Overview
Once data has been collected and filtered, it must be stored, tagged, and later removed or destroyed. This phase of the SIGINT process is particularly relevant for both oversight bodies and the intelligence services because lawful and efficient data management is the basis for relevant data analysis.
Bulk data processing presents several complex governance challenges that will occupy oversight bodies for years to come. There is plenty of room for oversight innovation.
When drafting intelligence legislation, lawmakers should be sufficiently mindful of the role and depth of multilateral intelligence cooperation. Services exchange raw and evaluated data in enormous quantities with their foreign partners and jointly feed various databases. Legal frameworks should account for the joint responsibility that governments have for joint databases, even if they are not hosted on their territory. Furthermore, there is a pressing need to ensure effective oversight of shared databases, possibly in the form of multilateral oversight.
Many oversight bodies seem to agree that much more work needs to be done to independently verify that the services honor their obligations to delete data. Drafting standards for what constitutes proper deletion and how this can be verified would be one important step in this direction.
Relevant Aspects
For the sake of clarity, this phase is divided into four subcategories reflecting the different facets of data processing: storage, maintenance, sharing, and deletion.
Data Storage
Due to different retention periods, it may become necessary to keep separate databases, for example for encrypted data, metadata, and content data, or in order to distinguish data pools according to their legal basis or warranted purposes. It is therefore relevant whether such data pools are kept in physically or logically isolated storage locations, rather than merely being tagged within one shared store. Increasingly, bulk surveillance governance relies on the verifiable technical or institutional separation between the authority to intercept and the authority to analyze the data. In order to honor data protection obligations, a surveillance law should further restrict the extent to which databases may be linked or accumulated.
Transnational threats prompt closer trans-border cooperation among intelligence services. Intelligence data – both unevaluated and evaluated – is therefore not just shared bilaterally, but also stored in joint intelligence databases for different threats and purposes. When we speak of joint databases, we refer to a multilateral exchange of data that can be hosted either on national territory or abroad. Typically, joint databases are run multilaterally, with all participating services adding and accessing data.
Data Maintenance
This comprises all practices that concern the labeling and registration of intelligence databases. Data upkeep is not only required by data protection regulations, but also serves a practical end: It ensures that the services keep only relevant and accurate data.
For auditing purposes, data must be traceable throughout the entire lifecycle, from the warrant under which it was collected to its eventual deletion. It is also important to anonymize data to the greatest extent possible. The security and quality of the databases must be ensured to protect the sensitive information from being stolen or compromised. Adequate data maintenance also builds on clear restrictions of data access. Access to the stored data should be regulated by law, restricted to specifically authorized personnel, and logged, so that who accessed which data, when, and on what legal basis can later be audited.
Data-Sharing
Sharing data with foreign services entails a responsibility to assess and mitigate the risk of misuse of the shared data. Although SIGINT burden-sharing among partner services is a common practice, what rules and procedures are in place to evaluate partner services’ data quality and data veracity? Oversight of – and accountability for – data-sharing agreements and joint databases must be ensured. Finally, in times of advanced joint intelligence databases, how do oversight bodies cooperate internationally to control the permissible use of international data pools?
Data Deletion
The proper deletion of data is an enormous challenge. "Deleting" a file typically only removes its directory entry and marks the space it occupies as free. Until that space is overwritten, the content is still on the medium and can be recovered with forensic tools. Whether overwriting makes data unrecoverable depends on the medium. For magnetic disks, current US federal guidance (NIST Special Publication 800-88, Guidelines for Media Sanitization) considers a single verified overwrite pass sufficient; the often-cited multi-pass requirements, such as three or seven passes, stem from older Department of Defense practice. On flash-based media such as SSDs, overwriting a file does not reliably reach the physical cells that held it, because the device's controller remaps writes, so sanitization has to rely on the drive's built-in sanitize commands, physical destruction, or cryptographic erasure (keeping the data encrypted and destroying the key). Copies held in backups, replicas, and shared databases must be covered as well. Although technical means exist to make deleted data unrecoverable, it seems necessary to develop more detailed standards for what constitutes the proper deletion of data. Errors in this process could result in millions of datasets being falsely stored for years.
Moreover, it is now also "more costly to delete data, than retain it." Legislators have, in addition, found it difficult to insert proper legal definitions or public standards for what "deletion" or "destruction" of data means into intelligence laws. By extension, then, the deletion problem also becomes a veritable oversight challenge: review bodies need accurate audit trails to be able to check services' compliance with data deletion requirements.
There is also a need for better guidelines on what data should be deleted at what point in time. Storage periods address this matter and define maximum time periods for which data may be retained. With adequate normative criteria at hand, the services or the competent oversight bodies could, theoretically, also decide to apply a shorter storage period.
Intelligence law should outline specific and short retention periods, after which the data must be permanently and verifiably destroyed. Deleting very large amounts of data, for example an entire bulk collection at the end of a warrant, may require special provisions.
It is also relevant how data destruction is documented and reviewed by the competent oversight body. For example, is stored data linked to specific warrants, and does it have traceable time stamps for full and proper deletion? Adequate records of the data destruction are also important for possible notification purposes.
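The following is an added example, not code from the guide or from any intelligence service, showing one technical answer to the three preceding points: data that is unrecoverable after deletion regardless of the storage medium, retention deadlines applied per warrant, and a destruction record an oversight body can verify. Every record is encrypted under a key that belongs to the warrant it was collected under (cryptographic erasure); destroying that key renders all records under the warrant unreadable at once, and the destruction is appended to a hash-chained log whose entries are linked to the warrant, the affected records, and a timestamp. Warrant identifiers, timestamps, and record contents are constructed sample values. Only the Python standard library is assumed, so HMAC-SHA256 in counter mode stands in for an authenticated cipher such as AES-GCM, which a real deployment would use instead; a deployment would also keep the key store in a hardware security module, because only the keys, not the bulk data, then need medium-specific sanitization.

```python
"""Cryptographic erasure with a warrant-linked, hash-chained deletion log.

Constructed illustration: HMAC-SHA256 used as a PRF keystream stands in for a
real AEAD cipher; warrant ids, timestamps and record bodies are sample values.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Record:
    warrant_id: str
    nonce: bytes
    ciphertext: bytes
    ingested_at: int  # seconds since epoch (sample values)


@dataclass
class Vault:
    warrant_keys: dict = field(default_factory=dict)  # warrant id -> (bytearray key, retention deadline)
    records: dict = field(default_factory=dict)       # record id -> Record
    audit_log: list = field(default_factory=list)     # hash-chained destruction entries

    def open_warrant(self, warrant_id: str, expires_at: int) -> None:
        # bytearray so the key material can be zeroed on destruction (best effort in Python).
        self.warrant_keys[warrant_id] = (bytearray(os.urandom(32)), expires_at)

    def _record_key(self, warrant_id: str, record_id: str) -> bytes:
        key, _ = self.warrant_keys[warrant_id]
        # Per-record subkey: the warrant key never encrypts two records with the same keystream.
        return hmac.new(bytes(key), record_id.encode(), hashlib.sha256).digest()

    def store(self, record_id: str, warrant_id: str, plaintext: bytes, now: int) -> None:
        nonce = os.urandom(16)
        ct = _xor(plaintext, _keystream(self._record_key(warrant_id, record_id), nonce, len(plaintext)))
        self.records[record_id] = Record(warrant_id, nonce, ct, now)

    def read(self, record_id: str) -> bytes:
        rec = self.records[record_id]
        if rec.warrant_id not in self.warrant_keys:
            raise PermissionError(f"key for {rec.warrant_id} destroyed; record is unrecoverable")
        stream = _keystream(self._record_key(rec.warrant_id, record_id), rec.nonce, len(rec.ciphertext))
        return _xor(rec.ciphertext, stream)

    def _log(self, **fields) -> None:
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = dict(fields, prev=prev)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def verify_audit_log(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def destroy_warrant_key(self, warrant_id: str, now: int, reason: str) -> list:
        """Destroy the key; ciphertexts may stay on disk but are no longer readable."""
        key, _ = self.warrant_keys.pop(warrant_id)
        for i in range(len(key)):
            key[i] = 0
        affected = sorted(r for r, rec in self.records.items() if rec.warrant_id == warrant_id)
        self._log(event="key_destroyed", warrant_id=warrant_id, records=affected, at=now, reason=reason)
        return affected

    def purge_expired(self, now: int) -> dict:
        """Apply the retention deadline of every warrant; returns {warrant: affected records}."""
        expired = [w for w, (_, deadline) in self.warrant_keys.items() if deadline <= now]
        return {w: self.destroy_warrant_key(w, now, "retention period elapsed") for w in expired}


def demo() -> dict:
    v = Vault()
    v.open_warrant("W-2023-017", expires_at=1_700_000_000)
    v.open_warrant("W-2023-042", expires_at=1_800_000_000)
    v.store("rec-1", "W-2023-017", b"selector hit (constructed sample)", now=1_690_000_000)
    v.store("rec-2", "W-2023-017", b"session metadata (constructed sample)", now=1_690_000_100)
    v.store("rec-3", "W-2023-042", b"still within retention", now=1_695_000_000)
    purged = v.purge_expired(now=1_700_000_001)
    try:
        v.read("rec-1")
        recoverable = True
    except PermissionError:
        recoverable = False
    return {"purged": purged, "rec1_recoverable": recoverable, "rec3": v.read("rec-3"),
            "ciphertext_still_present": "rec-1" in v.records, "log_ok": v.verify_audit_log()}


if __name__ == "__main__":
    print(demo())
```

The point an overseer can check is that `verify_audit_log` fails as soon as any entry is altered, and that a record whose warrant key has been destroyed cannot be decrypted even though its ciphertext is still stored. This does not remove the need for medium sanitization altogether: the key store itself, and any plaintext that was exported to analysts' workstations or partner databases before destruction, still have to be handled under the standards discussed above.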
Lastly, how are storage and deletion implemented in practice? Should intelligence data be stored in “clouds”? We can observe intelligence agencies’ close cooperation with commercial third parties, such as private cloud storage services. It must be ensured that such outsourcing – entailing the risk of shifting responsibility for a crucial phase of data processing to private companies – does not undermine democratic accountability and oversight.