NSA reform report: End bulk metadata program, no more software backdoors

Summary: Two of the 46 recommendations, which the White House can still ignore, hint that private companies should be allowed to report figures on government data requests.

TOPICS: Security

An outside panel's report on U.S. surveillance practices and programs says the National Security Agency (NSA) should not be allowed to carry on collecting vast amounts of phone metadata of Americans.

The report [PDF], released on Wednesday by a panel set up in the wake of the U.S. mass surveillance leaks from former U.S. government contractor Edward Snowden, also says the NSA should "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software." 

The report, which makes 46 recommendations aimed at overhauling the U.S. intelligence-gathering apparatus, has one overriding theme: balancing national security against personal privacy.

With this in mind, the report noted that the U.S. government should "promote transparency" about the number and type of data requests made to technology and phone companies. This appears to be a nod towards Silicon Valley giants who are fighting the government in court over the inability to transparently disclose how many secret court orders and data requests they are forced to comply with each year.

Some of the key points include:

On encryption and using zero-day attacks

  • Encryption should not be undermined in any way, the report says. Commercial software should not be directly or indirectly weakened by the NSA.
  • Zero-day vulnerabilities should be "quickly blocked" by the U.S. government, so that federal networks and other networks are patched quickly. But, the report says, U.S. policy "in rare instances" may briefly authorize the use of a zero-day for high-priority intelligence collection.
  • The U.S. should "not use surveillance to steal industry secrets to advantage their domestic industry."

On the NSA's challenges and legal changes

  • The head of the NSA and the U.S. Cyber Command — currently Gen. Keith Alexander — should "not be a single official," suggesting the role should be split in two.

  • The government should "publicly disclose on a regular basis" general data about National Security Letters, Section 215 orders, Section 702 orders (which are designed to target only non-U.S. persons located outside the United States), and other similar orders. The only exception is if the government makes a "compelling demonstration" that such disclosure would endanger national security. This is one of the key arguments used by the Justice Dept. that currently prevents Silicon Valley giants from disclosing such figures.
  • Change the law so that National Security Letters, which carry de facto gag orders, are subject to the same oversight, minimization, and retention standards as Section 215 orders. Section 215 can be (and regularly is) used to vacuum up every business record owned by a company.

  • Section 215 itself should be amended so that the Foreign Intelligence Surveillance Court, which oversees the NSA's secret programs, can order the production of records only if the government has reasonable grounds to believe the data is relevant to an investigation intended to protect against international terrorism. Such orders must also be "reasonable" in scope and breadth.

  • New legislation should be enacted that "terminates the storage of bulk telephony meta-data by the government under section 215," the report says. It suggests the data should be transitioned "as soon as reasonably possible" to a system in which such meta-data is held instead either by private providers or by a private third party.

On maintaining privacy and civil liberties

  • The government should also commission a study, made up of technology and legal experts, assessing the "distinction between metadata and other types of information."

  • Any data that is collected on a U.S. person "should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others." Also, the report says any intelligence gathered on that U.S. person "may not be used in evidence" in any court proceeding.

  • The NSA and other intelligence agencies should consider whether they can "conduct targeted information acquisition" instead of bulk data collection, in an effort to scale back the dragnet-style programs now in place.

  • A "Public Interest Advocate" position should be created to represent privacy and civil liberties interests before the secretive Foreign Intelligence Surveillance Court. The court "should have greater technological expertise" made available to the judges.

On international relations

  • Surveillance of foreign leaders should be considered carefully, the report says. One of the considerations it lists asks: "Is the other nation one with whom we share values and interests, with whom we have a cooperative relationship, and whose leaders we should accord a high degree of respect and deference?"

  • The U.S. government should use the mutual legal assistance (MLA) treaty — a cooperative treaty between countries in cross-border intelligence and law enforcement assistance — to obtain data, rather than covertly through its existing programs. This remains one of the key messages from the European Union in response to claims EU citizens were being spied on by the U.S. government.

On the Snowden case

  • The U.S. government should use a non-profit, private sector company or its own government employees for vetting personnel for security clearance.

  • Vetting should be "ongoing, rather than periodic," incorporating insider threat information and other continuously updated indicators, such as changes in credit ratings, arrests, or court proceedings.

  • Security clearances should be "highly differentiated," including the creation of an "administrative access" clearance so that system administrators can do their job without being granted access to intelligence material. Snowden reportedly used his high-level "sysadmin" access to gather more than 1.6 million classified documents.

