Tag: national security agency

It’s Time to Break up the NSA

says security guru Bruce Schneier on CNN.com.

His brief, readable piece articulates the three distinct – and conflicting – missions the NSA now has, and how they should be handled. It’s no hit piece: Schneier calls NSA’s Tailored Access Operations group “the best of the NSA and … exactly what we want it to do.”

The generals who have built NSA into a fiefdom will fight tooth and nail against true reforms like these, of course, but they’re the kind of reforms we need. The most prominent measures under discussion are mere nibbles around the edges of the problem, or worse.

Good First Steps, But Real Surveillance Reform Will Require More

The president’s speech on surveillance today proposed some welcome first steps toward appropriately limiting an expanding surveillance state — notably, an end to the NSA’s bulk phone metadata program in its current form, and a recognition that judges, not NSA analysts, must determine whose records will be scrutinized.

The details are important, however. Obama’s speech left open the possibility that bulk collection might continue with some third party — which would in effect be an arm of government — as a custodian. If records are left with phone carriers, on the other hand, it’s important to resist any new legal mandate that would require longer or more extensive retention of private data than ordinary business purposes require.

It was disappointing, however, to see that many of the recommendations offered by Obama’s own Surveillance Review Group were either neglected or specifically rejected. While the unconstitutional permanent gag orders attached to National Security Letters will be time-limited, they will continue to be issued by FBI agents, not judges, for sensitive financial and communications records.

Nor did the president address NSA’s myopic efforts to degrade the security of the Internet by compromising the encryption systems relied on by millions of innocent users. And it is also important to realize that changing one controversial program doesn’t alter the broader section 215 authority, which can still be used to collect other types of records in bulk—and for all we know, may already be used for that purpose.

Most fundamentally, Congress must now act to cement these reforms in legislation — and to extend them —to ensure safeguards implemented by one president cannot be secretly undone by another.

How’s That Oversight Coming Along?

One of the claims made by defenders of NSA spying is that it’s overseen and approved by all three branches of the federal government.

Computer security expert Bruce Schneier provides some insight into how well congressional oversight is working in a short blog post entitled: “Today I Briefed Congress on the NSA.”

This morning I spent an hour in a closed room with six Members of Congress: Rep. Logfren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlate, Rep Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me – as someone with access to the Snowden documents – to explain to them what the NSA was doing.

Many members of Congress have been derelict for years in not overseeing the National Security Agency. Now some members of Congress are asking questions, and they’re being stonewalled.

It’s the government so…

I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF.

Randy Barnett and I made the case last fall that the panels of judges who approve domestic spying under the Foreign Intelligence Surveillance Act should not be regarded as legitimate courts. Their use to dispose of Americans’ rights violates due process.

And the executive branch? Here’s President Obama: “I mean, part of the problem here is we get these through the press and then I’ve got to go back and find out what’s going on…”

How’s that tri-partite oversight coming along?

Ratifying NSA Spying, a Court Calls FISA ‘Courts’ Into Question

Two weeks ago, when D.C. District judge Richard Leon ruled that mass government surveillance of Americans’ telephone calling was likely unconstitutional, there was some well-poisoning about his opinion being “passionate.” The implication, of course, was that he was not being suitably judicial. The same could be said of this week’s ruling by Judge Pauley of the U.S. District Court in New York. When the first sentence intones: “The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is,” and when the first citation is a “See generally” to the 9/11 Commission report, these are not signs that you’re about to get dispassionate application of law to facts.

Judge Pauley’s use of the 9/11 Commission report to argue that NSA data collection could have foiled the 9/11 plot is belied by the report’s clear statement with respect to Khalid Al-Mihdhar: “No one was looking for him.” (page 269) In our paper, “Effective Counterterrorism and the Limited Role of Predictive Data Mining,” Jeff Jonas and I detailed ways many of the 9/11 terrorists could have been found had anyone been looking. The argument that NSA spying would have prevented 9/11 is not a strong one.

But passions pitted against one another is just one of the symmetries between the two rulings. Judge Leon distinguished Smith v. Maryland. He believes that the Supreme Court case allowing the use of phone call information to convict a suspected burglar and obscene phone caller does not ratify the collection of phone calling information about every innocent American. Judge Pauley treated Smith v. Maryland as controlling. If one burglar in Baltimore doesn’t have a Fourth Amendment interest in his phone calling data, 200 million Americans don’t either. We have appeals to sort these things out, and Judge Pauley’s ruling makes it more likely that such an appeal will reach the Supreme Court, which is good.

The interesting thing in Judge Pauley’s ruling is ammunition he offers to critics of the panels of judges created by the Foreign Intelligence Surveillance Act. People often refer to them as the “Foreign Intelligence Surveillance Court” or “FISC.”

While the FISC is composed of Article III judges, it operates unlike any other Article III court. Proceedings in Article III courts are public. And the public enjoys a “general right to inspect and copy public records and documents, including judicial records and documents.” (citation omitted) “The presumption of access is based on the need for federal courts, although independent—indeed, particularly because they are independent—to have a measure of accountability and for the public to have confidence in the administration of justice.” (citation omitted)

Later, he writes:

The two declassified FISC decisions authorizing bulk metadata collection do not discuss several of the ACLU’s arugments. They were issued on the basis of ex parte applications by the government without the benefit of the excellent briefing submitted to this Court by the Governent, the ACLU, and amici curiae. There is no question that judges operate best in an adversarial system. “The value of a judicial proceeding … is substantially diluted where the process is ex parte, because the Court does not have available the fundamental instrument for judicial judgment: an adversary proceeding in which both parties may participate.” (citation omitted) … As FISA has evolved and Congress has loosened its individual suspicion requirements, the FISC has been tasked with delineating the limits of the Government’s surveillance power, issuing secret decision [sic] without the benefit of adversarial process. Its ex parte procedures are necessary to retain secrecy but are not ideal for interpreting statutes.

