Those NSA 'reforms' in full: El Reg translates US Prez Obama's pledges

Filleting fact from fiction

Managing mass slurping of metadata

This brings me to the program that has generated the most controversy these past few months – the bulk collection of telephone records under Section 215. Let me repeat what I said when this story first broke: This program does not involve the content of phone calls, or the names of people making calls. Instead, it provides a record of phone numbers and the times and lengths of calls – metadata that can be queried if and when we have a reasonable suspicion that a particular number is linked to a terrorist organization.

That the NSA doesn't listen to the content of calls has been central to the arguments of pro-NSA types. But you could argue that phone numbers (for most of us, at least) are directly personally identifiable and the amount of data you can get from numbers, call times and dates, and other metadata records makes its collection highly intrusive. You don't need to know what was said in a call, in other words; just knowing who is talking to whom and when and where can be enough to discern your intentions.

The mass hoarding of this metadata isn't being done in a targeted way against suspected terrorists, nor is it solely being analyzed on a strict suspect-by-suspect basis, if Snowden's documents are to be believed.

The telephone metadata program under Section 215 was designed to map the communications of terrorists so we can see who they may be in contact with as quickly as possible. And this capability could also prove valuable in a crisis. For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence. Being able to quickly review phone connections to assess whether a network exists is critical to that effort.

We call this the Jack Bauer defense. Such metadata would be very useful, provided you know which number called the mobile phone that set off the first explosive, but the cellphone-activated bomb cliché is a poor one to choose. In such situations it would be easy to grab this data directly from the phone company with a single request. It shows mass collection has more to do with convenience than immediate need – and at least one judge agrees.

Having said that, I believe critics are right to point out that without proper safeguards, this type of program could be used to yield more information about our private lives, and open the door to more intrusive bulk collection programs in the future. They're also right to point out that although the telephone bulk collection program was subject to oversight by the Foreign Intelligence Surveillance Court and has been reauthorized repeatedly by Congress, it has never been subject to vigorous public debate.

Or, in fact, any public debate at all until Snowden started leaking. Such talk of mass snooping was dismissed as the province of conspiracy theorists and tinfoil hat–sporting nutjobs. At the Black Hat hacker conference two years ago, merely mentioning to a former FBI director the possibility of the NSA spying on Americans on US soil, let alone every foreigner abroad, sparked a tirade of abuse at this correspondent.

For all these reasons, I believe we need a new approach. I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata. The review group recommended that our current approach be replaced by one in which the providers or a third party retain the bulk records, with government accessing information as needed.

In other words, the mass collection of metadata will continue but the method of storage will change.

Of the two ideas floated, keeping this data in the hands of the telcos looks to be the preferable one: they are already required to hold it anyway, and it would be comparatively simple to arrange access for the intelligence services. How long that data is stored, and who pays the cost of doing so, could well be a sticking point, however. This assumes the telcos have kept their systems secure, and will be able to do so in future.

Creating a third-party organization to handle this data, while possible, would be expensive and cumbersome. The organization would have to be set up, have really good security, and the owners of the repository would have to be carefully vetted and screened.

Because of the challenges involved, I've ordered that the transition away from the existing program will proceed in two steps. Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of the current three. And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court [FISC] so that during this transition period, the database can be queried only after a judicial finding or in the case of a true emergency.

The change to a two-step rule is a slight improvement, but still one that leaves a sufficiently wide dragnet to build up an accurate map of social connections. But adding the need for a FISC thumbs-up is a major improvement.

That said, the FISC is notorious for not turning down requests for investigations – but at least there's some oversight involved, as opposed to the current situation where it's a free-for-all. Including the "true emergency" codicil will allow action in the unlikely event of a ticking time-bomb situation, should one ever arise.

Maintaining the highest standard

The new presidential directive that I've issued today will clearly prescribe what we do, and do not do, when it comes to our overseas surveillance. To begin with, the directive makes clear that the United States only uses signals intelligence for legitimate national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary folks.

No doubt this will come as a relief to the citizens of the UK, France, Germany, Brazil, and others who have had huge amounts of their communications data slurped by the NSA in the past. However, it will take some time before those "ordinary folks" take the US at its word, given the abuses of the past.

In this directive, I have taken the unprecedented step of extending certain protections that we have for the American people to people overseas. I've directed the DNI, in consultation with the Attorney General, to develop these safeguards, which will limit the duration that we can hold personal information, while also restricting the use of this information.

This has the potential to be very welcome news indeed. What has been striking about Congressional attempts to strengthen data protection in the light of the Snowden leaks is that any additional safeguards have only applied to US citizens, and giving the rest of the world some privacy is welcome.

I have made clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close friends and allies. And I've instructed my national security team, as well as the intelligence community, to work with foreign counterparts to deepen our coordination and cooperation in ways that rebuild trust going forward.

So if you're the head of a friendly government you should be feeling a little more secure about using your personal mobile phone. Then again, the US defines who is friendly and who isn't, and there's that "national security" caveat again.

I have also asked my counselor, John Podesta, to lead a comprehensive review of big data and privacy. And this group will consist of government officials who, along with the President's Council of Advisors on Science and Technology, will reach out to privacy experts, technologists and business leaders, and look how the challenges inherent in big data are being confronted by both the public and private sectors.

This debate is sorely needed, and needs to include a variety of competing specialists. No doubt the government will have its say, but the input of businesses, security experts, and privacy specialists is going to be key.

No one expects China to have an open debate about their surveillance programs, or Russia to take privacy concerns of citizens in other places into account. But let's remember: We are held to a different standard precisely because we have been at the forefront of defending personal privacy and human dignity.

Agreed. No one expects the Chinese government not to be doing this stuff because it's largely unaccountable and has shown a willingness to play fast and loose with the rules in the past. Similarly, Putin's Russia is hardly a haven of openness and democracy.

There are reasons why the US is held to a higher standard. Firstly, it claims the position and has, in the past, been a valuable force for maintaining human rights and freedoms. But it also has effective control of many parts of the digital world and with that comes a certain amount of responsibility to do things right, and to be seen to be doing so.

For more than two centuries, our Constitution has weathered every type of change because we have been willing to defend it, and because we have been willing to question the actions that have been taken in its defense. Today is no different. I believe we can meet high expectations. Together, let us chart a way forward that secures the life of our nation while preserving the liberties that make our nation worth fighting for.

We hope so. We really, really do. ®
