President Obama just announced big changes to America's massive government surveillance programs, promising to add new safeguards to protect Americans' privacy and place new restrictions on how the NSA can use the information it collects on ordinary citizens. We've graded the big changes below, comparing them to the reforms that were recommended by an independent review panel last year. All in all, the proposed changes mainly concern the NSA's bulk collection of Americans' phone records, not its spying on internet communications. Even accounting for that limitation, they seem good on paper — and far better than many privacy advocates feared — but we're still waiting to see how they will be enacted.
Our scoring takes into account the fact that Obama can’t single-handedly execute the reforms that the panel recommends; in several cases, Congress will need to pass legal reforms, and in others, departments themselves will need to develop and make changes under his direction. For purposes of grading, we’re also assuming some level of good faith: if a resolution is so broad as to be meaningless, it will affect the score, but guidelines that don’t come with a specific policy directive can still be graded well. Keep in mind that this categorically isn’t an evaluation of what’s going to happen, just what we’re being promised today -- for whatever that’s worth. This isn’t a wish list of how the program will ideally be reformed, but it’s holding Obama to the recommendations his panel made.
Reform bulk phone record collection
The White House has promised to "end the program as it currently exists," moving phone records out of the government’s direct control. What that is remains to be seen: Obama is asking the intelligence community, including the attorney general and the NSA, to come back in March with alternative ideas. The review panel recommended either asking phone companies to hold information or putting it in the hands of a private third party, both of which pose their own privacy concerns but would mark a step away from centralized collection. Obama also made direct changes to the program as it exists today, though. From now on, analysts can only query records with approval from the FISA court, and they can only search within two "hops" or degrees from the target number, rather than three.
Instead of collecting phone records in a central database, leave them in the hands of phone companies or another private third party
Each piece of information the NSA collects must be relevant to a national security investigation
As a general rule, "the government should not be permitted to collect and store all mass, undigested, non-public personal information."
Move metadata into the hands of a third party
Tighten Section 215 to require more specific requests
Commit to stop collecting and storing mass personal information
End national security letter abuse
National security letters – the secret government orders that compel companies like Google and Facebook to turn over user information to the FBI, without telling the users themselves – don’t appear to be getting that much added oversight. The president said in his speech that he had directed Attorney General Eric Holder to "amend" the secrecy surrounding the letters so that the users who were targeted by them could be told and that tech companies could share more information with the public about the letters they received. But the scope of the letters isn't being narrowed. None of this is precisely a surprise; the FBI pushed hard to maintain NSLs’ ease of use, promising that last decade’s rampant abuse has been curbed and that the letters are a vital national security tool. We are, however, seeing significant reforms to the accompanying gag orders:
Letters should have to go through a court instead of being managed almost purely by the FBI
NSLs must be "reasonable in focus, scope, and breadth," subject to the same limits on keeping and distributing information as the court-managed Section 215 law
Unless a court says it would pose a significant risk, recipients shouldn’t be banned from talking about an NSL; if they are, the order should expire within 180 days unless renewed
Add judicial oversight for national security letters
Guarantee limits in the scope of national security letters
Loosen gag orders
Lock down the NSA email database
The president mostly defended the NSA's sweeping collection of ordinary citizens' emails at home and abroad, saying "the men and women of the intelligence community, including the NSA, consistently follow protocols designed to protect the privacy of ordinary people. They are not abusing authorities in order to listen to your private phone calls, or read your emails." Obama acknowledged "mistakes" had been made, but said they were quickly corrected. He pointed out that even intelligence workers "have kids on Facebook and Instagram," and so were not inclined to abuse their authority. It seems like this program will remain mostly unchanged for now.
If any information about a US citizen is collected under a law for non-American surveillance, it should be purged immediately unless it has foreign intelligence value
If data from a US person is kept, it shouldn’t be used as evidence in any case against them, and the government can’t specifically search for communications involving a particular US person
Non-US persons should only be surveilled for national security, and the US should make clear that it’s not targeting people for political or religious beliefs and is monitoring the program as closely as possible
Purge information about US persons
Limit using data involving American communications
Target non-Americans responsibly and only for national security
Give the FISA court teeth
Much of this work will have to be done by Congress, but the president made a strong commitment to many of the crucial FISA reforms, including the new position of Public Interest Advocate, which also now includes an unexpected technical component. The president also made gestures towards annual declassification reviews, a crucial but delicate transparency measure where the details of implementation will be particularly important to watch. There was little word about the wonky details of how FISA judges are confirmed, but the larger push for FISA reform suggests those changes have a good chance of coming through.