  • All "secret" and "top secret" networks should be built using the highest quality hardware and software. These networks should also be subject to "Network Continuous Monitoring" to record network traffic for anomalous activity and data breaches.




  • It's a start

    National security letters should be abolished outright (a plain old search warrant should be good enough) and the standard for FISA warrants should be old fashioned probable cause, but the proposals that Zack reports would constitute a substantial improvement over the status quo and are therefore worthy of support.
    John L. Ries
    • Given there's no transparency or accountability they...

      ...could say they ceased the entire thing and there would be no way to know if they're lying or not. If it weren't for Snowden we wouldn't even know these programs existed.
      • Read the report

        That particular issue is addressed at length.
        John L. Ries
        • Are you serious?

          We're not reading your emails.

          OK, we're reading your emails, but we have a warrant.

          OK, we don't have a warrant, but we don't need one. Congress passed a law.

          Which one of those statements would you like to believe? They were all presented as the 'official' truth at some point over a months time. They are all obviously lies. And you would have me believe the "issue is addressed at length"? If the administration has addressed the issue, then they have lied about it. As is their way, and as was the administration before them.

          Remember "change"? Remember how "open and honest" this administration was going to be? What HAS actually changed since Bush was president? The stationery? Yea, that.

          And the vice-president hasn't shot anyone in the face. Yet.

          The issue has been addressed at length? By the Obama administration? And you believed them?

          You must be a child.
          • I said it was in the report

            And I think the recommendations therein with very few exceptions should be adopted. We can talk about whether they're enough to address concerns, but all or nothing thinking doesn't help here; nor does rejecting anything that the Administration or a commission appointed thereby might propose simply because it is assumed to be insincere. I've read the report and I think the commission did an excellent job.

            Whether or not the President or Congress will actually adopt any of those recommendations is not at all certain, but that's where citizens have to make their voices heard.
            John L. Ries
      • Exactly.

        This new policy will do nothing other than restore the illusion of altruism in the eyes of the sheeple. Intelligence agencies were committing these illegal acts (and worse) long before the Patriot Act. They will continue to break the law long after these policy changes are adopted and forgotten. They will simply work much harder to keep it secret. There are already so many deep black ops that even the President doesn't know about, that this will simply become one more on the pile. The trend toward a police state will continue unabated. It's just going to wear a thicker mask.
        • So what?

          It makes no difference that agencies will run illegal ops. The proposed changes will change what is legal. Then in future when the agencies get caught, there will be no way to claim it is legal.

          Make no mistake, agencies will be caught. The level of scrutiny they operate under has never been higher. Non-government hackers, whistleblowers and privacy advocates all have more ability to hold these agencies to account than ever before.
      • Snowden revealed their extent

        Not their existence. If you didn't know these programs existed before Snowden's revelations, you weren't paying attention.
  • An additional suggestion

    This has been talked about, but the FISA court should have one or more "devil's advocates": career DOJ or DOD lawyers who hold or can get top secret clearances and are within five years of retirement (so they don't have careers to consider). They should be appointed by the court itself, instead of by the Justice Department. Their job would be to argue against FISA warrant applications.
    John L. Ries
    • I see that one is already there

      Good thing. They should be appointed for fixed terms (perhaps 7 years) and retire with full pensions as soon as their terms are up.
      John L. Ries
    • Devils advocate?

      It was the justice department that argued to the Supreme Court that torture is not torture if we do it. And the Supreme Court agreed with that, like "Manifest Destiny" or something. Kinda the same as taking someone's property and throwing the family in a prison camp, and deciding it's completely constitutional. You know, because they're Japanese. They're not real people. Right? That would be the Supreme Court. So, no.

      I see where you're coming from, and you are right. Ideally. But this is the United States. We're not very bright here, and we are easily influenced by simple arguments, and when they say they have to listen to everyone's calls and read all the emails, to keep us safe, we go along with it. Having DOJ people on the review panel, no matter how long until their retirement, is stacking the deck. In fact, having Justice people on the panel would be a conflict of interest. Having DOJ people on the panel would just dumb it down, make it less legitimate.

      I'm surprised Obama hasn't thought of having his personal appointees review the courts' actions. Wait, he has. That's right. And they're cool with everything the NSA and the FISA court has done. Imagine that.

