Privacy advocates say NSA reform doesn't require 'technological magic'

Just because a new federal report found no software solution to recreate the full scale of current National Security Agency surveillance does not mean that’s the right policy, privacy pros say.

Privacy advocates say a new government study – which found no better technological alternative to intelligence agencies' practice of gathering and storing telephone data en masse – should not become the basis for maintaining the National Security Agency's bulk collection.

“The report doesn’t provide justification for continuing mass surveillance programs,” says Neema Singh Guliani, the American Civil Liberties Union’s legislative counsel.

Last January, President Obama asked intelligence agencies to determine whether there's a way to gather phone data for detecting potential terrorist activity without relying on bulk collection. The request came about after ex-NSA contractor Edward Snowden revealed details of government practices of mass collection of phone metadata – such as the time and length of calls – from millions of Americans. 

But the resulting National Academy of Sciences report released Thursday, produced by experts from top technology firms and academia, found no “technological magic” to do this and match the full scale of current intelligence-gathering opportunities.

At a press conference with British Prime Minister David Cameron on Friday, President Obama said the US needs to preserve its capability to track electronic communications of terrorist suspects, but is working with companies to ensure the government meets "legitimate privacy concerns."

Obama has already proposed some surveillance reforms, including nixing the government's storage of the phone records and forcing the NSA to gather them from company databases instead. "We just have to work through, in many cases what are technical issues," Obama said Friday. 

The press conference took place as Europe is still reeling from the deadly attack on the satirical magazine Charlie Hebdo in Paris, which Prime Minister Cameron said heightened the threat level to "severe" in the United Kingdom.

Still, Obama says the US government must not abandon privacy protections in its effort to keep the country secure. "I don't think this is a situation in which because things are so much more dangerous, the pendulum needs to swing," he said. "I think what we have to find is a consistent framework whereby our publics have confidence that their government can both protect them, but not abuse our capacity to operate in cyberspace."

But as Obama and Congress attempt to balance security with call for intelligence reforms, privacy advocates caution that just because the National Academy of Sciences report found no software replacement for the NSA's bulk metadata collection doesn't mean extended that practice is the right policy. 

“The report does not discuss whether the program itself is effective,” says Harley Geiger, advocacy director and senior counsel at the Center for Democracy and Technology. “The question facing policy makers is whether this program, a domestic mass surveillance program ... should continue,” Geiger continued, “despite its not being supported by the statute and its lack of effectiveness.”

After the Snowden leaks, a review board appointed by Obama found this kind of mass collection was not essential to identifying terrorist activity or suspects any more than conventional court orders, and another report from the Privacy and Civil Liberties Oversight Board last year found bulk collection was unlikely to provide significant value in safeguarding the nation in the future. The courts, however, have upheld the practice.

Yet conservatives may still try to use the National Academy of Sciences report’s findings to bolster their case to support leaving current surveillance practices in place.

Just this week, House Speaker John Boehner said government surveillance helped foil a terror attack on the Capitol. What's more, the rise of the Islamic State has led some key senators, including now-Majority Leader Mitch McConnell, to argue against curbing the NSA’s capabilities at a critical time. Senator McConnell’s opposition during the lame duck session last year helped prevent the USA Freedom Act, a bill which would have brought an end to the agency’s mass collection of phone data, from moving forward.

If the US moves to targeted collection, intelligence agencies won’t have access to a record of past signals intelligence that may be relevant to subsequent investigations, the National Academy of Sciences report said.

“There is no software technique that will fully substitute for bulk collection where it is relied on for queries about the past, after new targets become known,” the report states. For instance, it says, “if past events become interesting in the present because of new circumstances, such as the identification of a new target, indications that a nonnuclear nation is now pursuing the development of nuclear weapons, discovery that an individual is a terrorist, or the emergence of new intelligence-gathering priorities, historical events and the data they provide will be available for analysis only if they were previously collected.”

But this is not a shocking or even relevant conclusion, privacy advocates say. “All they’re saying is there’s no software solution to go back in time and look at new targets,” says Mark Rumold, a staff attorney at the Electronic Frontier Foundation.

For example, Mr. Rumold says, “there’s no way to know 20 years from now who will be in charge in China." Therefore, he said, "if the goal is to collect the future leader of China’s communications – and it might be a goal a future intelligence agency has in mind – they might collect everything now because they don’t know who the target will actually be. The policy question of whether that policy is useful or valuable is one they don’t really weigh into.”

The report acknowledges as much: The committee “was not asked to, and did not consider, whether the loss of effectiveness from reducing bulk collection would be too great, or whether the potential gain in privacy from adopting an alternative is worth the potential loss of intelligence information,” it states.

Still, some privacy advocates say the report’s technological review of bulk collection did not go far enough.

“It failed to consider the risks of bulk collection – misuse on the inside, as well as the vulnerabilities of these large databases enabled by bulk collection,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center. “That information in the wrong hands could become very valuable to our enemies.”

Collecting records from millions of citizens effectively relies on the idea that the data will be stored securely and immune to compromise or misuse, Mr. Rotenberg said. “But in a post-Snowden world, we know the NSA itself can’t protect its own most sensitive information,” he said. “A scientific analysis and objective analysis would have acknowledged that ... potential risk scenario of bulk collection going forward.”