:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/71360550/obama_reflecting_wikipedia-1.1419980260.0.jpg)
It's time for a change at the NSA. But will President Obama deliver it? After former National Security Agency contractor Edward Snowden leaked documents showing the agency was engaged in widespread and often unchecked surveillance of phone and internet activity, calls to reform America's top spy organization have come from all corners.
This week, we find out whether those calls will be answered — but unfortunately, early reports from Washington insiders suggest that the president won't be making big changes.
Obama is giving a speech on Friday to address the recommendations made by an independent review panel, which he set up last year to help reform the American intelligence community. But so far, officials have been reluctant to endorse any big changes, and US lawmakers have also defended the programs, despite little to no evidence to suggest they've thwarted terrorist plots. We’ve taken a look at the reforms proposed by the review group, and we’ll be back tomorrow to see how the president's speech stacked up.
Reform bulk phone record collection
The NSA’s comprehensive database of phone records was the first thing revealed by last year’s leaks, and it’s still one of the most hotly debated issues. The panel’s proposal basically shifts everything back a step: the standard for collecting information would become more like the current standards for looking up a particular number, and phone companies or some other private entity would need to keep information ready for the NSA to access quickly — though phone companies have said they don’t want to keep the records. Obama has said this plan could be feasible, and there are bills addressing it in both houses of Congress. The reform panel has insisted that they’re only suggesting a "change in approach," but moving metadata out of the government’s direct control is a step away from the laissez-faire system the FISA court has authorized so far.
Recommendations
Instead of collecting phone records in a central database, leave it in the hands of phone companies or another private third party
Each piece of information the NSA collects must be relevant to a national security investigation
As a general rule, "the government should not be permitted to collect and store all mass, undigested, non-public personal information."
Move metadata into the hands of a third party
Tighten Section 215 to require more specific requests
Commit to stop collecting and storing mass personal information
Grade
End national security letter abuse
National security letters have actually gotten less attention since the NSA leaks, but the subpoenas, which don’t require court approval and come with a gag order that prevents recipients from revealing their existence, are still a major issue for privacy advocates. Investigations have revealed that the FBI has widely abused national security letters, and the letters as they stand now have been ruled unconstitutional by a district court. The review panel recommends significant reforms: subjecting NSLs to judicial oversight, tightening the scope, and making gag orders harder to get. The USA FREEDOM Act, the bill meant to dismantle the NSA’s phone records database, also proposes reforms to the national security letter system. But FBI director James Comey has pushed back heavily on the reform group’s recommendations, saying that judicial review would cripple a "very important" national security investigation tool, although he indicated willingness to compromise on changes to the gag orders.
Recommendations
Letters should have to go through a court instead of being managed almost purely by the FBI
NSLs must be "reasonable in focus, scope, and breadth," subject to the same limits on keeping and distributing information as the court-managed Section 215 law
Unless a court says it would pose a significant risk, recipients shouldn’t be banned from talking about an NSL; if they are, the order should expire within 180 days unless renewed
Add judicial oversight for national security letters
Guarantee limits in the scope of national security letters
Loosen gag orders
Grade
Lock down the NSA email database
Section 702 allows the intelligence community to sweep up emails, social media data, and other information for long-term storage, so long as the information is confined to non-US citizens outside the US. This rule, however, doesn’t seem to have been followed religiously by the NSA: the FISA court chided it in 2011 for apparently accidentally collecting thousands of purely domestic communications a year. The review group insists that the NSA keep as little American data as possible and reassure non-Americans that operatives can only target them under narrow circumstances and strict supervision.
Recommendations
If any information about a US citizen is collected under a law for non-American surveillance, it should be purged immediately unless it has foreign intelligence value
If data from a US person is kept, it shouldn’t be used as evidence in any case against them, and the government can’t specifically search for communications involving a particular US person
Non-US persons should only be surveilled for national security, and the US should make clear that it’s not targeting people for political or religious beliefs and is monitoring the program as closely as possible
Purge information about US persons
Limit using data involving American communications
Target non-Americans responsibly and only for national security
Grade
Give the FISA court teeth
Under the current system, FISA courts are the primary check on NSA power, overseeing and approving the bulk of the agency's data requests. To the extent that the NSA has gone too far in surveilling phone records, it's because the FISA court failed, granting warrants with unprecedented power and scope. What was meant to be oversight turned into a rubber stamp, approving nearly everything submitted to the court. The new measures are aimed at changing the culture of the FISA court, a tricky and nebulous task, but taken together, they have a good chance of restoring the court as a check on surveillance power, and potentially bringing a sorely absent sense of restraint into the NSA's requests. They're also comparatively easy reforms to make, if the President wants to make them.
Recommendations
This post would be a citizen’s advocate, arguing against the NSA’s surveillance demands.
Before now, the court’s rulings have been secret by default.
The new procedure would tie FISA judges to the Supreme Court, separating the court further from the executive branch.
Create Public Interest Advocate for FISA court
New declassification review for FISA rulings
New appointment procedure for FISA judges
Grade
Create external oversight for the NSA
Perhaps the biggest problem with the NSA is the lack of effective accountability for the agency. Congress and even the President seem to have been kept in the dark on key programs, while internal checks like the FISA court grew too closely aligned with the agency to offer an effective counterpoint. As a result, the NSA was given free rein over its data, with no one able to tell the agency when it had gone too far. The review panel would create new checks on that power, but the balance between secrecy and accountability is not an easy one to strike, and the bureaucratic details of the new agencies will be hugely important.
Recommendations
The independent office woud monitor classified collection activities, and object when they seem inappropriately broad.
This would give the president more of a say in the tools the NSA uses, and what it uses them for.
Establish a Sensitive Activities Office
Senior policymakers will review requirements, methods and targets.
Grade
Stop weakening encryption standards
The review panel suffered from poor timing on this one, stating that, "we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data." Just a few days after the recommendations were made public, Reuters proved them wrong with hard evidence that the NSA had purposefully weakened RSA's BSafe program, in conjunction with earlier efforts to insert certify faulty standards through the NIST approval process. It's particularly troubling to the observers since it endangers anyone using cryptography on the web, including the encryption that secures webmail and online banking. If those standards were seeded with an NSA-built backdoor, they'd be vulnerable not just to the government but to any third-parties that stumbled onto the key.
Recommendations
After inserting its own backdoors, the NSA has no credibility as an encryption authority.
New efforts are needed to regain the world’s trust in American IT products.
Right now, the NSA retains encrypted communications automatically, holding them as suspicious by default.
Separate NSA from NIST’s cryptography approval process.
Assistant Secretary of State will lead diplomacy of international information technology issues
The NSA will not hold encrypted communication as a way to avoid retention limits.
Grade
End spying on foreign leaders
Some of the most politically damaging news to come out of the Snowden docs was the revelation that the NSA had been tapping the phone of German chancellor Angela Merkel, along with more than 30 other world leaders. It's been a diplomatic disaster ever since the news was made public, with Merkel openly comparing the agency to the East German Stasi that surveilled her as a child. Still, without an agency overseeing those highly classified operations, enforcement is likely to be a problem.
Recommendations
It’s likely the President didn’t even know the NSA was tapping the German chancellor’s phone. New reforms would require explicit approval before other world leaders could be surveilled.
Institute a new process requiring high-level approval for politically sensitive operations
Grade
By Adi Robertson, Russell Brandom, and Carl Franzen. Design by Dylan Lathrop.
Photograph of Angela Merkel courtesy of European People's Party via Flickr