Center for Applied Cybersecurity Research
Dec. 20, 2013
FOR IMMEDIATE RELEASE
BLOOMINGTON, Ind. -- The President’s Review Group on Intelligence and Communications Technologies has produced a “bold and decisive” report on NSA surveillance that can only be described as sweeping in the breadth and likely impact of its recommendations, according to an Indiana University cybersecurity and privacy expert.
Maurer School of Law Distinguished Professor Fred H. Cate, who met with the review committee in September, lauded the group’s work but said the its proposals may still fail to result in substantial changes in National Security Agency operations.
“It seems unlikely that President Obama, who up until now has appeared to kowtow to the NSA, will pursue most of its recommendations,” Cate said. “Washington is littered with reports calling for similar reforms that the president and Congress have ignored. The recommendations of this report are far more sweeping than any of the reform legislation currently pending in Congress or that the White House -- or perhaps anyone else in Washington -- expected.”
The report’s 46 recommendations are far-ranging, but are largely focused in six major areas: repudiating the “collect everything” approach of the NSA and other federal agencies; expanding privacy rights for U.S. and non-U.S. citizens and significantly curtailing surveillance of foreign leaders; restructuring the NSA and its leadership; subjecting the NSA to new oversight; putting surveillance in a broader context with other important national interests; and expanding transparency.
Many of the recommendations were part of Cate’s written comments to the Review Committee. Those comments were submitted last month and are available here in their entirety.
The report repudiates the “collect everything” approach of the NSA, to focus instead on a “cost-benefit, risk-management” approach to surveillance and intelligence gathering.
For example, the report calls on Congress to enact legislation dismantling the bulk telephone metadata surveillance program first made public by Edward Snowden, and to prohibit such programs in the future except in limited circumstances when the president or other senior policy official determines the program is necessary to serve a “compelling” governmental interest. The report recommends that Congress amend section 215 of the USA Patriot Act, the provision on which the NSA based its bulk telephone metadata program, to require that all orders be “reasonable in focus, scope and breadth.”
The report recommends extending significant privacy rights to non-U.S. citizens, including limiting U.S. surveillance of these persons to “exclusively” protecting national security interests.
“No more surveillance of foreign heads of state (or anyone else) for purely political or trade purposes,” Cate said. The report would also extend the Privacy Act of 1974 to non-citizens, end the NSA’s subterfuge of collecting data on U.S. citizens while claiming to be seeking information only on non-U.S. persons, and, under the proposed recommendations, limit the retention and use of inadvertently collected data on U.S. persons.
The report is equally sweeping in its recommendations about the structure and management of the NSA.
“The call to separate the leadership of the NSA from that of the U.S. Cyber Command is one of the bolder actions recommended,” Cate said, “but President Obama reviewed the report last week and has already rejected it.”
The report also recommends that the head of the NSA be a civilian and subject to Senate confirmation. Most strikingly in this context, the report recommends removing the NSA’s Information Assurance Directorate, effectively splitting the agency into two separate parts.
The report recommends the creation of new powers to oversee the NSA and other surveillance organizations.
“Creating a special assistant to the president for privacy, expanding and enhancing the powers of the existing Privacy and Civil Liberties Oversight Board and creating a public interest advocate to represent privacy and civil liberties interests before the Foreign Intelligence Surveillance Court are all positive steps toward restoring faith in the American public,” Cate said. “The NSA programs revealed by Mr. Snowden this summer have eroded the trust between the government and its people. Acknowledging -- and respecting -- the privacy rights of Americans is a critical need and a key focus of the report.”
The report devotes considerable time to the broader range of interests -- other than conducting surveillance for national security -- that should concern the federal government.
For example, the report urges that neither the NSA nor any other federal agency do anything to “subvert, undermine, weaken or make vulnerable generally available commercial software” or encryption standards, Cate said. The report also recommends that the surveillance mission be brought into line with the Obama Administration’s 2011 International Strategy for Cyberspace, which advocated freedom of expression and protection of civil liberties for all people online. The Review Group also recommends the creation of an assistant secretary of state position to “lead diplomacy of international information technology issues.”
The report is equally sweeping in its recommendations for enhancing transparency about government surveillance.
“This would include the frequency and duration of non-disclosure orders and permitting industry to provide general information about the frequency and extent of compelled disclosure of customer records to the government,” Cate said. “High-tech companies have been pushing to allow them to disclose that the NSA demands from them. Two weeks ago, eight of the largest companies, including Google and Microsoft, took out full-page ads in major newspapers calling on the Obama Administration to rein in the NSA and allow broader disclosure.” The report calls for far more disclosure of surveillance activities to Congress and, ultimately, to the public.
“The Review Group has done its part,” Cate noted. “Now it is up to the president and Congress to do theirs.”
Fred H. Cate is the director of the Indiana University Center for Applied Cybersecurity Research and the C. Ben Dutton Professor of Law. He is a member of the inaugural U.S. Department of Homeland Security Data Privacy and Integrity Committee Cybersecurity Subcommittee and one of the founding editors of the Oxford University Press journal International Data Privacy Law. He can be reached at 812-855-1161 or firstname.lastname@example.org.