President Obama today announced reforms to the National Security Agency’s bulk metadata collection program under Section 215 of the PATRIOT Act, ordering a transition that would end the program as it exists today, and prohibit the government from storing and accessing the data without secret court approval.
The reforms allow the NSA to continue collecting metadata on phone calls; metadata includes numbers calls are made to and from, along with their duration. What remained unclear is whether the agency will need a warrant to access it from telecommunications providers such as Verizon or AT&T, or whether the collected data will be managed by a third party.
The agency says it uses call metadata to map connections between foreigners thought to be involved in terrorism. Privacy advocates, meanwhile, point out that the NSA’s activities also ensnare metadata from Americans and that their civil liberties are being violated without just cause.
“I believe it is important that the capability that this program is designed to meet is preserved,” Obama said. He did concede, however, that the program opens the door to more intrusive bulk collection programs and requires oversight and change.
Outspoken opponents, such as CREDO Mobile CEO Michael Kieschnick, were not as optimistic.
“Whether the president moves his telephone data dragnet to AT&T and Verizon, to some other third party, or keeps it at the NSA makes no difference,” said Michael Kieschnick, CEO of CREDO Mobile. “It’s still clearly unconstitutional and must be dismantled.”
Obama’s announced reforms largely call for increased Executive branch oversight of the intelligence community’s dragnet surveillance activities. He ordered annual reviews by the Attorney General and Director of National Intelligence that would help declassify Foreign Intelligence Surveillance Court opinions that have broad privacy implications. Obama also called on Congress to establish a panel of privacy experts outside of government to render opinions on significant cases before the FISC hears them. He also promised changes to how National Security Letters are used and how long they can be kept secret. Obama said. A number of technology companies have petitioned the president and Attorney General to be more transparent about the number of National Security Letters they receive.
“I’ve directed the Attorney General to amend how we use National Security Letters, so that this secrecy will not be indefinite, so that it will terminate within a fixed time,” Obama said. “Unless the government demonstrates a real need for further secrecy.”
The president also ordered changes to the surveillance of foreign heads of state, a firestorm that was raised when it was revealed in one of the multitude Snowden leaks that German Chancellor Angela Merkel’s mobile phone was tapped by the NSA.
Missing from the president’s 45-minute address at the Justice Department was any mention of the agency’s alleged subversion of encryption standards and use of backdoors to keep watch on surveillance targets. The Snowden documents allege that the NSA undermined the National Institute of Standards and Technology (NIST) by introducing code into encryption standards that intentionally weakened them.
NIST-developed Dual_EC-DRBG, a random number generator at the core of RSA Security’s BSafe cryptographic library used in numerous commercial software products, has long been thought to have been backdoored by the NSA. That theory was given credibility after a Reuters report in late December said the security company entered into a secret $10 million contract with the NSA that set Dual_EC-DRBG as the default random number generator in BSafe despite publicly known concerns over its viability as a trustworthy algorithm.
Instead, Obama focused exclusively on the bulk metadata collection program and ordered immediate changes that include pursuing calls two steps removed from a terror suspect rather than three steps, as is the current procedure. Also, he ordered Attorney General Eric Holder to work with the secret Foreign Intelligence Surveillance Court (FISC) so that during this transition period, the database storing phone call metadata can be queried only after a judicial finding or in an emergency.
Overarching, the Attorney General and intelligence community must, before Section 215 comes up for re-authorization on March 28, develop options for a new approach that meets intelligence requirements without the government holding the metadata.
“The reforms I’m proposing today should give the American people greater confidence that their rights are being protected even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe,” Obama said.
In December, a presidential review board recommended to the president that metadata be left with the telecommunications providers who already store it for business purposes, or that it be handed over to an independent third party. It also recommended at the time that the NSA director job be Senate-confirmed and a civilian. That was shot down, however, when Obama announced that the NSA director would continue to be the head of U.S. Cyber Command, a military position.
Obama also announced some organizational changes within government that include: a State Department-designated senior officer to coordinate diplomacy on issues related to technology and signals intelligence; a new White House appointed senior official who will implement any new privacy safeguards announced today; and a team of officials who will look at the challenges to privacy initiated by data collection efforts, not only in the public sector, but commercially as well.
“The President took several steps toward reforming NSA surveillance, but there’s still a long way to go,” said EFF Legal Director Cindy Cohn. “Now it’s up to the courts, Congress, and the public to ensure that real reform happens, including stopping all bulk surveillance–not just telephone records collection. Other necessary reforms include requiring prior judicial review of national security letters and ensuring the security and encryption of our digital tools, but the President’s speech made no mention of these.”