EFF Submits Comments to 'Independent' Office of the Director of National Intelligence's Review Group
There's an eerie similarity between the National Security Agency spying uncovered in the 1970s, which included the intelligence community spying on political activists and the NSA's collection of every single international telegram being sent from the United States, and the NSA spying today. Back then, after journalists reported on the illegal actions of the NSA, President Gerald Ford appointed Vice President Nelson Rockefeller to spearhead a commission to look into the allegations of illegal actions by the intelligence community. The Rockefeller Commission was not sufficient to make serious reforms, which only arrived later, after the Congress created the Church Committee.
Today, after the Snowden leaks, President Barack Obama asked Gen. James Clapper, the Director of National Intelligence—whose office oversees the entire intelligence community, which includes the NSA—to form a "Review Group on Intelligence and Communications Technologies." The presidential memorandum establishing the Review Group did not mention the word privacy or civil liberties once, but the group is asking for comments on how the United States can "employ [its] technical collection capabilities…while respecting our commitment to privacy and civil liberties."
The Review Group, which has been furloughed during the government shutdown, will be collecting comments even after the due date of October 4. While we will likely need a new Church Committee to obtain needed reform, we recommend that you also tell the US government what you think about the illegal and unconstitutional spying.
The EFF submitted comments to the Review Group on Friday. Here's a summary and some selections from the full comments. Our technologists also contributed to a separate submission from prominent computer scientists, code, technologists and engineers.
Most importantly, we're asking the Review Group for
a review of the confluence of the technical collection capacities and advancing collection technologies with the Constitution, statutory authorities, and, more simply, users' privacy concerns. A full legal analysis is not expected in the Group’s report. However, the Group should focus on the everyday practical concerns about the collection of innocent users’ metadata, phone calls, and emails; and the collection of huge datasets that may provide voluminous amounts of intimate information."Metadata" is a vital aspect in answering the above questions. In today's modern age, metadata and other non-content information gleaned from modern telecommunications can reveal intimate details about one's life. It is imperative, in light of advancing technological collection capacities, that the Review Group analyze how the act of collecting innocent users' metadata impacts the public trust and public discourse around the NSA's surveillance capacities.Dragnet or bulk collection of information must be replaced with particularized, and targeted acquisition. The intelligence community must begin to think about questions like whether or not mass data collection is viable, if it's absolutely necessary, and what type of data is the most effective to acquire.
To address the dangers enabled by this vast increase in technical capacity, it is critical to stop the spying. Dragnet or bulk collection of information must be replaced with particularized, and targeted acquisition. The intelligence community must begin to think about questions like whether or not mass data collection is viable, if it's absolutely necessary, and what type of data is the most effective to acquire. With a frank and honest evaluation of these questions, the conclusion is inescapable—the mass spying program should be stopped.
We're also asking the Review Group to focus on three additional issues:
1) Advancing transparency issues, and offering solutions to the broken classification system; 2) Addressing the recent revelations around NSA's cryptographic strategy; and, 3) Obtaining an independent technologist to advise and provide assistance to the group.
While we hope you read the entire submission, here are some select portions from the rest of the document:
Fundamental to this review is how intimate personal information can be uncovered by mining the collection of metadata and other information about users. A report must include the practical policy considerations of what type of data to collect, if any privacy issues are triggered by such a collection, if such collection is within the mission of the intelligence community agency, and the effectiveness of such huge data sets of information. As we've witnessed from the public discourse around these programs, such collection betrays the public trust in the intelligence community—a trust that is vital to its success.
Section 1: Advancing transparency issues, and offering solutions to the broken classification system
After reviewing the privacy implications, the Review Group must examine issues around transparency, the lack of which is corrosive to democracy and the rule of law. At the core of any discussion on these programs is the unsustainable classification system. Congress, litigants, and the general public cannot have a full dialogue on these issues when overclassification is rampant. The recently disclosed information about the NSA programs strongly indicates that information is classified primarily to ensure that the public is unaware of the scope of domestic surveillance.
First, the committee must conduct itself in the most transparent way possible. This includes following the procedures in the Federal Advisory Committee Act (FACA). Currently the Review Group is not following the requirements of FACA, which would provide added transparency of, and public trust in, the Review Group. The committee must also hold public testimony and publish public reports—including its final report and recommendations to the Director of National Intelligence and to the President. This Review Group should follow up on the recent declassification of documents by recommending the declassification of documents it receives, or provide a listing of documents it has reviewed so that the public can be fully informed.
Section 2: Addressing the recent revelations around NSA's cryptographic strategy
Even before the latest information published about the NSA’s strategies for cryptography, there was significant concern in the technical community about the potential the subversion of international security standards and the use of legal or extra-legal processes to gain access to private keys held by major service providers. Both actions compromise the privacy and security of domestic data and communications on a mass scale.When the government pushes "cybersecurity" bills to protect our computer networks, and when law enforcement repeats its “going dark” talking point, it is unthinkable that the NSA is deliberately and covertly sabotaging our devices and networks. This seriously undermines privacy and security, as well as public trust in privacy and security technologies—and in all related government action. Moreover, the government has never explained how the NSA has the statutory authority to operate domestically to weaken or introduce vulnerabilities in the domestic data infrastructure. In short, the Review Group must investigate the extent to which the NSA's cryptologic strategy has decreased our national security.
Section 3: Obtaining an independent technologist to advise and provide assistance to the group.
As noted, a recurring challenge with effective oversight of the NSA spying is that major actors in the program lack sufficient technical knowledge to fully understand what NSA is doing or the implications of NSA activities. This extends from political officials to Congress to the FISA Court judges. No person or entity can successfully oversee programs without understanding the technical details of how that spying takes place and what its implications are. The panel should have an individual intimately familiar with computer technologies at both the level of “code” and in the broader network environment. That person needs to have a clearance at least as high as the members of the review committee.
The Review Group must look into and release the metrics used to conduct such an evaluation. It must also develop metrics and evaluations for other collection programs. Fundamental questions like whether there is a consistent evaluation of these programs beyond 30, 60, or 90-day reports, or if an evaluation is only conducted when asked, are vital to overseeing the programs. The Review Group must not rely exclusively on detailed employees from the Executive Branch or the intelligence community. It should reach out to the Technical Advisory Groups of both the SSCI and HPSCI. The Review Group could also hire an outside technologist to serve as an independent expert for the Review Group.