[Editor’s Note: Just Security is holding a “mini forum” on the Report by the President’s Review Group on Intelligence and Communications Technologies. Others in the series include a post by Julian Sanchez examining the scope of the NSA’s section 702 program, a post by David Cole and Marty Lederman analyzing how metadata is used under section 215, a post by Jennifer Granick discussing the implications for non-US persons (with a follow-up post by Jennifer), and a post by Ryan Goodman discussing the effectiveness of the section 215 metadata program.]
The Report of the President’s Review Group on Intelligence and Communications Technologies (PRGICT) has made quite a splash. But what, exactly, is in it? Tons of stuff, actually, on a huge range of subjects. And 46 specific recommendations.
This post is a modest excavation of the Report, describing and clarifying what I see as its more interesting and important discussions and recommendations. I will largely leave to others the task of assessing the merits of the Report’s various proposals.
This post is far from comprehensive; I do not, for instance, discuss the vast majority of the Report’s recommendations. In particular, this post does not address one of the most important and controversial aspects of the Report–namely, its discussion of, and recommendations for, the Section 215 “telephony metadata” program and other bulk data collection programs. The Report’s important discussion of the risks associated with data-mining of vast collections of information has not received the attention it deserves, having been overshadowed by the Report’s recommendation that such databases be maintained by third-party custodians rather than by the NSA. David Cole and I will discuss these issues further in a separate post.
Here, I’ll start with some of the Report’s broader themes and general suggestions, and then proceed to some of the particulars.
1. WIDENING THE FOCUS
It is commonly assumed that policy choices about the matters covered in the Report require a balancing between national security, on the one hand, and privacy, on the other. As Jack Goldsmith rightly emphasizes, however, the single most important characteristic of the Report is its insistence that much more is at stake than this binary opposition.
The Report repeatedly insists that, in deciding how to craft our surveillance practices, we must take account of not only the expected national security benefits and any intrusions on privacy when the government obtains information about individuals, but also other vital interests and likely effects—for example, the impact on social practices, and norms of communication and creativity, if the public comes to believe that its government has “total information awareness” capabilities; the potential effect of the practices on the U.S.’s reputation and diplomatic interests abroad—including prospects for U.S. initiatives to establish multilateral norms; and the possible impact on U.S. firms, and the U.S. economy. Moreover, one of the important lessons of the Snowden revelations is that in assessing these various interests, policy makers should assume not that U.S. surveillance practices will remain secret, but instead that, for better or for worse, they may one day be publicized for all the world to see. Would the benefits be worth the costs, along all of these metrics and more, if the program were to be exposed? Much of the Report is written with that question in mind.
2. ESTABLISHING “FOUNDATIONS” THAT MIGHT WITHSTAND THE RISK OF OVERREACTION AFTER THE NEXT ATTACK
A central premise of the Report is that many of the decisions the government made in the wake of 9/11 were precipitous and unbalanced, if understandable, and that it is therefore imperative to establish “secure foundations for future decisions” now, when decision-makers can assess various interests clearly and are not driven to “overreaction” in light of the inevitable fear and panic that follow catastrophic events (pp. 54, 57). This passage on page 180 is representative:
[I]f a similar or worse incident or series of attacks were to occur in the future, many Americans, in the fear and heat of the moment, might support new restrictions on civil liberties and privacy. The powerful existing and potential capabilities of our intelligence and law enforcement agencies might be unleashed without adequate controls. Once unleashed, it could be difficult to roll back these sacrifices of freedom.
Our recommendations about NSA are designed in part to create checks and balances that would make it more difficult in the future to impose excessive government surveillance. Of course, no structural reforms create perfect safeguards. But it is possible to make restraint more likely. Vigilance is required in every age to maintain liberty.
