Liberty and Security in a changing world

Brett Daniel Shehadey
Special Contributor for In Homeland Security

The Review Group on Intelligence and Communications Technologies was a diverse five-member panel with representatives from counterterrorism, intelligence, oversight, privacy and civil liberties. Together the team wrote a lengthy 308-page report called “Liberty and Security in a Changing World” and met with the President last Wednesday to discuss their recommendations.

The main purpose of the report was to push the idea of changing current, established and accepted practices of signals intelligence (SIGINT), particularly the big data gathering of domestic and international private and personal information without regard to any specific threat or probable cause. The group was commissioned by the President in light of the ongoing Edward Snowden leaks. The evidence of the US spying on its allies was the pinnacle that forced the President’s hand.

There are some very good recommendations. The overall feel is that there is a genuine convergence of civil liberty advocates and security types; however, the report’s recommended reforms will increase domestic intelligence and tighten restrictions on their use which they claim is predicated on a new threat and security landscape. The trick will be to incorporate more innovative law and intelligence practices that accommodate both privacy and national security concerns responsibly and accountably.

White House statements:

“In light of new technologies, the United States use its intelligence collection capabilities in a way that optimally protects our national security while supporting our foreign policy, respecting privacy and civil liberties, maintaining the public trust, and reducing the risk of unauthorized disclosure.”

“Just because we can do something doesn’t mean we necessarily should.”

“I’m going to make a pretty definitive statement about all of this in January.”

Foreign allies and American citizens expect some concessions in the President’s announcement come January, concessions that will not cause any loss to intelligence gathering and national security. Already President Obama has ignored a recommendation to separate the heads of US Cyber Command and the NSA into separate executive positions, as well as the push for a civilian-only NSA director.

It is also important to note that the Supreme Court has yet to address the Fourth Amendment and national security issues of the present day, recently caught up in this exposure cycle. This comes after a federal judge ruled that NSA phone surveillance of metadata was unconstitutional. Thus, we have yet to hear from the full third branch of government. It is likely that this ruling will simply be overturned in a Federal Appeals court, as many national security rulings are.

General big data collection on an entire population is not traditionally intelligence gathering but raw information collection. The difference is that raw information, once gathered, must be stored or viewed in real time and then go through the intelligence process. This means there is something or some question that needs answering: generally an unknown, a query, an investigation, the gathering of the specific intelligence requested and then the analysis process before it reaches the client/consumer. This final product is typically considered the actual intelligence.

Obviously, spying on the unassuming public is much easier than spying on closed governments, clandestine agents, terrorists and criminals or persons that cover their tracks and shield their data from clandestine and/or outside intrusions.

The problem becomes one of temptation. Gathering everyone’s junk data through data mining is a capability, and bypassing laws by using third parties is an optional practice. In the future, raking total societal and personal information, financial data, credit cards, emails, social security numbers, birth-dates, social networking, complete phone records and all transmissions across various security professionals, data centers, government agencies or even corporations without the direct consent of the individuals involved, will be possible and may even be easy to pull off.

The US and other states will move beyond the ability to sift through metadata in the form of phone calls or web logs in which users remain anonymous. Stored emails with low level encryption are already legal to take after 180 days of inactivity by the user, if they are stored on a third-party server (not directly from one’s home computer). The technology for some time has been far ahead of any 21st century privacy law that defends individual rights of innocent people from government or corporate surveillance.

Is it okay to monitor or record private and personal information without permission or is this data theft? Technically it is not, because you are copying or watching it digitally and the activity is taking place outside of the house—so the argument for big data collection goes. But the argument is flawed. Of course, it is theft at the digital level by the government or corporations involved, targeting the individual and taking information they did not consent to give. It is no different from paper mail, which it is a felony for any person to open (with probable cause, reason and warrants all being the exception).

The question should then follow: is it necessary, in a changing world where more and more people and technology can cause greater damage in cities and centers with increased population densities, to access this information in order to prevent it? Does the NSA/FBI need to track all channels and transmissions to secure the nation most efficiently? Is it possible to prevent the overuse or abuse of National Security Letters to obtain private information from internet companies?

Will blanket and bulk privacy intrusions lead to political persecutions in the USA by subsequent presidents? Should the NSA target foreign nationals globally in particular and leave the American people alone? As countering terrorism or protecting public safety becomes more difficult, will the temptation of building larger social profiles on American citizens be considered? Many of these types of questions were in the report; some were not.

One solution not entirely represented in the final report would be to mask the individuals of an entire population, track everything, all information, anonymously and never build a case file or profile until needed and only on reasonable suspects and leads.

At the level of needed statistics this makes more sense, and when a particular lead emerges and it involves a potential threat, the people’s identities can be revealed only as necessary for the purposes of national security and public safety.

A warrant from the Foreign Intelligence Surveillance Court (FISC) would carry a code number, which would be entered into the program to access the identity, and an expiration date, and there would be no way to copy the personal data or access it outside the specific purpose. If another lead or another warrant is needed, the FISC would be revisited.
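One way the warrant-gated lookup described above could behave, as an added Python example that is not from the report or the author: records carry keyed pseudonyms, and an identity is released only for a warrant whose code number, scope and expiry all check out. Every name here (`pseudonymize`, `issue_warrant`, `IdentityEscrow`) and both keys are hypothetical, and a shared HMAC key stands in for what would be a court signature.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo keys (assumptions): one held by the data holder, one by the court.
PSEUDONYM_KEY = b"constructed-provider-key"
COURT_KEY = b"constructed-court-key"

def pseudonymize(identifier):
    """Keyed hash: analysts see a stable token instead of the identity."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def _warrant_tag(code, scope, expires):
    body = json.dumps({"code": code, "scope": sorted(scope), "expires": expires}, sort_keys=True)
    return hmac.new(COURT_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_warrant(code, pseudonyms, expires):
    """Court side: bind the code number, the covered pseudonyms and the expiry."""
    scope, exp = sorted(pseudonyms), expires.isoformat()
    return {"code": code, "scope": scope, "expires": exp, "tag": _warrant_tag(code, scope, exp)}

class IdentityEscrow:
    """Maps pseudonyms back to identities only under a valid, unexpired warrant."""
    def __init__(self):
        self._identities = {}
        self.audit_log = []  # every attempt is recorded, granted or not

    def enroll(self, identifier):
        token = pseudonymize(identifier)
        self._identities[token] = identifier
        return token

    def reveal(self, pseudonym, warrant, now):
        expected = _warrant_tag(warrant["code"], warrant["scope"], warrant["expires"])
        if not hmac.compare_digest(expected, warrant["tag"]):
            outcome = "denied: invalid warrant"   # altered code, scope or expiry
        elif now >= datetime.fromisoformat(warrant["expires"]):
            outcome = "denied: expired"
        elif pseudonym not in warrant["scope"]:
            outcome = "denied: out of scope"
        else:
            outcome = "granted"
        self.audit_log.append((now.isoformat(), warrant["code"], pseudonym, outcome))
        return self._identities.get(pseudonym) if outcome == "granted" else None
```

The audit log is what lets an oversight body check each identity lookup against a specific warrant code.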

The advantage is instantaneous access to legitimate threats as well as a total real-time information environment tracking in the future. Even if SIGINT capabilities are not there yet, they could be, and national security, public safety and privacy are all safeguarded, as is the Fourth Amendment.

The data would have to be collected by the internet and phone companies, not the government. The government is technically not allowed to store certain personally held information without their consent (e.g. stored emails for less than 180 days without and without a subpoena). Yet even without this, is it wasteful to track social media today? Yes and no. Tracking everyone’s social media is not possible, according to official public statements from the FBI.

Still, the US government could access all transmissions upstream and downstream in real time through special access to those companies. The information is already there. It is now a matter of maintaining individual privacy and installing anonymous surveillance procedures. The government would now be directly responsible, and a primary mission would also be to guard all internet transmissions and the mega-pipelines of the US with the latest encryption. The government must spend an equal amount of time securing the information of US citizens from other governments and criminals and therefore maintain public safety, financial security and the US national advantage. It must also be increasingly transparent, have more regulating bodies, and be independent from special interests.

In any case, the report, dated December 12, 2013, made 46 recommendations. Below are selected recommendations:

Non-disclosure orders should remain in effect no longer than 180 days without judicial re-approval.

We recommend that section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if: (1) it finds that the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and (2) like a subpoena, the order is reasonable in focus, scope, and breadth.

We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that: (1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and (2) like a subpoena, the order is reasonable in focus, scope, and breadth.

We recommend that, as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes. Any program involving government collection or storage of such data must be narrowly tailored to serve an important government interest.

We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation 1.

We recommend that the government should commission a study of the legal and policy options for assessing the distinction between meta-data and other types of information.

We recommend that, building on current law, the government should publicly disclose on a regular basis general data about National Security Letters, section 215 orders, pen register and trap-and-trace orders, section 702 orders, and similar orders in programs whose existence is unclassified, unless the government makes a compelling demonstration that such disclosures would endanger the national security.

[Recommendation 13- strong protections for US citizens and reforming Section 702].

We recommend that the National Security Agency should be clearly designated as a foreign intelligence organization; missions other than foreign intelligence collection should generally be reassigned elsewhere.

The Civil Liberties and Privacy Protection Board should be an authorized recipient for whistle-blower complaints related to privacy and civil liberties concerns from employees in the Intelligence Community; (1) The charter of the Privacy and Civil Liberties Oversight Board should be modified to create a new and strengthened agency, the Civil Liberties and Privacy Protection Board, that can oversee Intelligence Community activities for foreign intelligence purposes, rather than only for counterterrorism purposes; (2) The Civil Liberties and Privacy Protection Board should be an authorized recipient for whistle-blower complaints related to privacy and civil liberties concerns from employees in the Intelligence Community;
(3) An Office of Technology Assessment should be created within the Civil Liberties and Privacy Protection Board to assess Intelligence Community technology initiatives and support privacy-enhancing technologies; and (4) Some compliance functions, similar to outside auditor functions in corporations, should be shifted from the National Security Agency and perhaps other intelligence agencies to the Civil Liberties and Privacy Protection Board.

Congress should create the position of Public Interest Advocate to represent privacy and civil liberties interests before the Foreign Intelligence Surveillance Court; the transparency of the Foreign Intelligence Surveillance Court’s decisions should be increased, including by instituting declassification reviews that comply with existing standards; and (4) Congress should change the process by which judges are appointed to the Foreign Intelligence Surveillance Court, with the appointment power divided among the Supreme Court Justices.

We recommend that, regarding encryption, the US Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

We recommend that the United States should support international norms or international agreements for specific measures that will increase confidence in the security of online communications. Among those measures to be considered are: (1) Governments should not use surveillance to steal industry secrets to advantage their domestic industry; (2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

We recommend that for big data and data-mining programs directed at communications, the US Government should develop Privacy and Civil Liberties Impact Assessments to ensure that such efforts are statistically reliable, cost-effective, and protective of privacy and civil liberties.

We recommend that the vetting of personnel for access to classified information should be ongoing, rather than periodic. A standard of Personnel Continuous Monitoring should be adopted, incorporating data from Insider Threat programs and from commercially available sources, to note such things as changes in credit ratings or any arrests or court proceedings.

We recommend that security clearances should be more highly differentiated, including the creation of “administrative access” clearances that allow for support and information technology personnel to have the access they need without granting them unnecessary access to substantive policy or intelligence material.