Sophos Cloud Optix
The White House on Wednesday released a 303-page report from a panel of presidential advisors who recommended that the National Security Agency’s (NSA’s) massive data trawling carry on, but that the data be kept in private hands for “queries and data mining” only by court order.
The panel – former White House counter-terrorism advisor Richard A. Clarke, Michael J. Morell, Geoffrey R. Stone, Cass R. Sunstein, and Peter Swire – delivered 46 recommendations to US President Barack Obama in the report.
According to the Agence France-Presse (AFP), Obama spokesman Jay Carney said that the report was released earlier than a planned January date due to the media getting the contents wrong:
While we had intended to release the review group's full report in January ... given the inaccurate and incomplete reports in the press about the report's content, we felt it was important to allow people to see the full report to draw their own conclusions.
Obama met with members of the panel earlier on Wednesday to work through the recommendations.
As far as surveillance of US persons goes, the panel isn’t recommending that the government stop collecting and storing bulk telephony metadata – i.e., telephone numbers that originate and receive calls, along with the time and date of calls.
Rather, the panel wants to see Congress merely transfer all that metadata over to private hands, from whence it can be queried “when necessary for national security purposes.”
The panel also recommended boosting the privacy of non-US persons to the point where they would get the same protections now given to Americans under the Privacy Act of 1974.
That act keeps the government from disclosing information about people without the written consent of a given individual – unless, that is, disclosing the information falls under a smorgasbord of statutory exceptions, one of which being law enforcement purposes.
(Am I missing something here? One imagines that “for law enforcement purposes” could actually be used to exempt pretty much all intelligence agency access to people’s records without their permission. Legal experts, your input would be welcome in the comments section below.)
Another recommendation must surely have been dubbed the “Appease the Very Indignant and Very Spied Upon German Chancellor Angela Merkel” clause when the panelists were working on it, given that it addresses “unjustified or unnecessary” surveillance of foreign leaders – particularly leaders of countries with which that the US shares “fundamental values and interests”.
The group also suggested that any operation that entails spying on foreign leaders should pass a rigorous test to see if the intelligence gained would outweigh the economic and diplomatic problems that could erupt if the operation were to become public.
The panel also wants the NSA to back off from its work to undercut attempts to create secure encryption standards.
One such effort is the NSA’s attempts to peel apart the layers of the Tor anonymizing service.
The recommendation:
We recommend that, regarding encryption, the US Government should:
(1) fully support and not undermine efforts to create encryption standards;
(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and
(3) increase the use of encryption, and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
The panel would also like to see the NSA be headed up by a Congressional appointee, which could be a civilian – a possibility the panel suggested President Obama seriously consider.
Beyond maybe sticking a civilian into the top job at the NSA, the panel also thinks it would be nice to split the NSA between a military commander in charge of the Pentagon’s cyberwarfare unit – US Cyber Command – and another individual as director of the NSA.
That recommendation was dead in the water before the panel’s report ever saw the light of day, however.
Last week, the White House said that the Obama administration likes the positions of NSA Director and Cyber Command commander just fine the way they are, all rolled up into one “dual-hatted” position.
The recommendations are just that: recommendations. It’s unclear which, if any, will actually be adopted, particularly given that, as the New York Times pointed out, some would require Congress to enact new legislation.
At any rate, the recommendations shy away from the strong condemnation delivered by the US federal judge who on Monday ordered the NSA to stop collecting phone metadata, calling the agency’s collection technology “almost Orwellian” and deeming it likely unconstitutional.
It’s also worth noting how dated much of the material Edward Snowden has disclosed in the months following his triggering of NSA-gate in June.
For example, the presentation published by The Guardian concerning XKeyscore, the NSA search engine, goes back to 2008. So is the panel five years behind the curve? Are the recommendations based on current technologies and practices?
Also, might we perhaps demand deeper change than tweaks that mostly involve who gets to authorize searches and that the NSA is directed up by one or two heads?
It’s the trawling of both domestic and foreign data that seems to be the biggest problem, not who issues the warrants for searching it.
Image of spyglass courtesy of Shutterstock.
COME ON Justify your searches NSA when most people wouldn’t even consider being a terrorist and even though you have put files in my computer to spy, you won’t find a damn thing. why? because what I don’t want you to know you will not know..so go suck eggs. So Mr President sort this mess out, your allies are your allies not your enemy.
The term “law enforcement purposes” is overly broad and would not be included in any act passed by Congress. The actual language included in the Privacy Act of 1974 reads:
“matches performed, by an agency (or component thereof) which performs as its principal function any activity pertaining to the enforcement of criminal laws, subsequent to the initiation of a specific criminal or civil law enforcement investigation of a named person or persons for the purpose of gathering evidence against such person or persons.”
If the NSA were to comply with this doctrine, the scope of their searches would be limited to specific persons that were currently under investigation. This standard would be effective in curtailing NSA agents that abuse their rights to this data, rumors have detailed NSA agents spying on ex-lovers or eavesdropping on conversations between spouses. Unfortunately, the Foreign Intelligence Surveillance Court (FISC), which is responsible for monitoring the actions of the NSA for legal compliance, has yet to deny a NSA surveillance request. Requiring the NSA to adhere to the standards of the Privacy Act of 1974 is a half measure, in order to ensure full compliance; the FISC must serve as an adequate check to the NSA.
“Private hands” have even less oversight and accountability than the NSA does.