A closer look at Obama’s reforms for the NSA

As you may be aware, at the end of last week President Obama announced a series of reforms to America’s intelligence gathering processes, and he was quick to claim that he had always intended to look at making changes – harkening back to a speech he gave last May. But it is impossible to believe that changes would have come as quickly, extensively, or perhaps at all without the massive leak of intelligence documents by Edward Snowden.

Clearly the White House and the intelligence community are hoping that this is the end of the story, and that the changes they have reluctantly agreed to will stop the public uproar. That doesn’t seem likely as in the US Congress, civil libertarians on both the right and the left have already gone on record to say that the reforms don’t go nearly far enough. In the meantime we can look at the new policies announced by the President.

Outline of the policy changes

The biggest substantive change is that intelligence agencies will need to get court permission before querying any of the metadata collected by the various bulk data collection programs. There will also be some type of non-governmental advocate as part of the FISA Court process to help represent privacy interests. This is definitely not a lawyer for the suspect, as typically they have no idea they are even targeted – it is a general advocate for making sure privacy considerations are taken into account. The bulk collection process will also be subject to annual review – reporting back to the President according to the Presidential Policy Directive (PPD-28), or to both the President and Congress according to what Obama said in his speech.

Most of the rest of the new Policy Directive reads like common sense mixed with motherhood and apple pie. My first reaction after reading it was: “If this is reform, what were we doing before now?” In fact, I suspect most of the document reflects exactly what US policies already are – such as only using covert sources when intelligence can’t get the data from public sources, not using the data obtained from spying to help corporations get a competitive advantage, etc.

There is one other substantive change, though. The personal information of foreign nationals is, for the first time, given similar protection to information about Americans. Clearly the White House has been stung by international disgust at the breadth of NSA data collection around the world. Obama definitely didn’t apologise for overseas spying and data collection, or make any claims that the US would implement any major changes to how it is done, only pointing out that safeguards on use of the data are equally important.

First healthcare.gov and now another contractor?

While Obama has refused to summarily end bulk metadata collection, he is putting in place a plan to keep the data out of the government’s hands until specific pieces of it are needed and access is approved by a court. Until that time, he has trimmed the sails of the collection efforts a bit, by limiting the collection to “two hops” from a known subject instead of three, and requiring court involvement before the information is accessed.

Unfortunately, the data itself is quite a hot potato. If the US government can’t be trusted with it, and ISPs are reluctant to play stooge by storing it on their behalf, talk has turned to keeping it somewhere else. With the healthcare.gov debacle fresh in our minds, it is a little astonishing to hear that one of the proposed solutions to keeping the government’s hands out of the bulk-data cookie jar is to store it with a “third party.” Now, if that organisation is the telcos and ISPs, and they have the data anyway, then that seems pretty sane. But there has been mention of some other group or organisation holding the data. I can only imagine how that contracting process would work, and how we would then ensure the security of the data and prevent that organisation from abusing it.

Unfortunately, as with most of the reforms Obama listed, the bulk data collection reform was short on specifics – since no one actually knows how to safely and securely collect that much data without the potential for abuse. Obama refused to consider walking back the entire idea of bulk metadata collection, despite his own review panel’s scepticism on whether it’s worth the effort.

What was left out

Critics quickly pointed out what was missing from Obama’s speech. There was no discussion of strengthening the protection for whistleblowers. Whether Snowden would have received any protection, as a contractor, under current whistleblower statues has been very controversial. It also was ominously silent about the issue of most interest to many of us in the software community – back doors placed in computer hardware and software by intelligence agencies and cooperative vendors.

Obama also didn’t back down from the policy of using bulk metadata collection as an intelligence tool, despite his own advisory panel recommending it be stopped. So stay tuned for some battles in the US Congress over legislation imposing additional safeguards, and some very amusing-to-watch Congressional hearings with a bunch of non-technical congress members quizzing security gurus and intelligence bureaucrats over the best way to store all that metadata safely.