This post would be a citizen’s advocate, arguing against the NSA’s surveillance demands.
Before now, the court’s rulings have been secret by default.
The new procedure would tie FISA judges to the Supreme Court, separating the court further from the executive branch.
Create Public Interest Advocate for FISA court
New declassification review for FISA rulings
New appointment procedure for FISA judges
Create external oversight for the NSA
This is a serious point of disagreement between Obama and the review panel, although it's not necessarily a bad one. The review panel's oversight mechanisms are all focused in the executive branch, adding new presidentially appointed offices and stronger oversight from the presidential staff. Obama's directives ignore that entirely, favoring oversight from the judicial branch. In many ways it's a better solution, offering a stronger check from a separate branch of government. It's also a challenge the judiciary is better equipped to handle in many ways. Still, the judges in question are unlikely to be as sensitive to public opinion as the proposed Sensitive Activities Office. There were a few nods towards more review from department heads, but anyone hoping for strong oversight from civilian agencies is coming away empty-handed.
The independent office would monitor classified collection activities, and object when they seem inappropriately broad.
This would give the president more of a say in the tools the NSA uses, and what it uses them for.
Establish a Sensitive Activities Office
Senior policymakers will review requirements, methods and targets.
Stop weakening encryption standards
For the cryptography geeks and civil liberties advocates, this was the main event, proof that the US government was undermining the essential tools of online privacy. Unfortunately, Obama hasn't touched this yet, possibly betting that most Americans care more about their phones than their HTTPS layer. The president also hasn't made any moves to separate the NSA from the US Cyber Command, or touched the NSA's status as the government's codemaker general. Anyone waiting for a sweeping affirmation of the sanctity of encryption would be advised not to hold their breath.
After inserting its own backdoors, the NSA has no credibility as an encryption authority.
New efforts are needed to regain the world’s trust in American IT products.
Right now, the NSA retains encrypted communications automatically, holding them as suspicious by default.
Separate NSA from NIST’s cryptography approval process.
Assistant Secretary of State will lead diplomacy of international information technology issues
The NSA will not hold encrypted communication as a way to avoid retention limits.
End spying on foreign leaders
This was one of the most damaging leaks, and while most of the backpedaling has happened on the diplomatic stage, it’s been a key example of NSA power run amok. Spying on Angela Merkel was a key example where diplomatic risk outweighed the benefits of the information involved. In today’s speech, the president explicitly said he had instructed intelligence agencies to refrain from surveilling friendly heads of state, and while there’s no specific program to stop it from happening again, the president has asked Secretary of State John Kerry to appoint a new official, a "Coordinator for International Diplomacy," to handle complaints and questions about international surveillance from foreign leaders and dignitaries.
It’s likely the President didn’t even know the NSA was tapping the German chancellor’s phone. New reforms would require explicit approval before other world leaders could be surveilled.
Institute a new process requiring high-level approval for politically sensitive operations
In sum, President Obama’s new reforms offer some hope, but little change. If, as the President suggested, the most controversial program was the collection of phone records, then today’s news is reassuring. The collection of bulk phone records is on the cusp of real and lasting reforms, far beyond the illusory reforms many were predicting. But for those who were more concerned with the NSA reading emails or monitoring web browsing, the president offered surprisingly little.
Neither the speech nor the directive addressed PRISM or the tapping of private company networks at Google and Yahoo. Long-standing issues like national security letters received some instructions for future reform, but only after a process of negotiation with the FBI and with no assurance that they would see greater oversight. The NSA will continue its quiet war against encryption tools. Even the promised progress is only a first step, a seed of reform which could easily perish in a hostile legislature or an unresponsive bureaucracy. The next test will come when intelligence agencies respond to the proposals, and Congress moves forward with existing bills for FISA reform.