Review Group’s privacy recommendations for non-U.S. persons lack teeth

Last month the President’s Review Group on Intelligence and Communications Technologies released their report and recommendations on reform of U.S. surveillance programs. The criticisms in the report, and the detailed nature of the more than 46 recommendations, underscore how much the NSA’s current mass surveillance programs violate the fundamental privacy rights of people around the world.

We’re gratified to see the Review Groups agrees with us on a fact that we’ve long known: that non-U.S. persons deserve more privacy protections than currently offered under U.S. law. We’re also glad to see the Review Group acknowledge that international privacy protections shouldn’t be dictated by U.S. national interests, but by international human rights law. Unfortunately, the actual recommendations of the Review Group, even if implemented, would do little to practically increase privacy protections for non-U.S. users.

However, we’re pleased that the Review Group’s recommendations are unambiguous in their support for maintaining the integrity of the internet’s technical standards and infrastructure. If implemented, these recommendations would curtail the NSA’s ongoing practice of actively undermining cryptographic standards and encouraging known vulnerabilities to go unpatched. Ending these practices will benefit users globally, but would be especially beneficial to people in countries where these secret backdoors might be abused by their own governments or other adversaries.

So, what do the recommendations mean if you’re not a U.S. person? While the recommendations are expansive in their broadest reading, they can also be so carefully parsed as to be largely meaningless. Unfortunately, for non-U.S. persons, this means that the recommendations don’t offer much in the way of meaningful change.*


Understating the impact of mass surveillance of foreigners

While acknowledging the importance of increasing protections for ‘non-U.S. persons, the Review Group also understated the impact of U.S. surveillance policy. The Review Group acknowledges that Section 702 of the FISA Amendments Act did not authorize the mass collection of communications from ordinary non-U.S. people, and does require the use of certain identifiers to collect content. However, we’ve already seen the NSA abuse the use of these required identifiers to gather more information than reasonable. Their ability to combine identifiers, as well as the use of three-hop contact chaining, points to data collection practices that are limited in theory alone.

If PRISM, MUSCULAR, and other various SIGAD programs are not evidence of the breadth of data collection, then the size of the NSA’s new data storage facility should be convincing. Estimates indicate it will initially hold 12 exabytes of data, which is equal to 12 billion gigabytes, and will only continue to grow.

Because the Review Group’s interpretation of Section 702 significantly underplays collection of data of non-U.S. persons conducted under that statute, their recommendations are similarly underpowered, and mostly limited to reinforcing what existing protections are already in place. These include the “reaffirmation” that surveillance of non-U.S. persons be dictated by law, that it be directed at ‘legitimate’ national security interests, and that it not be ‘disseminated’ (passed on to other investigatory agencies) if not relevant to protecting national security interests. It also recommended “careful oversight and the highest degree of transparency,” to the point possible.

These are vague goals, and do little to advance a practical reform agenda. In fact, the Director of National Intelligence and Director of the NSA have argued all along that their surveillance is subject to oversight and warranted by national security interests, as a means of legitimizing their far-reaching and intrusive programs.


Metadata matters, too.

The Review Group should be commended for its recognition of the fact that just because the government is capable of mass collection doesn’t make that collection sound policy.

While discussing the mass collection of metadata, the Review Group makes the recommendation that “as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes.” The recommendation is well worded and appropriate, but the Review Group should have extended this recommendation to collection practices of the data of non-U.S. persons.


Limiting surveillance to ‘legitimate’ threats

The Review Group also recommends ensuring that surveillance is not conducted based solely on the political or religious views of non-U.S. persons. Clearly, no one should be targeted for simply searching the web for “Allah” or “communism.” Limits should ensure that collection of non-U.S. persons data only happens when there is an actual suspicion of a threat to national security. Gathering intelligence based on political or religious beliefs — such as building dossiers to discredit religious ‘radicalizers’ for looking at porn — is often irrelevant to assessing the urgency of the legitimacy of a threat, and thus should be excluded from the NSA’s purview.

