Why the Obama administration should ignore recommendations from the panel it established to review NSA surveillance.
In mid-December, the President’s Review Group on Intelligence and Communications Technologies released its findings to great fanfare. The panel, established to evaluate government surveillance activities, joined a growing chorus of critics of the National Security Agency (NSA) and the Obama administration’s aggressive approach to intelligence. Yet the group’s report is seriously flawed. It reflects a misunderstanding of the function of foreign intelligence activities and offers some recommendations that are likely to harm these activities, while also doing little to nothing to protect individual rights.
The review group’s report calls for an end to bulk collection of metadata — information about when one person called another, but not the content of their conversation — as well as new steps to protect Americans against what panelists fear is unjustified government surveillance. The panelists recognize the tricky tradeoff between better intelligence and civil liberties, especially in an era of rapid technological change. Yet the unmistakable theme in their report is that policymakers and intelligence officials have gone too far in the direction of security. Now is the time to put the brakes on programs the panel believes create "risks to public trust, personal privacy, and civil liberty."
The report also calls for more stringent criteria about when the NSA can intercept the communications of foreign individuals. This recommendation is a response to news that the NSA listened in on cell-phone conversations of world leaders like German Chancellor Angela Merkel. Policymakers and intelligence officials, we are told, should be much more careful about whom they target and how much they data collect.
Already, the report has prompted criticism from those who see it as threatening the capabilities of the intelligence community. One of the report’s authors, former CIA deputy director Michael Morell, has recently attempted to rebut this criticism. He notes in a Dec. 27 Washington Post op-ed that the report does not say the NSA’s collection of metadata "is not important to national security, which is why we did not recommend its elimination."
Morell is right that the report did not find the metadata program worthless (and it is noteworthy that he goes on to argue that the program would have prevented the 9/11 attacks). Yet his argument that the review group did not recommend the program’s elimination is either disingenuous or backpedaling away from the report itself.
In its executive summary, the report clearly calls for an end to "government collection and storage of mass, undigested, non-public personal information about U.S. persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes." Instead, the report calls for such information to be held by a third party, such as a private contractor. This outsources a large part of the NSA’s core business of signals intelligence. If not exactly elimination, this plan is quite close, preserving just some elements of the program in private hands.
More important than whether the plan constitutes an end to metadata collection, however, is the fact that it is perhaps the worst of all possible worlds. A public-private metadata-sharing protocol would face serious practical and legal obstacles, which is one reason both intelligence officials and industry leaders are opposed to the idea. At the same time, it would increase the risk of future leaks because more individuals (public and private sector alike) would have to be involved in sharing information. After the Snowden affair, it is bizarre that the review group finds putting more information in the hands of contractors comforting.
In addition, the review proposes two additional reforms that could inflict grave harm on U.S. intelligence collection, neither of which is mentioned by Morell in his op-ed. First, the panelists call for extending the protections enjoyed by American citizens and those living in the United States, such as the Privacy Act of 1974, to foreign citizens living abroad. The Privacy Act sharply restricts the government’s ability to collect data on Americans, while giving people the right to access whatever information the government does have on them. The report notes that the Department of Homeland Security already accords these protections to non-U.S. citizens and that the intelligence community is already bound by the Privacy Act in matters like background investigations it conducts on employees. By extension, the report asserts that it would not be too much for the intelligence community to extend similar protections to non-U.S. citizens outside our borders.
While this position is fashionably cosmopolitan, in practice, it would turn out to be either meaningless or extremely damaging to intelligence collection. The intelligence community would not be likely to collect significant data from non-U.S. citizens through voluntary means like background investigations. As the report itself notes, the Privacy Act does not apply to systems related to national security, such as networks used for storing and transmitting classified information; if this exemption were continued, in most cases, the information available to non-U.S. citizens would be trivial or nonexistent, as most intelligence is classified and would be held in systems that the Privacy Act does not cover.
On the other hand, if the intent is to make some information from national security systems available, then the impact would be devastating. The Privacy Act, for instance, permits "any individual to gain access to his record or to any information pertaining to him which is contained in the system." If the intelligence community faithfully implemented the act, it would also have to allow a target of its espionage and "a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him."
