Sweeping Review Group Recommendations Will Fuel NSA Reform Effort
Written by Greg Nojeim
A report (PDF) issued today by the Director of National Intelligence’s Review Group on Intelligence and Communications Technology makes sweeping recommendations that contribute to growing demands for reform at the NSA. The Review Group recommended that the NSA’s bulk telephone record collection program be “terminated.” It found that the program was not essential to preventing terrorist attacks and that the information sought could readily be obtained by using more targeted means.
Surprisingly, it called for the effective end of National Security Letter authority, which would be replaced with court orders. Recognizing encryption’s importance to digital commerce on the Internet, it issued a sweeping endorsement of the use of strong encryption and cautioned that the NSA should take no steps to weaken the security of commercially available software. The Review Group recommended divesting the NSA of its cybersecurity mission – which is at odds with its code-cracking mission – and placing it with a different DOD entity. There is a lot in here that the President should adopt, but also some elements that should raise red flags. Here are some preliminary thoughts about the recommendations the Review Group makes:
The Review Group recommends that NSA’s bulk collection of phone records under Section 215 of the Patriot Act be “terminated as soon as reasonably practicable” and that instead, the NSA query the records as they are maintained at the phone companies or by a private third party. The data could only be queried if a FISA Court judge had determined that there are reasonable grounds to believe that the information sought is relevant to an authorized terrorism or counter-intelligence operation, and that the order it would issue is reasonable in focus, scope and breadth. In making this recommendation, the Review Group has, in effect, rejected the NSA’s claim that bulk collection is the only feasible way to run the phone records program. As a general matter, the Review Group recommends that the presumption should be against bulk collection and in favor of more targeted surveillance.
The report does not recommend that the phone companies be statutorily required to retain call record data but rather, in effect, a voluntary “best practice” that phone companies retain the call detail records for two years so the NSA can query the data when it proves to the FISA Court that query will uncover information relevant to an investigation. If the voluntary approach does not work, the Review Group says “implementing legislation might be required.” The queries would have to be sent to multiple providers when the number to be queried is not served by a U.S. provider.
This is a significant improvement over the current practice in which the FISA Court orders the phone companies to turn over their call records to the NSA every day for 90 days at a time so NSA can query the data using a looser standard. Some providers of cellular service now retain call detail records for a longer period of time than two years, and others for a shorter period. Courtesy of the records the mobile communications providers gave Senator Markey a few weeks ago, those retention periods are:
- AT&T: 5 Years
- C Spire: 18 Months
- Cricket: 6 Months
- Sprint: 18 Months
- T-Mobile: Up to 7-10 Years
- Metro PCS: 2 Years
- US Cellular: 1 Year
- Verizon: 1 Year
As mentioned in the Review Group’s report, 47 CFR 42.6 requires retention of at least some call records for 18 months already. To the extent companies are required (or coerced) to retain phone call records for a period longer than they maintain the records for business reasons, it exposes the records to demands that they be disclosed for law enforcement purposes and in civil proceedings, such as divorce proceedings, and it increases the damage that would be done if a hacker was able to gain access. On balance though it appears that implementation of this recommendation is a step forward because the NSA would not retain the record and the phone companies would be under no statutory mandate to do so.
The Review Group also recommended that when Section 215 is used to obtain records about an individual, that there be a requirement that the FISA Court first find that the order “is reasonable in focus, scope and breadth,” like a subpoena. This new statutory requirement would be a way of ensuring that the government has reasonable grounds for intruding on the privacy interests of a particular individual or organization. While this is an improvement to the statute, we believe that the standard should be raised further, and require that the records sought pertain to a terrorist, spy or other agent of a foreign power, or to a person in contact with such person. A similar standard appears in the USA FREEDOM Act, S. 1599.
National Security Letters
In a surprisingly refreshing and far-reaching recommendation, the Review Group effectively recommends that National Security Letters (NSL) be done away with in favor of judicial authorization of the demands now made with these letters. An NSL is a letter issued by the FBI or another element of the intelligence community under one of six laws demanding that information be disclosed for an intelligence investigation. NSL use has been fraught with controversy because NSLs are issued on a very low standard (relevance to an investigation) for sensitive personal data (phone call records, some Internet records, bank records, credit information and more) without judicial authorization and with a gag that makes it a crime for the NSL recipient to disclose the fact that an NSL was received or a disclosure was made under it. The DOJ Inspector General has issued a series of reports about abuse of NSLs, including using NSLs to obtain information that a court had indicated was constitutionally protected against disclosure, and using NSL authority to issue “exigent letters” demanding disclosure when there was no exigency.
The Review Group acknowledges this, and without saying that it is doing so, recommends the end of National Security Letter authority. It would be replaced with court orders issued by judges of the FISA Court, or newly-appointed FISA Court magistrates, under the same standard as the Review Group recommends for Section 215 orders. The major difference between the two would be the type of records and things that could be obtained (215 orders can be issued for any “tangible thing”).
Cybersecurity and Encryption
The Review Group’s report rightly recognizes the importance of strong encryption to the proper functioning of the Internet. It indicates that it found no systematic effort by the NSA to undermine the security of communications by coercing companies to build in backdoors to the Internet-based services they offer or by inserting backdoors surreptitiously. Documents released by Edward Snowden and interviews with industry officials reportedly showed the opposite, including that the NSA “began collaborating with technology companies in the United States and abroad to build entry points into their products,” as the New York Times reported on September 5. My colleague, Joseph Lorenzo Hall, blogged about concerns from the cryptographic community that the NSA may have attempted to undermine the NIST cryptographic standard, SHA-3. These concerns came on the heels of allegations that the NSA deliberately inserted a backdoor into a particular random number generator. The Review Group did not address these reports.