      You may think that the FISA process can be fixed. And it could. Easily. But Obama is president. So it won't. Remember all that 'Change' this guy was going to bring? There has been no change. Nothing. He still lies about everything. Everything. Just like Bush.

      I'm waiting for Joe Biden to shoot someone in the face. That's the only difference between the Bush administration and the Obama administration. That someone was shot in the face.
      • So we should do nothing?

        If a proposal is good, then people should support it, even if they don't think it will be adopted and even if they don't like the proponent. Waiting until the Revolution comes and all of the Bad Guys are driven from power once and for all accomplishes nothing.
        John L. Ries
  • How sad....

    What has become of this country? Where is the accountability and transparency we were promised? I read reports of NSA activity and the giant data center in Utah a year in advance of Snowden coming out on this. How come it took a British newspaper to come out on this important story?

    It's time to demand our Fourth and Fifth Amendment rights back. NDAA was passed in 2009 and includes some terrifying provisions our government can enforce on us including the military being able to claim you are a terrorist and detain you without a trial. Under the auspices of "we are trying to protect you" we are now the terrorists.

    The swamp in Washington is deeper than ever. They don't even read their bills (thousands of pages of crap) as evidenced by the recent Ryan-Murray bill. Oopps...sorry, military families, we just accidentally cut your benefits by $6 billion.

    Barbara Walters was recently on CNN saying that "We thought Obama was the Messiah". That is the problem here. Never, ever put a politician on a pedestal. They all lie, steal, and cheat their way to where they are. How about "You can keep your health plan and doctor....period". Oopps.....another lie. Millions of you will lose your policies as of January 1st because of a poorly constructed law that dictates what you should have covered. Since when can the government tell me what I should pay for? Your premiums will triple and you will see increases in your deductibles. Oopps....we won't be covering many of your prescriptions. Inferior health care for everyone! This is what the government does well.....spread poverty and make things bad for everyone. We had 87% of the people in this country with health plans subsidized by your employer and the rest can go to a hospital and get their needs met paid for by the majority. After January 1st there will be a lot more that won't be covered.

    We don't need much from government. Roads, military, police, parks, and little else. The bigger government gets the more rights you lose. This is the most intimidating government I have ever seen operate in this country. If you are an opponent of this administration the IRS will audit you and put you out of business. Who works for us? Or do we work for them? This giant government we have can't even build a web site correctly with good security after three years and $700 million being spent? Then we pay the idiots who made this mess to fix it? How about they fix it for free.

    Things in this country keep getting worse. Lots of part time work out there if you want it. Who do we have to blame for this mess that is getting worse? YOU VOTERS!!! When your income goes down and your expenses keep shooting up just remember you caused this yourself. Both parties aren't doing their jobs well. I say vote them all out of office and let's start over. If the next batch fails we get rid of them. Let's ditch political correctness and do the right thing!
    • Don't put politicians on pedestals...

      ...not because they're necessarily dishonest or evil, but because they're imperfect human beings like the rest of us (even when they're well intentioned, which I think most are). Likewise, don't expect a Messianic President to fix all our problems, because even the best Presidents have to persuade other imperfect politicians to accept their proposals and their imperfect constituents are unanimous on almost nothing.

      Such is the nature of democracy, which, as Winston Churchill once put it, is the worst possible form of government, except for all the others.
      John L. Ries
    • Size of government and level of intrusion unrelated

      There are many "smaller" governments in the world that are more intrusive, and many larger governments that are less.

      Most Scandinavian governments offer far more services than you list, but are much more conscientious of citizen privacy. The US has one of the smallest per-capita tax bases, but spies on any and every citizen as a routine matter.

      As for "roads, military, police, parks little else"... Really? Don't you realize it is the military that are largely responsible for this little problem?

      As far as I recall, regardless of scale, your government is supposed to consist of 3 separate parts - the legislature, the judiciary, and enforcement. The problem as I see it (again not one of scale) is that some "departments" have taken on 2 or 3 functions out of 3.

      Homeland Security should be scrapped. It is an Orwellian nightmare. The NSA should be constrained by all the safeguards just proposed. Supreme Court judges should not simply be appointees of the President (this is a serious problem in Canada too). There needs to be a balanced bi-partisan committee that both proposes and verifies candidates.

      In short, all elements of the government need to get back to constitutional basics, before Americans themselves lose all respect for their own country (joining many other countries in the process).
  • "no more software backdoors"?

    And, I'm supposed to believe this?

    Pfffffft, yea, right!!!!!!!