Last week, co-authors Michèle Flournoy, Richard Fontaine, and I released a Center for a New American Security report on the future of surveillance policy. The full report is available here; video of the launch event at Google DC is here. Peter Margulies analyzed the report last week on Lawfare here.
Our report offers 61 policy recommendations, ranging from the legal standard for government access to communications content to encryption, risk management in SIGINT decisionmaking, PPD-28 and other international surveillance-policy issues, and other topics. Collectively, the recommendations would enhance privacy and strengthen public confidence, protect U.S. technology leadership, and address international challenges attributable to surveillance policy—without sacrificing existing capabilities needed for law enforcement, counterterrorism, or other lawful purposes.
In the midst of an eventful transition, the key question is what surveillance policy might, and should, look like in a Trump administration. This post will examine what our approach can offer the new administration, given what its incoming members have said about surveillance issues and the commitments that the President-elect himself has made on the campaign trail.
In a Wall Street Journal op-ed this past January, President-elect Trump’s nominee for CIA Director Mike Pompeo challenged Obama-era surveillance policy in several ways (discussed below), but he also noted the “importance of building enduring public support” for surveillance activities on a bipartisan basis.
These are sound principles on which to build surveillance policy—but for those who doubt the new administration’s commitment to bipartisanship and public accountability in surveillance policy, it is important to note that enlightened self-interest could do much of the same work in shaping policy in this area during a Trump presidency. Any new administration comes in with a limited supply of political capital. Surveillance policy decisions that expend that political capital and unite and energize the opposition will limit what the administration can do in other, higher-priority areas. Setting surveillance policy that enjoys broad public and bipartisan support is the right thing to do, but it is also the canny thing to do.
At the same time, the President-elect campaigned on forward-leaning counterterrorism efforts to secure the homeland and defeat terrorist groups abroad. It is fair to assume that this administration will not surrender existing counterterrorism tools—nor, at a time of heightened threats at home and overseas, should it do so. A Clinton administration facing the same set of national security threats would not have been eager to forfeit important capabilities either.
The question is how the new administration can maximize those first two values—public support and bipartisanship—while retaining the capabilities needed to defeat ISIS, detect and disrupt homegrown plots, deal with regional challenges from Russia and China, monitor Iran’s nuclear program, and meet other threats where good intelligence can be decisive. The proposals below, and the many others in our report, offer a path to reconcile these competing imperatives.
Of course, it must be acknowledged that this administration will take office facing significant skepticism in certain quarters. The President-elect’s early outreach to the tech industry suggests, hopefully, that he is aware of this and is willing to work to overcome it. One way to build on that outreach, and on the President-elect’s election-night promise to be a “president for all Americans,” is to signal, early in his administration, that he will defend the nation against terrorism and other security threats in a manner that respects privacy and the rule of law.
Encryption is one of the thorniest challenges in this space—one the new team will be forced to confront sooner or later. In his Journal op-ed, Congressman Pompeo noted the very real challenge facing law enforcement, but also expressed opposition to mandated backdoors. Those two principles, while in tension with one another, at the same time suggest a path forward for policy. As our report recommends:
The new administration and Congress should work to help the FBI and state and local law enforcement cope with the status quo. Among other things, this means scaling up the FBI’s resources for gaining access to encrypted devices and communications without compelled assistance from providers. Germany, which has thus far not sought a decryption mandate, recently took similar steps: The government recently announced that it will create a new agency to help law enforcement and the domestic intelligence services break encryption and otherwise ensure that it is technically possible to carry out lawful surveillance. In a world of widespread strong encryption, the most likely alternative to “back doors” or some other kind of decryption mandate is “lawful hacking” authorized by search warrants.
This is an imperfect solution from the perspective of law enforcement, which has seen some important investigations frustrated by encryption. But it is the only meaningful response that the new administration and Congress could implement without triggering a massive political showdown with the tech industry.
Another aspect of the encryption challenge is the 15,000 state and local law enforcement agencies in the United States. It’s fair to assume that few, if any, have the technical or financial resources to crack encrypted devices or purchase vulnerabilities like the one used to access the San Bernardino shooter’s iPhone.
