy and Civil Liberties Officer. Pursuant to the requirements of Section 5 of Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity”[27] and Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,”[28] this letter supplements DoD’s privacy and civil liberties assessments of the Defense Industrial Base (DIB) Cybersecurity/Information Assurance (CS/IA) Program contained in the 2014 and 2015 EO 13636 Privacy and Civil Liberties Assessment reports. For the 2016 report, the DoD decided against replicating its 2014 and 2015 privacy and civil liberties assessments because the DIB CS/IA Program policies and procedures have not materially changed. Instead, this letter briefly summarizes DIB CS/IA Program activities that were carried out during Fiscal Year (FY) 2015, October 1, 2014 through September 30, 2015, in accordance with privacy and civil liberties safeguards.

EO 13636 establishes policy directing the U.S. Federal Government to work together with U.S. private sector entities to strengthen the security and resilience of the Nation’s critical infrastructure against cyber threats. Section 5 requires senior agency officials for privacy and civil liberties to incorporate privacy and civil liberties protections into such activities, to conduct assessments of those activities, and submit the assessments to the Department of Homeland Security for compilation and publication of a public report. Section 5(b) adds that the report shall be reviewed on an annual basis and revised as necessary.

The DoD’s privacy and civil liberties assessment focuses on the activities of the DIB CS/IA Program. The DIB encompasses the DoD, U.S. Federal Government, and private-sector worldwide industrial complex with capabilities to perform research and development, design, produce, deliver, and maintain military weapon systems, subsystems, components, or parts to meet military requirements. PPD-21 designates the DoD as the Sector-Specific Agency (SSA) for the DIB. The DoD established the DIB CS/IA Program to enhance and supplement DIB capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. Cyber incident reporting and related activities under this program allow the DoD to assess damage to critical programs when defense information is compromised. The DIB CS/IA Program includes a voluntary information sharing component under which DIB companies and the government agree to share cyber threat information out of a mutual concern for the protection of sensitive, but unclassified information, related to DoD programs on DIB company networks. Through collaboration and information sharing under this program, DoD and DIB participants increase cyber situational awareness and capabilities to counter malicious cyber activity.

[27] Available at https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
[28] Available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.


As noted above, the structure and activities of the DIB CS/IA Program have not materially changed since DoD’s submissions to the 2014 and 2015 reports. DoD’s submission to the 2014 report[29] assessed the activities of the DIB CS/IA Program based upon the Fair Information Practice Principles (FIPPs). For the 2015 report[30], DoD enhanced its privacy and civil liberties assessment of the DIB CS/IA Program by incorporating constructive feedback and suggestions provided by the Privacy and Civil Liberties Oversight Board. Both assessments concluded that the DIB CS/IA Program protects our Nation’s critical infrastructure from cyber threats in a manner that preserves individual privacy and civil liberties.

In FY 2015, the DoD expanded industry participation in the DIB CS/IA Program to 128 companies. Each of these participating DIB companies agreed to protect individual privacy and civil liberties before reporting any cyber incidents discovered on its networks that resulted in an actual or potential compromise of DoD information. This voluntary agreement includes compliance with Title 32 of the U.S. Code of Federal Regulations (CFR), Part 236, “Department of Defense (DoD) – Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities.”[31] 32 CFR Part 236 places responsibility on DoD and each DIB company to conduct DIB CS/IA Program activities in accordance with applicable laws and regulations, including restrictions on the interception, monitoring, access, use, and disclosure of electronic communications or data. 32 CFR Part 236 also requires the DIB company to perform a legal review of its policies and practices that support its program activities before sharing any information with the Government.

Additionally, the DoD began updating DIB CS/IA Program documentation in FY 2015 to increase transparency about how DoD and DIB companies maintain personally identifiable information (PII) in electronic form, including PII embedded in information shared for cyber security analysis. Specifically, the DoD reviewed the Privacy Impact Assessment (PIA) for the DIB Cybersecurity Activities[32] and the System of Records Notice (SORN) for the DIB Cybersecurity (CS) Activities Records[33] to ensure that adequate privacy safeguards exist for all information maintained by the DIB CS/IA Program. This review verified the legal authority for collecting and storing DIB CS/IA Program records, the individuals about whom the records are collected, the type of information collected, and how the records are used. The DoD published updates to both documents in FY 2016 and will include details of the revisions in its submission to the 2017 report.

[29] Available at http://www.dhs.gov/publication/executive-order-13636-privacy-and-civil-liberties-assessment-report-2014.
[30] Available at http://www.dhs.gov/publication/2015-executive-order-13636-privacy-and-civil-liberties-assessment-report.
[31] Available at http://www.gpo.gov/fdsys/pkg/CFR-2013-title32-vol2/pdf/CFR-2013-title32-vol2-part236.pdf.
[32] Available at http://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf.
[33] Available at http://dpcld.defense.gov/Privacy/SORNsIndex/DODwideSORNArticleView/tabid/6797/Article/570553/dcio-01.aspx.


The voluntary reporting under the DIB CS/IA Program focuses on sharing cyber threat indicators that participating DIB companies believe are valuable in alerting the Government and other DIB CS/IA Program participants, as appropriate, to better counter threat activity. It does not replace or duplicate mandatory reporting required by law, regulation, policy, or contractual obligations. This includes mandatory reporting requirements under Section 941 of the National Defense Authorization Act (NDAA) for FY 2013 and Section 1632 of the NDAA for FY 2015[34], which require defense contractors to report successful penetrations of covered contractor networks that affect or have the potential to affect covered defense information, or incidents that affect a contractor’s ability to provide operationally critical support.

The NDAA’s mandatory reporting requirements for defense contractors are levied at DoD in contractual language. DoD implements the requirements through Defense Acquisition Regulations System (DFARS) Case 2013-D018, “Network Penetration Reporting and Contracting for Cloud Services”, published as an interim rule on August 26, 2015.[35] This rule establishes the same processes and systems for mandatory cyber incident reporting that already exist for voluntary reporting under the DIB CS/IA Program, and requires defense contractors to rapidly report successful penetrations of their unclassified networks or information systems while also ensuring that privacy and civil liberties protections continue to be effective.

Overall, the DIB CS/IA Program’s privacy and civil liberties framework provides a multi-layered approach to the incorporation of the FIPPs, as well as other privacy and civil liberties protections guaranteed by Federal law and DoD regulations, policies, and procedures. The activities of the DIB CS/IA Program in FY 2015 complied with these privacy and civil liberties safeguards. In FY 2016, DoD will continue to monitor the DIB CS/IA Program to ensure that all privacy and civil liberties controls are functioning properly.

Sincerely,

Peter Levine
DoD Privacy and Civil Liberties Officer

34 Sections 941 and 1632 are codified in Sections 391 and 393 of Title 10, United States Code. Available at http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title10-chapter19&saved=|KHRpdGxlOjEwIHNlY3Rpb246MzkxIGVkaXRpb246cHJlbGltKQ%3D%3D|||1|false|prelim&edition=prelim.
35 Available at https://www.federalregister.gov/articles/2015/08/26/2015-20870/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for.


PART IV: DEPARTMENT OF JUSTICE


I. Introduction

Executive Order (“EO” or “Executive Order”) 13636 aims to strengthen the cybersecurity of critical infrastructure by increasing information sharing, and by jointly developing and implementing a framework of cybersecurity practices with industry partners.36 The EO requires agencies to coordinate their activities under the EO with their Senior Agency Officials for Privacy and Civil Liberties (SAOPCL), and to ensure that privacy and civil liberties protections are incorporated into such activities based upon the Fair Information Practice Principles (FIPPs) and other privacy and civil liberties policies, principles, and frameworks. Annually, the SAOPCLs are to provide written assessments of agencies’ activities under the EO to the Department of Homeland Security (DHS) for consideration and inclusion in a government-wide report compiled by the DHS Privacy Office and Office for Civil Rights and Civil Liberties.

The Department of Justice (“DOJ” or “the Department”) submitted privacy and civil liberties assessments for inclusion in the 2014 and 2015 government-wide reports. Both assessments detailed the Department’s activities implementing Section 4(a) and Section 4(b) of the EO. In addition, the 2015 assessment included a description of the Department’s privacy and civil liberties framework, as well as the Department’s cybersecurity framework. The Department engages in cybersecurity information sharing under the EO through activities undertaken by the Federal Bureau of Investigation (FBI). Accordingly, the 2015 assessment included descriptions of FBI-specific frameworks and protections for privacy and civil liberties, as well as detailed assessments of two FBI activities that, although not undertaken specifically pursuant to EO 13636, align with the goals of the EO.37 This assessment covers the timeframe from October 1, 2014 to September 30, 2015.

II. Implementation of Section 4(a)

Section 4(a) of EO 13636 establishes as the policy of the U.S. Government the requirement to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Section 4(a) also requires the DHS Secretary, the Attorney General (AG), and the Director of National Intelligence (DNI) to issue instructions to ensure the timely production of unclassified cyber threats to the U.S. homeland that identify a specific targeted entity (“cyber threat reports”). The instructions are to address the need to protect intelligence and law enforcement sources, methods, operations, and investigations. As noted in the Department’s 2014 assessment, the Office of the Deputy Attorney General (ODAG) issued a Department Order requiring the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.38 The Order also requires that all actions taken pursuant to the Order must be consistent with the need to protect privacy and civil liberties. The implementation of Section 4(b), discussed below, addresses the plan of the United States government to address sharing cyber threat information with the private sector by coordinating the interagency management of cyber threats and the ultimate notification to specific targeted entities.

36 Executive Order No. 13636, Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013), available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
37 These two activities, iGuardian and Malware Investigator, were assessed in detail in the 2015 report and will not be further elaborated upon in this assessment. As noted in the 2015 report, these activities do not fall within the scope of EO 13636. This report focuses on Cyber Guardian, which implements Section 4(b) of EO 13636.
38 DOJ Order 3393, Issuing Instructions Pursuant to Executive Order 13636 Regarding the Timely Production of Unclassified Reports of Cyber Threat Information (2013).

III. Implementation of Section 4(b)

Under Section 4(b) of EO 13636, the DHS Secretary and the AG, in coordination with the DNI, are required to establish a process that rapidly disseminates cyber threat reports to the targeted entity. Such a process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. Finally, Section 4(b) of EO 13636 requires the DHS Secretary and the AG, in coordination with the DNI, to establish a system to track the production, dissemination, and disposition of these reports, the so-called “4(b) solution.” The Department’s 2015 assessment described the initial interagency efforts to develop the 4(b) solution, including the establishment of an interagency Joint Requirements Team (JRT), with guidance from the White House’s National Security Council (NSC). The JRT, with representatives from FBI, DOJ, DHS, Defense Cyber Crime Center (DC3), Defense Security Service (DSS), National Security Agency, and Sector Specific Agencies (SSAs) and other government agencies/components interested in participating in the targeted entity notification requirements and development process, developed and finalized a document titled, “Executive Order (EO) 13636 Section 4(b) Support Capability Requirements for Notification to Critical Infrastructure Targeted Entities” (accepted April 10, 2015). This document was used as the starting point for the development of the requirements for the 4(b) process and to build an agreed-upon business process and technical solution to implement the 4(b) solution. On April 10, 2015, the NSC, through the Cyber Interagency Policy Committee, authorized the FBI’s National Cyber Investigative Joint Task Force (NCIJTF) to implement Section 4(b) of EO 13636 through the use of Cyber Guardian, a sharing and integration platform. 
Thus, Cyber Guardian is being developed and implemented by an interagency effort as the 4(b) solution and will be modified, as appropriate, as additional requirements are identified. The FBI conducted a Privacy Impact Assessment (PIA) on Cyber Guardian that assessed the privacy risks in accordance with Section 208 of the E-Government Act of 2002,39 the Office of Management and Budget directives, DOJ policy, and specific FBI guidance.40 Each of these requirements incorporates the FIPPs (e.g., transparency; individual participation; purpose specification; data minimization; use limitation; data quality and integrity; security; and accountability and auditing) in assessing how privacy and other protections are incorporated into Cyber Guardian. A FIPPs assessment of Cyber Guardian is included as Attachment A.

39 See 44 U.S.C. § 3501 (note) (2012).
40 The PIA was completed by FBI and is currently under review by DOJ Office of Privacy and Civil Liberties.

Cyber Guardian currently serves as the tracking system for the production, dissemination, and disposition of cyber threat reports from the U.S. Government that are shared with U.S. private sector entities. Cyber Guardian offers Federal Cyber Centers41 and Intelligence Community (IC) partners the ability to coordinate a whole-of-government response to targeted entities and victims of cyber incidents identified in government intelligence collections. The FBI is currently in the process of making Cyber Guardian available to all Cyber Centers, designated SSAs, and other government agencies that directly support the cybersecurity mission by providing direct access through the SIPRNet42 Intelink-S connection from their home agencies. This will provide a foundation for strengthening the defenses of all participating agencies by allowing use of a universal application for near real-time coordination and collaboration of all cyber targeted entity notifications that meet the appropriate cyber incident severity threshold.

Today, Cyber Guardian enables government agencies with cyber missions to be aware of and de-conflict cyber incidents. In the future, Cyber Guardian will be a platform for threat reports to be assimilated and made available for dissemination to the private sector, and is intended to have the capability to disseminate both unclassified and classified reports to critical infrastructure entities authorized to receive them. Any new capability, if developed, will be assessed for privacy and civil liberties protections, and the PIA will be amended as necessary.

To gain access to the Cyber Guardian system, each agency and each individual designated to receive access to Cyber Guardian from such agency, as appropriate, must undertake the following:

• Complete on-site Cyber Guardian training;
• Review, sign, and return the FBI Rules of Behavior for Other Government Agency (OGA) Personnel Authorized to Access Cyber Guardian (FD-889d);
• Possess and provide a valid Intelink Passport account (if accessing through SIPRNet); and
• Obtain Agency Head authorization and signature on FBI’s Memorandum of Understanding (MOU) for Access to Cyber Guardian

In June 2015, the FBI initiated Phase I of its Cyber Guardian training to all designated Federal Cyber Centers, select SSAs, and other select government agencies with a cybersecurity mission. To date, the NCIJTF/CyWatch43 has coordinated and provided multiple training sessions to DHS, DC3, Intelligence Community Security Coordination Center, Department of Energy, Treasury, and DSS. Also scheduled to receive training as part of Phase I are the following additional government agencies: NSA/CSS Threat Operations Center, U.S. Cyber Command, and the Central Intelligence Agency (CIA).

The FBI will continue to work with its Cyber Partners to identify new requirements for Cyber Guardian to ensure that quality cyber threat information is increasingly shared in a timely manner to targeted private entities that are victims of cyber threats so that these entities may better protect themselves from malicious cyber threats. Further, the FBI will continue to assess any modifications to Cyber Guardian that may affect privacy and civil liberties protections afforded to individuals affected by cyber threat reporting.

41 Under the Enhance Shared Situational Awareness initiative, the following Federal cybersecurity centers are developing an information-sharing framework and shared situational awareness requirements, for sharing cybersecurity information: Defense Cyber Crime Center (DC3); Intelligence Community Security Coordination Center (IC-SCC); National Cybersecurity and Communications Integration Center (NCCIC); National Cyber Investigative Joint Task Force (NCIJTF); National Security Agency / Central Security Service (NSA/CSS) Threat Operations Center (NTOC); and United States Cyber Command (USCYBERCOM) Joint Operations Center (JOC).
42 SIPRNet (SECRET Internet Protocol Network Router) is a service gateway function that provides protected connectivity to federal, IC, and allied information at the secret level.
43 The FBI’s 24-hour cyber command center.


Attachment A

In accordance with Section 5(b) of the EO, this assessment includes an update of the activity that aligns with the EO during this reporting period against the FIPPs and other applicable privacy and civil liberties policies, principles, and frameworks. The FIPPs are instructive of the appropriate handling of personally identifiable information (PII) by the FBI’s Cyber Division (CyD) for the purpose of protecting the cybersecurity of critical infrastructure. In addition to the FIPPs, the FBI considers other applicable privacy and civil liberties policies, principles, and frameworks. For example, this chart includes information on how the FBI adheres to federal privacy laws such as the Privacy Act of 1974 (“the Privacy Act”)44 and Section 208 of the E-Government Act of 2002.

The FBI has no indication of any activity that would warrant a separate civil liberties review. The Cyber Guardian MOU prohibits federal agencies accessing Cyber Guardian from submitting to Cyber Guardian, or retaining, disseminating, or otherwise using in connection with Cyber Guardian any information based solely on the ethnicity, race, gender, disability or religion of an individual or based solely on the exercise of rights guaranteed by the United States Constitution or the lawful exercise of any other rights secured by the laws of the United States.

Cyber Guardian FIPPs Chart

(a) Transparency

1. How does the FBI incorporate the principle of transparency into Cyber Guardian?

Response: The FBI incorporates transparency into Cyber Guardian45 by providing notice to users (currently U.S. government agencies with cyber missions) regarding its collection, use, dissemination, and maintenance of PII via the applicable System of Records Notices (SORNs), Privacy Act Statement, electronic banner, and MOU. For Privacy Act purposes, Cyber Guardian login information is covered under Privacy Act SORN, DOJ-002, DOJ Computer Systems Activity and Access Records.46 Upon login, each Cyber Guardian incident receives prompt, individualized review by the FBI’s National Cyber Investigative Joint Task Force (NCIJTF)/CyWatch to determine if additional action is warranted. Any information ultimately maintained by FBI would be covered under Privacy Act SORN, FBI-002, The FBI Central Records System, 63 Fed. Reg. 8671 (Feb. 20, 1998), as amended by 66 Fed. Reg. 8425 (Jan. 31, 2001), 66 Fed. Reg. 17,200 (Mar. 29, 2001), and 72 Fed. Reg. 3410 (Jan. 25, 2007); and FBI-022, FBI Data Warehouse System, 77 Fed. Reg. 40630 (July 10, 2012). A SORN for the Guardian Prime System is presently under review by DOJ and encompasses Cyber Guardian. As Cyber Guardian develops, the FBI will continuously assess privacy and civil protections for the program and may develop a separate Cyber Guardian SORN, if warranted. Additionally, the FBI has conducted a PIA on Cyber Guardian, under review by DOJ, which assessed the privacy risks in accordance with the E-Government Act of 2002. Cyber Guardian is a National Security System, as determined by the FBI’s Security Division. Constructive notice of these systems is provided by the applicable SORNs.

44 5 U.S.C. § 552a (2012).
45 Cyber Guardian was developed from the Guardian system, which was created initially by the FBI to collect suspicious activity reports regarding terrorist threats and to triage, assign, and assess such information. However, the two applications are hosted on different sets of web application servers.
46 DOJ-002, the DOJ Computer Systems Activity and Access Records SORN, available at: https://www.gpo.gov/fdsys/pkg/FR-1999-12-30/pdf/99-33838.pdf.

Before cleared U.S. government personnel of Cyber Partners are granted access to Cyber Guardian, the proposed users are provided with a comprehensive Privacy Act Statement and other detailed information related to system use, such as information regarding monitoring and auditing for security purposes. Although Cyber Guardian does not provide express notice regarding the treatment of third party information, the Cyber Partners must agree to the Cyber Guardian responsibilities, set forth in the MOU, that require submission of information that is directly relevant to the Cyber Incident submission. This helps ensure that Cyber Guardian only collects limited PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retains PII for as long as is necessary to fulfill the specified purpose(s). Pursuant to the MOU, each Cyber Partner agrees to notify each other if any erroneous information is disclosed pursuant to this program and take reasonable steps to correct such error, or if any PII is inadvertently disclosed. Moreover, determinations about the Cyber Guardian collected information are made promptly47 so that the data can move quickly through the review process.

Further, before access to the system is granted, all authorized users will be under clear and conspicuous written notice through an electronic banner that information and data on the network may be monitored or disclosed to third parties or that the network users’ communications are not private. These users can then decide if they wish to use the system or not, and decide what information they want to transmit over the government system. All Cyber Guardian users must agree to an FBI MOU.
Accordingly, each Cyber Partner must acknowledge, in writing, the need to incorporate transparency while recognizing the need to protect sensitive information, sources, and methods. Each Cyber Partner understands that information submitted to Cyber Guardian is subject to applicable federal laws, including but not limited to the Privacy Act, the Freedom of Information Act, the Federal Records Act, and discovery requirements. To the extent information exchanged as a result of the Cyber Guardian results in a request or demand for that (or related) information from FBI files pursuant to federal or state civil or criminal discovery or any other request by a third-party for FBI information, users are advised that such disclosure may only be made after consultation with, and upon approval by, the FBI, or as otherwise required by law. Cyber Guardian is committed to establishing an atmosphere of trust among its users, and this MOU promotes better data quality and integrity. Once users are granted access to Cyber Guardian, a completed form may include the following items of information:

(1) Submitter’s contact information (such as name, phone number, and email address);

(2) Information about submitter’s organization (this includes work-related data such as name and work address);

(3) Threat observation information (such as when the threat was detected, how the threat was detected, the name of the suspected threat actor, the internet protocol (IP) address of the source of the threat, and whether the threat has been reported to another government agency);

(4) Information regarding the threat’s target or objective (such as the incident sector, the incident type, and the IP address of the target); and

(5) Information regarding damage/impact to submitter’s organization.

47 Upon identification and entry of new information, the FBI (CyWatch) immediately coordinates the information within their Operations Sections to assess investigative equities and impact of effecting notification. The FBI also utilizes the Cyber Incident Severity Schema, which was approved by the National Security Council, to assist in assessing urgency of coordination and notification.

2. How does CyD ensure that issues surrounding transparency are re-evaluated on a periodic basis?

Response: Generally, the FBI requires all system owners to review and update privacy documentation every three years in accordance with the Federal Information Security Modernization Act of 2014 (FISMA)48 certification schedule and/or when the program changes in such a way that may raise new privacy issues. Because the system is evolving, the FBI anticipates continued oversight by the FBI’s privacy attorneys to ensure that issues surrounding transparency are appropriately addressed, and will re-evaluate whether the documentation for Cyber Guardian provides sufficient transparency.

(b) Individual Participation

3. Are victims asked for consent and given the opportunity to object to the collection of their PII?

Response: Third party direct consent of the cyber threat actor is not practicable due to the need to protect the confidentiality of the law enforcement investigation. When Cyber Guardian users submit incident reports, those users consent to the use of their own PII, such as name, phone number, email address, and work-related data. All information that is submitted into an FBI database must be consistent with civil liberties policies, including prohibitions against collecting information solely on the basis of race.49 Cyber data, like information obtained in any other investigation, is evaluated for accuracy before use. In the law enforcement context, information is evaluated and analyzed prior to its use, including in any enforcement action involving a criminal statute. Insofar as accuracy of information is related to third party consent, the Department does not separately verify third party consent regarding the PII that may be included within the information provided by a Cyber Guardian user. However, the FBI and DHS are responsible for victim notification in accordance with applicable laws and policies.

4. How does Cyber Guardian ensure that the FBI CyD’s Victim Notification Process is implemented?

Response: Currently, Cyber Guardian’s users consist of cleared U.S. government personnel of Cyber Guardian partners. Thus, in most cases, the victim will not be the same entity as the Cyber Guardian user, but instead the submission will be on behalf of a victim. However, the FBI notifies victims in accordance with applicable laws and policies. The FBI will still need to develop steps, or may consider using the FBI’s existing Victim Notification Process to make the private sector entity aware of the magnitude of the cyber incident and share information with that entity as appropriate.

5. Are Cyber Guardian users given the opportunity to access and correct their PII?

48 See Federal Information Security Modernization Act of 2014, Pub. L. 113-283, December 18, 2014, codified at 44 U.S.C. §§ 3551 et seq., which superseded the Federal Information Security Management Act of 2002, formerly codified at 44 U.S.C. §§ 3541 et seq.
49 Guidance for Federal Law Enforcement Agencies regarding the Use of Race, Ethnicity, Gender, National Origin, Religion, Sexual Orientation, or Gender Identity (DOJ Use of Race Policy) (December 2014), at 2.


Response: Yes. Users may access and correct their user account information. If Cyber Guardian users would like to update their submissions, users are required to make a new submission or contact the Cyber Guardian program.

6. Are victims given the opportunity to access and correct their PII?

Response: To the extent that a victim’s information is retrieved by name or other personal identifier, it would be covered under Privacy Act SORN, FBI-002, and thus the access and amendment provisions available under the Privacy Act are applicable to such information. Although FBI-002 is exempt from the access and amendment provisions of the Privacy Act, the FBI, in the interest of accurate record-keeping, may waive such exemptions on a case-by-case basis. Moreover, FBI-002 is not exempt from the Privacy Act’s disclosure prohibition. Therefore, if an individual’s PII were covered by the Privacy Act and is accessed or wrongly disclosed in violation of the Act, the individual may bring a lawsuit as a form of judicial redress against the Department. Victim information, in addition to the mechanisms listed above, is covered under Privacy Act SORN, FBI-002, and thus the access and amendment provisions available under the Privacy Act are applicable to such information. Even though the SORN is exempt from access and amendment under the Privacy Act, the FBI reserves the right to waive such exemptions in individual cases. In addition, redress is available for wrongful disclosures. Individuals have the right to seek judicial redress for intentional or willful disclosures of protected information, as well as for refusals to grant access or to rectify any errors contained in that information.

7. Describe the mechanism provided for an individual Cyber Guardian user to seek redress in the event of inappropriate access to, or disclosure of, their PII.

Response: System users may seek redress regarding their own contact information by contacting the Cyber Guardian program office.

8. What steps are taken to ensure information maintained in the system is accurate, timely, relevant, and complete?

Response: Cyber Guardian incidents are reviewed in coordination with federal agencies with cybersecurity missions and by an FBI CyWatch investigator to determine if the incident warrants additional action. After this de-confliction, if the incident warrants additional action by the FBI, it is assigned to the appropriate FBI entity for additional review and investigation. Cyber Guardian has robust security mechanisms, audit capabilities, and strict user access. Cyber Guardian users are required to complete on-site Cyber Guardian training; review, sign, and return the FBI Rules of Behavior for Other Government Agency (OGA) Personnel Authorized to Access Cyber Guardian (FD-889d); possess and provide a valid Intelink Passport account (if accessing through SIPRNet); and obtain Agency Head authorization and signature on FBI’s MOU for access to Cyber Guardian. As previously discussed, the FBI’s MOU notifies users that any PII submitted must be authorized, relevant, and necessary to the submission. The obligation resides with the submitters to ensure they are authorized to provide information, including relevant and necessary PII, on the Cyber Guardian submission form.

9. Is PII collected directly from the individual or from a third party? If from a third party, please describe how the program ensures the information is accurate and complete.

Response: As stated above, Cyber Guardian users are required to submit their contact information (such as name, phone number, and email address) and information about their organization (this includes work-related data such as name and work address). There may be cases where the Cyber Guardian user submits information about the particular threat actor, and thus the submission may contain third party PII. As explained above, the information submitted will be evaluated as part of the case management process described in the Cyber Guardian PIA to ensure that the information submitted is accurate and complete.

(c) Purpose Specification

10. Please provide the specific purpose(s) for the maintenance of PII within the system.

Response: Cyber Guardian is a sharing and integration platform for cleared personnel of federal agencies who have a cyber mission to share cyber threat information. Cyber Guardian enables the federal government to ensure that cyber threat incidents are shared among agencies with cyber missions to facilitate sharing of cyber threat reports to targeted private sector entities in accordance with Executive Order 13636. The specific purpose for the maintenance of PII related to cyber threat information is to facilitate information sharing and to implement Section 4(b) of EO 13636 (through the use of Cyber Guardian). Information lawfully obtained by the FBI is generally available to all authorized FBI personnel, and consequently, information may be appropriately shared and analyzed effectively to prevent and disrupt criminal and national security threats. Specifically, the Attorney General’s Guidelines for Domestic FBI Operations (AGG-DOM) “…do[es] not require that the FBI’s information gathering activities be differentially labeled as ‘criminal investigations,’ ‘national security investigations,’ or ‘foreign intelligence collections,’ or that the categories of FBI personnel who carry out investigations be segregated from each other based on the subject areas in which they operate.”50 The FBI is authorized to collect intelligence and to conduct investigations to detect, obtain information about, and prevent and protect against federal crimes and threats to the national security and to collect foreign intelligence, as provided in the FBI Domestic Investigations and Operations Guide (DIOG) Part II.51 As a practical matter, the information submitted on the Cyber Guardian incident form relates to cyber incidents only, and would not generally be relevant to other investigative matters.

Within this framework, the FBI also strictly adheres to federal and Department information sharing procedures and safeguarding the information that it maintains. For example, the FBI is governed by federal information privacy laws, such as the Privacy Act, which permits the sharing of protected information only with individual consent or under specified statutory exceptions. Currently, FBI’s Cyber Guardian has only been used for cybersecurity purposes based on the submissions received during the reporting period. It is important to note that the FBI may also receive cybersecurity information through other channels not subject to the EO, including directly from FBI field offices.

11. What steps are taken to ensure the authority for the collection is valid?

Response: For initial reporting, the FBI depends on the Cyber Guardian user to ensure the collection of information submitted to the FBI is validly collected. If the FBI plans to open a case, the FBI will follow its usual case management process to ensure that the information submitted was validly collected.

50 The Attorney General’s Guidelines for Domestic FBI Operations.
51 See FBI DIOG (updated November 18, 2015) (delineating protections incorporated in this report), available at http://vault.fbi.gov/FBI Domestic Investigations and Operations Guide (DIOG)/fbi-domestic-investigations-and-operations-guide-diog-2011-version/.

(d) Use Limitation

12. Describe steps taken to ensure the use of PII is limited to the purpose(s) specified in applicable notices.

Response: To the extent that the FBI notices through analysis that the information submitted may be evidence of another crime unrelated to the purpose for the submission, the FBI follows applicable laws and policies, such as the AGG-DOM and DIOG. As previously indicated above, the FBI can share information as necessary to fulfill its law enforcement mission. The FBI, through a multilayered approach, will continue to update information sharing policies as necessary to examine the potential impact to privacy and civil liberties.

(e) Data Quality and Integrity

13. What steps are taken to ensure that data is accurate, timely, relevant, and complete?

Response: For cyber threat information submitted, the likelihood that the information will be inaccurate, untimely, irrelevant, or incomplete is relatively low. Much of the information submitted is expected to be technical in nature. For information submitted that may be in narrative form describing the incident, and perhaps the specific threat actor, the information must be relevant pursuant to the FBI’s MOU that all Cyber Partners enter into. Moreover, the FBI will review the information in accordance with case management procedures to determine whether the information is actionable and relevant. In a typical scenario, information is determined to be relevant when there is an articulable nexus to a known or suspected cyber incident. This information is reviewed by trained CyWatch specialists. These multiple layers of checks and balances ensure that only relevant information is transferred to FBI agents.

