The president's NSA review panel has recommended an end to bulk data collection, as reported by The Washington Post. The panel's statement speaks out against the NSA's pattern of bulk collection, stating as a general rule that "the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries."
More specifically, the panel recommends the agency no longer be allowed to maintain its database of phone records, which was revealed this summer to include data on nearly all American phones. "In our view, the current storage by the government of bulk meta-data creates potential risk to public trust, personal privacy and civil liberty," one passage reads. Previous reports suggested the panel would recommend a higher burden of proof for bulk metadata collection, which was ruled to be likely unconstitutional by a federal court earlier this week. The panel recommends keeping the database with phone companies or a trusted third party, requiring requests when data is needed. In the past, the NSA has said that investigations could be delayed by the extra step of asking phone companies for records.
The panel also suggested new restrictions on the use of National Security Letters and FISC warrants to compel data from third parties, applying the same evidence standard required for a subpoena. That would mean any requests would have to be "reasonable in focus, scope, and breadth." In the same spirit, the recommendations would bar the NSA from asking companies to build backdoors, addressing allegations that the agency had deliberately weakened cryptographic standards in the interest of easier data collection. In a nod to recent requests by Google, Facebook, and others, the recommendations would permit companies to report "general information" about the number of government requests they have received and the number of users affected.
The review panel is designed only to offer a template for executive action, so none of the panel's recommendations have the force of law. Still, it seems likely President Obama will act on the suggestions in the months to come. In a statement after the release of the document, the White House said that in the coming weeks, "the President will work with his national security team to study the Review Group’s report, and to determine which recommendations we should implement." At the same time, Congress has offered a number of avenues for potential NSA reform, including a bill from Senator Patrick Leahy (D-VT) and Rep. Jim Sensenbrenner that reportedly influenced the panel's findings.
The panel also recommends structural changes within the NSA, like separating the agency's defensive "information assurance" wing from the more central signals intelligence mission. On the cyberwar front, the recommendations would discourage the NSA from stockpiling zero-day exploits, the unpublished software vulnerabilities often used to gain unauthorized access to targeted computers, but not ban them outright. "In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection," the report reads. The report takes a stronger line on the controversial link between the NSA and US Cyber Command, stating clearly, "the head of the military unit, US Cyber Command, and the Director of NSA should not be a single person." That recommendation directly contradicts a recent statement by the White House that General Alexander's successor would hold both posts at once.
Already, many privacy advocates are cautiously optimistic about the recommendations. The American Civil Liberties Union was wholeheartedly positive, with executive director Anthony Romero saying, "We urge President Obama to accept his own Review Panel’s recommendations and end these programs." Others have had a more measured response. In a prepared statement, Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, said the panel "floats a number of interesting reform proposals, and we're especially happy to see them condemn the NSA's attacks on encryption and other security systems people rely upon." Still, Opsahl says the limitations on phone records don't go far enough. "Mass surveillance is still heinous, even if private company servers are holding the data instead of government data centers."