The President’s Review Group on Intelligence and Communications Technologies also recommended in a wide-ranging report issued Wednesday that decisions to spy on foreign leaders be subjected to greater scrutiny, including weighing the diplomatic and economic fallout if operations are revealed. Allied foreign leaders or those with whom the United States shares a cooperative relationship should be accorded “a high degree of respect and deference,” it said.
The panel also urged legislation that would require the FBI to obtain judicial approval before it can use a national security letter or administrative subpoena to obtain Americans’ financial, phone and other records. That would eliminate one of the tool’s main attractions: that it can be employed quickly without court approval.
The review group also would impose a ban on warrantless NSA searches for Americans’ phone calls and e-mails held within large caches of communications collected legally because the program targeted foreigners overseas.
Taken together, the five-member panel’s recommendations take aim at some of the most controversial practices of the intelligence community, in particular the 35,000-employee NSA, headquartered at Fort Meade, Md. The signals intelligence agency has been in the news constantly since June, when reports based on documents leaked by former NSA contractor Edward Snowden began appearing in The Washington Post and the Guardian.
The White House released the 300-plus-page report as part of a larger effort to restore public confidence in the intelligence community, which has been shaken by the Snowden revelations.
The panel said that the NSA’s storage of phone data “creates potential risks to public trust, personal privacy, and civil liberty” and that as a general rule, “the government should not be permitted to collect and store mass, undigested, non-public personal information” about Americans to be mined for foreign intelligence purposes.
Despite the proposed constraints, panel member Michael Morell, a former deputy director of the CIA, said, “We are not in any way recommending the disarming of the intelligence community.”
The panel made 46 recommendations in all, which included moving the NSA’s information assurance directorate — its computer defense arm — outside the agency and under the Defense Department’s cyber-policy office.
“The review committee has reaffirmed that national security neither requires nor permits the government to help itself to Americans’ personal information at will,” said Elizabeth Goitein, co-director of the Brennan Center for Justice’s Liberty and National Security Program. “The recommendations would extend significant privacy protections to Americans.”
Some intelligence professionals were dismayed. “If adopted in bulk, the panel’s recommendations would put us back before 9/11 again,” said Joel F. Brenner, a former NSA inspector general.
Former NSA and CIA director Michael V. Hayden urged senior intelligence officials to lay out the operational costs of adopting the recommendations. “The responsibility is now in the intelligence community to be ruthlessly candid with the policy leadership,” Hayden said.
Obama met Wednesday morning with the panel, whose suggestions are advisory only, and some intelligence officials predicted that the most far-reaching recommendations, including ending the government collection and storage of bulk phone data, would not be adopted. The White House has said it will announce in January which ideas it has embraced, as it concludes its internal review of surveillance activities.
The NSA’s phone-records program has prompted debate about whether the government has overreached in the effort to prevent terrorist attacks. The review panel is urging that Congress pass legislation to end the NSA’s storage of phone records — estimated by some former officials to number more than 1 trillion — “as soon as reasonably practicable.”
If the data were held by phone companies or a private third party, access to them would be permitted only with an order from the Foreign Intelligence Surveillance Court, based on reasonable suspicion that the information sought is relevant to an authorized terrorism investigation. Each phone number would require a court order.
Currently, the NSA holds for five years the phone records it gathers daily from U.S. phone companies. These “metadata” include the numbers dialed and call times and durations, but not call content or subscriber names.
The review panel is not recommending that the phone companies maintaining the data store it any longer than they do now — periods that vary from as little as six months to 10 years.
In a ruling Monday on the collection program, U.S. District Judge Richard J. Leon described the technology used to search the NSA database as “almost Orwellian.” The judge said the collection was “almost certainly” unconstitutional.
“The combination of this report plus the judge’s decision Monday makes this a big week for the cause of intelligence reform,” said Sen. Ron Wyden (D-Ore.).
Moving custodianship of the records outside the NSA would diminish the agency’s agility in detecting terrorist plots, supporters of the current arrangement say. With companies holding data for different periods and in different formats, searching across them would become complicated, they argue.
But the panel said the collection program had not proved its utility. “Our review suggests that the information contributed to terrorist investigations by the use of . . . telephony metadata was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional [court] orders,” it said.
The review group urged that the public have a legal advocate before the Foreign Intelligence Surveillance Court.
Anthony D. Romero, executive director of the American Civil Liberties Union, said the recommendation to end NSA’s bulk collection “goes to the very heart of NSA dragnet surveillance.” He called it “the most necessary recommendation of the review group.”
The NSA’s information assurance directorate, which would be shifted out of the agency, protects classified government computer systems and works with industry to help them better safeguard their systems. That mission differs from the NSA’s job of breaking into systems overseas to gain intelligence, the panel said.
The suggested move, said Gregory T. Nojeim, senior counsel at the Center for Democracy and Technology, would “end NSA’s dual personality as a code-breaker and cybersecurity-enhancer. It’s good.”
But Tony Sager, a former NSA information assurance executive, said moving the defensive mission out of NSA was unwise. “The defensive mission benefits a lot from the technology and the skills of people who work on the offensive side of the house and vice versa,” he said. “They get better insight into the model of what real adversaries do.”
The panel also recommended a prohibition on the government “in any way” subverting or weakening commercial software in order to get around encryption and urged that it not undermine efforts to create encryption standards. The panel also said the government should add oversight to the use and production of “zero day” hacking tools that can be used to penetrate computer systems and, in some cases, damage or destroy them.
The security community has long been concerned that the NSA is building and buying hacking tools, but a Pentagon cyber-official, Eric Rosenbach, has said that the government discloses vulnerabilities it finds to software companies.
Matthew Blaze, a University of Pennsylvania cryptology expert, said disclosure “doesn’t mean that the government can’t or wouldn’t be able to make use of cyberattack techniques that involve exploiting computers.
Soltani is an independent security researcher and consultant. Greg Miller, Craig Timberg and Julie Tate contributed to this report.