(f) Accountability and Auditing

14. What methods are in place to audit access to records maintained within the system?

Response: Cyber Guardian is hosted on the FBI’s Secret Enclave and monitored by the FBI. As part of FBI’s security functions, audit trails and user access are to be reviewed on a regular basis. Such compliance shall include tracking logons and logoffs, creating audit logs, review of opening and closing incident reviews, and other appropriate measures. Audit records will be protected against unauthorized access, modifications, and deletion, and will be retained for a sufficient period to enable verification of compliance. As noted above, Cyber Guardian is a National Security System maintained on the Secret enclave, which is subject to strict audit and access procedures. Further, all FBI employees must complete privacy training regarding the proper use of FBI information systems.

15. Describe any oversight mechanisms that apply to the system.

Response: Generally, the FBI requires all system owners to review and update privacy documentation every three years in accordance with the FISMA certification schedule and/or when the program changes in such a way that may raise new privacy issues. Because Cyber Guardian is still in its beginning stages, privacy attorneys are embedded at the program level and advise on the development and use of the system. As part of this advisory role, the privacy attorneys are examining whether additional oversight will be needed beyond general oversight.


PART V: DEPARTMENT OF HEALTH AND HUMAN SERVICES


Introduction: Executive Order (EO) 13636 seeks to ensure that the national and economic security of the U.S. is secure and resilient in the face of the ever–increasing occurrence of cyber intrusions and cyber threats. The main focus of EO 13636 is the nation’s critical infrastructure, which is defined in § 2, as “systems and assets, physical or virtual, [that are] so vital to the United States that the[ir] incapacity or destruction . . . would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The major components of the effort to enhance our nation’s cybersecurity resiliency are collaboration and information sharing across the public and private sectors, as well as establishing partnerships with the owners/operators of critical infrastructure. The Department of Health and Human Services (HHS) engages in information sharing in its capacity as Sector Specific Agency for the Healthcare and Public Health (HPH) Sector under the National Infrastructure Protection Plan. HHS maintains a partnership with approximately 150 major trade associations and companies in the HPH Sector, as well as Federal, State, Local, Tribal and Territorial agencies. However, as information is shared, agencies must coordinate their activities in order to ensure that risks to privacy and civil liberties are minimized or mitigated. HHS shares vetted and cleared cybersecurity information with Sector partners through meetings, conference presentations, webinars, teleconferences, newsletters, and an HHS-moderated page on the Homeland Security Information Network (HSIN) secure Web portal. Information that is shared is usually in the form of a finished product highlighting general threats, vulnerabilities, and/or protective measures, and often originates from Federal sources outside of HHS.

EO 13636 § 5(c) requires “the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of [the Department of Homeland Security (DHS) to] consult with the Privacy and Civil Liberties Oversight Board” (PCLOB) in reporting recommendations to “minimize or mitigate” the “privacy and civil liberties risks of the functions and programs” undertaken by DHS and other agencies, such as the Department of Health and Human Services (HHS), in compliance with their responsibilities under EO 13636. In addition to supplying DHS with information on its functions and programs related to privacy and civil liberties, HHS is responsible, under EO 13636 § 5, for “coordinat[ing] their activities . . . with their senior agency officials for privacy and civil liberties and ensur[ing] that privacy and civil liberties protections are incorporated into [their] activities,” which are aimed at improving the security and resilience of physical and cyber critical infrastructure. This assessment represents HHS’s contribution to the publicly-available report DHS supplies annually which contains agencies’ evaluations of their activities related to privacy and civil liberties.

Establishing a strong national policy related to critical infrastructure security and resilience is a shared responsibility and requires effective organization among critical infrastructure owners and operators, as well as government agencies and their partners. As part of its function under Presidential Policy Directive 21 [52], HHS was designated the Sector-Specific Agency for the Healthcare and Public Health Sector, as well as the Co-Sector Specific Agency for the Food and Agriculture Sector alongside the Department of Agriculture.

52 Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, Feb. 12, 2013 (PPD-21), available at: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

Summary Description of Agency Privacy and Civil Liberties (PCL) Organization and Processes

HHS assists Healthcare and Public Health Sector partners in protecting their systems from unauthorized access, exploitation, or harm by sharing cybersecurity information and best practices with government agencies and external stakeholders. Through its participation in working groups, discussions, and other activities, HHS also works to ensure that parties have open communication channels to maximize the utility of cyber threat information sharing. HHS’s EO 13636 activities are not expected to have any significant impact on privacy or civil liberties. However, HHS is aware of its responsibility to analyze and mitigate risks to constitutional liberties that any of its activities may present. It partners with other organizations and working groups to propose activities and collaborate on procedures that relate to the Department’s EO 13636 efforts, ensuring an overall Department-level of preparedness. HHS is striving to ensure that, however small its footprint is in counter-terrorism-related privacy and civil liberties risk management, it has mechanisms in place to proactively and effectively respond to any threats to individuals’ privacy and civil liberties protections that may arise. Due to the sensitivity and risks associated with collecting, using, storing, and sharing personally identifiable information (PII), HHS works to protect PII by leveraging technologies or programs that are sensitive to those concerns. As part of the effort to mitigate risks, HHS incorporates risk management into every phase of its system and program development and will continue to do so.
When HHS is charged with regulating parties that collect information about individuals, the Department is obligated to identify, analyze, and mitigate any concerns individuals may have about the impact on their privacy.

The HHS Privacy Program

Many offices across HHS share the overall privacy policy and compliance responsibilities for the Department, each with its own particular role and/or subject-matter focus. One aspect of these responsibilities is to coordinate with one another to effectuate comprehensive implementation of the Department-wide response to EO 13636. The HHS privacy program collects, assesses, and uses significant amounts of data as part of its role as the United States Government’s principal agency charged with protecting the health of all Americans and providing essential human services. HHS focuses on collaborative efforts to address privacy concerns common to all information systems that are comprised of PII, working internally with Operating Divisions (OpDivs) and with external stakeholders to identify the most efficient platform for recognizing, assessing, and mitigating privacy risk. HHS will continue its current activities that focus on the protection of individuals’ privacy and civil liberties, such as holding regular privacy incident response team meetings, working with OpDivs to assist them with the responses to such incidents, and collaborating with and keeping open channels of communication with other privacy officials throughout the Department with regard to policy considerations and information management. HHS continues participating in discussions, councils, and working groups with the goal of creating and maintaining appropriate data collection, use, protection, and dissemination procedures.

Overview of Executive Order 13636 Implementation Activities to be Reviewed and Assessed

We have no significant updates from our specific assessments from last year’s report; however, we would like to report on the following areas of activity:

Critical Infrastructure Protection (CIP) Program: The Healthcare and Public Health (HPH) Sector Critical Infrastructure Protection (CIP) Program leads a public and private sector partnership known as the Healthcare and Public Health Sector Critical Infrastructure Protection Partnership in protecting the essential goods, services, and functions of healthcare and public health that, if destroyed or compromised, would negatively affect the Nation. The HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) has been coordinating this program for more than ten years. The CIP Program works with its partners to develop guides and checklists to prepare facilities to bounce back after a disaster; implement the National Infrastructure Protection Plan (NIPP) sector partnership and risk management framework; develop protective programs and actions to defend against, prepare for, and mitigate the consequences of a terrorist attack or other hazards; provide guidance on Healthcare and Public Health critical infrastructure protection; communicate the needs of the Healthcare and Public Health Sector throughout government; measure the sector’s performance toward sector protection priorities; encourage information sharing among all sector partners; and submit sector plans and reports to DHS.

Food and Drug Administration (FDA) Medical Device Security Efforts

At the FDA, all medical devices are regulated based on risk. Moderate- and high-risk devices are generally evaluated for their safety and effectiveness before they are allowed to be sold to the public. Increasingly, these devices are designed to be wireless, Internet and network connected, which enables remarkable advances that have the potential to transform patient care. At the same time, this interconnectivity means cybersecurity risks need to be addressed. The FDA recognizes that collaboration with the private sector is essential to enhancing medical device cybersecurity. Engaging with all of the stakeholders in the medical device ecosystem, including security researchers, is an important step toward strengthening medical device cybersecurity.

White hat hackers study medical devices and systems, looking for flaws, weaknesses, or vulnerabilities that, if exploited, could cause harm. White hats work with manufacturers, regulators, and other stakeholders to safeguard patient care and privacy without putting patients at risk – by revealing flaws in a controlled setting and reporting them so they can be proactively addressed in both current and future designs. While skilled and persistent adversaries seek to harm, skilled and persistent external “white hat” protectors seek to safeguard. Distinguishing between malicious attack by adversaries and good faith effort by security researchers allows medical device manufacturers to discourage the former and derive value from the latter. The best outcomes happen when security researchers work with medical device manufacturers and federal partners in a coordinated manner to identify and help address medical device cybersecurity concerns together. The FDA highly values the researchers’ technical expertise and regards their contributions as essential to identifying medical device cybersecurity vulnerabilities, which if exploited, may result in patient harm.

Summary of Assessment Methodology

As stated in last year’s report, HHS continues to consult the Code of Fair Information Practice Principles (FIPPs), as well as more recent formulations, in evaluating its privacy functions. They are a basis for the Privacy Act of 1974 [53] and most other privacy laws and policies. The FIPPs, as well as both domestic and international privacy statutes and regulations, and federal and state policies, have been consulted whenever an HHS program or activity collects information or raises concerns involving the collection of PII. These authorities are also consulted whenever there is a deployment of technology or development of a proposed regulation that raises privacy risks for individuals.

Summary of Findings and Recommendations

We continue to engage with the HHS organizations most involved with programs potentially under the purview of EO 13636. Much of the input for this year’s report is from ASPR, who is well-suited to inform the HHS Privacy Program of new issues or programs across the Department suitable for reporting here.

Conclusion

As with our initial report, PCLOB understands the HHS position that we do not have specific systems or programs that would fall under the purview of EO 13636. HHS will continue to protect the data it collects and maintain the rights and civil liberties of the individuals to whom HHS provides benefits and services. HHS looks forward to increased collaboration with its internal and external partners, and improved awareness and efficiency of HHS policies and practices.

53 5 U.S.C. § 552.

PART VI: DEPARTMENT OF ENERGY


Department of Energy

Executive Order 13636, “Improving Critical Infrastructure Cyber Security,”

Section 5 Assessment of Privacy and Civil Liberties Protections

Pursuant to the requirements of Executive Order (E.O.) 13636, Improving Critical Infrastructure Cybersecurity, this update constitutes a review of Department of Energy (DOE) Privacy and Civil Liberties activities for the period ending September 31, 2015. DOE is the sector specific agency for energy and the Smart Grid. DOE’s previous assessment was submitted on December 2, 2014, for inclusion in the consolidated 2014 Department of Homeland Security Report, consistent with the mandate of the E.O. DOE’s Office of Electricity Delivery and Energy Reliability (OE), the lead office for the Smart Grid, in coordination with the Federal Smart Grid Task Force (Task Force), continues to work closely with Smart Grid stakeholders to protect the privacy of consumers’ customer data. As reported last year, DOE has no jurisdiction to regulate or monitor either utilities or third parties who will be collecting or using energy usage data. As such, DOE OE, in partnership with the Task Force, initiated a multi-stakeholder process to develop the Voluntary Code of Conduct (VCC) that was modeled on the Fair Information Practice Principles, a widely accepted framework of privacy principles that provides the basis for the Privacy Act of 1974 and other privacy laws and policies. In FY2015, the Cybersecurity Risk Information Sharing Program (CRISP) continued to expand under the management of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC). CRISP is a government-energy sector collaboration to facilitate the timely bi-directional sharing of classified and non-classified threat information and develop and deploy situational awareness tools to enhance the sector’s ability to identify threats and coordinate the protection of critical infrastructure. As required by contracts with Pacific Northwest National Lab, NERC is slated to conduct its first independent audit of CRISP data handling procedures. 
Voluntary Code of Conduct Update

On January 12, 2015, President Obama announced the release of the VCC final concepts and principles related to the privacy of customer energy usage data for utilities and third parties. The final concepts and principles were developed through a 22-month multi-stakeholder effort that was facilitated by OE in coordination with the Task Force. The VCC reflects input from stakeholders across the electricity industry and incorporates comments from the public through open meetings and a federal register notice. The VCC was rebranded as DataGuard|Energy Data Privacy Program in early 2015 based on feedback from consumer focus groups. Below is a summary of activities for the rebranded program:

• A consumer-friendly mark was developed that provides adopting companies a visible means for communicating their adoption of the program and demonstrating their commitment to consumer privacy. DOE filed a trademark application for the DataGuard mark and is awaiting final approval.


• Currently, 15 companies (7 utilities and 8 technology companies) have pledged to adopt DataGuard concepts and principles. Upon receipt of the trademark approval, a program launch event will take place with early adopters to highlight their leadership in this area and to raise awareness of the program. DOE OE will continue outreach efforts to recruit early adopters and raise program awareness.

• A program website was developed with both industry and consumer sections. It provides information on the program and its principles, and also serves as a public method for communicating which companies participate in the program. The industry section provides additional information on the importance of adopting and how to adopt, as well as a toolkit with communication materials that a company could use to explain the program to consumers or employees. Communication materials include a program fact sheet, newsletter and bill insert examples, website buttons, and sample press release content. In addition, a video targeting potential adopters was created which explains the program and the importance of protecting consumer privacy.

Federal Smart Grid Task Force website: http://energy.gov/oe/technology-development/smart-grid/federal-smart-grid-task-force

DataGuard|Energy Data Privacy Program website: https://www.smartgrid.gov/data_guard.html


PART VII: OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE


January 22, 2016

Ms. Karen L. Neuman
Chief Privacy Officer
U.S. Department of Homeland Security
Washington, D.C. 20528

Ms. Megan H. Mack
Officer for Civil Rights and Civil Liberties
U.S. Department of Homeland Security
Washington, D.C. 20528

Dear Ms. Neuman and Ms. Mack:

I write as the Civil Liberties Protection Officer and the senior agency official for privacy and civil liberties of the Office of the Director of National Intelligence (ODNI). Pursuant to the requirements of Executive Order (EO) 13636 (February 12, 2013), Improving Critical Infrastructure Cybersecurity, this letter constitutes my review of ODNI’s cyber activities for the period ending September 30, 2015.[1]

Under the EO, ODNI is responsible for developing and disseminating guidance to the Intelligence Community (IC) for timely production of unclassified cyber products involving a specific, identifiable, target individual or entity. ODNI determined that the existing Intelligence Community Directive (ICD) 209, “Tearline Production and Dissemination,” satisfied this requirement. We nonetheless recommended that appropriate training be developed and, in our last submission, noted that ODNI CLPO in fact had completed an online training module suitable for that purpose. The Web-based training module (including a “knowledge check”) is now a mandated annual requirement for ODNI intelligence personnel, linked to system access for some purposes. The training addresses the requirements of the Privacy Act and the proper handling of personally identifiable information (PII), as well as safeguards for “protected” individuals in the Information Sharing Environment (ISE). The training is applicable to the production and dissemination of tearlines.[2]

1 This is our third review under EO 13636. Our first assessment was submitted on December 2, 2013 for inclusion in the first Department of Homeland Security (DHS) Cyber Report, published in April 2014. In that initial submission, we included a comprehensive assessment of the ODNI’s cyber activities under EO 13636. On February 13, 2015, we submitted our second review covering the period ending September 30, 2014 for inclusion in the second DHS Cyber Report, published in April 2015. In that second review, we did not resubmit the detailed civil liberties and privacy analysis that we had included in our first assessment, and instead focused on relevant updates. In this review, we again focus on relevant updates. For those interested in the original comprehensive assessment, please see the first DHS Cyber Report dated April 2014.

2 Moreover, ODNI is implementing training on the protections for non-U.S. persons as prescribed by Presidential Policy Directive 28: Signals Intelligence Activities (PPD 28). This training will be relevant to the use of tearlines that include signals intelligence information.


Our submission last year also indicated several areas that we intended to explore in furtherance of our responsibility to provide guidance on producing unclassified cyber products involving identifiable targets. An update tracking our last submission follows below:

• Data quality: The IC’s foundational guidance governing production and evaluation of analytic products is Intelligence Community Directive (ICD) 203, “Analytic Standards.” This ICD was re-issued in January 2015, and now includes the requirement that IC elements adopt procedures to prevent, identify and correct errors in PII. In addition, the ICD explicitly reinforces the principle that PII may be included in analytic product only as it relates to a specific analytic purpose (e.g., necessary to understand the foreign intelligence or counterintelligence information or assess its importance).

• PPD 28: As we mentioned in our prior submission, Presidential Policy Directive 28: Signals Intelligence Activities (PPD 28) requires certain protections for personal information collected through signals intelligence activities, regardless of nationality. Consistent with PPD 28, all IC elements have published policies that implement those protections. These protections will apply to the extent that personal information from signals intelligence is included in a tearline.

• Efficacy of ICD 209: As stated in our last report, the Office of the ODNI National Intelligence Manager for Cyber conducted a study to assess whether ICD 209 provides IC professionals the requisite guidance to produce unclassified reports in a timely manner, including cyber reports that properly use or protect (as the case may be) information pertaining to a specific, identifiable, targeted entity. Feedback indicates that since the data call/study, the elements have worked to refine downgrade processes and handling instructions on disseminated FOUO products to allow them to be shared more broadly. Notably, the study did not produce any directly actionable result nor suggest that ICD 209 is insufficient. Accordingly, ODNI does not plan to revise existing or develop additional policy guidance in this area at this time.

• CTIIC: Our prior submission referred to the establishment of the Cyber Threat Intelligence Integration Center (CTIIC) within ODNI. CTIIC was recently authorized with the enactment of the Intelligence Authorization Act for Fiscal Year 2016. ODNI CLPO has assigned a CTIIC Civil Liberties and Privacy Officer to provide civil liberties and privacy guidance to CTIIC personnel. CTIIC’s activities currently focus on providing integrated analytic products to other government agencies. Accordingly, CTIIC personnel receive training regarding rules for disseminating information that contains information identifying or concerning a U.S. person. As stated in our prior submission, ODNI CLPO will assess CTIIC activities to the extent CTIIC becomes involved in activities covered by EO 13636.


It merits repeating that ODNI as an organization has not historically issued cyber tearlines within the scope of EO 13636, and this remains the case. Accordingly, no audit of ODNI cyber tearline activity has been conducted to ensure that products adequately protect identifiable targets’ privacy and civil liberties. Should CTIIC become directly involved with cyber tearline reporting, ODNI CLPO will provide CTIIC with guidance consistent with ICD 203 regarding inclusion of PII in analytic products, and with the training provided regarding PPD 28 (if applicable) and the rules regarding dissemination of U.S. persons information.

Sincerely,

Alexander W. Joel
Civil Liberties Protection Officer
Office of the Director of National Intelligence



Notre Dame Journal of Law, Ethics & Public Policy Volume 19 Issue 1 Symposium on Security & Liberty Article 10

February 2014

Balancing Security and Liberty: The Challenge of Sharing Foreign Signals Intelligence Michael V. Hayden


Recommended Citation Michael V. Hayden, Balancing Security and Liberty: The Challenge of Sharing Foreign Signals Intelligence, 19 Notre Dame J.L. Ethics & Pub. Pol’y 247 (2005). Available at: http://scholarship.law.nd.edu/ndjlepp/vol19/iss1/10

BALANCING SECURITY AND LIBERTY: THE CHALLENGE OF SHARING FOREIGN SIGNALS INTELLIGENCE

MICHAEL V. HAYDEN*

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

-Benjamin Franklin

While protecting our homeland, Americans should be mindful of threats to vital personal and civil liberties. This balancing is no easy task, but we must constantly strive to keep it right.

-The 9/11 Commission Report[1]

INTRODUCTION

What is the right balance between security and liberty? This question is fixed in the national consciousness as the country faces unprecedented terrorist threats. It is particularly pressing for me as the head of the National Security Agency/Central Security Service (“NSA”),[2] the world’s largest collector of foreign signals intelligence. For signals intelligence (“SIGINT”), the current balance was struck in the 1970’s as a result of congressional investigations into activities by NSA and others concerning the privacy of Americans. These investigations led to the creation of the present oversight and legal structure in the executive, legislative, and judicial branches. The events of September 11, 2001, have caused people to assess once again the line between security and liberty. This reassessment manifests itself in a major issue confronting my agency today: how to share SIGINT more broadly while protecting U.S. privacy rights.

* Lieutenant General, United States Air Force; Director, National Security Agency; Chief, Central Security Service. President George W. Bush recently appointed General Hayden to serve as the Nation’s first Deputy Director of National Intelligence.

1. NAT’L COMM’N ON TERRORIST ATTACKS UPON THE U.S., THE 9/11 COMMISSION REPORT 394 (2004) [hereinafter 9/11 COMMISSION REPORT].

2. The National Security Agency (“NSA”) is an element within the Department of Defense. NSA is America’s cryptologic organization; it coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce signals intelligence. As a high technology organization, NSA is on the leading edge of communications and data processing. It is also one of the most important centers of foreign language analysis and research within the Federal Government. The Director of the NSA is responsible for overseeing the entire United States Signals Intelligence System, which includes the cryptologic elements of the Military Services known as the Central Security Service. For ease of reference, this essay will use “NSA” as an umbrella term for the entire U.S. cryptologic system.

3. Signals intelligence is comprised of communications intelligence and electronics intelligence. Communications intelligence consists of foreign communications passed by radio, wire, or other electromagnetic means. Electronics intelligence consists of foreign electromagnetic radiations such as emissions from a radar system.

1. STRENGTHENING SECURITY: THE IMPERATIVE TO SHARE

A great deal of attention has been paid in the aftermath of 9/11 to the need to share terrorism information more widely. The 9/11 Commission, for example, found that some information about the hijackers was not effectively communicated between federal entities. To rectify this, it recommended that information be shared horizontally, across new decentralized networks that transcended individual agencies.[4] The President’s recent Executive Order 13,356 implements this recommendation by promulgating guidelines on the responsibility of federal departments and agencies to share terrorism information and to prepare it for maximum distribution; ordering the development of executive branch-wide collection and sharing requirements, procedures, and guidelines for terrorism information to be collected within the United States; and establishing an Information Systems Council charged with developing an automated environment for sharing terrorism information.[5] The President also established his Board on Safeguarding Americans’ Civil Liberties.[6] On December 17, 2004, the President signed into law the Intelligence Reform and Terrorism Prevention Act of 2004.[7] At the time this article was being prepared, agencies were studying how to implement the Act’s provisions creating an “Information Sharing Environment” along the lines recommended in the 9/11 Commission Report.

NSA was already moving aggressively to share more horizon- tally. Intelligence is not an end in itself. An intelligence agency’s main function is to gather the best information available on top- ics of interest to government clients and pass it to them in a timely and accurate fashion. Intelligence is useful only to the degree that it informs effective action on the part of its users.

4. 9/11 COMMISSION REPORT, supra note 1, at 417-18. 5. Exec. Order No. 13,356, 69 Fed. Reg. 53,599 (Aug. 27, 2004). 6. Exec. Order No. 13,353, 69 Fed. Reg. 53,585 (Aug. 27, 2004). 7. Pub. L. No. 108-458, 118 Stat. 3638 (2004).

BALANCING SECURITY AND LIBERTY

A. NSA’s “Traditional” Approach

In dealing with the type of SIGINT we call communications intelligence, we have traditionally worked to add value for our clients through a production process encompassing the (1) acquisition of signals, (2) processing of signals into recognizable data, (3) organization of data into knowledge (facts and relationships), and (4) creation of intelligence (applied knowledge). Only in the latter stages of this process have we traditionally published a report to our clients. In dealing with electronic intelligence, a form of SIGINT derived from radar and telemetry signals, we generally have been more comfortable allowing clients to access our system at earlier stages of our production process. This is partly because clients can add their own value to the data, and partly because privacy concerns with this form of SIGINT are minimal.

B. Increased Sharing

Today, however, NSA is moving to share more communications-based SIGINT and to do so earlier in the process. Driven by the demands of the war on terrorism, our Intelligence Community partners and clients increasingly want, and need, to “swim upstream” in the production process and take a more active role in the creation of our communications SIGINT products and services.

NSA is making transformational changes in how we share SIGINT with our Intelligence Community partners and clients. This sharing is consistent with Executive Order 13,356, the Director of Central Intelligence’s emphasis on greater collaboration, and the Defense Department’s work on horizontal integration. NSA has already demonstrated great success in sharing with multiple agencies in Operations Enduring Freedom and Iraqi Freedom. We have pioneered joint, multi-intelligence reporting with Intelligence Community and Department of Defense (“DoD”) components, embedded analysts with other intelligence agencies, provided database access and knowledge sharing as part of new partnerships with intelligence agencies, and begun a geospatial analysis training course for joint military and multi-agency personnel.

NSA is willing to provide information in whatever form a client may find useful, and the client’s information needs and ability to add value will determine how far up the SIGINT production process he needs to swim. We understand that our clients have a need for certain SIGINT data elements derived from adversary communications. Some clients may even have the language skills to want the native language content of intercepts and transcripts. NSA is working hard to meet client information needs while maintaining legal obligations regarding U.S. privacy.

II. PRIVACY CONCERNS ABOUT SHARING SIGINT

The 9/11 Commission is absolutely correct in noting that “the privacy of individuals about whom information is shared” must be safeguarded.8 There are special concerns when it comes to sharing SIGINT.

SIGINT is Electronic Surveillance. Producing SIGINT involves conducting electronic surveillance for foreign intelligence and counterintelligence purposes. In order to satisfy the breadth of the requirements for signals intelligence levied by our military and policymaker clients, NSA conducts electronic surveillance across a wide spectrum of media and in large volumes. We hunt for foreign intelligence on a broad range of topics, including terrorism, weapons proliferation, narcotics, money laundering, political and economic developments, tactical military issues, and arms control.

A key point: even though we do our best to avoid obtaining information about U.S. persons at the front end of our collection process, it is inevitable we will obtain it through incidental, or unintentional, collection. Even if the percentage of U.S. person information NSA incidentally obtains were very small compared to the total volume of communications NSA intercepts, we collect so much information that the amount of U.S. person information incidentally collected would not be insignificant.

A practical example illustrates the issue. In response to a client’s stated need for information on terrorism, NSA targets the communications of two suspected foreign terrorists, both communicating overseas. During the exchange, one suspected terrorist raises the issue of a prominent U.S. businessman. NSA was not intentionally targeting the businessman, but it incidentally acquired information about him during the legitimate targeting of two suspected foreign terrorists. The businessman’s privacy rights would be infringed if NSA were to distribute his name in an intelligence report across the breadth of the executive branch in an unrestricted fashion. Rules are needed to guide intelligence agencies about the collection, retention, and dissemination of information about individuals with U.S. privacy rights so that these activities pass constitutional muster. The 9/11 Commission reached the same conclusion: “[T]he sharing and uses of information must be guided by a set of practical policy guidelines that simultaneously empower and constrain officials, telling them clearly what is and is not permitted.”9

8. 9/11 COMMISSION REPORT, supra note 1, at 394.


III. SAFEGUARDING LIBERTY: OVERSIGHT AND LAW

The 9/11 Commission is also right that increased and more rapid sharing “calls for an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life.”10 The American people, by experience and temperament, distrust concentrations of power and government operations conducted in secrecy. NSA is a very powerful, secret agency. To keep the people’s trust, NSA must be extremely careful to follow rules that have been laid down by elected representatives in the legislative and executive branches, as well as by the courts. These rules are reflected in a framework of oversight and law.

A. The Oversight Framework

In performing its mission, NSA constantly deals with information that must remain confidential so that it can continue to collect foreign intelligence on various subjects that are of vital interest to the nation. Intelligence functions are of necessity conducted in secret, yet the tenets of our democracy require an informed populace and public debate on national issues. The American people must be confident that the power they have entrusted to NSA is not being, and will not be, abused. The resulting tension, between secrecy on one hand and open debate on the other, is best reconciled through rigorous oversight. It serves as a needed check on what has the potential to be an intrusive system of intelligence gathering. The oversight structure, in place now for nearly a quarter of a century, has ensured that the imperatives of national security are consistent with democratic values. United States intelligence today is a highly regulated activity and properly so.

U.S. intelligence was not always so highly regulated. The 1970’s were a watershed for the Intelligence Community. Congressional investigating committees led by Senator Frank Church and Congressman Otis Pike found that government agencies, including NSA, had conducted a number of intelligence activities directed against U.S. citizens. This included a mail opening effort and placing certain U.S. persons on surveillance watch lists. The revelations of these committees resulted in new rules for U.S. intelligence agencies, rules meant to inhibit abuses while preserving intelligence capabilities. In other words, a concerted effort was made to balance the country’s need for foreign intelligence with the need to protect core individual privacy rights.

9. Id. at 419.
10. Id. at 394.

A wide-ranging, new intelligence oversight structure was constructed. A series of laws and executive orders established oversight procedures and substantive limitations on intelligence activities. In the aftermath of the Church and Pike committees’ revelations, Congress passed the Foreign Intelligence Surveillance Act (“FISA”), which created a special court for considering and approving surveillances that occur in the United States and thus have the potential to affect rights guaranteed by the Constitution. The House and Senate each established intelligence oversight committees. President Ford issued an executive order that established for the first time a formal system of intelligence oversight in the executive branch. Oversight mechanisms were established within the Department of Justice and within each intelligence agency. The President also established an independent Intelligence Oversight Board (“IOB”). The result today at NSA is an intelligence gathering system that operates within detailed, constitutionally based, substantive, and procedural limits under the watchful eyes of Congress, numerous institutions within the executive branch, and, through FISA, the judiciary.

1. Legislative Oversight

The appropriations, armed services, and intelligence committees of Congress conduct extensive review of NSA activities. The committees regularly call for detailed briefings on NSA’s activities. Committee staffers routinely visit NSA Headquarters and field sites. The intelligence committees also receive formal, semi-annual reports from the Department of Justice concerning NSA’s activities under FISA. NSA has in place procedures for its FISA and other activities to ensure that the Agency acts in a manner that protects the privacy rights of U.S. persons. These procedures, as well as any subsequent changes, are reported to the intelligence committees prior to implementation. Further, NSA is legally required to, and does, keep the intelligence committees fully and currently informed of all intelligence activities, including any significant anticipated intelligence activity; furnish any information on intelligence activities requested by the committees to carry out their oversight responsibilities; and report to the committees any illegal intelligence activity.