3. DISTINGUISHING BETWEEN SURVEILLANCE POLICIES FOR COMBAT AND NON-COMBAT OBJECTIVES
Much has been made of Report’s recommendation (No. 22(3)) that the President should seriously consider appointing a civilian NSA Director. But few have focused upon one of the principal reasons offered for that suggestion—namely, a concern that decisions about the scope of surveillance for counterterrorism purposes generally have been driven by the particular needs of the military for combat operations on the battlefields of Iraq and Afghanistan, thereby resulting in an “increasing overlap between signals intelligence for military purposes and the communications of ordinary Americans and citizens of other countries” (p. 186). The authors suggest that perhaps surveillance policies and practices should be materially different in the two distinct settings (pp. 186-87):
The convergence of military and civilian communications is important in light of the drastically different expectations of government surveillance. In wartime, during active military operations, signals intelligence directed at the enemy must be highly aggressive and largely unrestrained. . . . [T]here are powerful arguments for strong measures to intercept communications to prevent or detect attacks on American troops in Iraq and Afghanistan. During military operations, the goal is information dominance, to protect the lives and safety of US forces and to meet military objectives. The same rules do not apply on the home front.
A significant challenge today is that a wide and increasing range of communications technologies is used in both military and civilian settings. The same mobile phones, laptops, and other consumer goods used in combat zones are often used in the rest of the world. The same is true for software, such as operating systems, encryption protocols, and applications. Similarly, routers, fiber optic, and other networking features link combat zones with the rest of the global Internet. Today, no battlefield lines or Iron Curtain separates the communications in combat zones from the rest of the world. A vulnerability that can be exploited on the battlefield can also be exploited elsewhere. The policy challenge is how to achieve our military goals in combat zones without undermining the privacy and security of our communications elsewhere. In responding to this challenge, it remains vital to allow vigorous pursuit of military goals in combat zones and to avoid creating a chilling effect on the actions of our armed forces there.
The public debate has generally focused on the counterterrorism rationale for expanded surveillance since the terrorist attacks of September 11, 2001. We believe that the military missions in Iraq and Afghanistan have also had a large but difficult-to-measure impact on decisions about technical collection and communications technologies. Going forward, even where a military rationale exists for information collection and use, there increasingly will be countervailing reasons not to see the issue in purely military terms. The convergence of military and civilian communications supports our recommendations for greater civilian control of NSA as well as a separation of NSA from US Cyber Command. It is vital for our intelligence agencies to support our warfighters, but we must develop governance structures attuned to the multiple goals of US policy.
The Report does not provide further details with respect to this suggestion; but it does offer food for thought about whether Congress and the Executive ought to consider developing a kind of “two-track” surveillance regime, in which the rules respecting surveillance in support of combat missions might be more robust, and subject to different checks, than the rules that govern national security surveillance for other objectives. In this respect, the Report is reminiscent of the President’s May 23d National Defense University speech, in which he suggested that perhaps the rules for use of force ought to be different “outside the Afghan theater,” where force protection is less of a concern. (See my post with Mary DeRosa for more along these lines.)
4. TRANSPARENCY AND WHISTLE-BLOWING
a. Transparency. One of the most important questions in the wake of the Snowden leaks is whether it was a mistake for the government to keep secret the existence of programs such as the telephony metadata bulk collection program; the general scope of other programs that are nominally acknowledged (such as FAA Section 702 surveillance); and the “minimization” rules that cabin such programs. Should the robust public debate we’re having now have occurred before these programs were initiated? Should the documents now prominently displayed on the ODNI website have been kept secret all these years? Or, more to the point, under what circumstances, and to what degree, should proposed future programs be publicly debated before they are authorized?
The Report’s authors conclude that “[t]here is a compelling need today for a serious and comprehensive reexamination of the balance between secrecy and transparency” (p.125); but they also recognize that the “most vexing problems” in this regard “arise when the public disclosure of secret information is both harmful to national security and valuable to informed self-governance” (p.125).
Their principal recommendation on this question, Recommendation No. 7, is somewhat indeterminate:
[L]egislation should be enacted requiring that detailed information about authorities such as those involving National Security Letters, section 215 business records, section 702, pen register and trap-and-trace, and the section 215 bulk telephony meta-data program should be made available on a regular basis to Congress and the American people to the greatest extent possible, consistent with the need to protect classified information. With respect to authorities and programs whose existence is unclassified, there should be a strong presumption of transparency to enable the American people and their elected representatives independently to assess the merits of the programs for themselves.