To address this, Congress could empower the FBI to serve as a centralized repository of expertise and technical assistance for state and local law enforcement. As we explain:
The FBI’s Criminal Justice Information Center serves as a national center of excellence and knowledge repository for fingerprint analysis; the Justice Department should explore and report to Congress how the Bureau could perform a similar role for communications technologies, and what resources it would need.
In his op-ed, Congressman Pompeo also proposed revoking Presidential Policy Directive 28. We agree that PPD-28 is not perfect and could better serve American interests. But the new administration could gain more by modifying PPD-28 than by scrapping it altogether.
There are several reasons why abandoning PPD-28 altogether would be counterproductive. PPD-28 is perhaps the strongest card the United States can play in our mostly amicable but undeniably costly spat with Europe over the adequacy of our privacy protections. Not one European country has offered Americans privacy protections equivalent to those President Obama gave Europeans in PPD-28. That is a powerful argument that the United States can wield—an argument the new administration would forfeit by scrapping the directive. Revoking PPD-28 would also increase the risk that the Court of Justice of the European Union will invalidate the Privacy Shield agreement, which would be a major headache and distraction at a time when the new president is pursuing other priorities.
At the same time, PPD-28 can be modified to better advance American interests. Specifically, we propose conditioning the most forward-leaning commitments in Sections 2 and 4 of PPD-28 on reciprocity by other countries: If U.S. allies want these courtesies for their citizens, they would have to credibly promise them to Americans too. (“Credibly” would exclude authoritarian regimes, like Russia and China, where government surveillance is not constrained by independent institutions.)
Demanding reciprocity would be privacy-enhancing, as Americans would gain new protection from surveillance by other nations. It would give the intelligence community more leeway to collect against the most dangerous and challenging targets. And it would accord with President-elect Trump’s frequent emphasis on restructuring international arrangements to ensure that the United States is not getting a raw deal.
Perhaps most importantly, reciprocity would force Europeans to confront the fact that U.S. privacy practices are in many ways equal to or better than those of their own governments. Despite the best efforts of many on the American side, Europeans remain unaware of this. We suspect that this is because the concessions in PPD-28 were offered as a one-way gift, inadvertently suggesting that the United States was uniquely culpable on surveillance and privacy. Countering this misimpression would help shore up Privacy Shield, which supports many American jobs but is under challenge in European courts.
Of other areas in which the new Administration will presumably seek to defend current authorities, Section 702 will be the most prominent early battle. While the administration will almost certainly push hard for reauthorization—as it should, given the law’s importance for counterterrorism and other missions—it could build public trust and make the program more sustainable for the long term by accepting greater transparency about sensitive aspects of the program. The most prominent is the practice of querying databases containing 702 information (sometimes dubbed “backdoor searches”) for data about U.S. persons, particularly in criminal investigations. As I will discuss in a future post, enhanced transparency would strengthen public confidence without sacrificing any existing capabilities under Section 702.
What Not to Do
Then there are policy changes that incoming principals have proposed in the past, but that would make it difficult for the new administration to expand public support and maintain bipartisanship. Most prominently, Congressman Pompeo’s January op-ed proposed that Congress repeal the core element of the USA FREEDOM Act by passing “a law re-establishing collection of all metadata, and combining it with publicly available financial and lifestyle information into a comprehensive, searchable database.” Attorney General nominee Senator Jeff Sessions has also supported bulk collection of communications metadata.
Whatever the merits of bulk collection as a counterterrorism tool, reviving and expanding it would raise widespread civil-liberties concerns (many will note that China is creating its own system “link[ing] a large amount of public and private data, with the goal of building the world’s first all-encompassing system of cybersurveillance”), alienate the technology industry, and galvanize opposition across the political spectrum, from the left to the libertarian right.
And from the perspective of pure political self-interest, restoring bulk collection would entail a hefty expenditure of the new administration’s limited political capital. Whatever benefits the new national security team hopes to obtain from such a move would have to be weighed against the President-elect’s other priorities, including immigration, replacing Obamacare, and judicial nominations.
Alternatively, if the new administration chooses its battles wisely it can protect existing tools and add some new ones, while avoiding distracting feuds with the tech industry and other important constituencies. The new national security team’s early moves will signal which path the Trump administration intends to travel.