2. Executive Branch Oversight

Within the Executive Office of the President, the Intelligence Oversight Board conducts oversight of intelligence activities. The IOB reports to the President and the Attorney General on any intelligence activities the IOB believes may be unlawful. The IOB also reviews agency Inspector General and General Counsel practices and procedures for discovering and reporting intelligence activities that may be unlawful, as well as conducts any investigations deemed necessary to carry out their functions. Agency procedures for protecting privacy rights are provided to the IOB prior to implementation.

In the Department of Justice, the Office of Intelligence Policy and Review (“OIP&R”) reviews compliance with the court-ordered procedures designed to protect the privacy rights of U.S. persons. This office also files semi-annual reports with Congress on electronic surveillance conducted under FISA and is intimately involved with NSA’s FISA applications. The Office of Legal Counsel at the Department of Justice as well as OIP&R have been involved in setting the legal standards under which NSA’s signals intelligence activities are conducted to ensure that these activities strike an appropriate balance between the country’s intelligence needs and individual privacy rights.

In the Department of Defense, the Assistant to the Secretary of Defense (Intelligence Oversight) and the Office of General Counsel are engaged in intelligence oversight of NSA. Within NSA, the Signals Intelligence Directorate’s Center for Oversight and Compliance, the Inspector General, the General Counsel, and NSA’s Intelligence Oversight Board also conduct oversight of NSA activities. The NSA Office of General Counsel conducts extensive privacy protection and intelligence oversight training for all Agency employees who are involved in collection that implicates privacy rights. NSA also enforces a strict set of audit procedures to ensure compliance with the privacy rules.

3. Judicial Oversight

The Foreign Intelligence Surveillance Court (“FISC”) is authorized by FISA to issue court orders for electronic surveillance directed against foreign powers or their agents. In reviewing applications for court orders, FISC judges scrutinize the targets, the methods of surveillance, and the procedures for handling the information collected.


B. The Legal Framework

A wide array of statutes and executive branch directives govern NSA’s intelligence activities. We scrupulously follow these rules. Electronic surveillance conducted for foreign intelligence purposes is regulated by statutory provisions flowing from FISA and procedures flowing from Executive Order 12,333,11 which manifest themselves in the form of restrictions applicable to all intelligence collection activities and specific restrictions (Attorney General Procedures) regulating NSA’s electronic surveillance activities.

1. Statutory Restriction on Electronic Surveillance in the United States: FISA

Under FISA, NSA may only target communications of a U.S. person12 in the United States if a federal judge finds probable cause to believe that the U.S. person is an agent of a foreign power. Probable cause exists when facts and circumstances within the applicant’s knowledge, and of which he has reasonably trustworthy information, are sufficient to warrant a person of reasonable caution to believe that the proposed target of the surveillance is an agent of a foreign power. Under the statute, a judge may determine a U.S. person to be an agent of a foreign power only if there is information to support a finding that the individual is a spy, terrorist, saboteur, someone who aids or abets them, or who enters the United States under false or fraudulent identity for or on behalf of a foreign power.

All FISA collection is regulated by special procedures approved by the FISA Court and the Attorney General. Since the enactment of FISA in 1978, there have been only a few instances of NSA seeking FISA authorization to target a U.S. person in the United States. In those instances, there was probable cause to believe the individuals were involved in terrorism. With regard to 9/11, the intelligence committees have stated that NSA should work more closely with the FBI to coordinate coverage of communications of any terrorists known to be in the United States.13 The interception of communications in the United States for domestic security purposes is the proper purview of the FBI. NSA supports the FBI by passing any lead information it obtains regarding terrorist threats against the United States. There was close collaboration prior to 9/11, and it became even closer afterwards.

11. Exec. Order No. 12,333, 3 C.F.R. 200 (1981).
12. FISA defines a “United States person” as a U.S. citizen; permanent resident alien; an unincorporated association, a substantial number of members of which are U.S. citizens or permanent resident aliens; or a corporation incorporated in the United States. 50 U.S.C. § 1801(i) (2000).
13. SENATE SELECT COMM. ON INTELLIGENCE & HOUSE OF REPRESENTATIVES PERMANENT SELECT COMM. ON INTELLIGENCE, JOINT INQUIRY INTO INTELLIGENCE COMM. ACTIVITIES BEFORE & AFTER THE TERRORIST ATTACKS OF SEPT. 11, 2001, S. REP. No. 107-351, H. REP. No. 107-792, at 249 (2002).

2. Executive Order 12,333 Restrictions Imposed on All Intelligence Collection Activities

There are certain restrictions imposed by Executive Order 12,333 upon all intelligence collection activities engaged in by executive branch agencies. Intelligence collection must be conducted in a manner “consistent with the Constitution and applicable law and respectful of the principles upon which the United States was founded.”14 These include the Fourth Amendment’s prohibition against unreasonable searches and seizures. Intelligence collection must not be undertaken to acquire information concerning the domestic activities of U.S. persons.15 The least intrusive collection techniques feasible must be used in the United States or against U.S. persons located abroad.16 Finally, agencies in the Intelligence Community are prohibited from having other parties engage in activities forbidden by the Executive Order on their behalf.17 This means that NSA cannot ask another country to illegally spy on U.S. persons on our behalf, and we do not.

Executive Order 12,333 authorizes NSA to collect, process, and disseminate signals intelligence information for national foreign intelligence (and counterintelligence) purposes and in support of U.S. military operations.18 NSA is not authorized to collect all electronic communications. NSA is authorized to collect information only for foreign intelligence purposes and to provide it only to authorized government recipients. This means that NSA is not authorized to provide signals intelligence information to private U.S. companies, and we do not do so. Legal proscriptions and the fears of some privacy advocates notwithstanding, as a practical matter, it is not technically possible to collect all electronic communications everywhere in the world on an indiscriminate basis.

14. Exec. Order No. 12,333, § 2.1, 3 C.F.R. 210 (1981).
15. Id. § 2.3(b), 3 C.F.R. 211.
16. Id. § 2.4, 3 C.F.R. 212.
17. Id. § 2.12, 3 C.F.R. 214.
18. Id. §§ 1.12(b)(3)-(b)(7), 3 C.F.R. 208.


3. Executive Order 12,333 Procedures: Specific Restrictions Imposed on NSA’s Collection Techniques

In delegating authority to the Director of NSA in Executive Order 12,333, the President recognized that certain intelligence gathering techniques, such as signals intelligence, are particularly intrusive and must be conducted in a “reasonable” manner to comport with Fourth Amendment and statutory requirements. The Executive Order requires, therefore, that certain written procedures be implemented regulating such techniques. The procedures are designed to protect constitutional and other legal rights and limit the use of information collected to lawful governmental purposes. The Executive Order requires that the head of the agency (i.e., for NSA, the Secretary of Defense) and the Attorney General approve the procedures.

NSA has such procedures in place. The Secretary of Defense and the Attorney General have approved them. They are classified and are appended to DoD Directive 5240.1-R, the DoD regulation which implements Executive Order 12,333. The procedures are incorporated into an NSA Regulation and the substance of the procedures is promulgated throughout the signals intelligence system in a detailed directive, U.S. Signals Intelligence Directive 18, signed by the Director of NSA. This Directive provides a single document in which all the restrictions, whether originating from constitutional, statutory, executive order, or regulatory provisions, may be found.

4. Executive Order 12,333 Restrictions on Electronic Surveillance Outside the United States

Under Executive Order 12,333 and implementing regulations signed by the Secretary of Defense and approved by the Attorney General, NSA must obtain the Attorney General’s approval before conducting electronic surveillance directed against a U.S. person abroad. The Attorney General must have probable cause to believe that the person is an agent of a foreign power, either an officer or employee of a foreign power, or a spy, terrorist, saboteur, or someone who aids or abets them. Occasionally, NSA seeks Attorney General authorization to target a U.S. person overseas. An example of such a request would be one seeking authorization to target a terrorist overseas who is a U.S. permanent resident alien.

5. Executive Order 12,333 Restrictions Relative To Retention and Dissemination of Unintentionally Acquired U.S. Person Information

NSA’s collection of foreign intelligence from foreign individuals and entities is designed to minimize the incidental, or unintentional, collection of communications to, from, or about U.S. persons. When NSA does acquire information about a U.S. person, NSA’s reporting does not disclose that person’s identity, and NSA will only do so upon a specific request that meets the standard derived from statute and imposed by executive order regulation, that is, the information is necessary to understand a particular piece of foreign intelligence or assess its importance. Specifically, no information to, from, or about a U.S. person may be retained unless the information is necessary to understand a particular piece of foreign intelligence or assess its importance. Similarly, no identities of U.S. persons may be disseminated (that is, transmitted to another government department or agency) by NSA unless doing so is necessary to understand a particular piece of foreign intelligence or assess its importance. For example, if NSA intercepted a communication indicating that a terrorist was about to harm a U.S. person, the name of the U.S. person would be retained and disseminated to appropriate law enforcement officials.

IV. SHARING SIGINT TODAY AND TOMORROW

A key question in the debate about balancing security and liberty is whether information related to terrorism can be more effectively used to protect national and homeland security in a manner consistent with the current statutory and constitutional protections afforded to U.S. citizens. The answer is “yes.” SIGINT on terrorism can be effectively shared within the current oversight and legal framework. Improvements can and will be made in how NSA shares SIGINT, but these issues are primarily policy questions, not legal ones. The current framework is sufficiently flexible to accommodate the changes that need to be made.

For example, Executive Order 12,333 establishes the legal requirement that persons granted access to SIGINT databases likely to contain U.S. person information be made aware of the privacy considerations involved in handling material produced by sensitive electronic searches and be trained in the proper procedures to handle such information. Intelligence analysts from any agency can be trained in this area, and NSA is doing so. The real challenge is the policy one of establishing and maintaining oversight of the sharing process to ensure Fourth Amendment-compliant procedures are being followed. As head of the U.S. SIGINT system, I am responsible for the lawfulness of that system and need to have confidence in the compliance of agencies that have been granted access to sensitive SIGINT data.

We must also ensure that sharing initiatives actually promote efficiency and effectiveness. Again, this is not a legal issue. Stewardship of public funds demands that inefficient use of resources be avoided. No one would be well served by unfounded analytic judgments published by analysts lacking the experience to handle the data provided. Specialization carries benefits in intelligence, as in medicine and other fields of endeavor. We must focus our efforts to share upon those who can truly act on or have the expertise to add value to what we can provide.

To use a sports analogy, we need to “play position.” Like a major league soccer team, we need players (i.e., agencies) who can utilize their unique and considerable talents at each position to work together in a coordinated fashion for the common goal of national security. There are certain skills agencies have developed over the years that enable them to provide valuable services to clients, including substantive knowledge about the target. The country needs to find a smart way to share SIGINT that allows each party to use its strengths.

Perhaps the greatest challenge in sharing is “connecting the dots” across departments and agencies when the dots appear insignificant on their own. After processing the data they collect, intelligence agencies report information to fulfill client requirements in accordance with established priorities and thresholds. Each agency is left with unreported data and information that do not appear to be of intelligence value and are well below anyone’s reporting thresholds. If such data points of SIGINT were married up with the data points of human intelligence, imagery, or law enforcement information, perhaps we would end up with information of high value to national security. We have to determine how we can create such linkages without fostering chaos regarding Fourth Amendment protections. The procedures required by Executive Order 12,333 to protect U.S. privacy rights have worked well for many years by preventing abuses and should serve as the model when expanding information sharing on terrorism.

While working to improve sharing, we need to keep fundamental security concerns with regard to sources and methods firmly in mind. No matter how far upstream clients may swim in the intelligence production process, each intelligence agency has data that it is obliged to protect in order to ensure its continued ability to produce intelligence to serve those very clients.

There have been some special concerns raised about sharing SIGINT with law enforcement. Much has been said in recent congressional hearings and the 9/11 Commission Report about a “wall” between intelligence and law enforcement. I will speak only of NSA but I think it fair to say that, historically, we have been able to be more agile in sharing information with some clients (like the Department of Defense) than we have with others (like the Department of Justice). This is not something that we created or chose. For very legitimate reasons, Congress, the executive branch, and the courts erected some barriers that made sharing with law enforcement more careful, more regulated. We chose as a people before the attacks of September 11, 2001, to make it harder to conduct electronic searches for a law enforcement purpose than for a foreign intelligence purpose. This was so because law enforcement electronic searches implicate not only Fourth Amendment privacy interests, but also Fifth Amendment liberty interests. After all, the purpose of traditional law enforcement activity is to put criminals behind bars. The purpose of traditional foreign intelligence activity, in contrast, is to protect the country from foreign threats.

With the passage of the USA Patriot Act after 9/11 and a recent decision by the FISA appellate court lowering “the wall,” the line has been redrawn.19 More information is flowing between NSA and law enforcement agencies. By changing the “purpose test,” the Patriot Act made it easier for law enforcement agencies to get approval from the FISA Court for foreign intelligence surveillance. Prior to the Patriot Act, the FISA required that the executive branch had to certify to the court that “the” purpose of the surveillance was to obtain foreign intelligence information.20 Section 218 of the Patriot Act amended the law by requiring that the executive branch had to certify only that “a significant” purpose of the surveillance is to obtain foreign intelligence.21 Thus, purposes beyond foreign intelligence (i.e., criminal matters) may be served under the new formulation. This clarifies any ambiguity about when FISA Court approval is appropriate in cases, such as terrorism, that can be both foreign intelligence and criminal matters. In addition, the Patriot Act clarified that law enforcement agencies may pass information obtained in criminal matters to intelligence agencies.22 The Patriot Act is an important tool in fighting terrorism because it promotes information sharing in a regulated way.

19. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 [hereinafter Patriot Act]; In re Sealed Case, 310 F.3d 717 (Foreign Int. Surv. Ct. Rev. 2002).
20. 50 U.S.C. § 1804(a)(7)(B) (2000).
21. Patriot Act § 218, 115 Stat. at 291.

The successful balancing of intelligence activities and privacy protection requires effective oversight; yet, the 9/11 Commission has called congressional oversight of intelligence “dysfunctional.”23 The current oversight structure has worked in at least one regard: the privacy issues uncovered in the 1970’s have not returned and quality SIGINT continues to be produced. The process of reporting to legislative, executive, and judicial bodies has created a culture at NSA that respects the law and the need to protect U.S. privacy rights. Through training and job oversight mechanisms, this “culture of compliance” gets passed down to succeeding generations of employees. NSA is able to accomplish its mission within a culture of compliance, and this will continue.

CONCLUSION

In the post-9/11 environment, the nation is debating how to balance security and liberty. The 9/11 Commission has called for rules with oversight to protect privacy when expanding information sharing on terrorism. The President responded with a new executive order to promote increased sharing of terrorism information and by signing the Intelligence Reform and Terrorism Prevention Act. A set of rules, along with an oversight structure, has prevented government abuse of SIGINT for nearly a quarter of a century. Terrorism information may be shared more broadly today under this framework, suggesting that this is not a zero-sum game. That is, expanding the sharing of signals intelligence, under the law and in accordance with effective oversight by the executive, legislative, and judicial branches, can strengthen security without diminishing the constitutional liberties of the American people.

22. Id. § 203, 115 Stat. at 278-81.
23. 9/11 COMMISSION REPORT, supra note 1, at 420.

  • Notre Dame Journal of Law, Ethics & Public Policy
    • February 2014
  • Balancing Security and Liberty: The Challenge of Sharing Foreign Signals Intelligence
    • Michael V. Hayden

Civil Liberties and Law in the Era of Surveillance

Illustration by Gérard Dubois

It may no longer be an exaggeration to say that big brother is watching. When Edward Snowden leaked classified government documents last year, many were surprised to learn just how much access the National Security Agency (NSA) has to the personal email and phone records of ordinary citizens. Those revelations about the scope and extent of surveillance by American intelligence agencies have prompted a national debate about civil liberties in an age of new technology that enables the government to both collect and store vast amounts of personal information about its citizens. The discussion is also surfacing in local communities where technology allows law enforcement to indiscriminately gather information on law-abiding citizens—information that is collected, kept, and shared with little to no oversight, or awareness by the general public.

Today, new technologies are changing the relationship between the citizen and the state, with the government and law enforcement able to access our information and observe our private activities, raising important civil liberties questions. Stanford Law School faculty and alumni are centrally involved in some of the most important questions surrounding this issue—working in key areas where the law is still catching up with technology.

Looming large over the debate is the post-9/11 war on terrorism, which has led to legislation such as the USA Patriot Act, designed to make it easier for the government to collect data that would help combat terrorism. At the same time, the incredible evolution in technology over the past two decades has revolutionized both the tools available to the government for surveillance and those used by individuals to live their lives.

“We’re living in the 21st century, but when it comes to issues concerning information technology, the law is still rooted in the 20th century,” says Anthony Romero, JD ’90, executive director of the American Civil Liberties Union (ACLU).

In striking a balance between constitutional rights, crime fighting, and national security, the legal doctrines at issue include everything from post-9/11 legislation that has given law enforcement access to electronic records, to constitutional rules governing criminal procedure, to the regulation of surveillance technology equipment by local governments.

Technology at the Local Level

The U.S. is a country of highways and cars, where Americans spend a lot of time behind the wheel. And tracking how we use our cars offers a picture of much more than simply our mode of transportation.

Automatic License Plate Reader/Recognition technology, ALPR, developed in the United Kingdom in the late 1970s, has been in use since the early 1980s as a tool to aid law enforcement agencies in various ways, from tracking stolen cars to identifying criminals. Since its introduction, this technology has become more powerful, mobile, and affordable. Today, more than 70 percent of police departments in the U.S. use some form of ALPR, recording thousands of plate numbers daily with cameras mounted on patrol cars and at key traffic areas such as highway overpasses and street lamps.

While capturing the license plate information, ALPR can also capture photos of the cars—and often the occupants, as well as where they live, where they shop, and where they drive. Put together, this technology can tell a story of how we go about our daily lives.

“Civil liberties problems arise when you engage in the mass tracking of hundreds of millions of Americans, most of whom are completely innocent of any wrongdoing,” says Catherine Crump, JD ’04 (BA ’00), who joined the Berkeley Law faculty this year as an assistant clinical professor of law and associate director of the Samuelson Clinic. She explains that technology is enabling the mass collection of data that can paint a detailed picture of how we interact, gleaning facts about us that the state couldn’t previously collect. As data storage has become more available and affordable, police departments are increasingly sharing gathered data regionally, and with the federal government, creating large databases of citizens, most of them law-abiding.

“No one denies that a license plate reader can be a useful investigative tool and it’s valuable to law enforcement to be able to check to see if a particular vehicle is stolen or associated with a suspected criminal,” says Crump, who was a staff attorney at the ACLU focusing on issues of government surveillance until earlier this year. “The civil liberties objection arises when law enforcement starts to pool massive amounts of location data and keep it for long periods of time based on the mere possibility that it might be useful someday. Because then you have a large database tracking people’s movements and that’s the type of information that can be misused.”

And currently, there are few regulations for how the data is used and how long it can be kept.

“There are no generally applicable laws placing limits, there are no federal laws,” she says. “In general it’s up to each state and law enforcement agency to come up with its own rules.”

Crump cites a few states that have introduced legislation for ALPR, including Utah, Maine, and New Hampshire, noting that it is largely a nonpartisan issue.

“It’s an issue where people on the left and right can find common ground between civil libertarian and law enforcement interests because everyone agrees that there are legitimate uses of the technology,” she says. “So the objections are not to the technology, but to certain uses.”

Crump thinks it important for all Americans to carefully consider these issues now, as new technologies are increasingly used by local law enforcement and the federal government.

“We should project forward to a world where it is possible to install a license plate reader on every street lamp,” she says. “And we should start planning for a world where that type of omnipresent surveillance is possible and figure out how we feel about it. And if people agree with my general view that that type of surveillance can be oppressive, it’s time to put rules and regulations in place to ensure that we take advantage of the positive aspects of this technology without suffering an undue loss to our civil liberties.”

New surveillance capabilities also raise concerns about how powerful investigatory tools typically reserved for investigations of criminal organizations may now be turned against certain communities.

“The government has a particular security interest in Muslim communities in the United States and abroad, yet these communities rarely have the political clout to resist overbroad surveillance,” says Shirin Sinnar, JD ’03, an assistant professor of law at Stanford.

Sinnar has written about the devastating mistakes made in associating people with terrorist activity in the United States––errors that have resulted from prejudicial attitudes, insufficient oversight, and lopsided incentives to err on the side of security. She has also noted cases in which the pervasive mapping, surveillance, and investigation of Muslim communities have “significantly harmed their ability to practice their faith and express their views.”

Crump offers an example of police surveillance of mosques. She explains that in 2012 as part of a program to gather information on the city’s Muslim community, the New York City Police Department mounted cameras directly outside of city mosques and used license plate-reading technology to record the identities of attendees and the cars they arrived in.

Although some of these practices have since been challenged in court, few have been resolved, Sinnar says. Most are dismissed for lack of standing or because the government invokes a national security-specific “state secrets” privilege, impeding any resolution of the constitutional questions at stake.

Reining in Mass Collection of Personal Data

In 2011, an unnamed telecommunications company received a demand from the Federal Bureau of Investigation (FBI) to hand over records about a customer (or customers). The demand came in the form of a National Security Letter (NSL), a type of legal demand that doesn’t require a court order and allows federal law enforcement to obtain information from telecommunications and Internet companies about their customers. NSLs have been issued by the government since about 1978, but the USA Patriot Act, passed overwhelmingly by Congress in 2001, greatly expanded their use. Critics have argued that the procedure raises major problems because NSLs lack judicial oversight and are almost always accompanied by a nondisclosure provision that prevents the recipient from revealing that it has received such a letter.

The company, whose name could not be revealed because of that secrecy order, challenged the NSL in court, arguing that both the nondisclosure provision and the limited judicial oversight were unconstitutional.

In March 2013, Judge Susan Illston, JD ’73, a federal district court judge in San Francisco, ruled that the statute authorizing the NSL violates the Constitution. In her decision, In re: National Security Letter, she wrote that even when “no national security concerns exist, thousands of recipients of NSLs are nonetheless prohibited from speaking out about the mere fact of their receipt of the NSL, rendering the statute impermissibly overbroad and not narrowly tailored.” She acknowledged “significant constitutional and national security issues at stake” and stayed her order to allow an appellate court to weigh in. The case was argued before the Ninth Circuit in October.

The case is one of a number of ongoing challenges to legislation that has expanded the government’s ability to access private data since the 9/11 attacks. Separately, the ACLU filed a lawsuit (now before the Second Circuit Court of Appeals) that challenges the government’s program of collecting phone records of all Americans under the Patriot Act. “It’s the first suit that hasn’t been kicked out because, thanks to Snowden, we can now establish standing—that is, show that the American public has been the subject of surveillance,” says Romero, who has met with Snowden twice in Moscow and is assisting with his legal counsel through the ACLU.

Meanwhile, some members of Congress are pushing to revise the Patriot Act in light of recent developments. Under pressure from the public as well as many Internet and telecommunications companies, Congress is considering limiting surveillance with the USA Freedom Act. While the House and Senate passed differing versions of the bill, both versions propose to rein in the collection of data by the NSA and other government agencies. The aim is to increase transparency of the Foreign Intelligence Surveillance Court (FISC), a federal court established under the Foreign Intelligence Surveillance Act (FISA) of 1978 to oversee requests for surveillance warrants against suspected foreign agents inside the United States. The FISC’s powers were extended under the Patriot Act to include domestic information collection when relevant to a counterterrorism investigation. The act also calls for narrowing of the requirement that businesses hand over customer data to the government and the creation of an independent constitutional advocate to argue cases before the FISC. So far, the bill is pending.

“The Senate version of the bill goes much farther than the tepid House version in strengthening the system of checks and balances and ensuring greater government transparency, but we still need to look more stringently at the operations of the judicial system and the oversight mechanisms of Congress,” says Romero.

With deadlines approaching, Congress is likely to act. “In June 2015, section 215, the law under which the phone records collection is happening, is set to expire. Congress will have to address the concerns raised by the telephony metadata program before then,” says Laura Donohue, JD ’07, professor of law at Georgetown Law, director of Georgetown’s Center on National Security and the Law, and co-director of the Center on Privacy and Technology.

National Security and Personal Privacy

In designing national security laws, the challenge for policymakers is to strike the right balance, says Jennifer Granick, civil liberties director at the Stanford Center for Internet and Society. “The big-picture issue is how do we protect national security and conduct foreign intelligence without creating a surveillance state,” she says.

Referencing the NSA’s program to obtain email and other private communications from Internet companies, she explains that “the government is engaged in a huge ‘dragnet’ in which an immense amount of information is getting sucked in about Americans as well as foreign targets. That raises all kinds of statutory and privacy questions. Is the law appropriate? Is the government collecting and using data lawfully and appropriately? Do we protect the rights of foreigners? When they get information about Americans, what do they do with it?”

“The three branches of the government were asleep at the switch when it came to protecting fundamental freedoms and privacy in the post 9/11 era,” says Romero. “The courts rubber-stamped the overzealous collection of data by the executive branch, and Congress exercised only limited oversight.”

Romero maintains that such acts have challenged not only the Fourth Amendment, which prohibits unreasonable search and seizures, but also the First Amendment, which prohibits the abridging of free speech and of the practice of religion.

“People who realize they’re being surveilled are less likely to write emails, place phone calls, and express themselves freely if they know they might be caught in government surveillance,” he says. “This will fundamentally change the way we live in our democracy.”

Granick asserts that a key priority should be ending government spying based on secret interpretations of law. “We don’t really know what laws the executive branch is following or how the Fourth Amendment and statutes already on the books are being interpreted. There’s an immense amount of classified information, including court opinions,” she says, referring to secret decisions of the FISC.

Ivan Fong, JD ’87, former general counsel of the Department of Homeland Security (DHS), agrees that data collection has to stay within constitutional limits, while lauding the importance of intelligence in national security investigations. “A certain amount of intelligence collection is, of course, necessary for the president to fulfill his constitutional duties and to act as commander in chief,” he says. “In a number of cases in which I was involved, the intelligence indeed played a significant role in preventing or disrupting actual terrorist threats.”

Fong is also sympathetic to civil liberties concerns. From 2009 to 2012, Fong was responsible for all legal determinations and regulatory policy at DHS. He provided legal counsel to the secretary of homeland security on questions of counterterrorism and national security law and policy and of cybersecurity law and policy. Fong believes current intelligence surveillance can both be lawful and serve our national security interests.

“Such collection should be, consistent with the law, as narrow as possible—in other words, a process known as minimization—and we should search for and embrace any new technological and other means to ensure stronger protection of privacy, civil rights, and civil liberties interests.”

Still, he agrees that courts, legislators, and policymakers “need to carefully articulate the core principles at stake to ensure outdated legal constructs or paradigms are reassessed in view of the new technology.” Fong points to the recent Supreme Court decision requiring police generally to obtain a warrant to search the contents of cell phones seized during an arrest as a good example of a case that updates existing legal doctrine in light of the power of new digital tools.

 

Members of the Riley team: Co-Director of the Stanford Supreme Court Litigation Clinic Jeffrey Fisher, with clinic students Kristin Saetveit, Alec Schierenbeck, and Tess Reed, all JD ’15 (Photo by Timothy Archibald)

Riley: Redefining the Limits of Legal Search

That decision [Riley v. California, which the Court decided along with a related case, U.S. v. Wurie] recognizes that privacy in a digital world may require new rules and “brings the Fourth Amendment into the 21st century,” says Jeffrey Fisher, professor of law at Stanford and co-director of the Supreme Court Litigation Clinic.

It was Fisher who argued Riley before the Supreme Court in April, supported by the research and brief writing of his clinic students. The clinic represented David Riley, a college student currently serving a prison term in part due to evidence found on his cell phone that linked him to gang activities and a drive-by shooting.

In general, the Fourth Amendment allows police to search items that are found on a person who has been arrested, which could include a cell phone. But until Riley and Wurie, it wasn’t clear whether that right extended to police reading and reviewing data stored on the phone—before first obtaining a warrant.

“We argued that smart phones are categorically different from any other kind of non-digital object that can be found on a person because of the vast quantities of sensitive personal information involved and we argued that they should therefore not be subjected to search without a warrant,” says Fisher. Because the Supreme Court agreed with that argument unanimously, handing down its decision in June, in the future police will be able to seize but not search cell phones until a warrant has been obtained. Riley himself may be entitled to a new trial that excludes the cell phone evidence, which was obtained without a warrant.

The implications of the case could go well beyond the context of law enforcement and cell phones, and Fisher argues it will have implications in the national security context. “The Riley decision essentially rejects the argument that the government is currently using to justify the NSA’s collection of data on individuals, which is that digital data is subject to the same legal rules as analog data,” says Fisher.

The case also resolved a tough question about how to apply long-standing legal standards to new technologies. “This is a game changer, showing that the Court agrees that information gleaned from digital devices can paint a portrait of us that creates privacy considerations that didn’t exist before,” says Fisher.

Revisiting Third-Party Privacy Protection

One of the most serious places where the law has gone awry relates to the third-party doctrine, says Jonathan Mayer, JD ’13, a doctoral student in the computer science department who has taught Computer Security and Privacy at Stanford Law School.

According to Robert Weisberg, JD ’79, the Edwin E. Huddleson, Jr. Professor of Law, that legal theory, which evolved in the 1970s, holds that people do not have a reasonable expectation of privacy in information volunteered to third parties, such as banks, phone companies, and perhaps even email services. Without that expectation of privacy, the government may constitutionally obtain information from third parties without a warrant.

“It’s an anachronistic doctrine, because these days we give all sorts of private information to third parties, including cloud services. That’s the modern way of life, and the law needs to catch up,” says Mayer, whose online Stanford University course Surveillance Law this fall explores how U.S. law facilitates electronic surveillance—but also substantially constrains it.

“Given the changes in technology over the past few decades, we definitely need new laws that revisit the third-party doctrine of Fourth Amendment concerns,” affirms Weisberg.

This past spring, Weisberg guided students in a policy practicum to prepare a background study of legal and policy issues regarding state law enforcement access to user records held by communications companies. The study, done for the California Law Revision Commission, considered civil liberties, public safety, and the scope of federal preemption.