This begs the question somewhat, since the real difficulty is deciding when the information ought to be classified in the first instance. More important, then, is Recommendation No. 11, which suggests a strengthening of procedural and substantive standards for secrecy/classification decisions:
We recommend that the decision to keep secret from the American people programs of the magnitude of the section 215 bulk telephony meta-data program should be made only after careful deliberation at high levels of government and only with due consideration of and respect for the strong presumption of transparency that is central to democratic governance. A program of this magnitude should be kept secret from the American people only if (a) the program serves a compelling governmental interest and (b) the efficacy of the program would be substantially impaired if our enemies were to know of its existence. (Italics in original.)
b. Whistle-blowing and the CLPP Board. The Report also includes one intriguing recommendation (No. 27(2)) with respect to whistle-blowers—enactment of a statute that would give employees within the Intelligence Community who are concerned about secret programs the authority to “report their concerns directly” to a “newly chartered, strengthened, independent Civil Liberties and Privacy Protection Board.”
The Report does not describe the ways in which the CLPP Board would be “independent” from the President, nor what it would be empowered to do with the information it receives from such whistle-blowers—details that would need to be worked out in order for the Executive and Congress to fairly evaluate this recommendation.
Not surprisingly, Recommendation No. 29(2) has received a great deal of attention. It provides that the U.S. should not “in any way subvert, undermine, weaken, or make vulnerable generally available commercial software.” The Report further urges the government to “make it clear” that “NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce,” nor “demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product” (p. 218).
The Report itself suggests, without elaboration, that these proposals would not deviate substantially from the status quo, since “it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or ‘backdoor,’ that makes it possible for the US Government or anyone else to achieve unauthorized access” (p.217).
I’ll leave it to others to discuss in greater detail whether and to what extent these recommendations would alter current practices, and whether they would be too restrictive or not restrictive enough. I would simply note that the authors were very careful here to use terms and qualifications that avoid categorical assertions (“generally available,” “commercial,” “demand,” “appears,” “vast majority,” “generally used,” etc.). The Report might fairly be read, therefore, to leave plenty of play in the joints concerning how and to what extent adoption of Recommendation 29(2) would require changes in current practices.
6. SURVEILLANCE OF FOREIGN PERSONS OVERSEAS
This part of the Report has been subject to some unwarranted caricature. As far as I can tell, for instance, the Report does not, as Joel Brenner alleges, “recommend that we treat foreigners and U.S. persons alike under the law.”
It does, however, make one recommendation that would, I believe, have fairly significant ramifications.
At page 172, the Report explains that national security is hardly the only reason that the U.S. (or any other nation) engages in foreign espionage:
In [some] instances, information might be sought in order to learn about the intentions of the leaders of other nations, even when no threat to our national security is involved. The latter instances might involve an interest in acquiring information that might prove useful as United States officials plan for meetings and discussions with other nations on bilateral economic issues. In such circumstances, it might be helpful to know in advance about another nation’s internal concerns and priorities or about its planned negotiating strategy but it is not critical to national security. Different interests have different weights.
Yet in Recommendation No. 13(2), the authors urge the government to “reaffirm” (?) that “in implementing section 702, and any other authority that authorizes the surveillance of non-United States persons who are outside the United States, . . . such surveillance “must be directed exclusively at the national security of the United States or our allies” (emphasis added).
This appears to suggest that the sorts of economic, political and diplomatic surveillance the authors later describe as part of current practice would be out of bounds. I don’t know if that was their intent–perhaps, for example, this limit is not supposed to apply to surveillance of foreign officials and other public figures. But to the extent Recommendation No. 13(2) were construed to have such an effect, it could be very significant, indeed. It is unlikely the U.S. or any other nation would ever adopt any such “for national security purposes only” limitation. Placing greater limits on such non-security-based surveillance? Sure. But an absolute prohibition? Doubtful.