It did, however, make three important statements and recommendations about cybersecurity and encryption:
Support Strong Encryption and Secure Software. The Review group said in no uncertain terms in Recommendation 29 that the U.S. should “fully support and not undermine efforts to create encryption standards; not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and, increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.” These are exceedingly strong statements that recognize that global online commerce, infrastructure, and increasingly social activity are mediated by products that must be secure so people can trust them when they are used. Much of the uncertainty in recent months about the surveillance disclosures has centered around how secure or insecure are the products and services we use every day at work and at home. The Review Group’s ringing support for secure communications, software, and interoperable standards go some way towards reducing this uncertainty. Its recommendation that the government not subvert the security of commercial software is particularly welcome.
Move NSA’s Cybersecurity Activities To a Different DOD Element. NSA has two conflicting missions: breaking into the computers and networks of foreign adversaries and securing the computer networks of elements of the U.S. intelligence community and certain government contractors. The NSA’s Information Assurance Directorate does the cybersecurity work and the Review Group recommended (Recommendation 25) this function be removed from NSA to the Department of Defense (DOD). Cisco, for example, recently reported that its overseas business was being hurt by a perception that NSA was requiring it and other companies to build in backdoors so the NSA could listen in. Removing the Information Assurance Directorate from the NSA could enhance trust in its mission and in the products the Directorate helps make more secure. However, the Directorate would stay within the Department of Defense, which could diminish the desired effect of this move. Putting the cybersecurity function where it belongs, at the Department of Homeland Security or at the Department of Commerce would have been a more effective reform and refute inferences that the separation of these functions was not sufficient.
Disclose Zero Day Vulnerabilities. Like other intelligence agencies, and like commercial and other hackers, the NSA uses software vulnerabilities to gain access to computers and steal information from adversaries. The most useful vulnerabilities are the “zero day” vulnerabilities – those that have never been exploited before, and which the software maker therefore has not yet developed and distributed to users a patch for the vulnerability.
When the NSA discovers a zero day vulnerability, it has a decision to make: does it sit on it and use the vulnerability to gain access to an adversary’s computer, or does it reveal the vulnerability to the software maker so it can be patched? Or, to put it another way, does NSA’s intelligence collection mission trump its cybersecurity mission when it comes to zero days? The Review Group’s recommendation is that cybersecurity should almost always win out and that such vulnerabilities should be immediately disclosed to the software manufacturer, except in very narrow cases with very tight oversight from the White House. The presumption is that NSA will inform the software so a patch can be fashioned, but that in rare instances, the intelligence community could briefly exploit a zero day for a high priority target before informing the software manufacturer.
PRISM Program Surveillance Under Section 702
The report recommends significant reforms to Section 702 of FISA to protect U.S. persons (U.S. citizens and lawful permanent residents) but its recommendations about non-U.S. persons do not go far enough. Section 702 authorizes the government to compel communications service providers to disclose the contents of communications of persons reasonably believed to be abroad. It forms the legal basis for the government’s PRISM program under which there were more than 117,000 targets in April of 2013, according to reports based on documents released by Edward Snowden. Section 702 surveillance, though targeted at non-U.S. persons abroad, sweeps in a lot of communications of Americans, including “incidental” collection on Americans who are in the U.S. communicating with people abroad, as well as “inadvertent” collection of wholly domestic communications.
The Review Group found that minimization guidelines governing Section 702 surveillance do “not adequately protect the legitimate privacy interests” of Americans whose communications are incidentally acquired under section 702. It recommended closing the “backdoor search loophole” by prohibiting the government from searching for the information acquired pursuant to Section 702 for information about a particular U.S. person unless the government has a court order, absent an emergency. Second, the report recommends immediate deletion of any information about U.S. persons acquired under Section 702 unless it relates to foreign intelligence or is necessary to prevent serious bodily harm. Third, it recommends prohibiting use of any information about U.S. persons acquired under Section 702 from being used in any criminal proceedings. If implemented, these recommendations would go a long way toward narrowing the overbroad uses to which this information can be put under the current minimization guidelines.
The Review Group’s recommendations are lacking in terms of the rights of non-U.S. persons (people who are not U.S. citizens or lawful permanent residents). It recognizes “the simple and fundamental issue of respect for personal privacy and human dignity” enshrined in Article 12 of the Universal Declaration on Human Rights and Article 17 of the International Covenant on Civil and Political Rights, but it does not say how governments should implement these fundamental human rights obligations. It also falls far short of calling for governments, including the U.S. government, to honor these rights when governmental actions have an extraterritorial impact on people’s rights to privacy and freedom of expression. The Review Group recommends that Section 702 surveillance “be directed exclusively at the national security of the United States or our allies,” and that targeting not be “based solely on that person’s political beliefs or religious convictions.” However, whether this recommendation will effectively narrow the scope of this surveillance is unclear.
On the other hand, the Review Group does recommend that Privacy Act protections enjoyed by U.S. persons be extended to non-U.S. persons as well – something that people in Europe in particular have sought for some time. However, in the national security arena, the effect of such an extension may well be limited.
CDT will have additional analysis of the Review Group’s report in the coming days. In particular, the report makes very strong recommendations about transparency of intelligence surveillance that warrants separate treatment, as do its recommendations for reform of FISA court procedures, and other matters.
The Review Group’s recommendations to end the bulk collection of telephony metadata, effectively end the use of national security letters, enhance cybersecurity and encryption, and provide additional back end protection for PRISM surveillance are all significant wins for privacy and civil liberties.