“Our recommendation was that statutes imposing a warrant requirement be established for law enforcement access to user records of cell phone providers, Internet service providers, social media companies, and other mobile and Internet-based communication providers and that they be very specific about what they do and do not allow,” says Weisberg, who is co-director of the Stanford Criminal Justice Center.

Such a revision in California statutory law, Weisberg explains, would address some problems, at least at the state level, with the Electronic Communications Privacy Act (ECPA), a federal regulation regarding the government’s ability to intercept electronic communications and to demand disclosure of stored communications, customer records, and other user data. ECPA has been criticized for failing to sensibly protect communications and consumer records, mainly because the law is so outdated and out of touch with how people share, store, and use information today.

Drones Coming Home

Use of unmanned aerial vehicles, or drones, by the military has increased dramatically as part of the effort to combat terrorism overseas. But use of drones in the U.S., for a variety of purposes, may also be on the rise.

High-altitude drones can hover over cities for long periods of time and record everything that takes place. But they are not widely adopted yet because the FAA has largely prohibited their use due to safety concerns with airplane traffic. But after passage of a provision in the FAA Modernization and Reform Act of 2012, drone use in the United States looks likely to increase. The act calls on the FAA to integrate unmanned aircraft by 2015 and to start by relaxing restrictions. Drones are already used to patrol the Mexican border and increasingly by businesses including agriculture. And local law enforcement agencies are now also exploring how they might be applied to crime fighting. Here again, new technology useful to law enforcement is raising questions about surveillance and mass collection of data, with regulations to safeguard the civil liberties of citizens not yet in place.

“Drones’ ability to track people and their movements raises huge privacy concerns,” says Romero. “There’s a serious lack of oversight on how they are being deployed and used, where data is being accessed and stored, and who has access to it.”

And the public seems to agree. Crump offers examples of two cities that have purchased drones but have then backtracked: Seattle and San Jose. “When the purchase of drones became public, there was an uproar, with residents raising privacy concerns,” she says. In each case the program was shut down. “I think the idea of unmanned airborne vehicles hovering over people’s backyards and peering into their windows makes people deeply uncomfortable. Drones challenge people’s notions of privacy in a way that few other technologies have.”

A key concern with the introduction of this new surveillance technology is the lack of public review and consultation. “I think this raises important questions about the democratic process,” says Crump. “It’s what is known as ‘policymaking by procurement.’ Police departments simply acquire this equipment, often with funding from the federal government. And then they use it and it takes months or years for local government and the public at large to even learn about it.”

One exception—now—is Seattle. The city council passed an ordinance last year requiring the police department to first notify the council about surveillance purchases and to come forward with a proposal about how the information collected will be used.

Correcting the balance among social controls, governmental responsibilities for security, and individual liberty will require the public, Congress, and the courts to understand and navigate a maze of practices and policies, says Granick. “Over-classification, secret law, and intelligence jargon are getting in our way,” she says.

In reflecting on the secrecy regarding surveillance law and lack of robust oversight, Donohue observes, “The founders of the Constitution understood very deeply that not only must the government control the governed—but we must ensure that the government controls itself. Concentration of power in the hands of the few is the very definition of tyranny that the founders held—and that’s what we want to protect against, as we face issues of how government surveillance is being conducted in the global digital age.”

INFO/DISAPPEARING_LEGAL_BLACK_HOLES.pdf

ESSAY

DISAPPEARING LEGAL BLACK HOLES AND CONVERGING DOMAINS: CHANGING INDIVIDUAL RIGHTS PROTECTION IN NATIONAL SECURITY AND FOREIGN AFFAIRS

Andrew Kent*

This Essay attempts to describe what is distinctive about the way the protection of individual rights in the areas of national security and foreign affairs has been occurring in recent decades. Historically, the right to protection under the U.S. Constitution and courts has been sharply limited by categorical distinctions based on geography, war, and, to some extent, citizenship. These categorical rules carved out domains where the courts and Constitution provided protections and those where they did not. The institutional design and operating rules of the national security state tracked these formal, categorical rules about the boundaries of protection. There have been many “legal black holes” historically, domains where legal protections did not exist for certain people. Foreign affairs and national security have historically been areas defined by their legal black holes.

In recent years, legal black holes are disappearing, and previously distinct domains are converging. The importance of U.S. citizenship to protection under the Constitution and courts is decreasing, formal barriers to legal protection and judicial review based on geography and war are dissolving, and the dissolution of these categorical boundaries is changing the design and operation of the national security state. National security and foreign affairs law is being domesticated and normalized, as rights protections available in ordinary, domestic, peacetime contexts are extended into what were previously legal black holes. The jurisprudence of categorization and boundary-marking is fading away.

The core of this Essay identifies, names, and discusses these trends, seeking to give a vocabulary and conceptual and historical coherence to current discussions of individual rights protection in national security and foreign affairs contexts. Secondarily, this Essay suggests some factors that might be driving convergence and closing of legal black holes today. Because most of these potential causal drivers are still exerting their force on the shape of the law, this Essay concludes that the future of national security law will likely see more convergence and fewer black legal holes and then offers several specific predictions.

*. Professor, Fordham Law School; Faculty Adviser to the Center on National Security at Fordham Law. This Essay benefited from presentations at a faculty workshop at Fordham Law School and a symposium on the Future of National Security Law at Pepperdine Law School. Thanks to Corey Brettschneider, Karen J. Greenberg, Duncan B. Hollis, Robert Kaczorowski, Sonia Katyal, Joseph Landau, Thomas H. Lee, Ethan J. Leib, Martin Flaherty, Martha Rayner, and Benjamin C. Zipursky for helpful discussions and/or comments on earlier versions of this project.

1030 COLUMBIA LAW REVIEW [Vol. 115:1029

INTRODUCTION

It has been quite common in the last decade, when difficult legal questions were raised about individual rights and judicial review—the rights, for example, of noncitizen military detainees at Guantanamo, or of U.S. citizens targeted with drone strikes in Yemen or elsewhere—to hear lawyers assert that centuries-old understandings, precedents, and practices support their arguments. For instance, in the Rasul1 and then the Boumediene2 litigation, lawyers and law professors supporting the detainees confidently asserted that common law and constitutional principles and practices dating back to the eighteenth century and even earlier clearly mandated that the detainees had a right to habeas review, while lawyers and law professors on the other side just as confidently asserted the opposite.3 Supporters of rights for detainees and others affected by post–9/11 security actions contended that the Bush Administration’s claims that, under traditional understandings, the Constitution did not protect certain persons or places, were attempts to create “legal black holes,”4 something which was said to be shocking and even un-American.5

1. Rasul v. Bush, 542 U.S. 466, 470–73 (2004) (concerning habeas corpus review of U.S. military detentions of suspected al Qaeda and Taliban supporters at military base in Guantanamo Bay, Cuba).

2. Boumediene v. Bush, 553 U.S. 723, 732–33 (2008) (same).

3. Compare Brief for Professors of Constitutional Law and Federal Jurisdiction as Amici Curiae Supporting Petitioners at 5–25, Boumediene, 553 U.S. 723 (Nos. 06-1195), 2007 WL 2441580 (arguing historical case law and practice show persons such as detainees have long been protected by habeas corpus and Suspension Clause), with Brief for the Foundation for Defense of Democracies et al. as Amici Curiae Supporting Respondents at 5–12, Boumediene, 553 U.S. 723 (No. 06-1195), 2007 WL 2972242 (arguing there is no historical precedent of habeas corpus protection of persons such as detainees).

4. Kate Zernike, McCain and Obama Split on Justices’ Guantanamo Ruling, N.Y. Times (June 13, 2008), http://www.nytimes.com/2008/06/13/us/politics/13candidates.html (on file with the Columbia Law Review) (quoting Senator Barack Obama). The term seems to have been coined by Johan Steyn. See Johan Steyn, Guantanamo Bay: The Legal Black Hole, 53 Int’l & Comp. L.Q. 1, 1 (2004) (“The most powerful democracy is detaining hundreds of suspected foot soldiers of the Taliban in a legal black hole at the United States naval base at Guantanamo Bay, where they await trial on capital charges by military tribunals.”).

5. See Countdown with Keith Olbermann (MSNBC television broadcast June 22, 2007) (statement of Prof. Neal Katyal, Salim Hamdan’s attorney), transcript available at http://www.nbcnews.com/id/19415786/ns/msnbc-countdown_with_keith_olbermann/t/countdown-keith-olbermann-june/#.VNVdS1PF_lQ (on file with the Columbia Law Review) (“[T]he administration’s argument is that Guantanamo is an [sic] legal black hole where they can do whatever they want . . . . [T]hat is . . . fundamentally un-American to say, These people have no rights whatsoever.”).

2015] DISAPPEARING LEGAL BLACK HOLES 1031

The effect of all this has been to suggest a kind of continuity in legal thought about how people are protected from overreaching by the U.S. government. But any suggestion of continuity is mistaken. Rather than continuity, there has been enormous change. Research about the Founding period,6 the Civil War,7 the age of imperialism at the turn of the twentieth century,8 and the period spanning the two World Wars and early Cold War,9 reveals that historical understandings about the protection of individual rights in national security and foreign affairs contexts10 were profoundly different than modern understandings.

During these earlier eras, there was a stable and identifiable form or structure to the legal thought about individual rights and judicial review in foreign affairs.11 In the last few decades, however, it has begun to

6. See generally Philip Hamburger, Beyond Protection, 109 Colum. L. Rev. 1823, 1826 (2009) (showing in Founding era, persons who did not owe allegiance received no legal protection); J. Andrew Kent, A Textual and Historical Case Against a Global Constitution, 95 Geo. L.J. 463, 464–65 (2007) [hereinafter Kent, Global Constitution] (finding no evidence Founding generation thought U.S. Constitution provided extraterritorial protections but finding much evidence it did not).

7. See generally Andrew Kent, The Constitution and the Laws of War During the Civil War, 85 Notre Dame L. Rev. 1839, 1845–52 (2010) [hereinafter Kent, Civil War] (showing during Civil War, persons resident in enemy territory and members of enemy’s armed forces lacked protection of Constitution and laws).

8. See generally Andrew Kent, Boumediene, Munaf, and the Supreme Court’s Misreading of the Insular Cases, 97 Iowa L. Rev. 101, 103, 112–13 (2011) [hereinafter Kent, Insular Cases] (showing Insular Cases held or assumed Constitution did not protect persons outside sovereign territory of United States, military enemies wherever located, and persons within newly-acquired sovereign territory in which congressional civil government had not yet been established); Andrew Kent, Habeas Corpus, Protection, and Extraterritorial Constitutional Rights: A Reply to Stephen Vladeck’s “Insular Thinking About Habeas,” 97 Iowa L. Rev. Bull. 34, 37–40 (2012) (showing in two little-known Insular Cases, Supreme Court apparently assumed noncitizens located in Panama Canal Zone and in newly-annexed Puerto Rico, which was still governed by U.S. military, were not protected by the Constitution’s Suspension Clause or other procedural rights).

9. See generally Andrew Kent, Do Boumediene Rights Expire?, 161 U. Pa. L. Rev. PENNumbra 20, 33–34 (2012) [hereinafter Kent, Boumediene Rights], available at http://scholarship.law.upenn.edu/penn_law_review_online/vol161/iss1/6/ (on file with the Columbia Law Review) (contrasting approaches mid-nineteenth-century Court applied to court access for enemy aliens); Andrew Kent, Judicial Review for Enemy Fighters: The Court’s Fateful Turn in Ex parte Quirin, the Nazi Saboteur Case, 66 Vand. L. Rev. 153, 156–57 (2013) [hereinafter Kent, Enemy Fighters] (arguing until 1942 Quirin case, enemy fighters had never been thought to be entitled to access U.S. courts during wartime to claim protections from Constitution or other municipal laws).

10. This refers to contexts where the United States is involved in warfare, relations with foreign countries, or extraterritorial intelligence gathering, covert action, or law enforcement.

11. See infra Part I (discussing how entitlement to individual rights was understood to be delimited by territorial location, enemy status during wartime, and citizenship).

1032 COLUMBIA LAW REVIEW [Vol. 115:1029

change, and this change has recently accelerated.12 The longstanding form or structure of rights protection was based on categorical rules and boundary-drawing. The primary axes along which the protections of the Constitution and domestic laws and courts were delimited were territorial location, citizenship, and enemy status during wartime.13 For instance, enemy aliens (citizens or subjects of a nation at war with the United States) were barred from accessing U.S. courts during wartime unless they resided in America and had refrained from taking hostile actions against the United States.14 And all aliens who were outside the United States lacked any rights under the U.S. Constitution.15 Even if present in the United States (say, as prisoners of war), enemy fighters lacked any right to access U.S. courts and any individual rights under the Constitution.16 And even citizens could lose protection from the Constitution and courts during wartime when present at sites of actual battles.17

The domain of protection was therefore based on formal, categorical distinctions between U.S. territory and abroad, war and peace, resident and nonresident, citizen and noncitizen, enemy fighter and not, and zone of battle and elsewhere. Many legal black holes existed where persons, places, or contexts were on the wrong side of the categorical divide and were outside the protection of the law. This is not a claim that inter arma enim silent leges—in times of war, the laws are silent18—that is, that existing legal restraints tend to disappear in practice during wartime as government stretches the boundaries of the permissible. The claim is that the accepted boundaries of legal protection were limited by categorical distinctions as to place, person, and context.

12. See infra Part III (discussing recent changes to individual rights in foreign affairs and national security contexts).

13. See infra Part I (summarizing historical evidence that these categorical distinctions prevailed).

14. See infra notes 36–41 and accompanying text (discussing historical treatment of enemy aliens).

15. See infra notes 29–33 and accompanying text (discussing importance of geography in constitutional protection); see also Kent, Global Constitution, supra note 6, at 485–505 (identifying “background assumptions and conceptions” of legal status of aliens outside United States at Founding).

16. See infra Part I (summarizing historical evidence); see also Kent, Enemy Fighters, supra note 9, at 180–88, 193–96, 198–99, 202–05 (discussing treatment of enemy fighters in England and during early American wars and Civil War).

17. See infra Part I (summarizing historical evidence); see also Andrew Kent, Are Damages Different?: Bivens and National Security, 87 S. Cal. L. Rev. 1123, 1165 (2014) [hereinafter Kent, Damages] (summarizing rules of common law and law of nations).

18. The phrase dates back to Cicero and is frequently used today to describe, and criticize, the way courts are said to become much more deferential to political branches’ responses to emergencies than ordinary legal rules should allow. See Richard H. Pildes, Law and the President, 125 Harv. L. Rev. 1381, 1385 & n.19 (2012) (reviewing Eric A. Posner & Adrian Vermeule, The Executive Unbound: After the Madisonian Republic (2010)) (noting origin of phrase and modern usage).


Importantly, these categorical limitations on the domain of protection from the Constitution and courts in the national security area were instantiated by structural doctrines and institutional design choices by Constitution drafters, Congress, and the executive branch.19 The sharp point of the spear of the national security state was aimed outside the United States. The U.S. military and, when they developed later in American history, foreign-intelligence organizations like the Central Intelligence Agency and National Security Agency, were generally deployed outward against noncitizens abroad, while internally it was law enforcement agencies like the Federal Bureau of Investigation that took the lead.20

In recent years, the older understandings and practices have started to break down. The distinctions between domestic and foreign, enemy and friend, peace and war, and citizen and noncitizen are breaking down, both in the real world and in the law determining the domain of rights and the right to access the courts. Formal barriers to legal protection and judicial review based on categorical distinctions about citizenship, geography, or war are dissolving, and the dissolution of these categorical boundaries is also reflected in changes to the design and operation of the national security state. I call this process “convergence”—previously distinct boundaries are softening and previously distinct spheres are becoming more alike. National security is becoming less an exceptional zone of limited or nonexistent legal protection and instead more like the domestic sphere where robust judicial review provides significant protections from government overreaching. Legal black holes are shrinking or closing entirely.

This Essay aims first to identify and describe these trends, seeking to give a vocabulary as well as a conceptual and historical coherence to current discussions of individual rights protection in national security and foreign affairs contexts. Second, as a kind of research agenda for further inquiry, it suggests some possible causal factors that might be driving these changes and, in light of this, makes some predictions about the future.

Legal black holes in contemporary law have been examined by other scholars. David Dyzenhaus, in advocating that a robust, substantive version of the rule of law should prevail even when government is responding to contemporary security emergencies, decries legal black holes as “lawless void[s]” where the executive can act without legal constraint, either because the substantive law does not cover the situation or judicial

19. See infra Part I (summarizing categorical distinctions established in Founding period).

20. See infra Part II.B (describing formation of modern national security system and division of responsibility).


review is unavailable.21 Dyzenhaus, who focuses primarily on the United Kingdom, Canada, and Australia, sees evidence that courts are gradually closing legal black holes in those countries by “put[ting] a rule-of-law spine into the adjudication of national security.”22 His account is thus broadly congruent with my description of the trend in U.S. law and practice.23

Other scholars writing about national security and foreign affairs have recently noted the blending and converging of previously distinct

21. David Dyzenhaus, The Constitution of Law: Legality in a Time of Emergency 1–3 (2006).

22. Id. at 174.

23. Dyzenhaus also coined the term “legal grey holes” to describe “disguised black holes,” that is, situations where “there are some legal constraints on executive action—it is not a lawless void—but the constraints are so insubstantial that they pretty well permit government to do as it pleases.” Id. at 3, 42. Adrian Vermeule has argued that contemporary U.S. administrative law is full of legal grey holes and even a few black holes, because of the standards for judicial review under the Administrative Procedure Act, 5 U.S.C. §§ 551–559, 701–706 (2012). Adrian Vermeule, Our Schmittian Administrative Law, 122 Harv. L. Rev. 1095, 1096–97 (2009). According to Vermeule, the large body of legal rules and practices that govern review of administrative agencies is pervasively founded upon “open-ended standards or adjustable parameters—for example, what counts as ‘arbitrary’ or ‘unreasonable’ . . . .” Id. at 1097. Vermeule argues “that courts can and do adjust” these open-ended standards “during perceived emergencies to increase deference to administrative agencies,” often in practice being so deferential as to represent only “a sham” of legal constraint. Id. Unlike Dyzenhaus, Vermeule thinks that legal grey holes are inevitable and, it appears, often have benefits as well as drawbacks. Id. at 1033, 1136; cf. Evan J. Criddle, Mending Holes in the Rule of (Administrative) Law, 104 Nw. U. L. Rev. 1271, passim (2010) (questioning Vermeule’s descriptive account); Joseph Landau, Chevron Meets Youngstown: National Security and the Administrative State, 92 B.U. L. Rev. 1917, 1974–77 (2012) (same).

With his co-author Eric Posner, Vermeule has also argued that the modern U.S. President is, in practice, “unbound” by law: The “law does little to constrain the modern executive.” Posner & Vermeule, supra note 18, at 15. In both ordinary domestic and national security contexts, and during both peacetime and emergencies, Posner and Vermeule suggest that legal constraints such as statutes and constitutional rules are typically vague enough, and courts are sufficiently deferential when law is invoked against executive action, that the executive in practice exists almost entirely in a legal grey hole. See, e.g., id. at 15, 52–58, 84–112. This Essay is not concerned with whether lax enforcement of legal constraints renders them merely nominal (legal grey holes); it focuses instead on well-accepted categorical rules and structures embodying those rules that, for much of American history, made certain persons, places, and contexts legal black holes. And, in any event, I join those critics who think that the suggestion that the modern U.S. executive operates in a pervasive legal grey hole is significantly overstated as an empirical matter. See, e.g., Jack Goldsmith, Power and Constraint (2012) (describing how national security actions of modern executive are restrained and made accountable by various mechanisms and institutions); Curtis A. Bradley & Trevor W. Morrison, Presidential Power, Historical Practice, and Legal Constraint, 113 Colum. L. Rev. 1097, 1149–52 (2013) (calling for additional empirical research on presidential legal constraints); Pildes, supra note 18, at 1392–403 (reviewing Posner & Vermeule and noting evidence that executive is restrained by law). This Essay suggests instead that the clear historical trend is toward greater legal constraint enforced by courts on the executive in the areas of foreign affairs and national security.


domains, akin to the processes I will describe. Robert Chesney has shown how the U.S. legal authorities and operating rules governing military versus intelligence operations have been converging.24 Chesney and Jack Goldsmith have argued that the substantive and procedural law governing detention in military versus law enforcement contexts have been converging.25 Joseph Landau has written about how the due process revolution in domestic law, primarily in the “new property” area, was assimilated into both immigration and national security law, helping spur greatly increased judicial protection for noncitizens in those areas.26 And Richard Pildes and Samuel Issacharoff have shown how changes in law, political culture, and military technology are putting increasing pressure on the military to “individuate,” that is, to apply force in a surgical manner so that it only impacts individuals who have been deemed targetable or guilty in some fashion through fair procedures.27 All of these insights provide context for the convergence in rights protection and the disappearance of legal black holes that I describe below.

Parts I–III are the core of this Essay. Part I sketches the historical structure of legal protections in national security and foreign affairs domains, characterized by categorization, boundary-drawing, and legal black holes. Part II shows how demarcations of the Constitution’s and courts’ domain for protecting individual rights based on geography, war, and citizenship were mirrored by the institutional design choices and operating rules at the heart of the national security state. Part III documents the convergence that has been taking place recently in rights protection and the closing of legal black holes. Part IV, the more speculative section, offers some thoughts about the reasons for convergence and closing of legal black holes, suggests areas for future research, and predicts that convergence is likely to continue if not accelerate.

I. THE HISTORICAL DOMAIN OF THE CONSTITUTION AND RIGHT TO ACCESS THE COURTS

People can be protected from government overreaching in a number of ways. In the U.S. system, they may or may not have rights under

24. See Robert Chesney, Military-Intelligence Convergence and the Law of the Title 10/Title 50 Debate, 5 J. Nat’l Security L. & Pol’y 539, 544–83 (2012).

25. See Robert Chesney & Jack Goldsmith, Terrorism and the Convergence of Criminal and Military Detention Models, 60 Stan. L. Rev. 1079, 1100–20 (2008) (discussing convergence in era of post–9/11 military detention).

26. See Joseph Landau, Due Process and the Non-Citizen: A Revolution Reconsidered, 47 Conn. L. Rev. 879, 894–911 (2015) [hereinafter Landau, Due Process] (highlighting influence of Matthews v. Eldridge on due process in contexts of immigration and national security).

27. Samuel Issacharoff & Richard H. Pildes, Targeted Warfare: Individuating Enemy Responsibility, 88 N.Y.U. L. Rev. 1521, 1596 (2013) [hereinafter Issacharoff & Pildes, Targeted Warfare] (arguing changes are part of “profound but partial transformation regarding the legitimate use of military force”).


the Constitution, international law, the common law, or statutory or regulatory law. They may be able to access U.S. courts to seek protection, or they may not. Government institutions may or may not be structured in ways that provide legal or practical protection. Historically, the traditional rules determining who had what kind of protections from the laws, courts, and other institutions in the national security domain have been based on a series of sharp, categorical distinctions.

This Part summarizes the traditional, categorical rules about protection from the laws and courts. I am generalizing a great deal here because the supporting research is presented in detail in other places28 and, in any event, this Essay is focused on big themes that span historical epochs rather than doctrinal nuance at a given point in time.

Geography or territorial location has historically been a crucial determinant of protection from the Constitution and the courts. Generally speaking, both citizens and noncitizens within the United States were protected by the Constitution and could access the courts to claim protection.29 But, before the twenty-first century, noncitizens outside the sovereign territory of the United States were held to lack any constitutional rights.30 On the other hand, U.S. citizenship or lawful permanent residence in the United States did at times provide some extraterritorial rights protection. Most of the controversial and coercive national security activities of the U.S. government occur outside the United States, and hence the expansion and use of U.S. power around the globe in the late twentieth and early twenty-first centuries have generated recurring controversies about extraterritorial constitutional rights.31

28. See Hamburger, supra note 6, at 1834–44, 1955–73 (documenting relationship between allegiance and protection in colonial and Founding periods); Kent, Damages, supra note 17, at 1163–67 (analyzing historical and other reasons for Supreme Court’s reticence to extend Bivens to national security sphere); Kent, Insular Cases, supra note 8, at 103–18 (disputing that Insular Cases provide support for Boumediene’s extension of constitutional habeas corpus to alleged enemy fighters held outside United States); Andrew Kent, Citizenship and Protection, 82 Fordham L. Rev. 2115, 2118–23 (2014) [hereinafter Kent, Citizenship] (exploring role traditionally played by territorial location, domicile, enemy status, and citizenship in determining scope of constitutional protections); Kent, Civil War, supra note 7, at 1872–1911 (discussing reconceptualization of legal rights during Civil War era); Kent, Boumediene Rights, supra note 9, at 28–32 (assessing scope of enemy combatants’ rights under Boumediene and prior law); Kent, Enemy Fighters, supra note 9, at 169–213 (analyzing inability of enemy fighters to access courts via habeas corpus or otherwise); Kent, Global Constitution, supra note 6, at 485–505 (analyzing extraterritorial rights of noncitizens at time of Founding).

29. See Kent, Citizenship, supra note 28, at 2118–20.

30. See Kent, Insular Cases, supra note 8, at 123–32; Kent, Global Constitution, supra note 6, passim; see also Boumediene v. Bush, 553 U.S. 723, 770 (2008) (“It is true that before today the Court has never held that noncitizens detained by our Government in territory over which another country maintains de jure sovereignty have any rights under our Constitution.”).

31. See, e.g., Boumediene, 553 U.S. at 732–39 (concerning constitutional challenge to Congress’s stripping of habeas jurisdiction to review military detentions of non-U.S. citizens at U.S. military enclave at Guantanamo Bay); Hamdan v. Rumsfeld, 548 U.S. 557, 566–69 (2006) (concerning constitutional and statutory challenges to military commission trial of non-U.S. citizen at Guantanamo Bay); United States v. Verdugo-Urquidez, 494 U.S. 259, 262–63 (1990) (concerning application of Fourth Amendment to search of Mexican residence conducted by U.S. and Mexican law enforcement while Mexican property owner was in custody of U.S. law enforcement); In re Terrorist Bombings of U.S. Embassies in E. Afr. (Fifth Amendment Challenges), 552 F.3d 93, 103–05, 108, 115 (2d Cir. 2008) (concerning application of Fifth Amendment to interrogation by U.S. law enforcement of foreign nationals held by Kenyan law enforcement).

In earlier centuries, this general approach to determining the domain of rights was described as a reciprocal relationship between allegiance and protection. Those who owed and gave allegiance—all citizens and any noncitizens who were peacefully resident or traveling within the United States—were generally within the protection of the domestic laws, courts, and government of the United States.32 In contrast, persons who owed no allegiance received no protection.33

Wartime also exposed a domestic–international law divide in protection. Both U.S. citizens and aliens on the home front remained protected by constitutional and other domestic law rights during war,34 but all persons resident in an enemy nation, enrolled in an enemy’s armed forces (enemy fighters), or present at the site of actual combat were out of the protection of the Constitution.35

Wartime used to be understood as an exceptional state during which all ordinary civil intercourse between persons of warring nations was, in theory if not in practice, interdicted.36 Since the first decade under the Constitution, Congress has empowered the President to detain or expel enemy aliens during declared wars or invasions of the United States.37 In previous nation-to-nation wars, large numbers of civilian enemy aliens were excluded from the United States, detained in the United States, or

32. See Kent, Civil War, supra note 7, at 1853–55 (discussing legal rights of and availability of judicial review to individuals present in and pledging their allegiance to United States).

33. See Hamburger, supra note 6, passim; Kent, Enemy Fighters, supra note 9, at 176–211; Kent, Global Constitution, supra note 6, at 503–05.

34. See Ex parte Milligan, 71 U.S. (4 Wall.) 2, 118–31 (1866) (holding unconstitutional military trial of noncombatant in Union state not under martial law); Kent, Damages, supra note 17, at 1163–65 (summarizing relevant legal authorities).

35. See Milligan, 71 U.S. at 118, 123, 131 (suggesting persons in those contexts lacked protection from constitutional rules announced by Court); Kent, Civil War, supra note 7, passim (documenting nearly universal belief and practice persons in those categories lack protection from Constitution and laws); Kent, Enemy Fighters, supra note 9, at 176–211 (same).

36. See, e.g., Matthews v. McStea, 91 U.S. 7, 9–10 (1875) (“It must also be conceded, as a general rule, to be one of the immediate consequences of a declaration of war and the effect of a state of war, even when not declared, that all commercial intercourse and dealing between . . . the contending powers is unlawful, and is interdicted.”).

37. See Alien Enemies Act, ch. 66, 1 Stat. 577 (1798) (codified at 50 U.S.C. § 21 (2012)) (giving President such power with respect to “all natives, citizens, or subjects of the hostile nations or government, being of the age of fourteen years and upward”).


repatriated.38 Under both the common law and the law of nations, all commercial intercourse, including contracts, between civilian residents of warring nations was illegal during wartime.39 And ancient rules allowed the military and, in some circumstances, even private citizens to seize the private property of enemy aliens during war.

Thus, according to Chancellor James Kent:

[W]hen the sovereign of a state declares war against another sovereign, it implies that the whole nation declares war, and that all the subjects of the one are enemies to all the subjects of the other . . . . When hostilities have commenced, the first objects that naturally present themselves for detention and capture are the persons and property of the enemy, found within the territory at the breaking out of the war. According to strict authority, a state has a right to deal as an enemy with persons and property so found within its power, and to confiscate the property, and detain the persons as prisoners of war.40

The Supreme Court colorfully summarized these traditional understandings:

In the state of war, nation is known to nation only by their armed exterior; each threatening the other with conquest or annihilation. The individuals who compose the belligerent states, exist, as to each other, in a state of utter occlusion. If they meet, it is only in combat.41

Wartime was thus an exceptional state of greatly diminished or even nonexistent legal rights for residents and citizens of the enemy nation.

Prior to the twentieth century, the common law and international law were as or more frequently invoked than the U.S. Constitution to provide protections against the U.S. government.42 Therefore, questions

38. See, e.g., Kent, Enemy Fighters, supra note 9, at 208–09 (noting during First World War, United States interned several thousand enemy civilians); J. Gregory Sidak, War, Liberty, and Enemy Aliens, 67 N.Y.U. L. Rev. 1402, 1418 (1992) (enumerating enemy aliens interned and repatriated during and immediately after World War II).

39. See Hanger v. Abbott, 73 U.S. (6 Wall.) 532, 535 (1867) (“[A]s soon as war is commenced all trading, negotiation, communication and intercourse between the citizens of one of the belligerents with those of the other, without the permission of the government, is unlawful.”).

