A presidentially appointed, five member panel issued a more than 300-page report yesterday calling for nearly 50 recommendations for changes in the way that the National Security Agency conducts its increasingly public and controversial sweeping surveillance programs.
The entire report hinges on the oft-repeated notion that the country must strike a healthy balance between two adversarial desires; the necessity of maintaining constant vigilance in the face of international terrorism and other threats, and the hope that such protections will not erode the United Nations-recognized universal human right to personal privacy.
More specifically, the writers of the report urge its readers to carefully consider the following four principles:
- The United States Government must protect, at once, two different forms of security: national security and personal privacy.
- The central task is one of risk management; multiple risks are involved, and all of them must be considered.
- The idea of “balancing” has an important element of truth, but it is also inadequate and misleading.
- The government should base its decisions on a careful analysis of consequences, including both benefits and costs (to the extent feasible).
From the very beginning, the U.S. government has justified its surveillance programs by claiming its only intention is to target non-U.S. citizens for intelligence gathering. They have claimed there is no value in blindly collecting the email and other communications of U.S. citizens. Oddly, much of the media’s coverage has focussed not on the ethics of mass spying in general, but rather on the collateral impact such practices may have U.S. citizens. Beyond that, there have been constant accusations that NSA statements do not reflect reality, and that the communications-data of U.S. citizens are indiscriminately swept into the NSA dragnet as well.
Refreshingly, the report attempts to give equal consideration for those surveilled at home and abroad:
“We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons.”
Each time the NSA would like to monitor the communications of a non-U.S. person, the reports urges that it must be authorized by duly enacted laws or properly authorized executive orders; it must be directed exclusively at protecting national security interests; it must not be directed at illicit or illegitimate ends (such as the theft of intellectual property); it must not target any non-U.S. person based solely on that person’s views, religious, political, or otherwise; it must not disseminate irrelevant information; and it must be subject to careful oversight and transparency.
The panel consisted of Richard Clark, one-time deputy Central Intelligence Agency director Micheal Morell, former Chicago Law School dean and American Civil Liberties Union advisory board member Geoffrey Stone, legal scholar and former administrator of the Office of Information and Regulatory Affairs Cass Sunstein, and privacy law expert from the Georgia Institute of Technology Peter Swire.
Broadly speaking, regarding the collecting of information related to the communications of U.S. citizenry, the panel suggests several significant changes. First, an end to default metadata collection. Such information, they claim, should be stored privately – by companies or other third-party groups, but not by the NSA or the government directly. Second, the panel endorses more stringent protections of communication-data between U.S. and non-U.S. citizens. Third, they call for more limitations on the ability of the Foreign Intelligence Surveillance Court to compel the disclosure of data from third-parties to the government, both through National Security Letters and other means. Lastly, the group calls for legislative action aimed at promoting transparency on the part of the government and also those companies that receive government requests for data.
In order to curb frivolous data collection, the panel advises that the president create a new process, requiring highest-level approval of all sensitive intelligence requirements and the methods that the intelligence community will use to meet them. Those involved in this process should consider whether the information they seek to collect is truly valuable in the context of national security. They should also discuss the aims and means of their surveillance of foreign citizens and governments with the relevant leaders of closely allied nations.
The panel also calls for a number of organizational NSA reforms: they believe that the NSA director should be a Senate-confirmed position and urge the president to seriously consider appointing a civilian as the next director. However, that’s unlikely, given that the White House recently confirmed that the NSA director will retain oversight of Cyber Command, too, a military position. Furthermore, they argue the NSA should be clearly designated as a foreign intelligence organization, thus differentiating between the organizations responsible for offensive and defensive operations. Other missions (including that of NSA’s Information Assurance Directorate) should generally be assigned elsewhere. The head of the military unit, US Cyber Command, and the Director of NSA, they claim, should not be a single official. The report also asks for the creation of a public interest advocate to sit in on all FISC hearings.
Lastly, the report argues that the U.S. Government should take substantial steps toward bolstering international communication security.
“The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. Among other measures relevant to the Internet, the US Government should also support international norms or agreements to increase confidence in the security of online communications.”
As for the information that meets the stated criteria and is collected by the government, the report says it must be better protected. They say the government should altogether eliminate the use of for-profit companies in the process of conducting personnel investigations and that the government needs to reexamine its system of security clearances, including the implementation of continual monitoring for individuals with high-level clearances.
Former NSA research scientist and current CTO of Immunity Inc., Dave Aitel, wrote in an analysis of the NSA report on his Daily Dave email list that the security clearance system is clearly and obviously broken, but he asserts that this document’s recommendations fail to address the real problems with that system and ultimately will not fix it. The real issue, he says, everywhere in the intelligence community is one of resources. As in all American companies, he writes, there is simply a shortage of qualified technical people.
The splitting of Cyber Command from the Information Assurance Directorate, Aitel says, would further exacerbate this lack of talent by restricting the mobility of skilled workers from positions in one division to position in the other.
One aspect of the report that hasn’t received as much attention as the bits about surveillance reform is the section on the purchase and usage of zero days. The panel says that it’s usually in the best interest of Americans for the government to fix bugs rather than use them for offensive purposes, an assertion that Aitel disputes.
“It is demonstrably true,” Aitel writes in his analysis, “that the IC fixes vulnerabilities in both government and commercial systems that it deems a great threat – but the document describes a process that would unilaterally disarm our offensive teams for no clear defensive benefit. Likewise, the US Govt does not always have the intellectual property rights to 0days that would allow it to disclose them to a vendor – and should it start ignoring the agreements with its supply chain, the supply chain (which may be individuals, companies, other governments, other parts of the USG, academic institutions, etc.) will quickly find other customers.
“The paper states without any supporting evidence ‘In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.’ This is demonstrably not true since without these vulnerabilities a large segment of extremely valuable targeted collection would go blind and fixing all USG known vulnerabilities does not necessarily decrease the risk from running buggy commercial software.”
*Antenna image via Rikard Fröberg‘s Flickr photostream, Creative Commons