Obama Panel Recommends Huge Changes to NSA

The headquarters of the National Security Agency in Fort Meade, Md. Credit: National Security Agency. Credit: NSA

(Image credit: The headquarters of the National Security Agency in Fort Meade, Md. Credit: National Security Agency. Credit: NSA)

President Barack Obama today (Dec. 18) released his task force's list of recommendations for reforming the National Security Agency (NSA).

White House press secretary Jay Carney made the surprise announcement that the report would be released early just after Obama met with the five members of the task force, officially called the Review Group on Intelligence and Communications Technology. Politico said Obama had received the panel's recommendations last Friday (Dec. 13).

The panel's recommendations include sweeping changes of the way the NSA does business, including many that would severely hinder its methods of data collection and surveillance.

"The government should not be permitted to collect and store mass, undigested, non-public personal information about U.S. persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes," the report's executive summary states.

MORE: Judge Orders NSA to Stop Collecting Telephone Metadata

The report had been scheduled to be released in January, but a flurry of leaks over the weekend led to what Carney called "inaccurate and incomplete reports in the press about the report's content," according to USA Today.

"We felt it was important to allow people to see the full report to draw their own conclusions," Carney said. "For that reason, we will be doing that this afternoon."

The panel was convened in August to address perceived abuses of power by the NSA brought to light by the massive trove of NSA documents given to the news media by former NSA contractor Edward Snowden.

Only a small portion of Snowden's documents have been published since the nearly-daily news articles began on June 5 of this year.

What the NSA review panel wants

Among the recommendations:

— The NSA should no longer retain the metadata pertaining to every domestic telephone call made within the United States. Rather, the metadata — the telephone lines placing and receiving calls, the duration of calls and the time and data of each call — would be held by a third party or by the telephone companies themselves.

"In our view, the current storage by the government of bulk metadata creates potential risks to public trust, personal privacy, and civil liberty," says the report.

— The NSA should no longer ask telecommunication, networking and software companies to build hidden backdoors — which allow the NSA to evade security restrictions — into their products.

— The NSA should no longer work to undermine encryption standards.

— The NSA should no longer possess secret methods — commonly known as zero-day exploits— of hacking into software.

— The NSA should draw up rules to protect the rights of foreign nationals with regard to data collection. Currently, the NSA has few restrictions on collecting telephone and Internet metadata and content belonging to foreigners, including citizens and leaders of allied nations.

"The U.S. government should follow the model of the Department of Homeland Security and apply the Privacy Act of 1974 in the same way to both U.S. persons and non-U.S. persons," says the report.

(The "Five Eyes" agreement among the U.S., the United Kingdom, Canada, Australia and New Zealand limits those major English-speaking countries from spying on each other.)

— The NSA's Information Assurance Directorate, which defends the government's computer systems and makes cybersecurity recommendations to the general public, should be spun off into a separate organization, to end a perceived conflict of interest with the NSA's offensive missions, such as surveillance and interception.

— The NSA should be separated from U.S. Cyber Command, a Pentagon command overseeing military operations in cyberspace, whose commander is also head of the NSA.

— The NSA, which has always been a quasi-military agency headed by a general or admiral, should be placed under civilian control.

"We believe that the director [of the NSA] should be a Senate-confirmed position, with civilians eligible to hold that position," the report says. "The President should give serious consideration to making the next director of [the] NSA a civilian."

— Rulings and decisions by the Foreign Intelligence Surveillance Court (FISA court), which oversees NSA activities within U.S. borders, should be declassified as often as possible. Most FISA court decisions were kept secret until this past Summer of Snowden.

— A strong, independent intelligence oversight panel should be created to replace the existing Privacy and Civil Liberties Oversight Board, and a White House special assistant for privacy should be appointed.

— Laws should be amended to narrow the scope of grounds for issuing Section 215 orders and National Security Letters, two forms of no-refusable demands by government agencies for information from private parties. The panel also wants time limits on "nondisclosure," the rule that recipients of such demands cannot publicly acknowledge them.

— The NSA's internal security should be beefed up to prevent more devastating security breaches like Snowden's.

— Congress should create a public-interest advocate to "represent the interests of privacy and civil liberties" before the FISA court. That would be a step toward an adversarial framework for the FISA court, which currently hears arguments only from the NSA and the Justice Department.

What the NSA review panel doesn't want changed

However, the recommendations will reportedly not include several changes sought by digital-rights advocates, including the overall end of wholesale collection of domestic telephone metadata.

"There is something in this report for everybody to hate," an unnamed White House aide told Politico reporter Matthew Aid in a story published Monday (Dec. 16).

Yesterday (Dec. 17), Obama met behind closed doors with representatives of technology companies including Yahoo, Google, Apple, Netflix, Twitter, Microsoft and Facebook, as well as the telecommunications giant AT&T.

The ostensible aim was to seek advice regarding the faulty Healthcare.gov website, but reports indicated that the meeting was dominated by tech companies' angry demands that Obama rein in the NSA. The Washington Post said one person in the room even urged Obama to pardon Snowden.

U.S. technology companies are worried that the NSA revelations will cost them business overseas, and several are outraged that the NSA spied on their overseas operations even as the companies complied with NSA demands for information at home.

The members of Obama's NSA review panel are: Richard A. Clarke, a counterterrorism and cybersecurity expert who worked in the Clinton and both Bush administrations; Michael Morell, a career Central Intelligence Agency official who retired as deputy director of the CIA in August; Geoffrey R. Stone, former dean of the University of Chicago Law School; Cass Sunstein, a legal expert and Harvard law professor who taught alongside Obama at the University of Chicago, worked in the Obama White House and is married to U.S. Ambassador to the United Nations Samantha Power; and Peter Swire, an expert on technology and privacy law who worked in the Clinton and Obama administrations and is now a law professor at Georgia Tech.

Obama is free to implement, ignore or change each of the panel's recommendations.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.