A presidential advisory panel on government surveillance recommended satisfying a demand of Internet companies such as Yahoo! Inc. (YHOO) and Facebook Inc. (FB) while putting new burdens on telecommunications providers to retain data for future snooping.
The five members of the Review Group on Intelligence and Communications Technology offered 46 policy changes that would allow U.S. surveillance programs to continue while limiting worldwide collection of communications by the National Security Agency.
The panel recommended that the NSA retain access to bulk phone-calling records, with two changes: Phone companies, not the spy agency, should keep the records, and the NSA should have to obtain court orders for specific customer data.
The proposals, which Obama isn’t obligated to adopt, aim to alter spy programs in response to a domestic and international backlash over the extent of U.S. surveillance exposed by former NSA contractor Edward Snowden.
Senator Charles Schumer, a New York Democrat, said he expected Congress to vote on legislation adjusting the NSA programs, including expanding disclosure and judicial review aspects, early next year. “My view is that there are reforms that can be made that don’t interfere, don’t get in the way of our security,” Schumer told reporters today.
White House press secretary Jay Carney said the administration will take several weeks to “study the review group’s report and determine which recommendations we should implement.”
“Broadly speaking, it is our view that the report is thoughtful, comprehensive and serious work,” Carney said.
Internet companies have been lobbying President Barack Obama and Congress to let them make public the extent of government prying into their data. The panel agreed with their argument that the secrecy poses a risk to their businesses.
“If the government is working closely or secretly with specific providers, and if such providers cannot assure their users that their communications are safe and secure, people might well look elsewhere,” the report said.
The panel recommends legislation allowing Internet companies to publicly release “general information” about government orders compelling them to turn over data, including how many users are affected.
Obama, who met with technology executives on the matter on Dec. 17, plans to announce next month what actions he’ll take. He already rejected one of the recommendations -- that the NSA get civilian leadership instead of being directed by the military officer in charge of the U.S. Cyber Command.
AT&T Inc. (T), T-Mobile US Inc. (TMUS) and other telecommunications carriers could face new burdens to retain customer data if Obama accepts another of the panel’s recommendations. They might be required to store and secure bulk phone records, such as numbers dialed and call durations, for longer than they do now on behalf of the government -- a proposal that some privacy advocates say would outsource spying.
“The government should not be permitted to collect and store mass, undigested, non-public personal information about U.S. persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes,” the panel wrote.
The current program under which the NSA obtains and stores the data “was not essential to preventing attacks,” and information needed to thwart terrorist plots “could readily have been obtained in a timely manner using conventional” court orders, the panel wrote.
The panel also recommended that the U.S. not do anything to undermine or weaken encryption standards, and establish international norms to prevent a splintering of the Internet.
Google Inc. (GOOG) and other companies have expressed outrage over reports that the NSA has broken encryption and hacked into fiber-optic cables abroad to obtain data on their users.
The report also said there should be new criteria for eavesdropping on foreign leaders, and the NSA’s electronic spying operations should be separated from the agency’s computer network defense operations.
The government should be allowed to take advantage of vulnerabilities in computer code when necessary -- commonly known as zero-day exploits, the panel said.
The proposal to shift the retention of phone records to the telecommunications companies or other third-party providers “doesn’t solve the problem of how much is gathered, when it’s gathered, how it’s gathered and how it’s used,” Ed Black, president and chief executive officer of the Computer and Communications Industry Association in Washington, said in a phone interview.
“It’s an attempt to outsource surveillance,” he said. “Realistically it winds up trying to make private companies the agents of government, quasi-governmental agents, and it really isn’t going to work.”
Senator Dianne Feinstein, a California Democrat and chairman of the Senate intelligence committee, has said an NSA analysis persuaded her that it would be too costly to store the metadata with the carriers.
The only acceptable revision is to stop the collection of bulk data, Kevin Bankston, policy director for the Washington-based Open Technology Institute, a policy and research organization, said in a phone interview.
The phone companies also might resist being required to retain bulk records for the government.
“I expect our members would oppose the imposition of data retention obligations that would require them to maintain customer data for longer than necessary,” Jot Carpenter, vice president of government affairs for CTIA-The Wireless Association, said before the final report was released. The Washington-based trade group represents AT&T and T-Mobile.
While not ending bulk records collection, the panel makes “solid recommendations,” including stronger judicial review and legal standards for spying, James Lewis of the Center for Strategic and International Studies in Washington, said in a phone interview.
“It means that the operators won’t be making the decisions themselves, they’re going to have to go to a court,” he said. “It goes a long way to strengthening oversight.”
Bankston said his group was “cautiously optimistic” about the proposed restraints. “We hope that the president and Congress will heed the group’s recommendation against bulk data collection and act immediately to end the NSA’s metadata dragnet,” he said.
Obama should accept the recommendations and end the bulk-data collections, Anthony Romero, executive director of the American Civil Liberties Union, said in a statement. “NSA’s surveillance programs are un-American, unconstitutional, and need to be reined in,” he said.
The panel, established by Obama in August, is made up of Richard Clarke, a former U.S. cybersecurity adviser; Michael Morell, a former deputy CIA director; Geoffrey Stone, a University of Chicago law professor; Cass Sunstein, a Harvard Law School professor who once worked in the administration; and Peter Swire, who served on Obama’s National Economic Council.
The panel’s report was the second blow this week to the government’s collection of bulk data. A federal judge ruled Dec. 17 that the NSA’s phone records collection program is probably illegal.
“We are not in any way recommending the disarming of the intelligence community,” Morell told reporters yesterday. “I do not believe as a 33-year intelligence officer that our recommendations will in any way undermine” the intelligence community or national security.