The break-up of the National Security Agency, an end to its collection of information on Americans’ communications, a scaling-back of its surveillance on foreign citizens and leaders and an end to the agency’s worst anti-encryption practices are some of the recommendations released by a review panel appointed by United States President Barack Obama to address revelations of systematic mass surveillance and lawbreaking by the NSA.
The report by the panel, established by the Obama administration in an effort to forestall mounting fury at revelations of the NSA’s surveillance by whistleblower Edward Snowden, was released early this morning. The panel was composed of long-serving counter-terrorism official Richard A. Clarke, former CIA deputy director Michael J. Morell, legal academic and American Civil Liberties Union adviser Geoffrey R. Stone, legal academic (and “nudge” theory advocate) Cass R. Sunstein and privacy expert Peter Swire. The report does not mention Snowden by name, although it recommends improving and making whistleblower processes more accessible.
The panel urges an end to automatic NSA collection of all internet and telephone metadata in favour of a mandatory data retention regime, in which either ISPs and telcos, or other private organisations, should retain metadata, which would only be able to be accessed by the NSA on the order of the (hitherto toothless) Foreign Intelligence Surveillance Court on the basis that it is relevant to an authorised investigation into terrorism or intelligence matters.
The panel also recommends far greater transparency about the NSA’s and the FBI’s hitherto secret use of their powers to collect information, including the indiscriminate use of gag orders to prevent companies from revealing they have been compelled to hand over data, sometimes even to their own lawyers. It also recommends a much higher bar for governments deciding to keep any surveillance programs secret from Americans.
The panel also wants hurdles placed before any use of information collected on non-Americans that also relates to Americans. Significantly, the panel also wants an end to commercial espionage by the NSA. The NSA has repeatedly denied that it engages in commercial espionage to benefit US companies, but Snowden has revealed a number of instances where surveillance of non-Americans was clearly motivated by commercial considerations, including one instance where the NSA admitted in internal documents that its surveillance was “economic”. Hence the panel’s recommendation that surveillance of non-Americans outside the US “be directed exclusively at the national security of the United States or our allies” and “must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries”.
If applied in Australia, that would ban the sort of spying Alexander Downer ordered the Australian Secret Intelligence Service to undertake against the Timor-Leste cabinet in 2004 for the benefit of Woodside.
The panel also recommended the banning of dissemination of information on foreign persons unless it was relevant to protecting national security — almost certainly a reference to the NSA’s plans to use metadata on the pornography-viewing habits of some of its Muslim targets to discredit or blackmail them. Also recommended is a new test for spying on foreign leaders, addressing whether there is evidence they are being duplicitous, whether it is actually necessary, and what the damage would be if it were revealed.
The NSA should also be split up, the panel suggests in a recommendation that has already reported to have been rejected by Obama. A large component of the NSA doesn’t engage in foreign intelligence gathering but in protecting the communications systems of the US Department of Defense, thereby creating, the panel believes, a conflict of interest between foreign intelligence goals — which involve undermining encryption and systems protections — and the objectives of the “Information Assurance Directorate”, which protects US communications, so the latter should be removed from the NSA. The panel also wants security vetting processes brought back within government and tightened up — this week the NSA admitted that it is unlikely to ever know exactly what documents Snowden took due to its poor internal systems.
“Now, over to the architect of this surveillance state, Barack Obama, to see whether he has the vision to implement the panel’s recommendations.”
The NSA’s extensive work in undermining encryption and exploiting software bugs to access the world’s internet communications systems also comes under fire from the report. The NSA has worked to deliberately undermine global encryption standards protecting internet traffic such as financial information, and has created a vast market in what are called zero-day exploits — software flaws that have yet to be patched (this aspect of the NSA’s operations was known long before Snowden’s revelations).
The undermining of encryption standards has the capacity to inflict major damage on industries reliant on encryption, such as the banking sector, quite apart from its impacts on privacy, because the NSA’s actions make it easier not just for it to access encrypted traffic but for criminals to do so as well. Accordingly, the panel recommends blocking, rather than exploiting, zero days except in extreme circumstances, and that:
“the US Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”
Worryingly, the review also suggests that “governments should not use surveillance to steal industry secrets to advantage their domestic industry; (2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems”, raising serious questions about whether the NSA has been engaged in stealing intellectual property and manipulating the world’s financial systems.
The report comes amid growing evidence that US companies have been significantly harmed by the foreign reaction to the NSA’s behaviour. This week Boeing lost a $4 billion contract with Brazil due to that government’s fury at being targeted by the NSA, while heavyweights from the biggest American IT companies used a presidential meeting about the Obama administration’s healthcare debacle to demand “aggressive” reform of the NSA because of the economic impacts US firms were suffering from the loss of user trust.
Also this week, a US (conservative) federal court judge ruled the NSA’s “almost Orwellian” surveillance was likely to be unconstitutional.
All in all, the panel recommendations do not amount to a major overhaul of surveillance, and they leave in place the apparatus that has turned the internet into a global surveillance tool. But they are a good start to introducing more transparency, reducing the NSA’s freewheeling violations of basic liberties, curbing economic espionage and, particularly, ending the malign and deeply harmful practice of undermining encryption standards.
The review thus rounds off a bad week for the critics of Snowden — among them surveillance apologists and state-identified journalists in Australia like Greg Sheridan, Cameron Stewart and Christopher Joye — who have insisted that Snowden is a US traitor who revealed nothing illegal and damaged US interests.
Without Snowden’s courageous decision to, in essence, ruin his life by whistleblowing on the numerous illegalities and global surveillance system established by the NSA, the UK’s Government Communications Headquarters, our own Australian Signals Directorate, the Canadians (who spied on Brazil’s mining sector) and the New Zealanders, this debate over surveillance and NSA reform would never have occurred. Snowden’s actions have convinced even diehard national security advocates in US Congress of the need to rein in rogue intelligence agencies like the NSA.
Now, over to the architect of this surveillance state, Barack Obama, to see whether he has the vision to implement the panel’s recommendations. And it also raises the question of when other “Five Eyes” governments, including our own, will rein in our own agencies, which are similarly out of control.