At the risk of stating the obvious, this would demolish the whole purpose of spying.
The second major flaw in the report that Morell does not address is its call to eschew in almost all instances the exploitation of so-called "Zero Day vulnerabilities" in software. A Zero Day vulnerability is one whose existence is not known and therefore has not been addressed by the developer in a patch. These vulnerabilities can be used to infiltrate computer systems to collect intelligence, inflict harm, or both. The report asserts, with very little supporting argument, that fixing these vulnerabilities is more important than intelligence collected by exploiting them in all but a handful of cases. Though not discussed specifically in the report, this policy approach would likely rule out programs like the alleged exploitation of Microsoft Windows error reporting by NSA’s Tailored Access Operations, used to gain insight into target systems.
Put simply, the exploitation of vulnerabilities is the core of intelligence. The panel’s recommendation is akin to arguing that if one discovered a highly placed official of a foreign government with a drinking and gambling problem, then rather than attempting to exploit that problem, the intelligence community should guide him into rehab. Certainly, if a Zero Day or other system vulnerability affects sensitive U.S. government systems, then the NSA should act to repair it, but a general policy of non-exploitation needlessly handicaps the intelligence community. It flies in the face of the sort of careful analysis of costs and benefits that the review group’s report calls for in other circumstances.
The root of these flaws in the report is the failure to distinguish between domestic law enforcement and foreign intelligence. Law enforcement, by definition, is meant to uphold the Constitution and protect the civil liberties of U.S. citizens. Policemen and prosecutors must obey strict guidelines on how they conduct surveillance on suspects and what kind of evidence they can use in court. Foreign intelligence, on the other hand, operates by breaking other countries’ laws. Human intelligence organizations like the CIA try to convince foreign nationals to pass secrets to the United States. And signals intelligence organizations like the NSA consciously and deliberately steal private communications abroad without the target individuals’ knowledge or consent.
The review group, however, recommends that the same criteria be used to determine when the government can collect information about U.S. citizens and foreign individuals on the grounds of protecting rights. In addition to recommending extending the Privacy Act to non-U.S. persons, it declares that intelligence agencies "must not target any non-United States person solely on that person’s political views or religious convictions." While this is obviously crucial in terms of safeguarding the civil liberties of U.S. citizens, it makes no sense in the world of foreign intelligence. Intelligence agencies always collect information on foreign individuals because of their political views and other beliefs. Why else would they care about particular people, if not for the way they see and interact with the world?
Up to now, the debate about the NSA has focused on the balance between discovering information about terrorists and protecting the rights of citizens. This is understandable, as the legal basis for the NSA programs is the Patriot Act, and because the White House justifies metadata collection on the same grounds. But characterizing the issue as a choice between counterterrorism and civil liberties is simplistic and misleading. The review group admirably stresses that there are security concerns that go beyond terrorism, but it then fails to consider the value of metadata in addressing a host of challenges the intelligence community is facing. Efforts to combat state-sponsored industrial espionage, for example, require painstaking counterintelligence work. Efforts to break up transnational proliferation networks are also likely to benefit from metadata collection; this is a logical way to map the networks and see how they operate, which may be one reason why the Obama administration is fighting so hard to keep the NSA programs alive.
What’s more, despite some fears that the NSA could use metadata to create a "mosaic" of someone’s activities, in reality, this is a pretty inefficient way of encroaching on anyone’s privacy. In the past, when the intelligence community has violated civil liberties, it hasn’t bothered with such a roundabout approach. In the 1960s-1970s, for example, the CIA infiltrated various domestic political organizations, and the NSA intercepted the telegraphs of individual citizens. We have plenty of experience with intelligence agencies behaving badly, and they haven’t been very subtle about it. Collecting and storing metadata is thus very different from what we’ve seen in the past — and, in fact, Occam’s Razor suggests that it is not a violation of civil liberties at all.
Ultimately, while generated with an admirable desire to preserve people’s rights and privacy, the flawed recommendations in the review group’s report threaten to do more harm than good. As the Obama administration considers reforming the NSA, it would do well to ignore them.