7. INCIDENTAL COLLECTION OF U.S. PERSON COMMUNICATIONS AND INFORMATION
a. Minimization. Recommendation No. 12 is undoubtedly one of the most important and provocative in the Report. It would impose new limits (or minimization rules) on what can be done with communications of, and information about, U.S. persons that are collected during any surveillance of foreigners–under Section 702 of the FAA, Executive Order 12333, or otherwise:
We recommend that, if the government legally intercepts a communication under section 702, or under any other authority that justifies the interception of a communication on the ground that it is directed at a non-United States person who is located outside the United States, and if the communication either includes a United States person as a participant or reveals information about a United States person:
(1) any information about that United States person should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others;
(2) any information about the United States person may not be used in evidence in any proceeding against that United States person; [and]
(3) the government may not search the contents of communications acquired under section 702, or under any other authority covered by this recommendation, in an effort to identify communications of particular United States persons, except (a) when the information is necessary to prevent a threat of death or serious bodily harm, or (b) when the government obtains a warrant based on probable cause to believe that the United States person is planning or is engaged in acts of international terrorism.
If I’m not mistaken, this would have at least two important effects. First, subsection (3) would prohibit the “secondary” search (I believe others have referred to it as a “back-door” search) of collected, foreign-targeted communications for U.S. person communications, except in circumscribed situations.
More importantly, perhaps, if foreign-targeted surveillance incidentally reveals information about U.S. person wrongdoing, or criminal activity, that information could not be used as evidence against the U.S, person, and indeed would have to be “purged” from government records altogether, and not be the basis for further investigation, “unless it either has foreign intelligence value or is necessary to prevent serious harm to others communications.”
I don’t know enough to be certain, but such limitations might be a significant change from current practices.
b. Limits on Section 702 Surveillance? The Report contains an interesting clue about how the government is presently using Section 702 that I do not recall being previously disclosed—and raises a related question about legal authorities under that provision of the FAA:
The Report explains (page 136) that in implementing Section 702, “NSA identifies specific ‘identifiers’ (for example, e-mail addresses or telephone numbers) that it reasonably believes are being used by non-United States persons located outside of the United States to communicate foreign intelligence information within the scope of the approved categories (e.g., international terrorism, nuclear proliferation, and hostile cyber activities). NSA then acquires the content of telephone calls, e-mails, text messages, photographs, and other Internet traffic using those identifiers from service providers in the United States.” A footnote adds that “[i]llustrative identifiers might be an e-mail account used by a suspected terrorist abroad or other means used by high-level terrorist leaders in two separate countries to pass messages. The number of identifiers for which NSA collects information under section 702 has gradually increased over time.”
Later, on pages 152-53, the authors “emphasiz[e] that, contrary to some representations, section 702 does not authorize NSA to acquire the content of the communications of masses of ordinary people. To the contrary, section 702 authorizes NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular ‘identifier’ (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities.” (Italics in original.)
I may be mistaken, but I don’t believe that there’s anything in the statute itself that imposes the limitations in bold–neither that the NSA must use such “identifiers,” nor that international terrorism, nuclear proliferation, and hostile cyber activities are the only topics of acceptable foreign intelligence information that can be sought. Perhaps the FISC Court has insisted upon such limits; but, as far as I know, the Section 702 authority as currently codified is not so circumscribed.
8. NATIONAL SECURITY LETTERS
As I read it, the Report in effect proposes (page 93 and note 83) the wholesale repeal of National Security Letter (NSL) authorities:
We are unable to identify a principled reason why NSLs should be issued by FBI officials when section 215 orders and orders for pen register and trap-and-trace surveillance must be issued by the FISC. . . . NSLs should not issue without prior judicial approval, in the absence of an emergency where time is of the essence. . . . It is essential that the standards and processes for issuance of NSLs match as closely as possible the standards and processes for issuance of section 215 orders. Otherwise, the FBI will naturally opt to use NSLs whenever possible in order to circumvent the more demanding – and perfectly appropriate – section 215 standards.
That would certainly be a significant change from current law.