Intelligence review panel calls for stricter NSA limits

Agency shouldn't store telephony metadata, panel says

A five-member panel charged by President Obama in August to review intelligence surveillance has recommended new limits on current National Security Agency activities.

Among its recommendations is an end to NSA long-term storage of telephony metadata--the transaction records of all domestic and international telephone calls crossing through U.S. carrier switches--and a transition to a system in which those records are stored privately. NSA access to those records would require an order from the Foreign Intelligence Surveillance Court meeting a standard that the "particular information" sought is relevant to an investigation against international terrorism or foreign intelligence. That order would have to be "reasonable in focus, scope and breadth," the panel's report (.pdf) says.

The White House released the report days after a federal judge found the NSA likely violates the Fourth Amendment by storing bulk telephony metadata for five years. The program first became public knowledge in June through leaks from former intelligence community SharePoint administrator Edward Snowden. Obama administration spokesman Jay Carney has said the White House will complete a review of the panel's report during January, after which the president will address its recommendations publicly.

"As a general rule and without senior policy review, the government should not be permitted to collect and store mass, undigested, non-public personal information about U.S. persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes," the report states.

In all, the panel--whose members include a former acting director of the CIA, a former Office of Information and Regulatory Affairs administrator and a law professor--made 46 recommendations.

They include a call to remove all non-foreign intelligence components from the National Security Agency, including its cybersecurity component, the Information Assurance Directorate. The panel says the NSA director shouldn't head Cyber Command--although the Obama administration has already rejected that suggestion, with a spokeswoman stating earlier this month that an interagency review concluded that "one, dual-hatted position is the most effective approach."

The position of NSA director should be subject to Senate confirmation and open to civilians, the panel adds. "The president should give serious consideration to making the next director of the National Security Agency a civilian."

The panel recommends against NSA work to undermine commercial encryption, with the report exhorting the federal government to "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software."

Similarly, it should not "undermine efforts to create encryption standards." A possible NSA-created backdoor in a National Institute of Standards and Technology random bit generator has led NIST to call for cryptographers to suspend use of the algorithm and prompted NIST to review its cryptographic standards development process.

In fact, the government should encourage American companies to use encryption to better protect data--an encouragement that, although the report does not note it, the government may have at least partially but unintentionally already achieved, after leaks of more classified documents showed the NSA taking advantage of a lack of encryption between Google data centers.

When it comes to the interception of digital content permissible under Section 702 of the FISA Amendments Act--which allows the NSA to do so for counterterrorism and intelligence purposes, provided that it's looking for the communications of someone reasonably believed to be a non-U.S.-person who is also located abroad--the panel also recommends new restrictions.

Information about U.S. persons (citizens and legal permanent residents) swept up in Section 702 surveillance should be "purged upon detection" unless it has foreign intelligence value "or is necessary to prevent serious harm to others." However, "any information about the United States person [should] not be used in evidence in any proceeding against that United States person."

An Office of the Director of National Intelligence official said recently it's not always possible to determine when Americans are caught up in Section 702 surveillance, stating that achieving certainty could require even more invasiveness by the intelligence community. However, also among the panel's recommendations is that the federal government examine the feasibility of better surveillance targeting software.

When it comes to foreigners' data itself, the report calls for applying the Privacy Act of 1974 to both U.S. persons and non-U.S. persons and affirming that the purpose of surveillance is exclusively for the national security of the United States and its allies. The federal government should also promise not to disseminate information about foreigners if the information isn't relevant to that national security mission, the panel adds. Not included in national security is targeting based solely on political or religious convictions.

With a "small number of closely allied governments," the United States should also explore mutual understandings on intelligence collection regarding each other's citizens, the panel recommends.