40. James Kent, Commentaries on American Law 56 (1826).

41. The Rapid, 12 U.S. (8 Cranch) 155, 160–61 (1814). See generally Richard R. Baxter, So-Called ‘Unprivileged Belligerency’: Spies, Guerrillas, and Saboteurs, 28 Brit. Y.B. Int’l L. 323, 325 (1951) (“The courts of the United States have been particularly prone to start from the premiss that all inhabitants of the enemy state and all persons adhering to it are enemies, notably in connexion with property rights, treasonable conduct, and commercial intercourse with the enemy at common law.”).

42. David Sloss, Polymorphous Public Law Litigation: The Forgotten History of Nineteenth Century Public Law Litigation, 71 Wash. & Lee L. Rev. 1757, 1760 (2014) (documenting “forgotten history of nineteenth century public law litigation” and noting “federal courts routinely applied a mix of international law, statutes, and common law to protect fundamental rights and restrain government action” rather than Constitution as done today); see also Kent, Damages, supra note 17, at 1163–67 (noting same effect).


of domain and how it has changed over time cannot only examine entitlement to constitutional protection. Because common law and international law often functioned as effective substitutes for constitutional protection,43 it should not be surprising that the availability of those protections also depended on war, geography, and citizenship. Access to protection under common law or international law was controlled both procedurally and substantively—by both procedural and standing doctrines about who could access the courts to seek legal protection and substantive doctrines about the scope of rights.44 Civilian enemy aliens (nationals of a country at war with the United States) domiciled abroad did not have the right to access U.S. courts during wartime.45 Enemy fighters, no matter their nationality, domicile, or actual location, could not access U.S. courts during wartime.46 Even U.S. citizens domiciled in an enemy nation during wartime lacked the right to access U.S. courts.47 Moreover, it was generally held that “[l]east of all[] will the common law undertake to re-judge acts done flagrante bello in the face of the enemy.”48

International law was also a realm of categorical distinctions and legal black holes where no protection was available. Until the mid-twentieth century, international law provided very little and often no protection to a country’s own nationals, concerned as it was with state-to-state relations and treatment of foreign nationals.49 In earlier eras, even within the domains where international law applied, there were categorical exclusions from protection. It was generally thought that international law bound only “civilized” nations in the mutual relations50 and

43. See Kent, Damages, supra note 17, at 1163–67 (recounting historical use of common law tort suits instead of federal law or Constitution by U.S. citizens against government officials).

44. See id.

45. Kent, Enemy Fighters, supra note 9, at 188–93, 196–98, 207–09, 212.

46. Id. at 193–96, 198–99, 204, 206, 209.

47. See Kent, Civil War, supra note 7, at 1905–07.

48. Tyler v. Pomeroy, 90 Mass. (8 Allen) 480, 484–85 (Mass. 1864). And complying with the laws of war was a complete defense to a common law tort suit. See, e.g., Terrill v. Rankin, 65 Ky. (2 Bush) 453, 457 (Ky. Ct. App. 1867) (“Unless the order was authorized by the laws of war, it conferred on the appellee no legal authority and, consequently, his act was illegal.”).

49. See Curtis A. Bradley & Jack L. Goldsmith, Customary International Law As Federal Common Law: A Critique of the Modern Position, 110 Harv. L. Rev. 815, 818 (1997) (“Historically, CIL [customary international law] primarily governed relations among nations, such as the treatment of diplomats and the rules of war. Today, however, CIL also regulates the relationship between a nation and its own citizens, particularly in the area of human rights.”).

50. See, e.g., Henry Wheaton, Elements of International Law 17–18 (Richard Henry Dana ed., 8th ed. 1866) (“Is there a uniform law of nations? There certainly is not the same one for all the nations and states of the world. The public law, with slight exceptions, has always been, and still is, limited to the civilized and Christian people of Europe or those of European origin.”).


that it did not apply, or at least did not have to be followed, when the civilized interacted with those considered savage or uncivilized.51 During warfare against an uncivilized opponent, theorists of the law of nations and laws of war taught that law either did not apply or that it applied and allowed or even encouraged extreme violence, like summary execution of captured enemies or wholesale extermination of combatants and civil- ians.52 It was commonly said that barbarians or other “savage” opponents could be treated like wild animals—that is, simply slaughtered.53 Accord- ing to Thomas Hutchinson, a historian who was also lieutenant governor and later governor of the Massachusetts Bay Colony, military enemies who “have no regard to the law of nations . . . therefore deserve no human respect.”54 Western nations, including the United States, tended to act with extraordinary severity against foes deemed uncivilized or savage.55

The same general categorical rules and exemptions from legal obligation pertained to persons or groups that committed acts of violence and plunder unlawfully, such as banditti, marauders, pirates, and guerillas.56 Even the theorist Emmerich de Vattel, an exponent of more civilized and peaceful norms of international conduct than generally prevailed in his day, taught that “[a] Nation that is attacked by enemies of

51. See S. James Anaya, Indigenous Peoples in International Law 26–27 (2d ed. 2004) (discussing view that international law only applied to European-recognized, “civilized” states).

52. See, e.g., 3 Emmerich de Vattel, The Law of Nations or the Principles of Natural Law § 34, at 246 (Charles G. Fenwick trans., Carnegie Inst. of Wash. 1916) (1758) (noting “nations are justified in uniting together . . . with the object of punishing, and even of exterminating savage peoples” like “those barbarians . . . who make war from inclination and not from love of country”); see also Antony Anghie, Imperialism, Sovereignty and the Making of International Law 27 (2005) (describing Vitoria’s views on lawfulness of violence against unbelievers or Indians who bear arms against Christians); Elbridge Colby, How to Fight Savage Tribes, 21 Am. J. Int’l L. 279, 279–80 (1927) (documenting widespread view that customary laws of war did not apply or applied much more loosely in conflicts with “savage” or “uncivilized” enemies).

53. See, e.g., Stephen C. Neff, War and the Law of Nations 30 (2005) (discussing Aristotle’s view that conflicts against “barbarians” were comparable to fights against wild beasts); Richard Tuck, The Rights of War and Peace 161–62 (1999) (discussing Samuel Pufendorf’s view that peoples like marauding Mongols and Turks could be hunted down like “Beasts of Prey”).

54. 2 Thomas Hutchinson, The History of the Province of Massachusetts-Bay 83 (2d ed., London, J. Smith 1768).

55. See generally Robert M. Utley, Frontier Regulars: The United States Army and the Indian, 1866–1891 (Bison Books 1984) (1973) (detailing various atrocities committed by United States in American Indian Wars); Russell F. Weigley, The American Way of War 153–63 (1973) (same).

56. 2 William Winthrop, Military Law 11 (Washington, D.C., W.H. Morrison, Law Bookseller and Publisher 1886) (noting guerillas are “regarded as criminals and outlaws, not within the protection of the rights of war, or entitled . . . to be treated as prisoners of war, but liable to be shot, imprisoned, or banished, either summarily where their guilt is clear or upon trial and conviction by military commission”).

2015] DISAPPEARING LEGAL BLACK HOLES 1041

this sort is not under any obligation to observe towards them the rules belonging to formal war.”57

In sum, under traditional domain rules, noncitizens located outside the United States, military enemies (wherever located), and all persons at a site of active combat were outside the protection of the Constitution. The right to access U.S. courts to claim protection from the Constitution or other laws was denied to military enemies and to nonresident enemy aliens. The domain of protection from domestic laws and courts was therefore based on formal, categorical distinctions between domestic and foreign territory, war and peace, citizen and noncitizen, resident and nonresident, enemy fighter and enemy nonfighter, and zone of battle and elsewhere. Protections of international law also depended on categorical distinctions between citizen versus noncitizen and civilized versus uncivilized.

II. INSTITUTIONAL DESIGN AND OPERATING RULES FOR THE NATIONAL SECURITY STATE

In their design and rules of the road, the national security institutions of the United States have observed and instantiated the categorical distinctions between foreign and domestic, enemy and friend, war and peace, and citizen (or noncitizen permanent resident) and noncitizen, and the like. These structures and internal operating rules therefore provide either legal or practical protection to persons who might be affected by national security or foreign affairs activities of the United States. Neither the statutory or regulatory operating rules for national security institutions that protect individual rights nor the institutional designs that provide structural protections to certain persons, places, and contexts were universally protective, however. Largely paralleling the situation with rules for individual rights protection discussed in Part I, the institutional structures and operating rules demarcated some persons, places, and contexts that were not protected. Often these subconstitutional operating rules and institutional design decisions have greater practical importance for protecting individual liberty and property interests than do primary rules regarding individual rights and court access found in constitutional law, international law, or the common law, and it is thus important to sketch their outlines in order to understand the historical baseline against which modern changes can be discerned. In describing these institutional design features and operating rules, it is helpful to distinguish between the post–World War II period, when the modern national security state developed, and earlier eras of U.S. history.

57. de Vattel, supra note 52, § 68, at 258.

A. Premodern Period

For much of American history, a zone of liberty within the United States was preserved primarily by institutional design, intentional neglect and weakness, and ideological aversion to a strong domestic military, intelligence, or law enforcement presence. The common law also played an important role in limiting the role of the military or militarized law enforcement within the United States.

The national government that would wield the military force of the nation was designed by the Founding generation to be small and concerned primarily with external objects, in order to protect the liberties of the American people.58 Thus, the level of government with more constant and encompassing control over the daily lives of Americans—the state governments and their subordinate, local bodies—would not be clothed with the awesome military and foreign affairs powers.59

The Constitution places the military firmly under civilian control by the U.S. government,60 ensuring that its strength, while needed against external foes, will not be turned inward to threaten domestic liberties. The Constitution also specifies that federally controlled military force may be used internally only to the extent necessary to “execute the Laws of the Union,” “suppress Insurrections,”61 or at the request of the state government affected, protect states “against domestic Violence.”62

The U.S. Army was generally tiny prior to the Civil War, and was garrisoned mostly on the frontiers, far away from the population centers.63 The permanent defense establishment consisted primarily of

58. See, e.g., The Federalist No. 23, supra, at 142–43 (Alexander Hamilton) (“The principal purposes to be answered by Union are these—the common defence of the members; the preservation of the public peace as well against internal convulsions as external attacks; the regulation of commerce with other nations and between the States; the superintendence of our intercourse . . . with foreign countries.”); The Federalist No. 45, at 306 (James Madison) (Harvard Univ. Press ed. 2009) (“The powers delegated by the proposed Constitution to the federal government . . . will be exercised principally on external objects, as war, peace, negotiation, and foreign commerce.”).

59. See U.S. Const. art. I, § 10, cl. 3 (“No state shall, without the consent of Congress, . . . keep troops . . . in time of peace, enter into any agreement or compact with another state, or with a foreign power, or engage in war, unless actually invaded, or in such imminent danger as will not admit of delay.”).

60. See id. art. I, § 8, cls. 11–16, 18 (establishing military powers of Congress); id. art. II, § 2, cl. 1 (“The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States.”).

61. Id. art. I, § 8, cl. 15.

62. Id. art. IV, § 4.

63. See Andrew J. Birtle, U.S. Army Counterinsurgency and Contingency Operations Doctrine, 1860–1941, at 7 (1998) (describing pre-Civil War U.S. Army as “child of the frontier” and noting “antebellum Army spent the bulk of its time policing the nation’s ever-changing western boundary”).

coastal fortifications and a small Navy.64 During the Civil War, the Army expanded hugely in size and massively increased its domestic powers over the civilian population,65 but upon the surrender of Confederate forces, the extraordinary domestic powers were curtailed and the Army’s size greatly reduced.66 Within a few years, it was again a small frontier garrison force and remained that way until the 1898 war against Spain.67

In 1890, the United States was the richest country in the world but had only the fourteenth-largest army—an army smaller than Bulgaria’s.68 At the end of Reconstruction, legislators from the former Confederate States of America helped enact the Posse Comitatus Act, which required a specific act of Congress before the military could be used for domestic law enforcement purposes.69

There was essentially no federal law enforcement apparatus until the Civil War, and it was tiny and ill-funded for decades afterward.70 Although institutionalized military intelligence efforts began in the latter part of the nineteenth century, the efforts were wholly devoted to war planning and military analysis of potential external adversaries.71 Before World War II, there was no foreign-intelligence and espionage agency.72 Within

64. See Weigley, supra note 55, at 42–43 (describing U.S. defense strategy as based on fortresses to protect “vital parts of the American coast” and free-ranging Navy to ward off invading expeditions and protect waterborne commerce).

65. See, e.g., Mark E. Neely, Jr., The Fate of Liberty: Abraham Lincoln and Civil Liberties, at xii (1991) (noting Lincoln “suspended the writ of habeas corpus early in the [Civil War] and thereafter managed the home front, in part, by means of military arrests of civilians—thousands and thousands of them”).

66. The U.S. military continued to operate for some time in the former Confederate States, but the numbers involved were small. “During the 1870s the average size of the entire army was only 29,000, and only about 7,500 soldiers per year served in the South.” Joseph E. Dawson III, Army Generals and Reconstruction: Louisiana, 1862–1877, at 4 (1982).

67. See Graham A. Cosmas, An Army for Empire: The United States Army in the Spanish-American War 1–14 (1994) (“[T]he Army in 1897 . . . had no permanent troop formations larger than regiments . . . and neither detailed war plans nor a staff for making them existed.”).

68. Fareed Zakaria, From Wealth to Power: The Unusual Origins of America’s World Role 47 (1998).

69. See Army Appropriations Act, ch. 263, § 15, 20 Stat. 145, 152 (1878) (codified as amended at 18 U.S.C. § 1385 (2012)) (“[I]t shall not be lawful to employ any part of the Army of the United States . . . for the purpose of executing the laws, except in such cases and under such circumstances as . . . may be expressly authorized by the Constitution or by act of Congress. . . .”).

70. There were, for example, some postal inspectors, revenue agents, U.S. marshals, and Secret Service agents assigned to investigate counterfeiting and the like, but their numbers were small and their jurisdiction limited. See generally David R. Johnson, American Law Enforcement: A History 73–86, 167 (1981).

71. See David R. Rudgers, Creating the Secret State: The Origins of the Central Intelligence Agency 5–6 (2000) (tracing evolution of American intelligence-gathering agencies).

72. See id.

the United States, the FBI—a relatively small law enforcement agency—was responsible for counterintelligence.73 Unlike many other countries, the United States has never had a stand-alone domestic intelligence agency.74 Housing domestic intelligence work within a law enforcement organization has been a conscious choice, designed to ensure that domestic rule-of-law norms govern intelligence work at home.

The judicially enforced common law helped protect the domestic zone of liberty in earlier eras. Habeas corpus and tort damages suits were available to ensure the military did not encroach on civilian life.75 Until the Civil War, there was no standing authority for statutory indemnification of sued federal officers,76 meaning that the prospect of a damages judgment could have significant deterrent effect on behavior. Prior to the Civil War, the common law and constitutional law of treason generally assumed that U.S. citizens could be traitors, prosecutable in civilian court and liable to be opposed by military force if they arrayed themselves militarily and in large numbers; they could not, however, be treated as full military enemies who were entirely outside the protection of the laws and courts.77 Under the common law, deadly force could, of course, be used domestically, but only in order to prevent serious crime during its commission, apprehend fleeing felons, or put down rebellions and insurrections. When invasion or rebellion required the domestic use of military power, old common law rules—which the Supreme Court in 1866 held were incorporated into the Constitution’s individual rights protections—required that martial law could only prevail where the courts and other institutions of civil justice could not in fact function.78

B. Post–World War II Period

The modern national security state created during and after World War II would be orders of magnitude larger and more powerful than

73. See generally Tim Weiner, Enemies: A History of the FBI (2012) (discussing FBI’s evolution over time).

74. See Peter Chalk et al., Considering the Creation of a Domestic Intelligence Agency in the United States: Lessons from the Experiences of Australia, Canada, France, Germany, and the United Kingdom 8 (Brian A. Jackson, ed. 2009) (noting debate over “whether the United States needs a dedicated domestic intelligence agency”). In contrast, Australia, Canada, France, Germany, and the United Kingdom all have stand-alone domestic intelligence agencies. Id. at 9.

75. See Kent, Damages, supra note 17, at 1163–65 (detailing viable causes of action during Civil War period).

76. See generally James G. Randall, The Indemnity Act of 1863: A Study in the War-Time Immunity of Governmental Officers, 20 Mich. L. Rev. 589, 589 (1922) (discussing Civil War immunity statutes).

77. See Kent, Civil War, supra note 7, at 1860–61 (discussing treason and rebellion during Civil War period).

78. Ex parte Milligan, 71 U.S. (4 Wall.) 2, 121–22 (1866); see also Kent, Civil War, supra note 7, at 1927–29 (noting Milligan Court was signaling “it disapproved of military Reconstruction and the continued displacement of civil by military courts”).

what had existed previously, and hence more threatening to individual liberty at home. But its designers made a number of decisions that helped protect the zone of liberty within the United States and ensured military and other coercive force would be turned principally against the outside world. Especially since the reforms of the 1970s and 1980s, the national security state has reflected and instantiated the categorical distinctions demarcating zones, people, places, and contexts where protection was available and where it was not.

From the outset, the modern national security state was founded on a foreign–domestic divide, with the United States homeland and its people, institutions, and politics being shielded—for the most part—from the pointed end of the spear. For instance, the CIA’s organic act, dating from 1947, prohibits it from exercising “police, subpoena, law enforcement powers, or internal-security functions,”79 in part because Congress did not want to create an American Gestapo.80 The classified presidential directive that established the National Security Agency in 1952 stated that its primary purpose would be to “provide an effective, unified organization and control of the communications intelligence activities of the United States conducted against foreign governments.”81 National security policy also placed great reliance on policing a citizen–noncitizen and domestic–foreign divide with measures relating to exclusion or deportation of foreign nationals who posed national security threats,82 ideological bars to naturalization,83 denials of passports to U.S. persons who were members of communist organizations,84 and denationalization of persons who committed certain actions deemed sufficiently disloyal, such as taking an oath of allegiance to or serving in the armed forces or other government service of a foreign nation, or committing the crime of treason.85

But the full development of structural and rule-based protections for the people and territory of the United States did not develop until the 1970s and 1980s. After Watergate, the death of J. Edgar Hoover, and the

79. National Security Act of 1947, Pub. L. No. 80-523, § 102, 61 Stat. 495, 498 (codified as amended at 50 U.S.C. § 3036(d)(1) (2012)).

80. See Tim Weiner, Legacy of Ashes: The History of the CIA 5–6 (2007) (describing early fears surrounding creation of intelligence agency).

81. Christopher J. Seline, Eavesdropping on the Compromising Emanations of Electronic Equipment: The Laws of England and the United States, 23 Case W. Res. J. Int’l L. 359, 390 (1991) (presenting reprint of document).

82. See, e.g., Internal Security Act of 1950, Pub. L. No. 81-831, §§ 22–23, 64 Stat. 987, 1006–12 (outlining circumstances under which aliens might be excluded or deported).

83. See, e.g., id. § 25, 64 Stat. at 1013–15 (amending Nationality Act of 1940).

84. See, e.g., id. § 6, 64 Stat. at 993 (authorizing passport denials).

85. See Immigration and Nationality Act of 1952, Pub. L. No. 82-414, § 349, 66 Stat. 163, 267–68 (reenacting as amended provisions of Nationality Act of 1940). The Supreme Court substantially limited the government’s ability to denationalize in Afroyim v. Rusk, 387 U.S. 253, 257 (1967) (holding Congress lacks power to involuntarily divest person of U.S. citizenship).

revelation of embarrassing CIA covert operations abroad, a series of investigations by Congress and the press revealed that the CIA, the FBI, and military intelligence components had engaged in surveillance and subversion of many domestic groups and persons. These agencies monitored everything from Communists and other left wing individuals and political organizations to civil rights leaders, hippies, anti-Vietnam War activists, student groups, and many others that posed no real threat of any kind to the security of the United States and were plainly inappropriate targets of the national security state.86

Reforms by Congress and the executive branch followed these revelations, creating the modern national security architecture that endured through the first decade of the twenty-first century, when it started to change again in response to the pressures of the war against al Qaeda, globalization, and other forces.

The modern national security state reinforced a foreign–domestic divide, designed to protect the United States homeland and its people, institutions, and politics from the most coercive types of military and intelligence activities. Specific protections for the American people are rarely reserved for citizens only. Instead, most statutory and regulatory protections are for “United States person[s],” a term of art that includes citizens and lawful permanent residents.87

The overall structure of government, by limiting coercive activities that may occur within the United States, protects the liberty of everyone in the United States, including aliens who are not lawful permanent residents. For example, the military is hemmed in by strict legal rules that greatly reduce its authority to operate domestically and hence help preserve liberty at home. Building on rules enacted in earlier eras, Congress requires that military force only be used within the United States when ordinary criminal processes are insufficient,88 and that Congress must

86. See, e.g., 2 Select Comm. to Study Gov’t Operations, Final Report of the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities: Intelligence Activities and the Rights of Americans, S. Rep. No. 94-755, at 5–9 (2d Sess. 1976) (Church Committee Report) (summarizing results of intelligence study).

87. See, e.g., 50 U.S.C. § 1801(i) (2012) (defining “United States person” as “citizen of the United States, an alien lawfully admitted for permanent residence . . . , an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation . . . incorporated in the United States . . . .”); Exec. Order No. 12333 § 3.5(k), reprinted as amended in Exec. Order No. 13,470, 73 Fed. Reg. 45,325 [hereinafter EO 12333] (defining “United States Person” to include citizens, aliens “known by the intelligence element concerned to be a permanent resident alien,” and the two types of corporations as described above).

88. 10 U.S.C. §§ 332–333 (2012) (authorizing military force when “President considers [it] . . . impracticable to enforce the laws of the United States . . . by . . . judicial proceedings” or “suppress . . . any insurrection, domestic violence, unlawful combination, or conspiracy, if it . . . hinders the execution of the laws of that State, and of the United States within the state”). Similar laws had been on the books since the first decade of the country’s existence. See Act of May 2, 1792, ch. 28, 1 Stat. 264 (authorizing President to

specifically authorize it before any U.S. citizen may be detained89 or the U.S. military may directly participate “in a search, seizure, arrest, or other similar activity” by law enforcement.90

As noted, the CIA’s organic act prohibits it from exercising “police, subpoena, law enforcement powers or internal security functions.”91 Law enforcement organizations, the DOJ and FBI, have primary responsibility for human-source foreign-intelligence collection within the United States, while the CIA has the responsibility for human-source collection abroad.92 This choice was made because law enforcement organizations are structured and trained to follow legal commands that protect civil liberties, while foreign-intelligence organizations must habitually break the laws of countries where they operate. To take one basic example, law enforcement organizations seize and detain individuals within a web of constitutional and statutory commands that impose ex ante requirements before a detention can begin and require quick approval by an independent judicial officer in order to continue a detention.93

Executive Order 12333, a 1981 reform directive which today, as amended, still structures the intelligence community, requires that “[e]lements of the Intelligence Community shall use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad.”94 Covert actions, often the most coercive form of national security action besides kinetic military force, are generally barred domestically, and both statute and Executive Order 12333 provide that “[n]o covert action may be conducted which is intended to influence United States political processes, public opinion,

use military force in face of “imminent danger of invasion” or “insurrection in any state”); Act of Feb. 28, 1795, ch. 36, 1 Stat. 424 (same).

89. 18 U.S.C. § 4001(a) (2012) (added by Non-Detention Act, Pub. L. No. 92-128, 85 Stat. 347, 347–48 (1971)).

90. 10 U.S.C. § 375. This act is quite similar in intent and effect to the Posse Comitatus Act of 1878, now codified at 18 U.S.C. § 1385. See supra note 69 and accompanying text (discussing Posse Comitatus Act).

91. 50 U.S.C. § 3036(d)(1).

92. EO 12333, supra note 87, § 1.3(b)(20)(A)–(B); see also 50 U.S.C. § 3036(d)(3) (“The Director of the Central Intelligence Agency shall . . . provide overall direction for and coordination of the collection of national intelligence outside the United States through human sources by elements of the intelligence community authorized to undertake such collection . . . .”). No intelligence community entity except the FBI is allowed to engage within the United States in “foreign intelligence collection . . . for the purpose of acquiring information concerning the domestic activities of United States persons.” EO 12333, supra note 87, § 2.3(b).

93. See, e.g., Cnty of Riverside v. McLaughlin, 500 U.S. 44, 56 (1991) (holding Constitution requires person arrested without judicially approved warrant must be brought before magistrate promptly, which generally means within forty-eight hours).

94. EO 12333, supra note 87, § 2.4.

policies, or media.”95 The intelligence community is greatly restricted in its ability to secretly monitor or participate in domestic political groups.96

Entities other than the FBI are strictly limited in terms of the surveillance and searches they can perform within the United States, and somewhat limited regarding activities against U.S. persons abroad.97 And the Foreign Intelligence Surveillance Act (FISA), enacted in 1978,98 limits the surveillance and physical searches the FBI can conduct domestically for foreign-intelligence purposes and puts these functions under the oversight of Article III judges.99 FISA is complex, but in its basic structure it requires both high-ranking executive and judicial approval for surveillance in the United States or against U.S. persons abroad,100 and sets up a number of substantive protections to make sure that everyone’s domestic communications and worldwide communications of U.S. persons are only targeted to the extent they are themselves agents of foreign powers or are communicating with such agents.101 Strict rules for the intelligence community governing the collection, retention, and dissemination of foreign-intelligence information generally only cover U.S. persons,102 and the general Privacy Act also only protects U.S. persons.103

95. Id. § 2.13; see also 50 U.S.C. § 3093(e) (“As used in this subchapter, the term ‘covert action’ means an activity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly . . . .”); id. § 3093(f) (“No covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.”).

96. See EO 12333, supra note 87, § 2.9 (barring undisclosed participation by intelligence community in domestic organizations except in certain circumstances). These restrictions can be eased according to procedures approved by the Attorney General and in cases where it is found “essential,” and barring attempts to influence domestic organizations unless “undertaken on behalf of the FBI in the course of a lawful investigation” or the domestic organization is largely composed of foreign nationals and “reasonably believed to be acting on behalf of a foreign power.” Id.

97. See id. § 2.4 (limiting “Intelligence Community” to “least intrusive collection techniques feasible” and enumerating restrictions to electronic surveillance and physical searches “in the United States”).

98. Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783 (codified as amended at 50 U.S.C. §§ 1801–1811 (2012)).

99. 50 U.S.C. §§ 1803–1806, 1812, 1823–1825.

100. See id. §§ 1801–1805 (defining “[e]lectronic surveillance,”—communications surveillance regulated by FISA).

101. See id. §§ 1801(a)–(b), 1802(a), 1805(a) (defining “[f]oreign power” and “[a]gent of foreign power” who can be targeted).

102. See id. §§ 1801(h)(1), 1806(a) (delineating “[m]inimization procedures”); EO 12333, supra note 87, § 2.3 (restricting collection of information “concerning United States persons”).

103. See 5 U.S.C. § 552a(b) (2013) (limiting disclosure of “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains”); see also id. § 552a(a)(2) (“[T]he term ‘individual’ means a citizen of the United States or an alien lawfully admitted for permanent residence . . . .”); id. § 552a(a)(4) (“[T]he term ‘record’ means any item,

FISA loosens restrictions of foreign-intelligence surveillance and searches in the United States during periods of declared war.104

Thus, although there were deeply unfortunate incidents during the early- to mid-Cold War period in which military and foreign-intelligence organizations were deployed against U.S. citizens domestically, the architecture and operating rules of the modern national security state, especially those that emerged in the 1970s and after as part of the reform movement, respect and further the categorical divides between home and abroad, U.S. persons and foreign nationals, and war and peace.

III. CONVERGENCE OF DOMAINS, DISAPPEARANCE OF LEGAL BLACK HOLES

Many aspects of the traditional protection framework described above were essentially unchallenged until the mid-twentieth century. The pace and extent of change has accelerated in the twenty-first century. A great convergence is underway. The distinctions between domestic and foreign, enemy and friend, peace and war, and citizen and noncitizen are breaking down, both in the real world, and in the constitutional and international law determining the domain of rights and the right to access the courts. The protections of the Constitution and the right to access the courts are expanding beyond the territorial borders of the United States to noncitizens abroad. Judicially enforceable constitutional protections are coming to cover military enemies. The battlefield is being constitutionalized to some extent. The institutional design and operating rules of the national security state are relaxing their traditional distinctions between foreign and domestic, enemy and friend, and U.S. person and non-U.S. person.

This Part offers evidence of convergence of domains and closing of legal black holes in a number of areas. First, the importance of citizenship and territorial location to determining rights is decreasing. Second, distinctions between wartime and peacetime are blurring. Third, the operating rules and institutional structures of the national security state are changing to reflect this convergence and softening of categorical distinctions. Fourth, the U.S. law governing foreign relations and national security is losing its distinctiveness, as it assimilates more and more norms from the domestic, peacetime legal regime. And finally, international law is changing in various important respects, most notably its broadening to protect a country’s own citizens in domestic matters, rather than just foreigners in foreign relations contexts.

collection, or grouping of information about an individual that is maintained by an agency . . . .”).

104. See 50 U.S.C. § 1811 (lifting surveillance restrictions “following a declaration of war”); id. § 1829 (noting same for physical-search restrictions).


A. Citizenship and Territorial Location

The importance of an individual’s citizenship and territorial location to obtaining protection from the laws and courts has declined, and it is possible to imagine a future where they are largely irrelevant. But not all commentators see this kind of convergence. For example, since 9/11, it has been asserted that the U.S. government has targeted and oppressed noncitizens as never before.105 There is certainly some truth to that. Trial by military commission, detention at Guantanamo Bay, extraordinary rendition to foreign countries, and imprisonment in CIA black sites overseas, where some of the worst interrogation abuses occurred, were all reserved for noncitizens.106 And noncitizen residents of the United States from Arab or Muslim countries were rounded up and temporarily detained in large numbers after 9/11, primarily using immigration laws.107 But I believe that the more important and more lasting trend in recent years has been toward convergence of the rights of citizens and noncitizens, as well as convergence in rights of people in the United States and abroad.

Even for U.S. citizens, location outside the sovereign territory of the United States often used to result in a lack of protection from the Constitution.108 All that changed with a landmark decision in 1957, Reid v. Covert.109 Since Reid, it has generally been assumed (though Supreme Court decisions have been very few) that U.S. citizens have the same constitutional rights whether they are located in the United States or abroad.110 This change was likely motivated, at least in part, by the large increase in the number of U.S. servicemen and their family members living abroad for extended periods of time in the aftermath of World War II. Reid, for example, involved civilian dependents of U.S. servicemen convicted of capital murder in military courts on U.S. military bases overseas.

