Internet Metadata Collection

Lawfare Analysis of the PRG Report: A Summary

By Yishai Schwartz
Thursday, January 16, 2014, 7:36 AM

On December 18, the President’s Review Group on Intelligence and Communications Technology released its much-anticipated report, Liberty and Security in a Changing World. Tomorrow, President Obama will give a major speech on intelligence reform, announcing which recommendations he means to accept and what he plans both to do himself and to ask of Congress. In advance of the speech, this post collects the various reactions, summaries and analyses of the report that have appeared on Lawfare since its release.

Ben’s immediate reaction was that the report was “really awkward” for the Obama administration. He argued that the report undercut the president’s declared support for the 215 program, for national security letters and for the status quo on a host of other issues. Going forward, Ben predicted, any time the White House resists calls for reforms, the President will be vilified for ignoring his own review panel.

Peter Margulies mounted a harsher attack on the report, arguing that the Review Group vastly underestimated the efficacy of the bulk metadata collection program, failed to consider the potential for abuse in trusting this data to the private sector and ignored safeguards currently in place.

A more moderate response came from Joel Brenner, who compared the report to a fruitcake, "chock full of tasty cherries—and other bits that are nuts." Brenner endorsed calls for greater transparency from the FISC but dismissed calls for separating NSA’s defensive and offensive operations or for unilaterally granting foreigners the same protections as American citizens.

By contrast, Jack embraced the “basic approach at the heart of the Report.” Jack explained that in a post-Snowden world, the government must balance security needs against citizens’ privacy concerns, diplomatic protests from allies, and potential economic costs for American businesses. In this new world, NSA must increase transparency and adopt procedures and policies that guarantee that its methods are cost-justified and the least privacy-intrusive means necessary.

Michael Leiter addressed himself to some of the most consequential recommendations that he believed weren't getting enough attention. Leiter argued that judicial approval for NSL requests would make counter-terror efforts more difficult than criminal investigations, that the recommendation to apply the Privacy Act to non-US persons badly underestimates the harm this will cause to national security and that the total effect of the PRG’s recommendations would be “a deadly and inefficient bureaucratic mix.” But he urged the government to give special attention to recommendations for securing government data and for carefully weighing the economic interests of American technology companies.

Jack linked to some outside reactions to the report and expressed puzzlement at the PRG's implicit assumption that private companies storing metadata are less suspect of abuse and mismanagement than the government.

Raffaela offered us a detailed comparison between the PRG’s recommendations and the two major legislative proposals that preceded it: “Feinstein-Chambliss” and “Leahy-Sensenbrenner.” She explained that PRG’s report addresses many of the same issues as these two legislative proposals, but that the PRG generally suggests different means of resolving them.

Carrie Cordero gave a three-part response to the Report: In Part 1, she concludes that the Report’s lack of discussion of methodology hurt its credibility, and that what we do know of the PRG’s “process” doesn't inspire confidence. In Part 2, she praises the PRG for its moderate tone and rhetorical support for NSA, but expresses concern that the cumulative effect of the recommendations would seriously degrade national security capabilities. And in Part 3, Carrie argues that the Report’s most important and undervalued recommendation is its call for the immediate "hardening" of the government’s classified networks. To her, the real scandal, after all, is that a single private contractor was able to inflict this kind of damage in the first place.

Ben also embarked on a detailed, piece-by-piece analysis of the report:

  • Chapter III: Recommendations 1-3: As 215 orders are relatively rare, Ben thinks that PRG’s recommendation that these orders be subject to more judicial scrutiny appears perfectly reasonable. By contrast, requiring prior judicial review for NSLs would be a major burden and the costs of such a requirement would outweigh the civil liberties benefits. Ben thus finds the parallel recommendation for NSLs to be implausible.
  • Chapter III: Recommendations 4-11: Ben tentatively endorses the PRG’s recommendation that individual metadata seed queries require prior judicial approval (the advantages are worth the slight logistical headache), but he raises a host of logistical and values objections to the suggestion that private entities act as custodians of the metadata database. He also endorses increased NSA reporting requirements and an easing of NSL-related gag-orders.
  • Chapter IV: Recommendations 12-13: Ben finds these recommendations confusing, badly developed and difficult to justify. He argues that concerns over data collected on US persons under Section 702 can better be addressed through minimization requirements than through purging data or a new exclusionary rule on lawful interceptions. Ben also hopes that our surveillance activities won’t be limited to a narrow definition of “national security.” Ben followed his own post with an even stronger statement on the topic from former NSA General Counsel Stewart Baker.
  • Chapter IV: Recommendations 14-15: Ben expresses moderate skepticism about applying the Privacy Act to non-US persons. He explains that he has received mixed messages about the efficacy of the precedent policy in DHS, and he urges the Government to insist on reciprocity in any decision to do so rather than playing “handmaiden to European hypocrisy.” Ben also endorses the idea that NSA ought to be given statutory authority to continue surveillance on targets when they first enter the United States.
  • Chapter V: Recommendations 16-21: Ben largely embraces the PRG’s recommendation that only high-level decision-makers should make the sensitive decision to spy on foreign leaders. He also accepts the recommended procedures and criteria for ensuring that these decisions are made in a responsible way.
  • Chapter VI: Recommendations 22-28: Ben agrees that the NSA Director should be Senate-confirmed, but argues that many of the other suggested reforms stem from a misguided attempt to split NSA’s defensive and offensive functions. He also delivers a mixed review of the PRG’s proposed reforms of the Privacy and Civil Liberties Oversight Board, endorses the recommendations for more transparency of FISC’s decisions and opinions, and (while accepting FISC appointment reforms as themselves unobjectionable) objects to the implication that FISC has been anything other than non-partisan.
  • Chapter VII: Recommendations 29-35: Ben treats this entire Chapter as mainly trivial platitudes, but he does urge caution about leaning too far in the direction of the Government refraining from “in any way” subverting general software security. Although the US should be supporting strong encryption standards, we do still need to be gathering intelligence.
  • Chapter VIII: Recommendations 35-46: Ben explains that this chapter’s recommendations are under-developed, but their themes are broadly on-target. He embraces proposed reforms of security clearance and access systems, but also advocates for fewer top-level clearances and more disciplined (read: less) classification of documents. Although these recommendations are not the subject of political clamor, the beefing up of security in American intelligence needs to be a top priority.
  • Ben then delivered some final thoughts at the 40,000-foot level: He argued that the PRG thinks boldly and offers “a lot of sound ideas,” but ultimately did the President a disservice. The PRG may have offered a potential political compromise on bulk metadata collection, but its recommendations generally lacked specificity and development. Furthermore, the PRG gave very little thought to the cumulative effect of its recommendations, or even a hierarchy of priorities. And finally, the Report’s ambition and scope are going to cause political problems for the President with every recommendation that he chooses not to adopt.

Ben also shared a reply from DHS’s former Chief Privacy Officer Hugo Teufel III, the person who led the DHS initiative to apply the Privacy Act to non-US persons. Teufel explains precisely how the DHS policy worked, and explains why he supports NSA adopting the same standard.