Outline of today’s policy changes

The biggest substantive change is that intelligence agencies will need to get court permission before querying any of the metadata collected by the various bulk data collection programs. There will also be some type of non-governmental advocate as part of the FISA Court process to help represent privacy interests — this is definitely not a lawyer for the suspect, as typically they have no idea they are even targeted — it is a general advocate for making sure privacy considerations are taken into account. The bulk collection process will also be subject to annual review — reporting back to the President according to the Presidential Policy Directive (PPD-28), but to both the President and Congress according to what Obama said in his speech.
Most of the rest of the new Policy Directive reads like common sense mixed with motherhood and apple pie. My first reaction after reading it was, “if this is reform, what were we doing before today?” In fact, I suspect most of the document reflects exactly what our policies already are — like only using covert sources when we can’t get the data from public sources, not using the data we get from spying to help our corporations gain competitive advantage, etc.
There is one other substantive change, though. The personal information of foreign nationals is, for the first time, given similar protection to information about Americans. Clearly the White House has been stung by international disgust at the breadth of NSA data collection around the world. Obama definitely didn’t apologize for overseas spying and data collection, or make any claims that the US would make any major changes to how it is done, only pointing out that safeguards on use of the data are equally important.
First healthcare.gov and now they want another contractor?

While Obama has refused to summarily end bulk metadata collection, he is putting in place a plan to keep the data out of the government’s hands until specific pieces of it are needed and access is approved by a court. Until that time, he has trimmed the sails of the collection efforts a bit, by limiting the collection to “two hops” from a known subject instead of three, and requiring court involvement before the information is accessed.
Unfortunately, the data itself is quite a hot potato. If the government can’t be trusted with it, and ISPs are reluctant to play stooge by storing it on their behalf, talk has turned to keeping it somewhere else. With the healthcare.gov debacle fresh in our minds, it is a little astonishing to hear that one of the proposed solutions for keeping the government’s hands out of the bulk-data cookie jar is to store it with a “third party.” Now, if that organization is the telcos and ISPs, who have the data anyway, then that seems pretty sane. But there has been mention of some other group or organization holding the data. I can only imagine how that contracting process would work, how we would then ensure the security of the data, and how we would prevent that organization from abusing it.
Unfortunately, as with most of the reforms Obama listed, the bulk data collection reform was short on specifics — since no one actually knows how to safely and securely collect that much data without the potential for abuse. Obama refused to consider walking back the entire idea of bulk metadata collection, despite his own review panel’s skepticism that it is worth the effort.
What was left out

Critics quickly pointed out what was missing from Obama’s speech.
There was no discussion of strengthening the protection for whistleblowers. Whether Snowden, as a contractor, would have received any protection under current whistleblower statutes has been very controversial. The speech was also ominously silent about the issue of most interest to many of us in the software community — back doors placed in computer hardware and software by intelligence agencies and cooperative vendors.
Obama also didn’t back down from the policy of using bulk metadata collection as an intelligence tool, despite his own advisory panel recommending it be stopped. So stay tuned for some battles in Congress over legislation imposing additional safeguards, and some very amusing-to-watch Congressional hearings with a bunch of non-technical congresspeople quizzing security gurus and intelligence bureaucrats over the best way to store all that metadata safely.
etremetech.com 17 Jan 2014