105. See, e.g., David Cole, Enemy Aliens 1–14 (2003) [hereinafter Cole, Enemy Aliens] (discussing treatment of noncitizens since 9/11).

106. See, e.g., 10 U.S.C. § 948b(a) (2012) (limiting military commission trials for “unprivileged enemy belligerents” to noncitizens); Hamdi v. Rumsfeld, 542 U.S. 507, 510 (2004) (plurality opinion) (noting Yaser Hamdi was transferred from custody at Guantanamo Bay to United States after U.S. officials learned he was U.S. citizen); Military Order of Nov. 13, 2001, Detention, Treatment, and Trial of Certain Non-Citizens in the War Against Terrorism, 66 Fed. Reg. 57,833 §§ 2–4 (Nov. 16, 2001) (limiting military detention and trial to noncitizens); David D. Cole, Against Citizenship as a Predicate for Basic Rights, 75 Fordham L. Rev. 2541, 2544 (2007) (noting post–9/11 immigration sweeps looking for terrorism suspects in United States and detention in Guantanamo Bay were both defended by administration on ground they were limited to noncitizens); Leila Nadya Sadat, Ghost Prisoners and Black Sites: Extraordinary Rendition Under International Law, 37 Case W. Res. J. Int’l L. 309, 318 (2006) (noting Bush Administration did not claim right to use extraordinary rendition to foreign countries against U.S. citizens).

107. Cole, Enemy Aliens, supra note 105, at 5.

108. See Neely v. Henkel, 180 U.S. 109, 122–23 (1901) (holding U.S. citizen extradited from United States to Cuba for trial in local courts during U.S. military occupation not protected by “rights, privileges, and immunities that are guaranteed by the Constitution to persons charged with the commission in this country of crime against the United States”); In re Ross, 140 U.S. 453, 464 (1891) (holding sailor of U.S.-flagged vessel tried in U.S. consular court in Japan could not “invoke protection of the provisions [of the Constitution] . . . until brought within the actual territorial boundaries of the United States”). But see Kent, Citizenship, supra note 28, at 2121 n.20 (discussing evidence of extraterritorial constitutional rights for U.S. citizens prior to mid-twentieth century).

109. 354 U.S. 1 (1957).

Reid was explicit that it concerned only citizens, though,111 and so noncitizens remained outside the protection of the Constitution when they were outside the United States. But in 2008 in Boumediene v. Bush, the Court for the first time held that noncitizens detained by the government in another country have rights under our Constitution,112 and did so on behalf of detainees of the U.S. military charged with being enemy fighters in the armed conflict against al Qaeda and the Taliban.113

Although some of the language in Boumediene suggests that decision is limited to a single unique location (Guantanamo Bay, leased by the U.S. government from Cuba) and a single procedural clause of the Constitution (the Habeas Suspension Clause), the decision is not actually so limited. As I have explained elsewhere, Boumediene and other recent cases suggest that noncitizens abroad can now make constitutional claims involving at least Due Process and separation of powers claims in addition to habeas.114 And Boumediene’s test for extension of the Constitution abroad is in no way limited to Guantanamo.115 Eric Posner correctly identified a “cosmopolitan” impulse at the core of Boumediene, a non-instrumental concern for the liberties of noncitizens outside the United States.116

110. See Louis Henkin, Foreign Affairs and the United States Constitution 305–07 (2d ed. 1996) (“Outside the United States, constitutional protections for the individual against governmental action is enjoyed, we may continue to assume, by U.S. citizens . . . .”).

111. See Kent, Global Constitution, supra note 6, at 474–75 (“[T]he Court is discussing the unique relationship between the U.S. government and its ‘citizens.’”).

112. Boumediene v. Bush, 553 U.S. 723, 770 (2008) (“It is true that before today the Court has never held that noncitizens detained by our Government in territory over which another country maintains de jure sovereignty have any rights under our Constitution.” (emphasis omitted)).

113. Regarding enemy fighters, who had traditionally lacked constitutional rights or access to U.S. courts, the Supreme Court had earlier allowed detained enemy fighters who were present in the United States to use habeas corpus. Kent, Enemy Fighters, supra note 9, at 156–57. After 9/11, this right was extended tacitly to enemy fighters held at Guantanamo Bay in Hamdan v. Rumsfeld, 548 U.S. 557 (2006) (entertaining constitutional separation of powers objections to military commission trial of alleged enemy fighter). Boumediene was the first direct, express holding on this point.

114. Kent, Enemy Fighters, supra note 9, at 245–48.

115. See id. (“[T]he Court surely intended to leave itself the maximum flexibility as to where the Constitution applies extraterritorially . . . .”).

116. Eric A. Posner, Boumediene and the Uncertain March of Judicial Cosmopolitanism, 2008 Cato Sup. Ct. Rev. 23, 32–34.


Noncitizens have seen their rights converge somewhat with those of citizens in immigration law as well. For at least a century, the so-called plenary power doctrine has meant significant judicial deference almost amounting to a lack of constitutional restraint on federal immigration statutes and also a view that “aliens lack the right to seek judicial review of the constitutionality of immigration policy.”117 Because of its connections to foreign affairs and national security, and the fact that noncitizens were the primary subjects of its application, immigration law was conceived as a zone apart where ordinary constitutional restraints did not apply.118 But in the twenty-first century, immigration law is becoming increasingly normalized, with more and more constitutional protections available and enforced by the courts.119 As Landau explains, the Supreme Court’s doctrine in immigration law for analyzing claims of individual right used to be based on great deference to the political branches and “categorical, group-based analysis grounded in status, territoriality, and sovereignty that generally resulted in the denial of the claims of foreign nationals.”120 But recently the Court has asserted “a more involved judicial role in assessing both the government’s claimed need for border control and national security and the foreign national’s unique liberty interests and overall circumstances,” with a concomitant greater protection of individual rights.121 The stark, categorical view of the reach of constitutional protection is starting to break down.

117. Adam B. Cox, Citizenship, Standing, and Immigration Law, 92 Calif. L. Rev. 373, 375 (2004).

118. In one particularly stark formulation, the Court said that “[w]hatever the procedure authorized by Congress is, it is due process as far as an alien denied entry is concerned.” United States ex rel. Knauff v. Shaughnessy, 338 U.S. 537, 544 (1950).

119. See Landau, Due Process, supra note 26, at 882 (arguing application of Mathews v. Eldridge, 424 U.S. 319 (1976), to immigration has “produced surprisingly rights-affirming outcomes”); Peter J. Spiro, Explaining the End of Plenary Power, 16 Geo. Immigr. L.J. 339, 339 (2002) (positing Supreme Court decisions from 2000 Term show expansion of “quantum of constitutionally mandated rights owed aliens in immigration proceedings”).

120. Landau, Due Process, supra note 26, at 884.

121. Id. at 885. For example, the Supreme Court recently “narrowly interpreted . . . statutes stripping . . . jurisdiction; imposed limits on the amount of time that foreign nationals can be detained; narrowed the meaning and scope of Chevron [Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984)] deference . . . or ignored Chevron altogether; and rejected or narrowed agency-created procedures that, with Congress’s blessing, limited or foreclosed procedural rights of foreign-nationals.” Id. at 885–86 (citing Kucana v. Holder, 558 U.S. 233, 233, 235 (2010); Nken v. Holder, 556 U.S. 418, 418 (2009); Negusie v. Holder, 555 U.S. 511, 522–23 (2009); Boumediene v. Bush, 553 U.S. 723, 724–25, 728 (2008); Dada v. Mukasey, 554 U.S. 1, 2 (2008); Rasul v. Bush, 542 U.S. 466, 466 (2004); Zadvydas v. Davis, 533 U.S. 678, 679 (2001); INS v. St. Cyr, 533 U.S. 289, 309–10 (2001)).


B. Enemy Status in Wartime

The way the law regards both citizen and noncitizen enemies in wartime has changed significantly over the centuries, with older, categorical distinctions fading in importance as judicial review and protection of the law expands to cover more and more people and contexts.

1. Enemy Citizens. — Although the rules were somewhat unsettled and disputed coming out of the Revolutionary War and its debates about how to treat American colonists who adhered to the Crown, it was generally accepted in the Founding and antebellum periods that a citizen could not be deemed outside the law’s protection even when committing a serious breach of allegiance such as supporting military enemies or levying war against the United States.122 The traditional rule was that such an individual was subject to criminal prosecution for treason or crimes but could not be subject to military detention or trial. “A citizen could be a ‘traitor’ but could not be an ‘enemy,’ that is, someone out of the protection of the law.”123

These older understandings broke down during the early part of the Civil War. Congress, the executive, and the Supreme Court agreed that all residents of the Confederate States of America were liable to be treated as de facto enemy aliens who lacked protection of the laws.124

Many residents of Union states were also so treated in practice, for example, Confederate-aligned guerrillas in loyal border states like Missouri and Kentucky. And although the Supreme Court in Milligan tried after the war ended to reimpose some of the older, categorical protection for U.S. citizenship,125 the Court nevertheless acknowledged that U.S. citizens who were enemy fighters or residents of the Confederacy could be treated as military enemies lacking protection from the Constitution and laws.126

So it was that during World War II, the Supreme Court reiterated that U.S. citizens “who associate themselves with the military arm of the enemy government” and fight against the United States can be treated as “enemy belligerents” outside the protections of the Constitution and detained or tried by military commission just like noncitizen enemy fighters.127 The infamous internment of U.S. citizens of Japanese ancestry during World War II in effect treated certain civilian U.S. citizens, resident in the United States, as de facto enemy aliens. This was broadened beyond Japanese Americans during the early Cold War. In the Emergency Detention Act of 1950 (Title II of the Internal Security Act), Congress authorized the President to detain any person in the United States, including U.S. citizen civilians, during a declared war, invasion, or insurrection in aid of a foreign enemy.128

122. See Kent, Civil War, supra note 7, at 1860 (explaining far reach of protection of law in antebellum period).

123. Id. at 1860–61.

124. See id. at 1872–1911.

125. Ex parte Milligan, 71 U.S. (4 Wall.) 2, 120–21 (1866) (“The Constitution of the United States is a law for rulers and people, equally in war and in peace, and covers with the shield of its protection all classes of men, at all times, and under all circumstances.”).

126. See supra note 35 and accompanying text (noting all persons resident in enemy nation, enrolled in enemy’s armed forces (enemy fighters), or present at site of actual combat were out of protection of Constitution); see also Kent, Civil War, supra note 7, at 1842, 1927–29 (discussing differences among prisoners of war, persons residing in enemy territory, and persons residing in loyal U.S. territory).

When a U.S. citizen was detained after 9/11 during the war in Afghanistan and brought to the United States in military custody, Justice Scalia opined in a dissent that “the categorical procedural protection” of the Constitution for U.S. citizens barred his military detention.129 But he was 150 years too late. The majority of the Court had no trouble concluding that “[t]here is no bar to this Nation’s holding one of its own citizens as an enemy combatant.”130 Scalia excoriated what he called the “judicious balancing” that replaced the older “categorical” protections.131 I call it convergence.

2. Court Access. — Rights without a judicial remedy often provide little protection. Hence, the right and ability to access courts is a crucial part of being protected by the laws.

At common law and during the American Founding period, a very strict rule was applied barring all alien enemies—wherever domiciled, and no matter whether civilians or enemy fighters—from access to the courts during wartime. In the first decades of the nineteenth century, the rule softened so that civilian enemy aliens who were peacefully present in the United States could access the courts.132 The categorical bar remained, however, for nonresident alien enemies and enemy fighters, no matter where located.133

In retrospect, a major moment in convergence occurred during World War II when, in the famous Quirin case, the Supreme Court reversed course and held that the German enemy fighters held for military commission trial in the United States had a constitutional right to access the courts.134 Since that time, it has been assumed that literally any person present in the United States may access the courts, at least via habeas corpus, to challenge executive detention. But even after Quirin, nonresident enemy fighters continued to be barred from the courts, a lingering remnant of the old categorical rule applicable to all enemy aliens.135 Boumediene contributed to additional convergence when it held in 2008 that noncitizens held as alleged enemy fighters in territory under the control but not sovereignty of the United States had a constitutional right to access the courts via habeas to challenge their detentions. The constitutional right to access the courts is not yet fully universal—extraterritorially, the right might only apply to habeas corpus, and there might be some places or persons where it does not reach136—but it is getting there.

127. Ex parte Quirin, 317 U.S. 1, 37–38, 44 (1942).

128. Emergency Detention Act of 1950, Pub. L. No. 81-831, §§ 102–103, 64 Stat. 987, 1019–21 (noting “detention of persons who there is reasonable ground to believe” will commit espionage is “essential to the common defense . . . of the United States”).

129. Hamdi v. Rumsfeld, 542 U.S. 507, 575 (2004) (Scalia, J., dissenting).

130. Id. at 519 (plurality opinion). Justice Thomas, the fifth vote against the detainee, would have gone even further in rejecting the U.S. citizen’s claims for protection from the courts. See id. at 585 (Thomas, J., dissenting) (“[T]he question whether Hamdi is actually an enemy combatant is of a kind for which the Judiciary has neither aptitude, facilities nor responsibility . . . .” (internal quotation marks omitted)).

131. Id. at 575 (Scalia, J., dissenting).

132. Cf. supra note 29 and accompanying text (discussing ability of noncitizens to access the courts at the time).

133. See Kent, Enemy Fighters, supra note 9, at 188–95 (discussing court access for nonresident alien enemies and enemy fighters).

3. The Legal Effects of War on Persons and Property. — Wartime used to be understood as an exceptional state during which all ordinary civil intercourse between persons of warring nations was, in theory if not in practice, interdicted, and the persons and property of enemy aliens, even law-abiding civilians, liable to seizure.

Today, it is very unusual for the United States to go to war with a nation state.137 Even when the United States fights a nation state, the old apparatus of detention of peaceful enemy alien civilians and private property confiscation is forgotten.138 The stark distinctions between peacetime and wartime are dissolving. There are no “enemy aliens” in the long war against al Qaeda and related terrorist groups, because the United States is not fighting a nation state. Using terminology from a landmark Supreme Court case about how to understand the Civil War, we can say that war used to commonly be “territorial,” with people’s status determined not by their personal conduct but by their citizenship or geography (domicile), while today war is much more “personal,” with guilt and hence authority to use force against a person determined more by individual behavior.139

134. See id. at 165–69 (discussing Quirin’s holdings).

135. See Johnson v. Eisentrager, 339 U.S. 763, 769–71 (1950) (“It is war that exposes the relative vulnerability of the alien’s status.”).

136. Maqaleh v. Hagel, 738 F.3d 312, 317 (D.C. Cir. 2013) (declining to extend Boumediene to detainees at U.S. military base at Bagram, Afghanistan).

137. Eric Talbot Jensen, Future War, Future Law, 22 Minn. J. Int’l L. 282, 298 (2013) (“The vast majority of the armed conflicts in recent decades have not been between states, but between states and non-state actors or between two groups of non-state actors. Advancing technologies will make this phenomena even more pronounced.”).

138. See Sidak, supra note 38, at 1405 (noting Alien Enemy Act was not invoked during Korean War, Vietnam War, or Gulf War because those were not formally declared wars).

139. See The Prize Cases, 67 U.S. (2 Black) 635, 694–95 (1863) (Nelson, J., dissenting) (discussing transition from territorial war to personal war). See generally Issacharoff & Pildes, Targeted Warfare, supra note 27, at 1522–23 (“Whereas the traditional practices and laws of war defined ‘the enemy’ in terms of categorical, group-based judgments that turned on status . . . we are now moving to a world that . . . requires the individuation of enemy responsibility of specific enemy persons before the use of military force is considered justified . . . .”).

Prior to 9/11, threats from non-state groups like terrorists were largely handled as a matter of law enforcement and intelligence gathering. But it has been clear for about fourteen years that non-state groups’ successful perpetration of mass-casualty attacks and the U.S. government’s military response were blurring the lines between peacetime versus wartime, crime versus warfare, and law enforcement versus military responses.140 It is frequently said that the old notion of a “battlefield” as distinct from areas where armed conflict is not occurring is fading away.141 In this new era, convergence of domains has been rapidly occurring.

Extended, indefinite military detention became a leading way that the U.S. government responded to the threat from al Qaeda and affiliated groups. Even some suspected terrorists captured in the United States, including a U.S. citizen, were put initially into military detention instead of the Article III system.142 Some suspected terrorists caught abroad were held in CIA or military detention and interrogated without Miranda warnings even though they were eventually sent to the United States to answer for ordinary criminal indictments.143 Even when detention stayed within the civilian Article III system, the government’s practices changed significantly, blurring the line between criminal and extraordinary, noncriminal detention.144 The Supreme Court upheld (albeit not on the merits) the government’s apparent practice of pretextually using the material-witness detention statute against both U.S. citizens and noncitizens in the United States for counterterrorism purposes.145

140. See, e.g., Rosa Ehrenreich Brooks, War Everywhere: Rights, National Security Law, and the Law of Armed Conflict in the Age of Terror, 153 U. Pa. L. Rev. 675, 677 (2004) (“[B]inary distinctions are no longer tenable.”).

141. See, e.g., Frédéric Mégret, War and the Vanishing Battlefield, 9 Loy. U. Chi. Int’l L. Rev. 131, 141 (2011) (“The deconstruction of the battlefield is, in fact, well under way . . . .”).

142. See al-Marri v. Wright, 487 F.3d 160, 164 (4th Cir. 2007), rev’d sub nom. al-Marri v. Pucciarelli, 534 F.3d 213 (4th Cir. 2008) (en banc) (per curiam), vacated sub nom. al-Marri v. Spagone, 555 U.S. 1220 (2009); Padilla v. Hanft, 423 F.3d 386, 388 (4th Cir. 2005).

143. See, e.g., Butch Bracknell & James Joyner, Ahmed Abu Khattala and the Miranda-Rights Question, Nat’l Int. (July 8, 2014), http://nationalinterest.org/feature/ahmed-abu-khattala-the-miranda-rights-question-10828 (on file with the Columbia Law Review) (recounting initial un-Mirandized interrogation aboard Navy ship of captured Libyan jihadist and subsequent transfer to U.S. soil to appear before federal judge).

144. See Chesney & Goldsmith, supra note 25, at 1100–08 (arguing federal prosecutors in post–9/11 terrorism cases increasingly pursue membership-based liability, akin to traditional military detention).

On the same day as it decided Boumediene, the Court, in Munaf v. Geren,146 heard habeas cases from dual U.S. citizens detained as security threats under the control of the U.S. military in Iraq during the insurgency. The Court implied that the substantive due process clause might provide limits on the treatment of these individuals—who were held by U.S. forces in a zone of active combat.147 It is unclear at this point how far Boumediene and Munaf will extend habeas corpus and constitutional rights into war zones. But what is clear is that being a noncitizen or an enemy fighter in a foreign war zone is no longer a categorical bar to constitutional rights and judicial review.

The Anwar al-Awlaki drone strike also highlights these trends of extending rights abroad and to enemy fighters. Al-Awlaki was a U.S. citizen who became a high-ranking leader of al Qaeda in the Arabian Peninsula, helping to direct terrorist attacks against U.S. targets from hiding places in ungoverned regions of Yemen.148 Because he was an enemy fighter in an armed conflict authorized by Congress, and was located outside the United States in a hostile area, older understandings would have treated al-Awlaki as beyond the protection of the Constitution. But in al-Awlaki’s case, the U.S. executive branch now recognized that geography and war no longer served as impermeable barriers against constitutional protections, in particular because he was a U.S. citizen. An Office of Legal Counsel (OLC) opinion and a DOJ white paper prepared for public release opined that al-Awlaki had Fourth and Fifth Amendment rights that the executive had to respect.149 The DOJ’s analysis revealed that the executive believes that the Constitution places important limitations on its ability to target U.S. citizens, even when they are enemy fighters in hostile or ungoverned territory. At the same time, the executive has suggested that it will follow with regard to noncitizen targets the same or similar procedural rules that it says the Constitution requires for U.S. citizens.150

145. See Ashcroft v. al-Kidd, 131 S. Ct. 2074, 2080–83 (2011) (finding no constitutional violation in using material-witness arrest warrant to detain U.S. citizen, at least where there is no dispute individualized suspicion supported issuance of warrant).

146. 553 U.S. 674 (2008).

147. See Kent, Insular Cases, supra note 8, at 107 & n.22 (citing Munaf, 553 U.S. at 702) (noting Court disclaimed any intent to rule out potential due process claim arising from more extreme cases of detention, such as transferring detainee to foreign control if torture is likely).

148. See Charlie Savage & Peter Baker, Obama, in a Shift, to Limit Targets of Drone Strikes, N.Y. Times (May 22, 2013), http://www.nytimes.com/2013/05/23/us/us-acknowledges-killing-4-americans-in-drone-strikes.html (on file with the Columbia Law Review) (discussing drone strike against al-Awlaki and U.S. government’s legal rationale for it).

149. See DOJ, Lawfulness of a Lethal Operation Directed Against a U.S. Citizen Who Is a Senior Operational Leader of al-Qa’ida or an Associated Force 5–10, available at http://msnbcmedia.msn.com/i/msnbc/sections/news/020413_DOJ_White_Paper.pdf (on file with the Columbia Law Review) (last visited Mar. 8, 2015) (considering whether and in what circumstances legal operation against U.S. citizen abroad violated Fourth and Fifth Amendment constitutional protections); DOJ Office of Legal Counsel, Applicability of Federal Criminal Laws and the Constitution to Contemplated Lethal Operations Against Shaykh Anwar al-Aulaki 38–41 (2010), available at https://www.aclu.org/sites/default/files/assets/2014-06-23_barron-memorandum.pdf (on file with the Columbia Law Review) (same); Charlie Savage, Justice Department Memo Approving Targeted Killing of Anwar Al-Awlaki, N.Y. Times (June 23, 2014), http://www.nytimes.com/interactive/2014/06/23/us/23awlaki-memo.html?_r=0 (on file with the Columbia Law Review) (providing electronic version of OLC memo).

Another example of this rights convergence and softening of categorical boundaries is the change in the rules regarding blocking and seizing the property for national security or foreign affairs purposes. Old rules allowed the U.S. government to detain the property of foreign nations, foreign nationals, and U.S. persons residing in enemy nations during wartime. But in recent years, the U.S. government has applied these rules to U.S. persons within the United States and has successfully argued to several lower federal courts that only the most minimal constitutional protections limit that seizure authority.151

C. Institutional Arrangements and Operating Rules

As discussed above, there is an important kind of protection in addition to legal protections in the form of rights and judicial review: practical protections derived from the institutional structures or operating rules of national security institutions. Convergence of previously distinct domains is also occurring in that area. Individual rights and interests of groups previously excluded from protection—such as military enemies and noncitizens abroad—are increasingly being protected by structures and operating rules of national security institutions.

150. President Obama articulated this point during a speech at the National Defense University in 2013:

Beyond the Afghan theater, we only target al Qaeda and its associated forces. And even then, the use of drones is heavily constrained. America does not take strikes when we have the ability to capture individual terrorists; our preference is always to detain, interrogate, and prosecute . . . . [W]e act against terrorists who pose a continuing and imminent threat to the American people, and when there are no other governments capable of effectively addressing the threat. And before any strike is taken, there must be near-certainty that no civilians will be killed or injured—the highest standard we can set.

President Barack Obama, Remarks by the President at National Defense University (May 23, 2013), http://www.whitehouse.gov/the-press-office/2013/05/23/remarks-president-national-defense-university (on file with the Columbia Law Review).

151. See Islamic Am. Relief Agency v. Gonzales, 477 F.3d 728, 735–36 (D.C. Cir. 2007) (finding no constitutional violation in government decision to block Muslim organization’s assets); Holy Land Found. for Relief & Dev. v. Ashcroft, 333 F.3d 156, 164–66 (D.C. Cir. 2003) (same). But see Kindhearts for Charitable Humanitarian Dev. v. Geithner, 647 F. Supp. 2d 857, 919 (N.D. Ohio 2009) (holding U.S.-based charity targeted by government blocking order for alleged terrorist ties had significant Fourth Amendment and Due Process rights that had been violated by government).

This can be seen in the area of intelligence collection. At least since the enactment of FISA, there has been a stark divide: Intelligence collection for national security purposes conducted outside the United States could proceed with little legal limit and essentially no judicial oversight (though U.S. citizens and lawful permanent residents received somewhat more protection), whereas within the United States, much stricter limits and judicial oversight applied. But convergence is occurring. As a result of recent legislation, the federal judiciary is now reviewing ex ante the legality of some surveillance requests directed at foreign targets overseas152 while at the same time, as the recent revelations by Edward Snowden have shown, approving sweeping collection of telephony and internet metadata of U.S. citizens’ domestic communications.153 There is pressure for further convergence. The recent Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies recommended that non-U.S. persons be given significantly greater privacy protections from electronic surveillance than they currently possess under the Constitution and laws of the United States,154 and the President responded affirmatively in the new Presidential Policy Directive (PPD-28) on Signals Intelligence Activities.155 In a similar vein, even though the Privacy Act protects only U.S. persons with regard to government records, the Department of Homeland Security has administratively extended some protections to noncitizens.156

152. FISA Amendments Act of 2008, 50 U.S.C.A. § 1881a (West 2008).

153. See ACLU v. Clapper, 959 F. Supp. 2d 724, 730 (S.D.N.Y. 2013) (“Edward Snowden’s unauthorized disclosure of Foreign Intelligence Surveillance Court (‘FISC’) orders has provoked a public debate and this litigation. While robust discussions are underway across the nation, in Congress, and at the White House, the question for this Court is whether the Government’s bulk telephony metadata program is lawful.”).

154. Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies 29–30 (2013) (Recommendations 13–14), http://www.lawfareblog.com/wp-content/uploads/2013/12/Final-Report-RG.pdf (on file with the Columbia Law Review).

155. Presidential Policy Directive/PPD-28—Signals Intelligence Activities, pmbl. (Jan. 17, 2014), http://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities (on file with the Columbia Law Review) (stating U.S. signals-intelligence practices must protect “legitimate privacy and civil liberties concerns of U.S. citizens and citizens of other nations”); id. § 4, 4(a) (“All persons . . . have legitimate privacy interests in the handling of their personal information. . . . To the maximum extent feasible consistent with the national security . . . policies and procedures are to be applied equally to the personal information of all persons, regardless of nationality.”).

156. See Memorandum from Hugo Teufel III, Chief Privacy Officer, U.S. Dep’t of Homeland Security, Privacy Policy Guidance Memorandum § III, (Jan. 7, 2009), http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2007-1.pdf (on file with the Columbia Law Review) (extending some protections of Privacy Act of 1974 to non-U.S. citizens).

1060 COLUMBIA LAW REVIEW [Vol. 115:1029

Judicialization and greater rights protection through institutional change have been evident in the electronic surveillance area since at least 1978. Based on hints from the Supreme Court,157 a number of courts of appeals affirmed the constitutionality of warrantless evidence gathering by the executive—either electronic surveillance or physical searches—for foreign-intelligence purposes, even when U.S. citizens were the target or the search occurred in the United States.158 But Congress in 1978 imposed a regime of judicial oversight through the FISA statute.

Military targeting presents another area in which national security institutions are changing in ways that provide greater protection to previously vulnerable groups. Up through the end of the Vietnam War, American commanders did not seek or receive legal advice about battlefield matters such as targeting.159 In the last several decades, there has been a “comprehensive integration of military lawyers into the targeting process”160 and all other aspects of war-fighting.161 One result has been the development of internal rules and processes that give great weight to minimizing anticipated harm to foreign civilians and foreign civilian infrastructure.162

A similar phenomenon exists in intelligence agencies. Before the mid-1970s, a small number of agency lawyers “were not consulted” during the planning of intelligence collection or covert actions.163 As a result of the revelations of CIA scandals in the 1970s, everything changed. The Office of General Counsel at the CIA increased in size nearly tenfold

157. See United States v. U.S. Dist. Court, E.D. Mich., 407 U.S. 297, 321–22 (1972) (imposing limits on domestic surveillance but identifying surveillance regarding foreign entities as separate matter).

158. United States v. Truong Dinh Hung, 629 F.2d 908, 912–16 (4th Cir. 1980); United States v. Butenko, 494 F.2d 593, 604–05 (3d Cir. 1974) (en banc); United States v. Brown, 484 F.2d 418, 425–27 (5th Cir. 1973).

159. Goldsmith, supra note 23, at 125.

160. Peter Margulies, Valor’s Vices: Against a State Duty to Risk Forces in Armed Conflict, 37 Vt. L. Rev. 271, 303 (2012) [hereinafter Margulies, Valor’s Vices].

161. See Goldsmith, supra note 23, at 125–35 (surveying growing role of lawyers in reviewing operational plans, giving advice on battlefield, and educating soldiers on legal issues).

162. See id. at 135–46 (summarizing role of lawyers in “elaborate, multi-layered, lawyer-vetted process” aimed at minimizing collateral damage); Margulies, Valor’s Vices, supra note 160, at 303–04 (arguing military lawyers are well-equipped to develop process-based approach to analyzing targeting decisions in light of collateral effects). For an overview of current targeting doctrines and practices, see generally Gregory S. McNeal, New Approaches to Reducing and Mitigating Harm to Civilians, in Shaping a Global Framework For Counterinsurgency Law: New Directions In Asymmetric Warfare 127 (William Banks ed., Oxford University Press 2013).

163. Goldsmith, supra note 23, at 87.

2015] DISAPPEARING LEGAL BLACK HOLES 1061

from the late 1970s to the present.164 Congress imposed restrictions on CIA covert actions that were meant to increase presidential accountability to Congress and therefore decrease excesses like the attempted assassination of foreign leaders.165 All of the new lawyers enforced these and other restrictions. Based on interviews with participants, Goldsmith estimates that today over 100 government officials, including at least ten lawyers “and often more” review any proposed covert action.166 All of this law, review, and oversight has the effect of providing practical protections to the foreign nationals who otherwise would have been impacted by covert actions, as either targets or collateral damage.

D. Decline of Foreign Affairs Exceptionalism and Deference

For at least a century,167 if not more, foreign affairs law has been understood to be different than ordinary constitutional law in both rules about authority of government and rights of individuals. This “foreign affairs exceptionalism”168 has manifested itself in many ways. There has been a generalized posture and rhetoric of deference by the courts.169 Courts have given great deference to factual and predictive claims by the

164. Id.; see also John Rizzo, Company Man 48 (2014) (discussing expansion of Office of General Counsel from 1970s to turn of twenty-first century).

