After suggesting general reforms to both 215 collection and national security letters, the Review Group then turns to the subject of bulk metadata. It begins this discussion with what, to my mind anyway, is the first of its totally inconsequential recommendations (Recommendation #4), which states that "as a general rule, and without senior policy review, the government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes."
The problem with this recommendation is that because of its caveats, I don't think it actually describes a real policy change. In fact, as a general rule and without senior policy review the government is not permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining. The metadata program was the subject, after all, of senior policy review in two administrations. And the email metadata program was too---and was ultimately terminated because of senior policy review. So unless you eliminate the caveats, the recommendation really is not suggesting a change. It seems, rather, like a hortatory reminder that bulk collection is a big deal and that we shouldn't be doing it without really thinking hard about it. As such, I agree with the recommendation. But that doesn't amount to much. So look for the administration to embrace this recommendation by saying that it reflects practice in place long before the Snowden revelations ever put the issue of metadata on the public policy table.
By contrast, the next recommendation (Recommendation #5) would be highly consequential. Indeed, it's the one that has garnered perhaps the most attention of any in the entire report:
We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as responsibly possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation 1.
Note, first, that this recommendation is not suggesting terminating the retention of bulk telephony metadata for data-mining purposes or terminating the government's ability to query that database. For all that the Review Group report casts doubt on the value of the program, it actually does not suggest ending its core functionality. Note as well that this recommendation actually contains two distinct policy proposals: first, that the government not be the custodian of the metadata database, and second, that it should only be able to query that database with prior judicial approval. The merits of these proposals, in my view, differ substantially. And they are worth considering separately.
The case for requiring FISC review of individual metadata seed queries seems to me, on its face, a pretty strong one. After all, for a while, as a result of compliance issues, NSA actually lived under this regime, so we know it's doable. The major objection to it is that it would create a serious new workload burden in terms of 215 applications to the court; it would add roughly one application per day. This will slow things down significantly for analysts, and it will also create a significant new pile of work for the FISC to process. On the other hand, the layer of outside oversight would probably be helpful and would usefully allow NSA to say that it only queries the bulk metadata database with specific judicial permission. That may well be a worthwhile trade. If I were the administration or the NSA leadership, I would consider seriously how much of a headache---and how resource intensive---it would be to make this happen. And I might well embrace the idea.
I would not, however, embrace the other half of the recommendation: letting the telecommunications companies retain custody of the metadata database or creating some third-party consortium to be the custodian of the database. This strikes me as a bad trade purely in civil liberties terms. Instead of having one actor with a metadata database---an actor that is politically accountable and subject to all kinds of oversight mechanisms---we would now have, depending on how one implemented this idea, several different ones, some with commercial interests. We'd have to build new oversight mechanisms from scratch. If we have the individual companies hold their own metadata, that will mean worrying about what commercial uses they might make of them, and we will have to create regulatory, enforcement, and oversight mechanisms to guard against abuse on that front. If we create a new outfit, that will mean worrying about the security of its systems and the conduct of its employees. It should be a truism that proliferating the number of people and organizations with access to a sensitive database creates proliferating opportunities for abuse by those organizations and people. I know what happens when an NSA employee makes a typo when entering a query---let alone what happens when one violates the rules on purpose. What happens when an employee of AT&T or an as-yet-nonexistent custodial entity decides she wants to know who else her boyfriend has been calling for the past five years? The temptation for President Obama to adopt this recommendation will be significant, as it has played in the press as the heart and soul of the Review Group report. Before he does so, however, he should ask himself one simple question: If people are concerned about bulk metadata collection and access, does it really make sense to make it more widely available to more people and organizations?
One alternative would be to embrace the judicial review component of Recommendation #5 but reject its custodial dimensions. This would leave NSA as the sole possessor of the metadata database but allow queries only with a judicially approved 215 order.
From here, the Review Group moves to two recommendations the administration can easily embrace. It proposes (Recommendation #6) "a study of the legal and policy options for assessing the distinction between meta-data and other types of information." I agree with the Review Group that this distinction is breaking down somewhat and warrants serious policy consideration. The group also suggests (Recommendation #7) "legislation . . . requiring that detailed information about authorities such as those involving National Security Letters, section 215 business records, section 702, pen register and trap-and-trace, and the section 215 bulk telephony meta-data program should be made available on a regular basis to Congress and the American people to the greatest extent possible. . . ." And it suggests (Recommendation #10) government disclosures of "general information" about these types of orders in the absence of compelling reason to think the disclosures would harm national security. I agree---and so does nearly everyone else. The various legislative proposals floating about Capitol Hill generally contain significant new reporting requirements, and the administration has been releasing large volumes of new information. So look for these recommendations to find a receptive audience just about everywhere.
Also in Chapter III are two recommendations that may be harder for the administration to sign on to but which I think represent sound reform ideas that it should take to heart. The Review Group proposes (Recommendation #8) limiting the gag orders that tend to accompany national security letters and 215 orders. The Review Group would have such non-disclosure orders issue only with a specific finding that disclosure would threaten national security or otherwise threaten important interests. It would also limit their temporal duration to 180 days absent judicial re-approval and clarify that non-disclosure orders do not prevent a recipient from consulting with counsel. Moreover, the Review Group would make clear (Recommendation #9) that even when bound by a non-disclosure order, absent a compelling showing by the government that the release would endanger national security, a company "may publicly disclose on a periodic basis general information about the number of such orders they have received, the number they have complied with, the general categories of information they have produced, and the number of users whose information they have produced in each category. . . ." As I say, these proposals strike me as useful reforms that will free up companies somewhat to speak about the impact of US surveillance practices on their customers.
Finally, Chapter III closes with another recommendation that sounds big but is actually, at least as I read it, inconsequential. Don't keep secret major programs like the metadata program, the Review Group says (Recommendation #11) except "after careful deliberation at high levels of government" and "with due consideration of and respect for the strong presumption of transparency that is central to democratic governance." Specifically, keep such programs secret "only if (a) the program serves a compelling government interest and (b) the efficacy of the program would be substantially impaired if our enemies were to know of its existence." This is, of course, precisely what happened in the Obama administration with respect to the metadata program. The Review Group clearly has mixed feelings about how compelling the government interest here really was (it questions the program's value but does not suggest terminating the ability to make queries, after all), and it clearly doubts as well that disclosure of the program would have substantially impaired its efficacy. But that is what the Obama administration concluded after a lot of deliberation at high levels. So the administration will, I suspect, embrace this recommendation with the claim that it already reflects current practice.
From here, the Review Group---in Chapter IV---turns to surveillance of non-US persons.