This echoes an argument Randy Barnett and I offered in our brief to the Supreme Court about NSA spying. These so-called ‘courts’ that administer NSA spy programs lack many of the hallmarks of a true court, and their use to dispose of rights that protect our privacy is a violation of due process.

There will be much more to come in the judicial path of the NSA spying debate. The legitimacy of FISA panels should be a part of that discussion.

Reviewing the Review Group: Practice What You Preach

The “President’s Review Group on Intelligence and Communications Technologies” has issued their report. Convened in late summer to advise the president on what to do in the wake of the Snowden revelations (without mentioning Snowden), the group was rightly criticized for its ‘insider’ composition. The report has beaten the privacy community’s low expectations, which is good news. It advances a discussion that began in June and that will continue for years.

Some observations:

- Contrary to expectations, the report is outside the White House’s “comfort zone.” That’s good, because, as noted, this group could easily have decided to ratify the status quo, handing the administration and the National Security Agency a minor victory. The report positioned Senate Judiciary Committee chairman Patrick Leahy (D-VT) to say: “The message to the NSA is now coming from every branch of government and from every corner of our nation: You have gone too far.”

- There is no reason to treat the report as a reform “bible.” This was a problem with the 9/11 Commission report, for example, which was held up as sacrosanct even when it was wrong. The Review Group report is right about some things, such as eliminating administratively issued National Security Letters, it is wrong about some things, and it omits some key issues, such as the government-wide penchant for secrecy that created the current problems.

- Weaknesses are more interesting than strengths, and a particular weakness of the report is its call for retaining the phone calling surveillance program. Recommendation Five calls for legislation that “terminates the storage of bulk telephony meta-data by the government under [USA-PATRIOT Act] section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party.” The debate over data retention mandates ended some years ago, and the government was denied this power. The NSA’s illegal excesses should not be rewarded by giving it authorities that public policy previously denied it. Outsourcing dragnet surveillance does not cure its constitutional and other ills.

- The data retention recommendation is in conflict with another part of the report, which calls for risk management and cost-benefit analysis. “The central task,” the report says, “is one of risk management.” So let’s discuss that: Gathering data about every phone call made in the United States and retaining it for years produces only tiny slivers of security benefit, the NSA’s unsupported claims to the contrary notwithstanding. Considering dollar costs alone, it almost certainly fails a cost-benefit test. If you include the privacy costs, the failure of this program to manage security risks effectively is more clear. The Review Group’s conclusion about communications surveillance is inconsistent with its welcome promotion of risk management.

Most legal scholars and most civil liberties and privacy advocates punt on security questions, conceding the existence of a significant threats, however undefined and amorphous. They disable themselves from arguing persuasively about what is “reasonable” for Fourth Amendment purposes. Concessions like these also prevent one from conducting valid risk management and cost-benefit analysis. Some of us here at Cato don’t shy from examining the security issues, and we do pretty darn good risk management. The Review Group should practice what it preaches if it’s going to preach what we practice!

A Data Retention Mandate? NO

The Wall Street Journal reports that a panel convened by the president to review the National Security Agency’s programs will recommend that “the records of nearly every U.S. phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization.” That recommendation is a non-starter.

Mandatory data retention has been floated for years using the most politically appealing rationale, child predation. In 2007, we characterized the idea as costly, outsourced surveillance, and Congress has consistently denied that power to the government. In fact, child protection bills containing data retention mandates were introduced in several Congresses but only passed once provisions deputizing communications providers into government surveillance were stripped out. Randy Barnett and I made this point in our brief urging the Supreme Court to take up the NSA’s mass surveillance of Americans’ telephone calling.

“Congress has declined to institute mandatory data retention laws because the costs, risks, and privacy consequences for innocent citizens outweigh their law enforcement and security benefits,” we wrote. “The Verizon order reverses this Congressional policy by requiring a telecommunications provider to turn all data over to the government for retention by the National Security Agency.”

How ironic it would be if the NSA’s illegal excesses delivered it a victory on a policy initiative that it lost years ago. Is secretly violating Americans’ communications privacy really rewarded by a policy requiring the violation of Americans’ communications privacy?

Rep. Jim Sensenbrenner (R-WI), who claims authorship of the USA-PATRIOT Act, came to Cato two months ago to lament the NSA’s use of that law for domestic spying he did not intend the NSA to have. In the past, he has said that data retention “runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes.” Assumedly, he believes the same as to people’s use of the phone, and he will continue working with other privacy-minded legislators to relegate data retention mandates to the dustbin of history.

The NSA’s Rent Is Too Damn High

For months, the American public has received a steady stream of new information detailing the massive scale and scope of the United States’ spying activities. Of course, maintaining a surveillance state powerful enough to reach into the inboxes of world leaders, friend and foe, is not cheap. Indeed, as the Washington Post revealed when it released portions of the so-called Black Budget, this year’s price tag on America’s spook infrastructure comes out to a whopping $52.6 billion.

This is, of course, a tremendous sum – more than double the size of the Department of Agriculture, more than triple the size of NASA; the list goes on… But, what really puts this number into perspective is its average cost to each American taxpayer, or what I would call the NSA and associated agencies’ “rent.”

Yes, the NSA’s rent, charged to every taxpayer living under its web of surveillance, comes out to an exorbitant $574 per year. If this is the price the federal government is charging American taxpayers to have their own privacy invaded, then I say the NSA’s rent is too damn high.

Normally, at the end of one of these blogs, I would ask a rhetorical question like: “Washington, are you listening?” But, in this case, we know Washington is listening, and now we know how much we’re being charged for it.

Pages