165. Goldsmith, supra note 23, at 87–95 (outlining accountability mechanisms imposed upon intelligence community by Congress following Iran–Contra scandal).

166. Id. at 89.

167. There is significant debate about how exceptional foreign affairs law was—how deferential courts were to the political branches in foreign affairs cases—during the Founding and antebellum periods. Recent scholarship suggests that courts actively entered the fray in cases raising significant foreign affairs questions and did not apply deference doctrines. See, e.g., David Sloss, Judicial Deference to Executive Branch Treaty Interpretations: A Historical Perspective, 62 N.Y.U. Ann. Surv. Am. L. 497, 498–99 (2007) (examining treaty interpretation by Supreme Court in early Republic). Other scholars disagree.

168. See Curtis A. Bradley, A New American Foreign Affairs Law?, 70 U. Colo. L. Rev. 1089, 1096 (1999) (defining foreign affairs exceptionalism as “view that the federal government’s foreign affairs powers are subject to a different, and generally more relaxed, set of constitutional restraints than those that govern its domestic powers”); see also Louis Henkin, The Constitution for Its Third Century: Foreign Affairs, 83 Am. J. Int’l L. 713, 716 (1989) (suggesting foreign affairs are likely to remain “constitutionally ‘special’” in U.S. law).

169. See, e.g., Haig v. Agee, 453 U.S. 280, 292 (1981) (reviewing suit for declaratory and injunctive relief concerning Secretary of State’s administrative revocation of passport and approaching task of statutory construction with view “[m]atters intimately related to foreign policy and national security are rarely proper subjects for judicial intervention”); Harisiades v. Shaughnessy, 342 U.S. 580, 588–89 (1952) (rejecting constitutional challenge to deportation of former members of Communist Party and stating “contemporaneous policies in regard to the conduct of foreign relations [and] the war power . . . [are matters] so exclusively entrusted to the political branches as to be largely immune from judicial inquiry or interference”).

executive branch.170 The political question, standing, and related justiciability doctrines were often applied to dismiss suits raising national security and foreign affairs issues.171 Courts often gave deference to the executive branch’s interpretations of treaties.172 Courts allowed the executive to decide on a case-by-case basis questions of immunity for foreign officials and, before enactment of FISA, foreign governments too.173 Courts allowed the executive to unilaterally make domestically binding law in foreign affairs in ways that would be unthinkable under ordinary, domestic constitutional rules.174 Courts applied much more expansive preemption doctrines in foreign affairs cases than they did in ordinary domestic cases.175 When cases were heard on the merits raising questions about individual rights in wartime or other national security crises, the courts often upheld the government actions if they found endorsement by both Congress and the President, without fully grappling with the individual rights questions.176 Many other examples could be given.

Foreign affairs exceptionalism buttressed and even exacerbated the categorical distinctions in individual rights protection that demarcated legal black holes. Justiciability doctrines and formalized or de facto deference to the political branches could provide an additional reason why no judicially enforceable individual rights protections were available to certain persons, places, or contexts, thereby reinforcing the categorical distinctions. And even for persons, places, or contexts that in theory were

170. See, e.g., Korematsu v. United States, 323 U.S. 214, 218–19 (1944) (deferring to Congress and military to determine exclusion order was necessary to prevent espionage and sabotage by U.S. residents of Japanese ancestry).

171. See, e.g., Baker v. Carr, 369 U.S. 186, 211–14 (1962) (listing foreign affairs issues found to be nonjusticiable political questions); Rodric B. Schoen, A Strange Silence: Vietnam and the Supreme Court, 33 Washburn L.J. 275, 278–303 (1994) (describing how Supreme Court avoided ruling on merits of suits raising legal questions about U.S. participation in Vietnam War).

172. See, e.g., Sumitomo Shoji Am., Inc. v. Avagliano, 457 U.S. 176, 184–85 & n.10 (1982) (noting “meaning attributed to treaty provisions by the Government agencies charged with their negotiation and enforcement is entitled to great weight”).

173. Samantar v. Yousuf, 130 S. Ct. 2278, 2284–85 (2010) (discussing history of these doctrines and practices).

174. See, e.g., Am. Ins. Ass’n v. Garamendi, 539 U.S. 396, 413–27 (2003) (preempting state law because it interfered with presidential foreign policy initiative).

175. See, e.g., Hines v. Davidowitz, 312 U.S. 52, 63 (1941) (“Our system of government is such that the interest of the cities, counties and states, no less than the interest of the people of the whole nation, imperatively requires that federal power in the field affecting foreign relations be left entirely free from local interference.”).

176. See Samuel Issacharoff & Richard H. Pildes, Between Civil Libertarianism and Executive Unilateralism: An Institutional Process Approach to Rights During Wartime, 5 Theoretical Inquiries L. 1, 5 (2004) (finding courts are reluctant to inquire into tradeoff between security and liberty when other two branches have acted together).

within the zone of protection, deference or justiciability doctrines could render protections unavailable.177

As Goldsmith, Ingrid Wuerth, Peter Spiro, and others have written, foreign affairs exceptionalism has been in decline since the 1990s, and the changes have seemed to accelerate recently. For instance, the Supreme Court has been gradually backing away from the political question doctrine, making it easier for courts to hear foreign affairs cases on the merits.178 Courts are giving less deference to the government’s fact-finding and predictive judgments about foreign affairs or security issues.179 The Court is reining in executive lawmaking in foreign affairs.180 In the post–9/11 era, Goldsmith and others have observed federal judges “discard[ing] their traditional reluctance to review presidential military decisions and thr[owing] themselves into questioning, invalidating, and supervising a variety of these decisions.”181 The Supreme Court is making it very difficult for Congress to remove federal court jurisdiction over habeas challenges to executive detentions in foreign affairs and national security settings.182 Many other examples could be given of the decline of foreign affairs exceptionalism or domesticization of foreign affairs.183

177. See, e.g., Korematsu v. United States, 323 U.S. 214, 220 (1944) (justifying detainment of Japanese American U.S. citizens with idea that military’s “power to protect [against foreign threats] must be commensurate with the threatened danger”).

178. See Zivotofsky ex rel. Zivotofsky v. Clinton, 132 S. Ct. 1421, 1430 (2012) (rejecting executive’s argument that challenge to its refusal on Article II grounds to comply with congressional statute regarding U.S. passports and status of Jerusalem was nonjusticiable political question).

179. For example, in Boumediene, the Court independently determined that the government had presented “no credible arguments” or evidence to corroborate its claim “that the military mission at Guantanamo would be compromised if habeas corpus courts had jurisdiction to hear the detainees’ claims.” Boumediene v. Bush, 553 U.S. 723, 769 (2008).

180. See Medellin v. Texas, 552 U.S. 491, 498–99 (2008) (holding President lacked authority to order state courts to reconsider criminal convictions that, according to International Court of Justice decision, violated defendants’ treaty-based rights).

181. Goldsmith, supra note 23, at xi.

182. See Boumediene, 553 U.S. at 724–25, 728 (holding unconstitutional statute providing federal judiciary had no jurisdiction to hear habeas petitions from noncitizens detained at Guantanamo Bay); Hamdan v. Rumsfeld, 548 U.S. 557, 576–84 (2006) (applying exacting clear statement rule to hold Congress had not barred with sufficient clarity federal court jurisdiction over Guantanamo detainee’s habeas corpus petition); INS v. St. Cyr, 533 U.S. 289, 309–10 (2001) (applying clear statement rule to narrowly interpret jurisdiction-limiting provisions of immigration statutes and permitting habeas petition by foreign nationals to proceed in habeas corpus).

183. As Goldsmith has pointed out, in some areas of foreign relations law, the Court has become more formalist, rejecting free-form balancing by courts of foreign relations interests in favor of more rule-like approaches. See Jack L. Goldsmith, The New Formalism in United States Foreign Relations Law, 70 U. Colo. L. Rev. 1395, 1424 (1999) (arguing “[s]ince the end of the Cold War, the Supreme Court and lower federal courts have begun to adopt a more formalistic approach” to foreign relations doctrines). One can see this in the act of state doctrine, dormant foreign affairs preemption, the political question doctrine, and doctrines about the extraterritorial reach of U.S. statutes. See id. at 1425–29 (discussing Court’s adoption of rule-like approach in various foreign relations doctrines). Although this formalism reduces judicial subjectivity and freedom, the net effect is often to treat cases that were previously considered foreign affairs more like ordinary cases, and to resolve them under ordinary rules. See id. at 1437 (noting rule-like approach minimizes judicial foreign policy judgments).

These developments support and extend the convergence of individual rights protection by making it more likely that judicial review will be available and, if it is, less likely that the courts will defer to the government’s position.184

E. International Law

Convergence of previously distinct domains, closing of legal black holes, and greater protection of rights can be seen in international law as well. The development of international human rights law meant that international law now protected a country’s citizens against their own government. International law became universal, no longer just the law of a club of “civilized” countries. The international laws of war developed greatly, bringing widely accepted, robust legal protections to previously at-risk groups, like civilians in occupied territory, prisoners of war, and the wounded. Other developments in the international laws of war and human rights law meant that it was no longer acceptable to treat guerillas, pirates, and other practitioners of “uncivilized” warfare as outside of all legal protection. While this is a complex subject, it can fairly be said that the traditional, categorical distinctions between the laws of war and the law of human rights are dissolving,185 as are the categorical divisions within the laws of war between the law governing international versus non-international armed conflicts.186

Like U.S. law, international human rights law is also gradually expanding its protections geographically. Important U.S. government actors, and many foreign governments, NGOs, and commentators have been arguing that treaties like the Convention Against Torture and the International Covenant on Civil and Political Rights do not only apply in U.S. territory but also wherever the government exercises effective

184. Of course the Court has not wholly abandoned its practice of treating foreign affairs and national security cases as exceptional. See, e.g., Aziz Z. Huq, Structural Constitutionalism as Counterterrorism, 100 Calif. L. Rev. 887, 897–98 (2012) (criticizing Court’s decision in Holder v. Humanitarian Law Project, 561 U.S. 1 (2010), for deferring too much to government’s factual claims and failing to apply ordinary, domestic First Amendment analysis to challenge to statute banning provision of material support to foreign terrorist organizations).

185. See Cordula Droege, Elective Affinities? Human Rights and Humanitarian Law, 90 Int’l Rev. Red Cross 501, 501–05 (2008) (“[T]here is today no question that human rights law comes to complement humanitarian law in situations of armed conflict.”); Hans-Joachim Heintze, On the Relationship Between Human Rights Law Protection and International Humanitarian Law, 86 Int’l Rev. Red Cross 789, 789–91 (2004) (noting human rights laws now apply to both war- and peacetime).

186. See Jensen, supra note 137, at 290–91 (arguing bifurcation between laws for international conflict and laws for non-international conflicts is “under fire”).

jurisdiction and control,187 such as at detention facilities run by the U.S. government in foreign countries.

IV. WHAT MIGHT TODAY BE DRIVING THE CONVERGENCE OF DOMAINS AND THE CLOSING OF LEGAL BLACK HOLES?

This Essay has described convergence of domains and closing of legal black holes through changes in constitutional law, common law, international law, statutory law, judicial attitudes and practices, and executive-branch structures and operating rules. Though change has been most pronounced in recent decades, some of the legal, institutional, and attitudinal changes have taken place over centuries. Pinpointing causal factors would clearly be a difficult undertaking.

What might be more feasible, and more useful, would be to suggest some forces that, whether or not they have been responsible for pushing toward convergence and the closing of legal black holes in the past, today seem to be associated with and supportive of further movements in those directions.

A. The Expansion of Rights, Jurisdiction, and Remedies

When the Constitution had a fairly limited domain of protection, even in ordinary domestic settings, it would not have seemed strange or troubling that large areas of national security and foreign affairs were outside the Constitution’s protective umbrella. And when the jurisdiction of the federal courts was fairly limited, doctrines that blocked access to the courts in foreign affairs and national security cases on the basis of citizenship, geography, or territorial location would not have seemed strange or troubling either. But over the course of American history, both the substantive coverage of the Constitution and the jurisdiction of the courts have increased greatly.

For many decades, constitutional rights were interpreted narrowly and rarely, and the rights protected relatively few people. The Supreme Court’s first holding on the Fifth Amendment Due Process Clause came in 1856.188 The Court’s first decision addressing the Sixth Amendment jury trial guarantee and Confrontation Clause came in 1878.189 The

187. See, e.g., Peter Margulies, Extraterritoriality and Human Rights: Time for a Change in the U.S. View?, Lawfare (Mar. 8, 2014, 8:11 AM), http://www.lawfareblog.com/2014/03/extraterritoriality-and-human-rights-time-for-a-change-in-the-u-s-view/ (on file with the Columbia Law Review) (arguing against U.S. position that treaties do not apply extraterritorially).

188. See Murray’s Lessee v. Hoboken Land & Improvement Co., 59 U.S. (18 How.) 272, 280–81 (1856) (ruling statute allowing for property liens on debtor did not violate Fifth Amendment’s Due Process Clause).

189. See Reynolds v. United States, 98 U.S. 145, 168 (1878) (ruling grand jury in polygamy case did not violate Sixth Amendment).

Court’s first important Fourth Amendment case was decided in 1886.190 The First Amendment had little bite until the 1940s.191 Very little in the Constitution applied as rights-based limits to the activities of state and local governments until the Reconstruction Amendments. Either formally or practically, for many purposes, whole categories of people were outside the protection of the Constitution: slaves, African Americans including freed slaves, incarcerated convicts, and the institutionalized mentally ill. The federal courts’ jurisdiction was also relatively narrow for many decades: It was not until 1875 that general federal question jurisdiction was given to the federal courts.192 The most important judicial tools for remedying unconstitutional government actions also developed slowly. Throughout the nineteenth century, injunctions and mandamus were often unavailable.193

Starting gradually in the latter part of the nineteenth century, following on the heels of the extension of federal question jurisdiction, and increasing exponentially after World War II, there has been an expansion in the substantive coverage of constitutional rights. Today, it is a dense code that pervasively regulates many of the activities of all branches and levels of government. Previously excluded groups, mentioned above, have over time come within the protections of the Constitution, either by formal amendment or interpretation or both.194 There has been a criminal procedure revolution that vastly expanded protections for suspects and defendants, primarily in the 1960s and 1970s, though its roots

190. See Boyd v. United States, 116 U.S. 616, 634–35 (1886) (holding “compulsory production of . . . private books” was “unreasonable search and seizure—within the meaning of the Fourth Amendment”).

191. See, e.g., Abrams v. United States, 250 U.S. 616, 624 (1919) (affirming conviction under Espionage Act for urging curtailment of production of war material with intent to hinder war effort).

192. See Judiciary Act of 1875, ch. 137, § 1, 18 Stat. 470. Congress did briefly establish general federal question jurisdiction in the Midnight Judges Act of 1801, see Act of Feb. 13, 1801, ch. 4, § 11, 2 Stat. 89, 92, but it was quickly repealed, see Act of Mar. 8, 1802, ch. 8, § 1, 2 Stat. 132.

Though over time the expansion of federal jurisdiction aided the expansion of individual constitutional rights, in 1875, the intent was more nearly the opposite. Both the jurisdiction and size of the federal judiciary were increased by a Republican Party that had largely abandoned the cause of black civil rights and wanted to entrench a nationalist economic vision. See Howard Gillman, How Political Parties Can Use the Courts to Advance Their Agendas: Federal Courts in the United States, 1875–1891, 96 Am. Pol. Sci. Rev. 511, 517–19 (2002) (attributing late nineteenth-century federal court jurisdiction expansion to Republican efforts to control national economy).

193. See Kent, Damages, supra note 17, at 1170–71 (explaining nineteenth-century judicial preference against equitable remedies like mandamus and injunctions).

194. Kent, Citizenship, supra note 28, at 2117; see also G. Edward White, Observations on the Turning of Foreign Affairs Jurisprudence, 70 U. Colo. L. Rev. 1109, 1117–18 (1999) (noting “unprecedented expansion in judicial protection for the civil and political rights of selected minorities . . . which characterized American constitutional jurisprudence for three decades after the close of the Second World War”).

appeared decades earlier.195 At approximately the same time, constitutional law witnessed an enormous growth in the reach and bite of procedural due process.196 Constitutional law and rights expanded in numerous other domains, from privacy and sexual liberty, to regulation of voting, and protections for speech, expression, and religious liberty.197 And the courts have developed powerful remedial tools and doctrines with which to grant injunctive relief and restructure government to protect individual rights.198 As these developments have proceeded, it has seemed more unusual and more normatively troubling to have any zones remain where rights are nonexistent or very limited and where courts decline to exercise jurisdiction or grant remedies.

At the same time, nineteenth-century formalism in legal doctrine and reasoning, characterized by a legal landscape divided into separate spheres or categories, has been declining. Formalist legal doctrine, which was often about drawing lines and deciding which side of the boundary line different phenomena fell on,199 has been gradually supplanted by different styles of legal analysis. Modern constitutional doctrine is often based around rights and interest balancing, rather than categorical rules.200 This shift in reasoning makes it less likely that legal analysis will find any person, place, or context to be categorically outside the protections of the Constitution.

These expansions in individual rights and remedial protections for them have, of course, not happened in a vacuum. Contemporary moral psychology and conceptions of equality seem also to be consistent with

195. See, e.g., Joseph L. Hoffmann & William J. Stuntz, Habeas After the Revolution, 1993 Sup. Ct. Rev. 65, 77–80 (describing “criminal procedure revolution” of 1960s and 1970s).

196. See, e.g., Richard J. Pierce, Jr., The Due Process Counterrevolution of the 1990s?, 96 Colum. L. Rev. 1973, 1974–80 (1996) (exploring background and combined effect of “five landmark opinions issued between 1970 and 1972” that drastically expanded due process protection).

197. See generally Morton J. Horwitz, The Warren Court and the Pursuit of Justice 74–98 (1998) (discussing opinions from Warren era of Supreme Court expanding protection of rights such as decisions on voting regulation and police searches); Lucas A. Powe, Jr., The Warren Court and American Politics 209–335 (2000) (exploring history of Warren Court from 1962–1968 and discussing its rulings on freedom of expression and other personal rights).

198. See, e.g., Abram Chayes, The Role of the Judge in Public Law Litigation, 89 Harv. L. Rev. 1281, 1292–96 (1976) (discussing increasing availability of equitable remedies in twentieth century); Kent, Damages, supra note 17, at 1167–72 (describing shift in courts’ preferences toward equitable remedies in suits against government officials during latter part of twentieth century).

199. Morton J. Horwitz, The Transformation of American Law 1870–1960, at 17 (1992) (stating “[n]ineteenth-century legal thought was overwhelmingly dominated by categorical thinking” and “[l]ate-nineteenth-century legal reasoning brought categorical modes of thought to their highest fulfillment”).

200. See T. Alexander Aleinikoff, Constitutional Law in the Age of Balancing, 96 Yale L.J. 943, 948–63 (1987) (explaining emergence of “balancing” competing interests in modern constitutional jurisprudence).

and supportive of convergence and closing of legal black holes. When the United States was founded, the structure of social life, morality, and legal thought probably contributed to or buttressed the view that protection from the law and courts was very unevenly divided between distinct categories or spheres of persons, places, and contexts. As G. Edward White writes, Americans of the eighteenth and early nineteenth centuries were used to putting people into categories, often binary ones, that entailed social, economic, and sometimes legal differences in powers, privileges, and responsibilities.201 Thus, there were important categorical differences in status between men and women, children and adults, squires and artisans, Indians and non-Indians, slaves and free persons, free whites and free people of color, property holders and those without property, aliens and citizens, and resident aliens and nonresident aliens.

Already in the early nineteenth century, the social and legal distinctions between different kinds of people were coming into some tension with what White calls “the equality principle.”202 Since that time, one of the most important developments in U.S. history has been the expansion of “We the People” to include previously marginalized groups, especially during the huge expansions of civil rights and civil liberties protections from the 1940s onward.

Changes in the moral psychology of residents of the developed West might also be relevant to convergence. As psychologist Jonathan Haidt observes, all societies must confront the question of how to balance needs of the group and those of individuals, and there are two main ways that societies answer this question. According to Haidt, the West has been moving from a sociocentric moral approach to allocating power, rights, and resources—one that places the needs of groups and institutions first and subordinates the needs of individuals—to a more individualistic approach that places individuals at the center and makes society a servant of the individual.203 Gradually increasing recognition of the dignity and rights of all individuals, in both U.S. constitutional law and international human rights law, has proceeded apace with this underlying change in moral psychology. At the same time, an older moral framework based on loyalty, authority, and sanctity has been breaking down. This framework, according to Haidt, valued “self-control over self-expression, duty over rights, and loyalty to one’s groups over concerns for out-groups.”204 Over time, persons on the liberal or left side of the ideological spectrum in the West have come to value the former much more.

201. G. Edward White, History of the Supreme Court of the United States: The Marshall Court and Cultural Change, 1815–1835, at 20 (1988).

202. Id. at 32.

203. Jonathan Haidt, The Righteous Mind: Why Good People Are Divided by Politics and Religion 14–15 (2012) (“The individualistic answer largely vanquished the sociocentric approach in the twentieth century as individual rights expanded rapidly, consumer culture spread, and the Western world reacted with horror to the evils perpetrated by the ultrasociocentric fascist and communist empires.”).

These underlying moral changes have proceeded apace with formal changes in constitutional law and remedies, helping create our present circumstances where it seems more and more “un-American”205 to hold that any person, place, or context is categorically outside the protection of the Constitution and laws.

B. Role and Self-Conception of the Supreme Court and Federal Judiciary

Certain institutional changes within the U.S. government, notably the rise to prominence and power of the Supreme Court, seem conceptually and historically linked to convergence and closing of legal black holes. Today, the Court’s fairly aggressive vision of judicial supremacy, especially in the area of individual rights, is clearly supportive of further convergence and closing of legal black holes.

In Marbury v. Madison, the Court sketched a very limited role for judicial review. First, the Court emphasized that its duty and power to say what the law was could properly be exercised only in service of the court’s duty to provide a remedy for violations of an individual’s private right.206 Second, the Court broadly described categories of “political” issues that could not be decided judicially but lay within the “constitutional or legal discretion” of another branch.207 And, famously, the Court exercised the power of judicial review in service of limiting the Court’s power in the particular case before it and ducking confrontation with the President and Congress.

But in a gradual process spanning centuries, the modern imperial Court emerged from these humble beginnings. Only two acts of Congress were declared unconstitutional in the entire period prior to the Civil War (in Marbury and Dred Scott).208 The pace quickened over the subsequent decades. As of 2002, a Government Printing Office publication had counted 157.209 The Court barely maintains any longer the fiction that it decides constitutional issues only when it unavoidably must to protect an individual’s private rights. It is often very self-conscious and forthright about its modern role of declaring constitutional doctrines and rules that will operate prospectively as binding rules of law applicable to all government actors facing circumstances within the scope of those rules or doctrines.210 The scope, density, and ambition of the modern Court’s constitutional jurisprudence are astounding. It is difficult to think of any important area of social, political, economic, or educational life that entirely evades its reach.

204. Id. at 192–93.

205. See Countdown with Keith Olbermann, supra note 5 (quoting Neal Katyal).

206. See Marbury v. Madison, 5 U.S. (1 Cranch) 137, 163, 177–78 (1803).

207. Id. at 165–66.

208. See Jed Handelsman Shugerman, A Six-Three Rule: Reviving Consensus and Deference on the Supreme Court, 37 Ga. L. Rev. 893, 907 (2003) (“The Court invalidated federal laws only twice before the Civil War (Marbury v. Madison and Dred Scott).”).

209. Gov’t Printing Office, Acts of Congress Held Unconstitutional in Whole or in Part by the Supreme Court of the United States (2002), http://www.gpo.gov/fdsys/pkg/GPO-CONAN-2002/pdf/GPO-CONAN-2002-10.pdf (on file with the Columbia Law Review).

The Court is less and less willing to see any zones of U.S. government activity as categorically immune to judicial review and oversight.211

At the Supreme Court level, if not yet in the lower federal courts, the scope of things considered nonjusticiable political questions has shrunk. Out of quasi-departmentalist beginnings, the modern Court has decided that it “alone among the three branches has been allocated the power to provide the full substantive meaning of all constitutional provisions.”212

The modern Court’s supremacy is widely accepted. “Governments at all levels . . . have essentially acceded to the Supreme Court’s demand in Cooper v. Aaron that the constitutional doctrines and rules announced by the Court in its decisions be treated as equivalent to the Constitution itself.”213

For this enormously powerful and self-confident modern Court, it must seem increasingly quaint to hear the government argue in national security and foreign affairs cases that the judiciary lacks competence or authority to decide a given issue.214

As has been widely recognized, the Court has also shifted the focus and intensity of its judicial review over time. One salient change is the shift that became most obvious in the late 1930s and 1940s, and was noted by the Court itself in, among other places, the famous footnote in the Carolene Products decision.215 As the Court moved toward a more deferential posture to legislative and executive action when reviewing law in the economic and regulatory spheres, it has moved quite strongly to protect civil rights and civil liberties.

210. See, e.g., Pearson v. Callahan, 555 U.S. 223, 236 (2009) (discussing value of “promot[ing] the development of constitutional precedent” by issuing rulings on constitutionality of official conduct); Saucier v. Katz, 533 U.S. 194, 201 (2001) (stressing importance of federal courts issuing written decisions on constitutionality of officers’ conduct); Cnty. of Sacramento v. Lewis, 523 U.S. 833, 841 n.5 (1998) (same).

211. See Kent, Damages, supra note 17, at 1128–30 (“[T]he Supreme Court has arguably never been more assertive in adjudicating national security and foreign relations issues than it has in recent years.”).

212. Rachel E. Barkow, More Supreme Than Court? The Fall of the Political Question Doctrine and the Rise of Judicial Supremacy, 102 Colum. L. Rev. 237, 241 (2002).

213. Kent, Damages, supra note 17, at 1158–59.

214. Even in national security cases involving core competencies of the Congress and executive, the modern Court often does not deign to even mention its doctrines that counsel deference to the political branches, much less apply them. See, e.g., id. at 1133 n.38 (discussing Hamdan v. Rumsfeld, 548 U.S. 557 (2006)).

215. United States v. Carolene Prods. Co., 304 U.S. 144, 152–53 n.4 (1938) (suggesting more searching inquiry might be appropriate when, among other things, rights of discrete and insular minorities are at stake).

This is not to say that the Court entirely sets its own agenda or proceeds further and faster on behalf of individual rights than the national political order will tolerate. Courts are part of that political order, as Mark Tushnet and others emphasize, and when they exercise judicial review it is generally in collaboration with one part of the political order against another, understood either vertically (working with the federal government against state or local governments) or temporally (working with the current order against policies of a prior generation).216

Political coalitions can also amend the Constitution in ways that change individual rights protections directly217 or allow Congress to enforce constitutional rights protections,218 change the jurisdiction or structure of the federal judiciary in ways that promote the protection of individual constitutional rights,219 or enact legislation that supports affirmative constitutional litigation and change,220 declares the punishment of deprivations of constitutional rights,221 tasks the bureaucracy with protecting and extending constitutional rights,222 or promotes preferred values of constitutional dimension, and hence entrench those norms in the legal and political culture.223

216. See Mark E. Tushnet, The Supreme Court and the National Political Order: Collaboration and Confrontation, in The Supreme Court and American Political Development 117–37 (Ronald Kahn & Ken I. Kersch eds., 2006) (examining Court’s role in shaping political order); see also Keith Whittington, Political Foundations of Judicial Supremacy 4 (2007) (arguing “political incentives facing elected politicians . . . often lead politicians to value judicial independence and seek to bolster, or at least refrain from undermining, judicial authority over constitutional meaning”).

217. See, e.g., U.S. Const. amends. XIII, § 1 (banning slavery and involuntary servitude), XIV, § 1 (defining and protecting national citizenship and barring states from abridging privileges or immunities of U.S. citizens or denying persons of due process of law or equal protection of laws), XV, § 1 (barring discrimination in voting on account of race or previous condition of servitude).

218. See id. amends. XIII, § 2, XIV, § 5, XV § 2 (giving Congress power to enforce amendments).

219. See, e.g., Judiciary Act of 1875, ch. 137, § 1, 18 Stat. 470 (granting general federal question jurisdiction of federal courts); Civil Rights Act of 1866, ch. 31, § 3, 14 Stat. 27 (giving federal courts jurisdiction over actions challenging civil and criminal deprivations of civil rights).

220. See, e.g., Voting Rights Act of 1965, Pub. L. No. 89-110, §§ 3–6, 10, 79 Stat. 437 (authorizing Attorney General to initiate and federal courts to hear cases to protect voting rights); 42 U.S.C. § 1983, enacted as section 1 of the Enforcement Act or Ku Klux Klan Act of 1871, ch. 22, 17 Stat. 13 (creating private right of action for deprivation of constitutional rights by persons acting under color of state law).

221. See, e.g., Voting Rights Act of 1965 § 10 (declaring poll taxes violate Constitution and authorizing Attorney General to institute suits to ban them); Civil Rights Act of 1866 § 2 (making it crime for states and state actors to deprive persons of their civil rights or impose increased punishments on account of race).

222. See, e.g., Civil Rights Act of 1964, tit. IV–VI, Pub. L. No. 88-352, 78 Stat. 241 (granting authority to offer grants and technical assistance to promote desegregation of public schools; empowering investigations of racial discrimination in voting, education, housing, employment, use of public facilities, and administration of criminal justice; and directing federal agencies to ensure entities receiving funding do not practice racial discrimination).

223. See, e.g., id., tit. VII (barring discrimination in employment on basis of race, color, sex, religion, or national origin).

Collaboration with other national political actors has marked the Court’s push for greater protection of civil rights and civil liberties generally and, more recently, the moves toward convergence of domains and closing of legal black holes. Instances of sharp conflict between the federal courts and the George W. Bush Administration, and a more generalized but subtler difference in perspectives about the extent to which foreign affairs and national security should be legalized and judicialized, should not be allowed to obscure the role of Congress, the executive, and other parts of the national political order in supporting the judiciary in greater convergence and closing of legal black holes. During the Bush Administration, for example, Congress legislated to protect noncitizen detainees against torture in foreign locations224 and to provide federal court review of detentions and military commission trials,225 albeit not the full-blown habeas corpus that the Court later mandated in Boumediene. The earlier statutory protections were expanded by President Obama and a later Congress.226 For decades Congress has been instrumental in introducing Article III judicial oversight of certain kinds of foreign-intelligence surveillance and searches.227

224. See Detainee Treatment Act, Pub. L. No. 109-148, § 1003(a), 119 Stat. 2680, 2739 (2005) (“No individual in the custody or under the physical control of the United States Government, regardless of nationality or physical location, shall be subject to cruel, inhuman, or degrading treatment or punishment.”).

