Just over a year ago, President Obama delivered a speech describing the administration’s response to the policy and legal issues from the Edward Snowden revelations. In early February, the administration announced a batch of new reforms. Overall, I believe there has been far more progress than most people realize.
I am pretty confident that Stanford lawyer and technologist Jonathan Mayer will disagree when we “debate” at the IAPP Global Privacy Summit, beginning at 4:30 p.m. on Thursday, March 5. I come to our session as one of the five members of the Review Group on Intelligence and Communications Technology that President Obama commissioned in the fall of 2013. Jonathan, whom I respect a great deal even when we disagree, comes fresh from his on-line Stanford course on surveillance law that he taught to thousands this fall.
I got to know Jonathan during my period as co-chair of the global Do Not Track process. Jonathan was the more-or-less official gadfly from the consumer perspective. As the group tried to build a solution that could gain support from a wide range of stakeholders, Jonathan repeatedly used his technological expertise to expose weaknesses in proposals from other participants. Those efforts to create a Do Not Track standard did not succeed, although discussions continue under new leadership. Meanwhile, Jonathan has remained active on advertising technology, which we expect to discuss at the Summit. For instance, he played a major role in reporting about a persistent unique identifier used by Verizon and Turn for targeted advertising programs.
To help lay the groundwork for the “debate,” it is useful to highlight some of the good news on surveillance reform since the Snowden revelations:
1. Section 215. The greatest public attention has focused on the Section 215 program that collected metadata on domestic phone calls. In his 2014 speech, President Obama announced a number of reforms to the program, notably including getting judicial approval before accessing the database. A good bill, the USA-Freedom Act, passed the House in 2014 and nearly passed the Senate. Congress will need to turn to this issue again soon, because the entire Section 215 authority sunsets on June 1.
2. Prism. Press coverage of the Prism program (Section 702 of the FISA Amendments Act) drew attention to the ability of the government to get the contents of emails and other communications when one party is domestic and the other overseas. Although quite a few possible reform issues remain, the Obama administration this year announced new limits on “incidental” collection about U.S.-persons, limiting the extent to which collection targeted at foreign persons could be used for prosecution of Americans.
3. Transparency. The administration has declassified many opinions from the Foreign Intelligence Surveillance Court, and has created a detailed new annual report on its requests for communications records. Meanwhile, companies reached an agreement with the Department of Justice to enable them to provide many more details in their company transparency reports. With greater transparency comes greater accountability.
4. White House oversight of the intelligence community. Policy decisions affecting the global communications infrastructure should not be made unilaterally by the intelligence community. The Obama administration has announced a number of new mechanisms to bring economic, diplomatic and other policymakers into such decisions. Topics include: sensitive intelligence collections; surveillance of foreign leaders, and when to fix “zero-day” vulnerabilities rather than keep them on hand for offensive purposes.
5. Treat non-U.S. persons more carefully. Intelligence agencies have historically faced relatively strict rules for citizens, but no similar restrictions when spying on other countries. Obama’s Presidential Policy Directive-28 is an historic change in approach. As a new baseline, non-U.S. persons will receive the same minimization and dissemination protections as U.S. persons, except where a reason exists to do otherwise. The Obama administration has recently announced the first steps to implement this. No other country has taken a similar step. The administration also now supports amending the Privacy Act to give legal redress to non-U.S. persons, rather than only to U.S. citizens and permanent residents.
6. Funding increases. Congress has come through with needed funding in two areas highlighted by the Review Group report. First, the independent Privacy and Civil Liberties Oversight Board, which has access to highly classified information about the intelligence community, received a large increase in funding. Second, there was a similar increase in funding for the Justice Department to handle requests under Mutual Legal Assistance Treaties, which are a desirable method to govern government access to individuals’ communications overseas.
7. National Security Letters (NSLs). A longstanding accountability problem has been the high volume of NSLs, which enable the government to gain communications records without a warrant, and then prohibit disclosure of the requests for 50 years. This month, the administration announced that NSLs would be more like other wiretap and communications requests – they would remain secret for no more than three years, except where there is a finding that a specific NSL must stay secret for longer.
Reports by the Review Group and the Privacy and Civil Liberties Oversight Board set forth other important areas for potential reform. Nonetheless, in preparing to debate about the changes to date, there has been greater progress than most have realized, or than I suspect Jonathan Mayer will agree with, when we take this and other topics on at the Summit.