
Too Much and Too Little

Michael Leiter
Thursday, December 26, 2013, 10:39 AM

Published by The Lawfare Institute
in Cooperation With
Brookings

With the release of the Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, reporters and commentators have scrambled to make sense of the 308 pages of relatively arcane and often vague language. In doing so many have missed the forest for the trees and, equally often, confused those recommendations that are headline grabbing with those that are likely to have the greatest impact.

The issue that has most dominated commentary is of course the so-called “termination” of the telephone metadata program. This isn’t altogether surprising given the privacy interests at stake, the Review Group’s strong questioning of the program’s utility, and their bold language of “termination.” But in truth, as important as this issue is, many are mistaken in thinking that the Review Group’s recommendation (even if accepted in toto, an outcome I consider rather unlikely) means the end of extensive use of U.S. persons’ telephone metadata. In fact the Review Group’s recommendation would likely permit NSA to continue to be able to use the same metadata, albeit without holding said data and subject to greater judicial oversight. Undoubtedly, this is a meaningful change and offers more significant privacy protection, but it is a far cry from ending the use of U.S. telephone metadata, which will continue to be useful to counterterrorism investigations.

Much coverage has also focused on the Review Group’s recommendation to narrow spying authority on foreign leaders and our closer allies. This issue of course garnered significant attention with the revelations about Chancellor Merkel’s cell phone, and in that sense narrowing the authority to conduct such surveillance is important. But in the big scheme of things, the Review Group’s recommendation isn’t likely to change much at all—nor is this sort of targeting a remotely large part of what the NSA does. Moreover, the likelihood of successful “no spy” agreements being concluded even with close allies like Germany is relatively small. In short, this is a decent incremental step in rebuilding diplomatic bonds, but the substantive impact is marginal.

There are, however, embedded in the recesses of the Review Group’s report, some very significant issues that require careful consideration—and in some cases, focused implementation—going forward.

One of the most significant issues that has garnered limited attention involves FBI National Security Letters (NSLs)—requests by agents to organizations for records on people who are being investigated. Specifically, the report recommends that such requests should require approval by a federal judge. Unlike the relatively tiny number of NSA searches of U.S. person telephone metadata (i.e., hundreds), the FBI issues more than 20,000 NSLs a year. In this regard, greater oversight might be appropriate. But if adopted this recommendation would make FBI counterterrorism investigations more difficult than criminal investigations, where such administrative subpoenas are often issued without any judicial involvement. Such a step strikes me as unwise given the real terrorist threat we continue to face.

Even less noticed by most commentators is the Review Group’s recommendation that to a great extent the U.S.’s Privacy Act protections be applied to information gathered on non-U.S. persons. As support for this, the report notes that the Department of Homeland Security (DHS) already handles information in such a manner and thus these protections should be more widely applied. What this misses is that the practical application of the Privacy Act to non-U.S. person information by DHS has had serious and quite negative information sharing results. In my experiences as the Director of the National Counterterrorism Center, we spent literally years negotiating for access and retention to certain DHS data about non-U.S. persons, and often the Privacy Act protections posed significant practical obstacles. Thus, the Review Group’s rather stealth recommendation should be read with extreme skepticism, as it would likely do far more harm than good.

More than 200 pages into the report are some of its most important recommendations—making sure data is better secured by the Intelligence Community and ensuring that the Intelligence Community workforce (government and contractor) is being properly cleared for access to sensitive information. On both fronts, the Intelligence Community has not performed well over the past decade. Technology exists to better secure information, ensure that information is not misused to violate privacy and civil liberty rules, and to ensure that individuals who hold security clearance lose that privilege if they become less trustworthy. The Executive Branch and Congress should, in my view, focus intently on these two areas that have escaped much of the current public discourse.

Also missing from much of the recent coverage—although certainly not in the U.S. technology community—are the report’s recommendations on ensuring that U.S. economic interests are weighed when considering intelligence operations. Indeed, our international economic opportunities in technology have been badly stung by Snowden’s revelations as countries look to domestic industries rather than U.S. information technology providers. In this sense the report’s recommendations are wise. But ensuring this occurs is easier said than done. Decisions of this sort have previously been, perhaps unsurprisingly, debated and decided far from the halls of the Commerce Department, the U.S. Trade Representative, and others. Integrating these voices into the larger national security debate will take time and a concerted effort by the Executive Branch.

But perhaps most “under discussed” is how the recommendations would in combination affect intelligence collection and national security. Greater involvement by judges, a far more adversarial Foreign Intelligence Surveillance Act court, more oversight by the Office of Management and Budget, an operational President’s Civil Liberties Oversight Board, privacy assessments on all intelligence operations, and the like may sound good in isolation—but they can combine to form a deadly and inefficient bureaucratic mix. And we must remember that these newly recommended steps would not stand alone, but instead be layered upon the already existing scores of Inspectors General, Offices of General Counsel, the President’s Intelligence Advisory Board, the Intelligence Oversight Board, the Office of the Director of National Intelligence, numerous privacy and civil liberty offices, and Congressional oversight.

It is impossible to predict precisely the effect of this additional oversight. What is clear, however, is that these additional layers will almost certainly have an intelligence “cost” even if they simultaneously produce a transparency and privacy “benefit.” As the White House and Congress move forward, both would be well advised to focus their attention on these potentially concrete effects. From here on out, we must not just look for good sound bites, but instead focus on what combination of reforms will accomplish a worthy set of privacy and security goals for years to come.

Michael E. Leiter served as the director of the National Counterterrorism Center (NCTC) until July 2011. As the director of NCTC, Leiter led the primary organization in the U.S. government for analysis and integration of all terrorism intelligence—both domestically and overseas. Before joining NCTC, Leiter served as the deputy chief of Staff for the Office of the Director of National Intelligence (ODNI). Prior to his service with the ODNI, Leiter served as the deputy general counsel and assistant director of the President’s Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction (the “Robb-Silberman Commission”). From 2002 until 2005, he served with the Department of Justice as an assistant United States Attorney for the Eastern District of Virginia, where he prosecuted a variety of crimes, including narcotics offenses, organized crime and racketeering, capital murder and money laundering.