225. See id. § 1005 (providing for federal-court review of military trials); see also Military Commissions Act of 2006, Pub. L. No. 109-366, § 950, 120 Stat. 2600 (same).

226. See Military Commissions Act of 2009, Pub. L. No. 111-84, 123 Stat. 2190 (providing greater procedural protections, with Article III judicial review, of military commission trials); Exec. Order No. 13,491, 74 Fed. Reg. 4893 (Jan. 22, 2009) (banning torture and mistreatment, including harsh interrogation tactics).

227. The original Foreign Intelligence Surveillance Act of 1978 has been extended numerous times by later Congresses.

C. International Relations and International Law

There have been deep changes in the structure of the international system that seem connected with and supportive of convergence and the closing of legal black holes. At a very broad level, the increasing cross-border flows of people, information, money, goods, and services—in a word, globalization—has likely contributed to a softening of the distinctions between foreign and domestic affairs and between citizen and noncitizen. Sociologist Saskia Sassen describes “denationalization” driven by globalization, where “[t]erritory, law, economy, security, authority, and membership” are no longer constructed solely as “national.”228 But these phenomena operate at such a deep level that any causal role in changes in U.S. law and institutions relevant to this Essay is likely remote and highly mediated. I will instead look for more specific forces.

As I noted earlier in Part III.E, the structure of international law has changed dramatically. It is now universal, not limited in its coverage to civilized states and groups. It protects both noncitizens and citizens from their own governments. It used to have hugely different rules for peacetime and wartime, but those distinctions are collapsing somewhat.

In international law and international relations, there has been a centuries-long shift from diplomacy and coercion at the nation-state level toward a more individualized, judicialized view of how aliens are to be protected. Since at least the eighteenth century, it has been thought that international law has required that a host nation provide some minimum level of fair treatment to alien residents or visitors.229 “Denial of justice” to aliens within the country—for instance, refusing or hindering access to domestic courts—was treated by international law as an injury to the alien’s home state for which the territorial state that had denied justice was responsible.230 The offended home state could, if it chose to “espouse” the claim of its national, seek redress diplomatically.231 Force could also be used if redress were refused; denial of justice was considered a justifiable cause of reprisal.232 In more extreme circumstances such as riot or war, where justice was not so much denied as absent, customary international law allowed the state whose nationals were in peril to intervene forcibly to protect lives or even property,233 something the United States has done many times.234

228. Saskia Sassen, Territory, Authority, Rights: From Medieval to Global Assemblages 1–2 (2006).

229. See, e.g., de Vattel, supra note 52, §§ 104–114, at 145–48 (describing rights retained by foreigners abroad by virtue of membership in society and mankind); 3 G.F. Von Martens, A Compendium of the Law of Nations, Founded on the Treaties and Customs of the Modern Nations of Europe 88 (William Cobbett trans., Cobbett & Morgan 1802) (1795) (suggesting fair treatment of alien visitors was required by law of nations); 8 id. at 273. This norm was often embodied in bilateral treaties. See, e.g., Treaty of Amity, Commerce, and Navigation, U.S.–United Mexican States, arts. XIV–XV, Apr. 5, 1832, 8 Stat. 410 (offering governmental protection of civil rights and immunities to each nation’s citizens when in states of treaty signatories); Treaty of Friendship, Limits and Navigation, U.S.–Spain, art. XX, Oct. 27, 1795, 8 Stat. 138 (same); Treaty of Amity and Commerce, U.S.–Prussia, art. II, July 9–Sept. 10, 1785, 8 Stat. 84 (same); Treaty of Amity and Commerce, U.S.–Swed., art. XVII, Apr. 3, 1783, 8 Stat. 60 (same); Treaty of Amity and Commerce, U.S.–Neth., art. VIII, Oct. 8, 1782, 8 Stat. 32 (granting protections from arbitrary detention and capture of vessels by party signatories of each other).

230. See Francesco Francioni, The Right of Access to Justice Under Customary International Law, in Access to Justice as a Human Right 1, 9–13 (Francesco Francioni ed., 2007) (describing aliens’ access to justice).

231. Id. at 9.

232. See de Vattel, supra note 52, §§ 348–353, at 230–31 (noting instances where force is appropriate); The Federalist No. 80, supra note 58, at 522–23 (Alexander Hamilton) (noting denial of justice as just cause of war).

Modern trends are away from force and more toward judicial remedies. Post–UN Charter, military force is only allowed to be used in self-defense or through authorized collective security processes. International human rights law is increasingly recognizing a right to court access—a right of anyone, citizen or alien, to access domestic courts in the state where they are located to seek redress for violations of domestic or international legal norms.235

More generally, as Samuel Moyn argues, the idea of rights was untethered from citizenship in the state, allowing the idea of universal human rights as against the state to be possible.236 The enormous growth and success of the idea of international human rights in the post–World War II period means that it seems increasingly anachronistic and arbitrary to deny rights protection on the basis of citizenship. For example, the International Covenant on Civil and Political Rights, one of the most important modern human rights instruments to which 167 states are parties, provides that rights of personal security and access to the courts are available to all human beings without distinction.237 The famous Third Geneva Convention bans the detaining power from making invidious distinctions between prisoners of war on the basis of “nationality” or “similar criteria.”238 In light of these trends, protection under U.S. law that turns on categorical distinctions between different classes of persons is increasingly seen as a potential human rights violation.

233. See Lillich on the Forcible Protection of Nationals Abroad 41 (Thomas C. Wingfield & James E. Meyen eds., 2002) (discussing evidence showing state use of force to protect property and life).

234. See Edwin M. Borchard, The Diplomatic Protection of Citizens Abroad or the Law of International Claims 448 (1915) (“The army or navy has frequently been used for the protection of citizens or their property in foreign countries in cases of emergency where the local government has failed, through inability or unwillingness, to afford adequate protection to the persons or property of the foreigners in question.”).

235. See, e.g., International Covenant on Civil and Political Rights, art. 2(3), Dec. 16, 1966, 999 U.N.T.S. 171 (“Each State Party to the present Covenant undertakes: (a) To ensure that any person whose rights or freedoms . . . are violated shall have an effective remedy . . . (b) . . . that any person claiming such a remedy shall have his right thereto determined by competent judicial . . . authorities, or . . . any other competent authority . . . .”); see also Universal Declaration of Human Rights, art. 8, G.A. Res. 217 (III) A, art 8, U.N. Doc. A/RES/217(III) (Dec. 10, 1948) (“Everyone has the right to an effective remedy by the competent national tribunals for acts violating the fundamental rights granted him by the constitution or by law.”); Charter of Fundamental Rights of the European Union, 364/01, art. 47, 2000 (“Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented.”); Organization of American States, American Convention on Human Rights, art. 8(1), Nov. 22, 1969, 1144 U.N.T.S. 143 (“Every person has the right to a hearing with due guarantees and within a reasonable time, by a competent, independent, and impartial tribunal . . . for the determination of his rights and obligations of a civil, labor, fiscal, or any other nature.”); African Charter on Human and Peoples’ Rights, art. 7(1), June 27, 1981, 1520 U.N.T.S. 217 (“Every individual shall have the right to have his cause heard.”).

236. Samuel Moyn, The Last Utopia: Human Rights in History 44–85 (2010).

237. International Covenant on Civil and Political Rights, art. 2(1), Dec. 16, 1966, 999 U.N.T.S. 171 (“Each State Party . . . undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized . . . without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.”); id. art. 14(1) (“All persons shall be equal before the courts and tribunals.”); id. art. 9(1) (“Everyone has the right to liberty and security of person. No one shall be subjected to arbitrary arrest or detention. No one shall be deprived of his liberty except on such grounds and in accordance with such procedure as are established by law.”).

238. Geneva Convention Relative to the Treatment of Prisoners of War, art. 16, Aug. 12, 1949, 6 U.S.T. 3316.

D. Changes in National Security and Foreign Affairs Activity of U.S. Government

Concerted pressure for extending rights beyond the sovereign territory of the United States began when the U.S. government started projecting power abroad in sustained ways. When extraterritorial action by the U.S. government was irregular, brief, and primarily involved war-fighting or similar coercive activities, it seemed natural that constitutional rights developed for peacetime; domestic application would not be extended. But, as the twentieth century opened, the United States came to be involved in many extraterritorial activities that looked less like episodic coercion and more like governing, such as nation-building, ruling civilian populations of non-sovereign zones where military bases were located, or staffing and running U.S. courts in foreign countries like China. For example, an important case about whether constitutional rights applied outside the United States arose in Cuba during the time of temporary U.S. military government,239 as part of this country’s first attempt at self-described humanitarian intervention. And the long-term occupations of Germany and Japan after World War II raised questions about whether constitutional rights limited U.S. government actions.240

239. Neely v. Henkel, 180 U.S. 109, 112 (1901) (extraditing U.S. citizen to Cuba, then governed by U.S. military, for criminal trial).

240. See, e.g., Eisentrager v. Forrestal, 174 F.2d 961, 963–65 & 963 n.9 (D.C. Cir. 1949) (holding Fifth Amendment Due Process and Habeas Suspension Clauses protect “any person,” anywhere in world, including admitted agents of German government convicted of war crimes by U.S. military commission in China and detained in U.S.-occupied Germany), rev’d sub nom. Johnson v. Eisentrager, 339 U.S. 763, 785 (1950) (holding German petitioners lacked constitutional rights, including right to access U.S. courts).

At first these developments merely generated calls in some quarters for convergence and closing of black holes but did not actually change U.S. law in that direction. If anything, categorical distinctions were invigorated and new ones developed in order to give more flexibility to the government. The classic example is the so-called incorporation doctrine developed in the Insular Cases of 1901 and thereafter. The best understanding of U.S. law and practices at the time was that during peacetime, full constitutional rights should be available to the people and entities present in territory that was de jure part of the United States.241 But in response to pressures generated by the imperialism of 1898 and thereafter, the Supreme Court in the Insular Cases acceded to the government’s wish to have fewer constitutional restrictions on its colonial governments, holding that not all constitutional restraints were applicable until Congress decided to fully “incorporate” a territory into the United States.242

But over time, the changing nature of U.S. foreign relations and national security activity has seemed to cause changes in U.S. law. In general, when a government is seen to wield great power, it leads to calls for more legal restraint. For example, once the breadth and intrusiveness of what the NSA has been doing in domestic and foreign surveillance became known as a result of the Snowden leaks, calls for the courts or Congress to rein it in have increased exponentially.

In recent conflicts with non-state actors like al Qaeda or insurgents in post–Saddam Hussein Iraq, U.S. government activities like long-term preventive detention, extensive interrogation for intelligence purposes, and counterinsurgency campaigns seem to many observers to be close enough to ordinary law enforcement and governance that norms of constitutional protection should be applicable.

There are other features of conflicts with non-state actors that create pressure for increased rights protection and judicialization. There are pervasive and factually complex disputes about whether a given individual detainee or military or intelligence target is, in fact, an enemy fighter. The likelihood of “false positives” is increased by the fact that citizenship cannot be used as an easy proxy for enemy status and that detainees who in fact are enemy fighters lack an incentive to self-identify as such because they will not receive prisoner-of-war protections but instead might be tried for unlawful belligerency or domestic crimes.243 There is great indeterminacy about which international legal protections apply to detainees who are alleged terrorists. Skimpiness of those that do apply, like Common Article 3 of the Geneva Conventions of 1949, suggests to some observers that more robust and certain protections of domestic rights enforced by courts are needed. The indefinite and highly malleable scope and length of the conflict raises the discomfiting prospect of war without end or limits, and hence we see increasing calls to make armed conflict more like peacetime in terms of judicial involvement and rights protection. The fact that the home governments of many detainees are U.S. allies in the conflict against al Qaeda and the Taliban and therefore do not always advocate strongly for the detainees’ interests also likely increases the calls for judicial oversight under robust domestic law norms.

241. See Kent, Citizenship, supra note 28, at 2127–28. There were minor exceptions based on territories’ unique status as proto-states. For instance, federal courts in the territories were not staffed with Article III judges with life tenure—a kind of structural protection for individual rights—because territorial courts would be abolished once statehood was attained.

242. See id. (discussing outcome and impact of Insular Cases).

243. See generally Issacharoff & Pildes, Targeted Warfare, supra note 27, at 1545–46 (discussing pressures and incentives for military force to be used based on individual guilt rather than group status).

On the other hand, the enormous destructive power that can be harnessed by non-state groups suggests to many that simple law enforcement methods are not sufficient, and that harder-edged military and intelligence assets and techniques must be deployed as well. Territorial location matters less as well. Whether through cyber attacks, dispersal of biological weapons, or the use of ordinary objects like commercial airplanes as weapons, destructive attacks can potentially be launched from anywhere and everywhere, putting pressure on the U.S. government to militarize the homeland. At the same time, changes in communications technologies mean that it is often difficult to determine the geographic location or identity of the parties to the communication, and hence traditional rules about electronic surveillance, based on a foreign–domestic distinction concerning citizenship and territorial location, are increasingly unworkable.

As Pildes and Issacharoff have argued, changes in military technology—such as the development and spread of precision munitions and drone technology—are putting increasing pressure on the military to “individuate,” to apply force in a surgical manner so that it only impacts individuals who have been deemed targetable or guilty in some fashion through fair procedures.244

As non-state threats rise in importance, the U.S. government and courts are less likely to confront a noncitizen as a representative of a foreign government. Spiro has noted that foreign affairs law often treated aliens for constitutional purposes “not as individuals but rather as components of other nations.”245 This is seen, for example, in immigration cases giving great deference to the U.S. government because of concerns about the potential disloyalty of noncitizens to the United States. And courts often justified deference and fewer constitutional rights for noncitizens with the assumption “that their interests will be protected on the international plane by their country of nationality, so that even as they are deprived of individual constitutional rights, their rights will be protected through diplomatic channels.”246 As non-state groups became more important to U.S. foreign policy, exceptional treatment of noncitizens seems less justifiable.247

244. Id. at 1525–28 (“[T]he use of military force against terrorists necessarily must shift, and has shifted, away from traditional group-based membership attributions of responsibility to individuated judgments of responsibility.”).

245. Peter J. Spiro, Globalization and the (Foreign Affairs) Constitution, 63 Ohio St. L.J. 649, 704 (2002) [hereinafter Spiro, Globalization].

246. Id. at 706.

And even though threats from non-state actors are serious, they pale in comparison to the threat of annihilation from superpower conflict. Today’s reduced-threat environment has led some to argue that doctrines limiting judicial review and individual rights in foreign affairs and national security contexts have less justification today.248

Spiro correctly observes that much of the deference to the U.S. government from courts in foreign relations cases came from an asserted need to protect diplomatic secrecy and from concerns about provoking confrontation with another nation. The greatest deference to the government often came in cases that directly implicated the interests of third-party foreign countries.249

Thus, the very kinds of national security and foreign affairs activities that are most salient today tend to be ones that lead observers and, often, courts and other political actors to think that ordinary legal norms and perhaps even judicial review should govern.

E. Trust in Government, Growth of New Media, and Relations Between the Government and the Press

Paul Stephan has suggested that the attractiveness of judicial deference to the political branches in foreign relations waxes and wanes based on the legal elite’s view of the competence and probity of the Executive and Congress.250 Large portions of the American public have always been skeptical of the federal government, but it may be a distinctively modern phenomenon that large swaths of the legal and economic elites are today.

The Vietnam War and the Watergate scandals are commonly said to mark the beginning of a dramatic decline of trust and confidence in the federal government. For a brief period after 9/11, the shock of the attack and sense of crisis and national purpose may have rallied legal elites behind a posture of judicial deference to the political branches. But soon, the enormous credibility crisis of the Bush Administration surrounding WMDs in Iraq and revelations of behavior (e.g., intentional torture of captives) that many members of the legal elite found shocking and obviously illegal, among other things, led to the elite bar and, seemingly, even Justices of the Supreme Court to harbor distrust of the executive branch.251 Public approval of and trust in the executive has remained low during the Obama years.252

247. See id. at 707 (arguing historical justifications for distinguishing noncitizens for constitutional purposes “offer no support for its persistence”).

248. See id. (arguing prevalence of non-state threats erodes historical justifications for differential constitutional treatment of aliens).

249. See id. at 680 (noting “courts have shown a demonstrably greater willingness to entertain foreign relations matters that do not directly implicate other countries”).

250. See Paul B. Stephan, Courts, the Constitution, and Customary International Law: The Intellectual Origins of the Restatement (Third) of the Foreign Relations Law of the United States, 44 Va. J. Int’l L. 33, 58–59 (2003).

Congress’s painfully obvious dysfunction and partisanship, which is reflected in very low public approval,253 has not helped its standing with the elite bar and the courts. It seems likely that the Supreme Court’s assertiveness vis-à-vis Congress, seen for example in the record number of congressional statutes declared unconstitutional in recent decades and in cases like City of Boerne, Garrett, and Shelby County,254 results at least in part from a decline in respect for Congress by members of the Supreme Court.255 In the title of her recent Harvard Law Review foreword, Pamela Karlan suggests that the current Court has “disdain” for Congress and politics more generally.256

251. See, e.g., Boumediene v. Bush, 553 U.S. 723, 765–69 (2008) (rejecting traditional bright-line rule that noncitizens outside United States lacked constitutional protections in part because such rule was “subject to manipulation” by President or Congress); Hamdan v. Rumsfeld, 548 U.S. 557, 587–88 (2006) (stating process for review of military commission convictions that includes Secretary of Defense and ends with President “clearly lack[s] the structural insulation from military influence that characterizes the Court of Appeals for the Armed Forces,” hence Article III courts should not abstain from adjudicating legality of military commission proceedings); Hamdi v. Rumsfeld, 542 U.S. 507, 530 (2004) (plurality opinion) (“[A]s critical as the Government’s interest may be in detaining those who . . . pose an immediate threat . . . , history and common sense teach us that an unchecked system of detention carries the potential to become a means for oppression and abuse of others who do not present that sort of threat.”).

252. See Gallup, Trust in Government, http://www.gallup.com/poll/5392/trust-government.aspx (on file with the Columbia Law Review) (last visited Mar. 7, 2015) (displaying poll results from 1972 through 2014 asking respondents about trust in federal executive branch, showing both George W. Bush and Barack Obama Administrations received high marks at beginning of their first terms but soon were trusted by less than half of respondents).

253. See Gallup, Congress’ Approval Rating Remains Near Historical Lows (Aug. 13, 2013), http://www.gallup.com/poll/163964/congress-approval-rating-remains-near-historical-lows.aspx (on file with the Columbia Law Review) (showing over eighty percent of Americans disapprove of job Congress is doing).

254. See Shelby Cnty. v. Holder, 133 S. Ct. 2612, 2630–31 (2013) (invalidating key section of Voting Rights Act in part because Court disagreed with Congress’s fact-finding about extent of voting discrimination); Bd. of Trustees of the Univ. of Ala. v. Garrett, 531 U.S. 356, 368 (2001) (invalidating part of Americans with Disabilities Act because Court determined Congress had failed to document in legislative record sufficient pattern of misconduct by states); City of Boerne v. Flores, 521 U.S. 507, 536 (1997) (finding limit on Congress’s authority to enforce Fourteenth Amendment where it assertedly encroached on Court’s prerogative of defining meaning of Constitution).

255. The Court has become more and more detached from Congress, and from high-level politics generally. The last Supreme Court Justice who served in Congress prior to joining the Court was Sherman Minton, who retired from the Court in 1956. The last former governor was Earl Warren, who retired in 1969. The last former Attorney General of the United States was Tom Clark, who retired from the Court in 1967. See Pamela S. Karlan, Foreword: Democracy and Disdain, 126 Harv. L. Rev. 1, 5 (2012) (“[T]he current Supreme Court is the first in U.S. history to lack even a single member who ever served in elected office.”).

Even as trust in Congress and the executive branch has declined, a new media environment scrutinizes the activities of government like never before. As Goldsmith has argued, “[t]he growth of global television and the Internet” since the 1990s has given unprecedented publicity to the foreign affairs and national security activities of the United States and other governments, and by shining a light on them, has made their “perceived fairness” and compliance with law matters of public concern and debate.257 The information and media revolution has gone hand-in-hand with decreased trust in government. Important segments of the American public and much of the press have, since Watergate and other scandals of the 1970s and the associated congressional hearings and press reporting that revealed abuses through the executive branch, become rather skeptical about U.S. government assertions that it should be trusted to do the right thing in secret. The transparency and checks and balances that come with judicial review therefore seemed more desirable. And, as Spiro argues, when the executive and Congress lose their monopoly over information about foreign affairs and national security, courts are less receptive to pleas for deference.258 Recent decades have seen the rise of very active and sophisticated press and advocacy networks that ferret out and publicize unsavory government secrets.

The same information revolution that has changed the media landscape has also made it much easier for government insiders to leak large amounts of national security information to reporters or advocacy groups. And at the same time, many advocacy organizations have sprung up dedicated to using information about government misdeeds to expand constitutional and other legal protections for groups such as noncitizens abroad and military targets who would previously have been categorically unprotected.

CONCLUSION

The historical trajectory toward the closing of legal black holes and converging of domains is clear. Most of the forces I have suggested might be supportive of this change today seem unlikely to abate any time soon.

256. Id. at 12 (“The current Court, in contrast to the Warren Court, combines a very robust view of its interpretive supremacy with a strikingly restrictive view of Congress’s enumerated powers. The Roberts Court’s approach reflects a combination of institutional distrust . . . and substantive distrust . . . .”); see also Vicki C. Jackson, Standing and the Role of Federal Courts: Triple Error Decisions in Clapper v. Amnesty International USA and City of Los Angeles v. Lyons, 23 Wm. & Mary Bill Rts. J. 127, 181 (2014) (“At times the Court seems to show a particular lack of respect for Congress as compared with state legislatures.”).

257. Goldsmith, supra note 23, at 125–35.

258. Spiro, Globalization, supra note 245, at 683 n.127.

Part of the reason is that many of the trends seem to reinforce each other. For example, the increase in the number and potency of individual constitutional rights and associated remedies gives authority and legitimacy to the role of federal courts restraining the political branches, and hence increases the self-confidence and assertiveness of the courts. In turn, greater assertiveness and self-confidence will lead the courts to elaborate and apply more rights and remedies. Moral psychology that increasingly values the autonomy and equality of individuals will tend to support increased individual constitutional rights and vice versa.

Many of these trends I have identified are probably also individually self-reinforcing. Take, for example, the increasing confidence of the U.S. judiciary about its right and capacity to adjudicate foreign affairs and national security cases. As the courts hear more such cases, they will likely gain both confidence in their ability to handle them and the confidence of outside observers. Courts create precedents when they decide cases, and a growing body of precedent will make it seem increasingly natural and accepted that courts are adjudicating these cases. The federal judiciary’s involvement adjudicating applications for foreign-intelligence surveillance since 1978259 has, for example, recently led to calls for a similar kind of judicial review of targeted killings.260

Because these trends toward the closing of legal black holes and converging of domains appear to be longstanding and mutually reinforcing as well as self-reinforcing, the future will probably bring more rather than less convergence in rights protection and the further closing of legal black holes. That does not mean that the trend lines will always be steady. A military or other catastrophe, such as the 9/11 attacks, can temporarily lead political actors, including the courts, to adopt and countenance fewer individual rights protections than they ordinarily would.261 A major nation-to-nation war involving the United States, unlikely as that may seem today, would probably push the country further off the course of convergence and closing of legal black holes, and for a longer time.262

But even that is unlikely to be permanent and almost certainly would not roll back the developments of the last several decades. As Goldsmith and Cass Sunstein argue, U.S. history shows a ratchet effect, where perceived abuses of individual rights in the name of security during wartime are criticized and rejected afterwards and thus develops a new, higher baseline for treatment of individuals going forward.263

259. Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1789 (codified as amended at 50 U.S.C. §§ 1801–1885c (2012)).

260. See Scott Shane, Debating a Court to Vet Drone Strikes, N.Y. Times (Feb. 9, 2013), http://www.nytimes.com/2013/02/09/world/a-court-to-vet-kill-lists.html (on file with the Columbia Law Review).

261. See Janet Cooper Alexander, The Law-Free Zone and Back Again, 2013 U. Ill. L. Rev. 551, 551 (showing national security policies were less protective of individual rights during first Bush term immediately after 9/11 than during second term or Obama presidency).

262. See generally Jack Goldsmith & Cass R. Sunstein, Military Tribunals and Legal Culture: What a Difference Sixty Years Makes, 19 Const. Comment. 261, 281 (2002) (discussing different reactions to Franklin D. Roosevelt versus George W. Bush’s use of military tribunals and observing “[f]or better or for worse, solicitude for the interests of accused belligerents will diminish when the risks to the Nation seem most serious and tangible”).

The future of national security and foreign affairs is thus likely to see more and more aggressive judicial review and further application and extension of ordinary constitutional and other legal norms. The number of persons, places, or contexts that are legal black holes will continue to shrink, perhaps to zero. National security and foreign affairs will become less and less legally exceptional, as convergence continues apace.

Some more specific predictions might be ventured. Pildes and Issacharoff are surely right that there will be increased pressure, including by legal means, for the U.S. military to “individuate” by applying force in a surgical manner so that it only impacts individuals who have been deemed targetable or guilty in some fashion through fair procedures.264 Calls for a “drone court” similar to the Foreign Intelligence Surveillance Court are an example of this phenomenon.265

Because the political actors driving convergence and closing of legal black holes tend to be more associated with the political left of center—for instance, it was the left of the Supreme Court plus Justice Kennedy that produced the narrow margins of victory for the detainees in Rasul, Hamdan, and Boumediene266—we will likely see more and faster convergence and closing of legal black holes on issues where the right can join in too. So, for example, issues involving property or other economic rights or First Amendment rights for commercial or other entities are ones to watch.

The Supreme Court, in an opinion by Chief Justice Roberts, recently held that the First Amendment rights of organizations that provided funding and assistance regarding HIV/AIDS in foreign countries were violated by the statutory requirement conditioning receipt of U.S. government grants on having “a policy explicitly opposing prostitution.”267 The Court relied entirely on case law involving ordinary, domestic issues—such as restrictions on using federal funds to counsel women about abortions,268 and evinced no awareness of the separation of powers concerns with constraining U.S. foreign policy activities in foreign countries with judicially imposed constitutional restrictions.

263. See id. at 284–85 (“During every serious war in our nation’s history, civil liberties have been curtailed. Following . . . each war, elites regret these restrictions . . . [as] unwarranted or extreme . . . . This dialectic produces a ratchet effect, over time, in favor of more expansive civil liberties during wartime.”).

264. See supra note 27 and accompanying text (describing Pildes and Issacharoff thesis on pressures on military to “individuate”).

265. See, e.g., Benjamin Wittes, The New York Times Proposes Judicial Review of Nearly All Drone Strikes, Lawfare (Feb. 15, 2013, 7:21 AM), http://www.lawfareblog.com/2013/02/the-new-york-times-proposes-judicial-review-of-nearly-all-drone-strikes/ (on file with the Columbia Law Review) (discussing proposed “drone court”).

266. Rasul v. Bush, 542 U.S. 466 (2004), and Boumediene v. Bush, 553 U.S. 723 (2008), were 5-4 decisions, while Hamdan v. Rumsfeld, 548 U.S. 557 (2006), would have been 5-4 if Chief Justice Roberts had not recused himself after having voted for the government when the case was at the D.C. Circuit.

The recent D.C. Circuit decision concerning the Committee on Foreign Investment in the United States (CFIUS) is on point here. A statute empowers the President, through CFIUS, an executive branch committee chaired by the Secretary of Treasury and staffed by senior officials with national security and economic portfolios, to investigate and block “any merger, acquisition, or takeover . . . by or with any foreign person which could result in foreign control of any person engaged in interstate commerce in the United States.”269 CFIUS reviews these transactions for effects on the national security of the United States.270

The statute provides that presidential decisions are not subject to judicial review.271 In a case where CFIUS blocked a transaction of a U.S. corporation owned by Chinese nationals on national security grounds, the D.C. Circuit first applied an exacting clear statement rule to find that the statute did not clearly enough bar a due process challenge to the decision of CFIUS; held that the political question doctrine did not apply; and, with only the barest hint of deference toward the national security equities, held that the corporation had been denied its property without due process because it was not given all unclassified evidence used in the review process or any opportunity to rebut that evidence.272

In the same vein, decisions that are only a little more than a decade old abruptly rejecting constitutional challenges to asset blocking orders for national security reasons by the Office of Foreign Assets Control273 are almost certainly going to be superseded by precedent imposing more traditional constitutional restrictions on this national security activity.274

267. Agency for Int’l Dev. v. Alliance for Open Soc’y Int’l, Inc., 133 S. Ct. 2321, 2326 (2013).

268. See id. at 2328 (citing Rust v. Sullivan, 500 U.S. 173, 195 & n.4 (1991)).

269. 50 U.S.C. app. § 2170(a)(3) (2012).

270. Id. § 2170(f).

271. Id. § 2170(e).

272. See Ralls Corp. v. Comm. on Foreign Inv. in U.S., 758 F.3d 296, 311, 314, 319 (D.C. Cir. 2014).

273. See, e.g., Holy Land Found. v. Ashcroft, 333 F.3d 156, 163–66 (D.C. Cir. 2003) (upholding asset-blocking order against Muslim charitable foundation designated as terrorist organization); Global Relief Found., Inc. v. O’Neill, 315 F.3d 748, 754 (7th Cir. 2002) (rejecting Global Relief Foundation’s constitutional arguments against seizing of its assets).

274. See, e.g., Al Haramain Islamic Found., Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 988, 1001 (9th Cir. 2012) (holding OFAC violated foundation’s due process and First Amendment rights); KindHearts for Charitable Humanitarian Dev., Inc. v. Geithner, 647 F. Supp. 2d 857, 919 (N.D. Ohio 2010) (holding OFAC violated corporation’s Fourth Amendment rights).


Whether these particular predictions prove correct or not, the tendency in our law, political institutions, and culture will be toward greater convergence and closing of legal black holes.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