The Review Group also outlines the difference between the collection standards for U.S. and non-U.S. persons, including the fact that current policy does not fully extend minimization requirements to non-U.S. persons. Minimization requirements are the standards that dictate the government discard any irrelevant information it collects — a privilege not afforded to non-U.S. people. Access believes that when the NSA gathers information on non-US persons, and those people didn’t actually qualify for collection under the required identifiers, the NSA should be required to destroy that information. If the government is truly committed to the privacy of non-U.S. persons then it should extend the same minimization standards to non-U.S. persons as those nominally protecting U.S. users.


Broken and outdated authorities

The distinction between collecting within and outside the U.S. has broken down. When the original Foreign Intelligence Surveillance Act was passed in 1978, the system made sense: it spoke to a largely analog world confronting the threat of hostile state actors. More than 35 years later, this paradigm is outdated. Section 702 of the FISA Amendments Act controls the collection of content within the U.S., while Executive Order 12333 addresses the collection of content outside the U.S. And although the Review Group acknowledged this distinction makes little sense in a borderless digital world, they failed to recommend any changes. Even if the NSA is able to collect much of the world’s content as it transits the U.S. under the authority of Section 702, there should still be a review of policies under EO 12333 to ensure privacy is protected in those instances where data is collected abroad.

The Review Group further recommends applying the Privacy Act of 1974 in the same way to non-U.S. persons. These protections, already afforded to U.S. persons, would allow people inside and outside the United States to access their records held by the NSA and make any needed corrections. Although this change would likely help mollify U.S. allies in Europe, it is unlikely to have any substantive impact: The Privacy Act exempts content that is properly classified or sensitive. For this recommendation to be truly effective, the extension of the Privacy Act to non-U.S. persons should be accompanied by with increased declassification, in order to ensure non-U.S. persons have meaningful access to the records in question.


Ensuring the integrity of the internet

An unequivocal point of agreement between the Review Group and the team at Access comes in the Group’s recommendations on ensuring fundamental network integrity — recommendations that, If implemented, should benefit non-U.S. persons and U.S. users alike.

The Review Group acknowledged the NSA’s success in cracking much of the encryption that is fundamental to the operation of a secure internet, and recommended that the U.S. government not take any measures to undermine encryption standards. Backdoors in commonly used products, services, and standards make all users vulnerable to malicious attacks, weaken the integrity of the network as a whole, and undermine trust that is critical to commerce and creativity.


Respect for international norms

The Review Group recommended the government embrace common-sense norms for online communication, such as as not stealing industry secrets or manipulating bank accounts and increasing transparency for service providers. They also embraced a multi-stakeholder approach to internet governance, recognizing, for instance, that US control over the Internet Corporation for Assigned Names and Numbers (ICANN) is outdated, and the organization should transition to a more inclusive governance structure. These recommendations conform to a general theme of the Review Group: limiting abuse on the internet. We’re glad to see the Review Group’s recognition that threats to the internet go beyond surveillance. These efforts, if implemented, should make a better internet for all users.

The Review Group expressed support for the U.S. embracing international norms on human rights and internet freedom and security, marking an unexpected — and welcome — acknowledgement by the United States of international law and standards. As they noted, “[t]he pursuit of Internet freedom represents the effort to protect human rights online. These rights include the right to speak out, to dissent, and to offer or receive information across national borders. Citizens ought to be able to enjoy these rights, free from fear that their words will result in punishment or threat.” If the U.S. government does believe that sharing information across borders is a right, then the Obama administration should also embrace the right of privacy, and afford greater protections for the communication of non-U.S. internet users.

The Review Group also call for a U.S.-led agreement on “Internet Norms of Cyberspace,” intended to prevent economic espionage and protect financial services. Such measures, if fully developed, implemented, and respected, would go a long way towards furthering global trust in the internet, but reflect the unfortunate tendency of the U.S. to institute policy reforms on the basis of economic pressure, rather than respect for human rights.

We anticipate continued conversation over the privacy implications of U.S. surveillance policy for international internet users. Later this month, President Obama is expected to address the findings of the Review Group’s report in a speech. And the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency of the US government, will soon release its own study on the bulk collection of foreign data. While we embrace some of the recommendations of the Review Group, we look to the PCLOB for leadership in providing more developed recommendations for the privacy of non-U.S. persons.

* – (For clarity, a ‘U.S. person’ is generally someone who is either a U.S. citizen or a permanent resident. A ‘non-U.S. person’ fits neither of those descriptions.)