NSA reform report: End bulk metadata program, no more software backdoors

Two of the 40 recommendations — which the White House can still ignore — hints that private companies should be allowed to report data access figures.
Written by Zack Whittaker, Contributor

An outside panel's report on U.S. surveillance practices and programs says the National Security Agency (NSA) should not be allowed to carry on collecting vast amounts of phone metadata of Americans.

The report [PDF], which was released on Wednesday and set up in the wake of the U.S. mass surveillance leaks from former U.S. government contractor Edward Snowden, also said the NSA should "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software." 

Noting a total of 46 recommendations, the report which was designed in efforts to overhaul the U.S. intelligence gathering machine had one overriding theme: the balancing of national security and personal privacy.

With this in mind, the report noted that the U.S. government should "promote transparency" about the number and type of data requests made to technology and phone companies. This appears to be a nod towards Silicon Valley giants who are fighting the government in court over the inability to transparently disclose how many secret court orders and data requests they are forced to comply with each year.

Some of the key points include:

On encryption and using zero-day attacks

  • Encryption should not be undermined in any way, the report says. Commercial software should not be directly or indirectly weakened by the NSA . 
  • Zero-day attacks should be "quickly blocked" by the U.S. government, so that federal networks and other networks are patched quickly. But, the report says U.S. policy "in rare instances" may briefly authorize using zero-day attacks for high priority intelligence collection.
  • The U.S. should "not use surveillance to steal industry secrets to advantage their domestic industry."

On the NSA's challenges and legal changes

  • The head of the NSA and the U.S. Cyber Command — currently Gen. Keith Alexander — should "not be a single official," suggesting the role should be split in two.
  • The government should "publicly disclose on a regular basis" general data about National Security Letters, Section 215, and Section 702 orders — which is designed to target only non-U.S. residents and citizens — and other similar orders. The only exception is if the government makes a "compelling demonstration" that such disclosures would endanger national security. This is one of the key arguments used by the Justice Dept. that currently prevents Silicon Valley giants from disclosing such figures.
  • Amend the Foreign Intelligence Surveillance Act (FISA) so that National Security Letters — de facto gagging orders — are given the same oversight, minimization, and retention standards as Section 215 order. This part of the law can (and is regularly used) to vacuum up every business record owned by a company.
  • That said, Section 215 should be amended to allow the Foreign Intelligence Surveillance Court, which oversees the NSA's secret programs, to disclose personal data only if the government has reasonable grounds that the data may protect against international terrorism. Also, such orders must be "reasonable" in scope and breadth.
  • New legislation should be enacted that "terminates the storage of bulk telephony meta-data by the government under section 215," the report says. It suggests the data should be transitioned "as soon as reasonably possible" to a system in which such meta-data is held instead either by private providers or by a private third party.

On maintaining privacy and civil liberties

  • The government should also commission a study, comprised of technology and legal experts, assessing the "distinction between metadata and other types of information."
  • Any data that is collected on a U.S. person "should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others." Also, the report says any intelligence gathered on that U.S. person "may not be used in evidence" in any court proceeding.
  • The NSA and other intelligence agencies should consider if it is able to "conduct targeted information acquisition" over bulk-data collection, in efforts to reduce the dragnet-like programs it has now.
  • A "Public Interest Advocate" position should be created to represent privacy and civil liberties interests before the secretive Foreign Intelligence Surveillance Court. The court "should have greater technological expertise" made available to the judges.

On international relations

  • Surveillance efforts of foreign leaders should be considered carefully, the report says. One of the considerations asks if, "the other nation one with whom we share values and interests, with whom we have a cooperative relationship, and whose leaders we should accord a high degree of respect and deference?"
  • The U.S. government should use the mutual legal assistance (MLA) treaty — a cooperative treaty between countries in cross-border intelligence and law enforcement assistance — to obtain data, rather than covertly through its existing programs. This remains one of the key messages from the European Union in response to claims EU citizens were being spied on by the U.S. government.

On the Snowden case

  • The U.S. government should use a non-profit, private sector company or its own government employees for vetting personnel for security clearance.
  • Vetting should be "ongoing, rather than periodic," incorporating insider threat information and other ongoing things, such as changes in credit ratings or arrests or court proceedings.
  • Security clearances should be "highly differentiated," including the creation of an "administrative access" clearance so that system administrators can do their job without granted them access to intelligence material. Snowden reportedly used his high-level "sysadmin" clearance to gather more than 1.6 million classified documents.
  • All "secret" and "top secret" networks should be built using the highest quality hardware and software. These networks should also be subject to "Network Continuous Monitoring" to record network traffic for anomalous activity and data breaches.

You can read the full report below.

Editorial standards