Privacy, Surveillance, and AI in the FY’23 National Defense Authorization Act (NDAA)

Each year, Congress passes the National Defense Authorization Act (NDAA), which designates specific budgets and policies for the U.S. military and a host of other government entities. The NDAA, while at its core a national defense bill, is sweeping in scale, with this year’s version providing $816,700,000,000.00 in funding to the Department of Defense. Given the sheer size of this allocation, the NDAA has impacts well beyond the military. This year, as in the recent past, there are many provisions that relate to privacy, surveillance, and AI. EPIC highlights those provisions here to help you understand where this money will be spent in the upcoming years. The full text of the NDAA (4408 pages) can be found here.

Surveillance-Related Provisions

First, §6318 of the NDAA includes “measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware.” These measures include reporting requirements on the counterintelligence threats and other risks to U.S. national security posed by the proliferation and use of foreign commercial spyware. The NDAA also gives the Director of National Intelligence (DNI) discretionary authority to bar intelligence community procurement and use of foreign commercial spyware, whether directly from a covered foreign company or through a vendor with access to spyware.

The NDAA’s language, coupled with a rumored forthcoming Executive Order prohibiting the U.S. government from using spyware that poses counterintelligence or other security risks, appears to signal the United States’ intent to rein in the unchecked expansion of spyware. However, stronger measures were left out of the final NDAA; prior iterations had authorized the President to impose sanctions on foreign firms and individuals that sell, purchase, or use spyware. Further, the NDAA’s emphasis on counterintelligence risks does not address the fundamental risks to privacy and safety posed by the pervasive use of spyware, domestic or foreign in nature. Given reports that U.S. government agencies are already deploying spyware, action is still required.

Second, §6310 of the NDAA directs the DNI to “conduct a review to ascertain the feasibility and advisability of compiling and making public information relating to activities of the intelligence community under Executive Order 12333” and brief Congress on that review. In particular, the NDAA calls for review of the feasibility of publicly disclosing the following information:

  • The amount of United States person information collected pursuant to such activities;
  • Queries of United States persons pursuant to such activities;
  • Dissemination of United States person information pursuant to such activities, including masking and unmasking;
  • The use of United States person information in criminal proceedings; and
  • Quantitative data and qualitative descriptions of incidents in which the intelligence community violated Executive Order 12333 and associated guidelines and procedures.

Executive Order 12333 sets forth a large and complex framework for the United States’ foreign intelligence activities. Although Congress and the Privacy and Civil Liberties Oversight Board (PCLOB) have both played important roles in overseeing activities conducted under Executive Order 12333, the precise scope of these activities remains murky. The NDAA’s language will improve public transparency around these activities and align Executive Order 12333…
