WASHINGTON — The Central Intelligence Agency has for years been collecting in bulk, without a warrant, some kind of data that can affect Americans’ privacy, according to a newly declassified letter by two senators.
The C.I.A. kept censored the nature of the data when it declassified the letter. At the same time, it declared that a report about the same topic, which had prompted the letter, must remain fully classified, except for some heavily redacted recommendations.
That report, called “Deep Dive II,” was part of a set of studies by a watchdog board scrutinizing intelligence community operations under Executive Order 12333, rules for intelligence activities that Congress has left unregulated by statute. The watchdog, the Privacy and Civil Liberties Oversight Board, and its staff members have access to classified information.
In March 2021, the Senate Intelligence Committee received a copy of the report. In a letter the next month, two Democrats on the panel, Senators Ron Wyden of Oregon and Martin Heinrich of New Mexico, urged Avril D. Haines, the director of national intelligence, and William J. Burns, the C.I.A. director, to declassify the activity and any internal rules about querying the data for information about Americans.
Complaining that the C.I.A. had not told the Intelligence Committee about the activity before, the senators suggested that its hidden existence cut against Americans’ understanding that various pieces of legislation enacted in recent years “limit and, in some cases, prohibit the warrantless collection of Americans’ records.”
However, an intelligence official, speaking on the condition of anonymity to discuss the sensitive matter, said that the Intelligence Committee did already know about the agency’s classified collection of the data itself. The Deep Dive II report, the official said, instead focused on repository and analysis tools for storing and querying that data after its collection — systems the committee may not previously have been told about.
After the disclosures in 2013 by the former intelligence contractor Edward J. Snowden that the National Security Agency was collecting bulk logs of all Americans’ phone calls using a disputed interpretation of the USA Patriot Act — and had until recently done the same for logs of emails — there was a period of uproar over the scope of government surveillance.
During that time, The New York Times reported that the C.I.A. had been paying AT&T to analyze its vast trove of call records for associates of the agency’s overseas terrorism suspects. It also found that the agency had been obtaining bulk records of international money transfers handled by companies like Western Union — including transactions into and out of the United States — using the same provision of the Patriot Act.
(On Thursday, the C.I.A. also released a redacted version of a report describing its tracking of international financial data under Executive Order 12333 as part of the agency’s efforts to combat the Islamic State.)
In 2015, Congress banned bulk collection of telecommunications metadata under the Patriot Act and limited other types of bulk collection by the F.B.I. under laws governing domestic activities like the Foreign Intelligence Surveillance Act, or FISA.
Yet “the C.I.A. has secretly conducted its own bulk program” under Executive Order 12333, the senators wrote.
“It has done so entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, congressional or even executive branch oversight that comes with FISA collection,” the letter continued. “This basic fact has been kept from the public and from Congress.”
In a statement, Kristi Scott, the C.I.A.’s privacy and civil liberties officer, defended the agency’s conduct.
“C.I.A. recognizes and takes very seriously our obligation to respect the privacy and civil liberties of U.S. persons in the conduct of our vital national security mission, and conducts our activities, including collection activities, in compliance with U.S. law, Executive Order 12333 and our attorney general guidelines,” she said. “C.I.A. is committed to transparency consistent with our obligation to protect intelligence sources and methods.”
But in their letter, Mr. Wyden and Mr. Heinrich pressed the C.I.A. to declassify the nature of its relationship with the sources — presumably companies providing the data — along with the kinds of records it was collecting and “the rules governing the use, storage, dissemination and queries (including U.S. person queries) of the records.”
In 2017, the government disclosed attorney general guidelines for C.I.A. activities under the executive order that lay out rules for some of those issues. But it is not clear if the C.I.A. has fully developed procedures for carrying them out; a set of recommendations from the Deep Dive II report said that at the time, it had not developed policies or procedures regarding how the guidelines apply to the unspecified data.
The recommendations also said that when C.I.A. officials use an American’s identifier as a query term when searching the unspecified data, a box pops up to remind them that the search must have a foreign intelligence purpose. But the officials are not required to record what that purpose was, and the recommendations urged the agency to do so.
