President Obama’s address on Friday outlining surveillance reforms for the NSA hit the mark in both substance and tone. He defended without apology the necessity of intelligence gathering, outlined the real dangers to privacy and civil liberties of unchecked spying, and acknowledged for the first time that the privacy rights of foreigners should not be ignored by the United States government in its intelligence activities.
The American national security establishment should fully embrace the value of privacy as a universal right that is not limited to Americans. In reality, the intelligence oversight system already does this, by uncovering and punishing unauthorized activities even when they are directed only against foreigners. External surveillance is not unchecked, and there is no reason the United States should defend unchecked surveillance—even against foreigners—when, in practice, it already restrains these activities in a wide variety of ways, as I explain in more detail in an opinion piece for the Guardian.
What about bulk surveillance? According to President Obama, he will “end the Section 215 bulk metadata program as it currently exists and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.” He then points out serious problems with the approaches suggested by his own review group: requiring the telecommunications companies to hold metadata would create new privacy problems, and a quasi-public, quasi-private third party would create new accountability problems.
NSA skeptics are understandably wary of Obama’s promise of a transition away from bulk collection. Apparently the program will end just as soon as the government comes up with an alternative that provides the same intelligence capabilities. It seems more than a little bit like Obama’s promise to close Guantanamo—just as soon as we figure out what to do with the terrorists being held there.
Nevertheless, examining alternatives to bulk collection is a worthwhile enterprise, and there may be innovative ways to square this particular circle. While the program is valuable to national security, the dangers of having the entire nation’s phone records in the hands of the NSA are hardly trivial. Abuse is only one danger; foreign governments and other bad actors will find the metadata storehouse a particularly juicy target. The intelligence community’s ability to maintain the secrecy of its data in recent years does not exactly inspire confidence.
The bulk collection program should be gradually phased out and replaced with a more privacy-preserving program that uses advanced cryptographic techniques that would make bulk collection obsolete. One helpful technique, private information retrieval, allows a client to query a server without the server learning what the query is. This would allow the NSA to query large databases without revealing its subjects of interest to the database holder, and without collecting the entire database. Recent advances should allow such private searches across multiple, very large databases, a key requirement for the program. The use of these cryptographic techniques would eliminate the need for a separate consortium to hold the data. I discussed this in more detail in my testimony before the Senate Select Committee on Intelligence last fall. Seny Kamara of Microsoft Research points out that these techniques were first outlined over fifteen years ago, while the state of the art is outlined in “Usable, Secure, Private Search” from IEEE Security and Privacy.
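To make the private information retrieval idea concrete, here is an added example (not code from the original post, the testimony, or the cited paper) of the classic two-server, information-theoretic PIR scheme: the client splits its selection into two random shares, each server XORs together the records its share selects, and the client XORs the two answers to recover the one record it wanted. The database contents, record length and the assumption that the two servers do not collude are all constructed for illustration.

```python
import os
from typing import List, Tuple

# Constructed sample database of fixed-length records (a stand-in for the
# kind of record store discussed above; these values are not real data).
RECORD_LEN = 8
DATABASE = [
    b"rec-0000", b"rec-0001", b"rec-0002", b"rec-0003",
    b"rec-0004", b"rec-0005", b"rec-0006", b"rec-0007",
]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_queries(index: int, n: int) -> Tuple[List[int], List[int]]:
    """Split the selection vector e_index into two shares.
    q1 is a uniformly random bit vector; q2 = q1 XOR e_index.
    Each share on its own is uniformly random, so a server seeing only one
    of them learns nothing about which record the client wants."""
    q1 = [os.urandom(1)[0] & 1 for _ in range(n)]
    q2 = list(q1)
    q2[index] ^= 1
    return q1, q2

def server_answer(db: List[bytes], q: List[int]) -> bytes:
    """A server XORs every record whose query bit is set. It touches the
    whole database but never learns which single record is of interest."""
    acc = bytes(RECORD_LEN)
    for rec, bit in zip(db, q):
        if bit:
            acc = xor_bytes(acc, rec)
    return acc

def pir_retrieve(index: int, db1: List[bytes], db2: List[bytes]) -> bytes:
    """Client side: send one share to each (non-colluding) replica and XOR
    the answers. Records selected by both shares cancel out, leaving only
    the record at `index`, where the two shares differ."""
    q1, q2 = client_queries(index, len(db1))
    return xor_bytes(server_answer(db1, q1), server_answer(db2, q2))
```

The privacy guarantee holds only if the two servers do not pool their query shares; a single-server variant needs computational PIR, which is where the more recent work cited above comes in.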
There are still obstacles, such as the question of whether telecommunications companies would retain data voluntarily long enough for the program to be useful to national security. Requiring companies to retain data for a longer period of time may be even worse for privacy than the status quo of NSA bulk collection, since the data would then be available for a much larger variety of purposes than mapping international terrorist networks—a point the President’s review group inexplicably overlooked.
President Obama is right to express unease about bulk collection. Even with effective safeguards, it is far from ideal and should not be used unless there are no viable alternatives, and even then only if the value of the program justifies the dangers to privacy. Innovations in privacy-enhancing technologies provide the best hope for a way forward.