Obama's proposed NSA 'reform' changes nothing

Obama's speech announcing a 'reform' of NSA surveillance changes little. It even opens the way for more sophisticated NSA hacking operations than ever before.
Written by Stilgherrian, Contributor

That was a pretty fine speech by US President Barack Obama on Friday, chock full of historical allusions to gladden the heart of every American patriot, and plenty of reminders about liberty. It certainly gave the impression, at least superficially, that Something Is Being Done to address the widespread concerns about the comprehensive digital surveillance being conducted by the National Security Agency (NSA).

Read it. It's lovely.

Does it actually change anything? Not really. Not in the national security realm, anyway.

But if you're an organisation involved in the oh-so-2014 business of "big data", watch out, 'cos Obama's about to forge some "international norms" on your behaviour — though given that America is already the most business-friendly regime when it comes to exploiting individuals' personal data for profit, maybe that'll be nothing to worry about. After all, it's not like it's Germany or any other EU country wanting to have a quiet chat about "international norms" for privacy.

The Washington Post has already identified the five big takeaways from Obama's speech:

  1. US intelligence agencies will no longer hold Americans' phone call records.

  2. There will, nevertheless, be some system for those records to be accessible when required.

  3. The US will no longer monitor the communications of the heads of state or government of "close friends and allies".

  4. A new panel will be created to provide additional input into the secret court that oversees the Foreign Intelligence Surveillance Act (FISA), including privacy specialists and other non-government folks.

  5. There will be new rules to extend some of the privacy provisions applying to US citizens to foreigners, unless there's a "compelling national security purpose".

Working from bottom to top, obviously, it remains to be seen how the last two will work out in practice — particularly given how the meaning of "national security" has become so flexible in recent years — though I think it's rather sweet that Mr Obama publicly acknowledged that 96 percent of us humans are not Americans.

Number three is pretty much BS. Obama gives himself the same out: That foreign leaders are off limits "unless there is a compelling national security purpose" — and just a few sentences later, he makes this observation:

Now let me be clear. Our intelligence agencies will continue to gather information about the intentions of governments, as opposed to ordinary citizens, around the world in the same way that the intelligence services of every other nation does. We will not apologize simply because our services may be more effective.

So if Obama wants to understand the intentions of, say, the Australian government, Prime Minister Tony Abbott's phone might be off limits, but it's still fair game for the NSA to hack into the phones of his chief of staff Peta Credlin, his private secretary, the foreign minister, the defence minister, the attorney-general, the chief of the defence forces, his wife, his doctor, his priest — and anyone and everyone else with whom he might choose to discuss his deepest thoughts.

It's a distinction without a difference. The "intentions" of the Australian government will soon be discovered.

But it's those first two points that we should watch closely. If the NSA doesn't hold the database of telephone metadata — and I note en passant that nowhere in Obama's speech does he mention internet metadata, as if we're all somehow still back in 1992 — then who does?

If it's a new agency dedicated to the purpose, rather than the NSA, then again, it's a distinction without a difference.

If it's the telcos themselves, and, presumably, internet service providers (ISPs), then it raises all those issues about the security and privacy of those data stores that opponents of a mandatory data retention regime have raised all along.

Oh wait. That's right.

Mandatory data retention.

Scroll back...

Two and a half years ago, a quintet meeting of attorneys-general — the law-officer level meetings that mirror the Five Eyes signals intelligence alliance of the US, the UK, Australia, Canada, and New Zealand — agreed that they'd adopt the Council of Europe Convention on Cybercrime as the key international legal instrument for tackling online crime, promote that convention, and use it as the basis for building their own crime-fighting capabilities and raising awareness.

At the core of that convention is the establishment of a mandatory data retention regime by ISPs.

So really, all that President Obama has proposed as the solution to potential NSA overreach is the plan they've had all along.

Except for one thing.

If the bulk collection of communications metadata becomes part of a publicly acknowledged program that's in turn part of an international treaty, then it'll presumably become cheaper to run, because it won't be wrapped in all the secrecy that's involved in an NSA black program. Which in turn means that the NSA's hypergeekspooks can turn their attention to even more sophisticated black operations. Why hack Google or Microsoft or Apple when they're required to maintain a database for you?

I see two messages in all of this for business. One, you really need to be taking security seriously, as I've written previously. Two, if you're in the business of providing secure big data storage, get your sales people out there now.