December 12, 2016

CNAS Releases Report Providing a Surveillance Agenda for the Next Administration

By Neal Urwitz

Washington, December 12 – With a new administration set to begin in a just over a month, the Center for a New American Security (CNAS) has released a new report laying out practical steps the next administration can take to make surveillance protect national security, respect critical civil liberties, and bolster the American economy. The report, “Surveillance Policy: A Pragmatic Agenda for 2017 and Beyond,” makes more than 60 concrete recommendations. CNAS Senior Fellow Adam Klein, CNAS CEO Michèle Flournoy, and CNAS President Richard Fontaine authored the report. The report is the product of dozens of meetings over the course of a year with security professionals, privacy advocates, and technology experts.   This report is part of CNAS’ Papers for the Next President series. The series is designed to assist the next administration in crafting a strong, pragmatic, and principled national security agenda. The series explores the most critical regions and topics that the next president will need to address early in his tenure.   Please find the full report here: https://www.cnas.org/publications/reports/surveillance-policy   The report’s recommendations cover three major areas, including:

  • Strengthening Public Trust
  • Protecting a Flourishing Technology Industry
  • Mitigating the International Consequences of Surveillance Policy

 
Please find report’s executive summary below:
 
Today, the United States faces a more diverse, more complex array of national security threats than ever before. With ever more human activity taking place on electronic networks, surveillance is an essential tool for protecting the nation from these threats. The American people are fortunate to have a world-leading intelligence community, with a mission-oriented workforce operating under a robust legal and oversight regime. At the same time, the intelligence community’s immense capabilities and necessary secrecy raise inevitable and important questions for individual privacy, the rule of law, and public accountability.

In late 2014, the Center for a New American Security began a two-year initiative aimed at developing a new approach to surveillance policy for the next administration. As part of this project, CNAS has held 14 expert workshops and roundtables and conducted more than 80 private conversations and interviews with leaders in the national security, privacy, and technology communities. These experts’ participation was invaluable in informing this report; the views expressed here, however, are the authors’ own.

While the leaks by former National Security Agency contractor Edward Snowden violated the law and harmed ongoing intelligence-gathering efforts, they also represented a watershed moment in the debate over government surveillance in the digital age. The leaks revealed that the scale of government data collection – even lawful, court-approved data collection – was orders of magnitude greater than most Americans had believed. And the leaks created the impression around the world (fostered in some cases by imprecise media reports) that the United States was indiscriminately collecting the personal data of ordinary people.
 
Three years after the leaks, their effects continue to reverberate across the policy landscape. The post-Snowden backlash has impeded law enforcement and intelligence gathering, harmed the U.S. technology industry’s competitiveness in international markets, and created diplomatic friction with important allies. Most importantly, many Americans remain skeptical that their government respects their digital privacy.
 
Since 2013, the executive branch and Congress have attempted to repair the damage by making important reforms to surveillance practices and legal authorities. These include:
 

  • President Obama’s Review Group on Intelligence and Communications Technologies, many of whose recommendations have become law or policy, and whose balanced, thoughtful report remains an important touchstone for surveillance policy.
  • Presidential Policy Directive 28 (PPD-28), which, most notably, required U.S. signals-intelligence (SIGINT) practices to consider the privacy interests of non-Americans overseas – a commitment still unequaled by any other country.
  • The USA Freedom Act, which ended the NSA’s bulk collection of Americans’ telephone call records and adopted a number of important, but underappreciated, measures to enhance transparency in government surveillance.
  • The intelligence community’s unprecedented efforts to explain its work, and the robust legal and compliance regime under which it operates, directly to the American people.
  • The emergence of the Privacy and Civil Liberties Oversight Board (PCLOB) as a visible, energetic, public-facing, and credible independent evaluator of key surveillance programs.  

While these changes are a strong beginning, they cannot be the end, for several reasons. They are not widely known overseas; indeed, given the technical and bureaucratic nature of many of the changes, they are unknown even to most Americans. The post-Snowden focus on collection of Americans’ personal data, while understandable, overshadowed other important issues, such as outreach to foreign publics and the challenges facing the U.S. technology sector. Finally, these successes are fragile. New leaks could rekindle latent skepticism and mistrust. Some changes, such as PPD-28 and the intelligence community’s transparency efforts, could be rolled back by a new President or altered by new legislation.

For these reasons, surveillance reform should be seen as a work in progress rather than a finished product. The agenda we propose would take the next step toward rebuilding trust with the American people, the technology industry, and partners and publics abroad. It would enable the new administration to speak with one voice in support of a pragmatic, privacy-enhancing agenda. It would make clear to foreign populations that their countries and the United States share basic values on data privacy and surveillance. It would safeguard the United States’ enviable position as the world leader in information technology. It would help inoculate the new administration against the risk of future unauthorized disclosures. And it would further these goals while preserving needed national security capabilities.

Six Principles for Pragmatic Surveillance Policy

Six basic premises underlie our pragmatic approach to surveillance policy:

1. The next President and Congress should take meaningful steps both to enhance Americans’ digital privacy and to reassure the American people that government surveillance is consistent with American values and the rule of law. Protection from unwarranted government intrusion into personal privacy is a bedrock element of American liberty. But greater transparency about surveillance practices is also needed to shore up public faith in government institutions. When the public learns that government surveillance practices dramatically outstrip what laws and the statements of government officials would lead a reasonable observer to believe, it erodes faith in governing institutions, with corrosive and dangerous long-term effects for U.S. democracy.

2. A thriving, world-leading American technology industry is in the United States’ economic interest. It also benefits U.S. intelligence and counterterrorism efforts. Millions of American jobs rely on the information-technology industry, and tech is a vital and growing export sector. But the benefits of technological pre-eminence are not economic alone: U.S. law enforcement, counterterrorism, and intelligence efforts also benefit from the fact that much of the world’s data is stored on U.S. soil and much of the world’s internet traffic passes through the United States. Unfortunately, in the wake of the Snowden revelations, other governments have begun taking regulatory steps to align the storage and transfer of their citizens’ data with physical borders. Below, we recommend various steps to help slow or reverse this trend.

3. Signals-intelligence collection and analysis are vital national security tools. The United States will and should continue to maintain world-leading SIGINT capabilities. Dramatically curtailing the government’s electronic surveillance capabilities is neither prudent from a national security perspective nor politically realistic. No president could responsibly surrender vital, lawful national security capabilities at a time of serious threat to the nation.

4.  Improving public and foreign trust on surveillance and digital-privacy issues is an important goal, but no reform agenda can dispel completely the aftereffects of the Snowden leaks. The heightened skepticism and expectation of transparency that the Snowden leaks created will not simply disappear.  Rather, they are features of the new landscape, and policymakers and the intelligence community will have to acknowledge and adapt to them.

5.  The oft-employed metaphor of “balance” between civil liberties and security is a poor guide for optimizing surveillance policy. In a time of diverse national security threats, Americans will demand robust counterterrorism, law enforcement, and intelligence capabilities to secure the homeland.  They will also insist on safeguards for personal privacy and fidelity to the rule of law. The answer is not to choose between security or liberty but to work toward both. A focus on zero-sum tradeoffs between privacy and security deters security officials from embracing a privacy-enhancing reform agenda and assumes incorrectly that surrendering some amount of one value automatically yields a concomitant benefit for the other. 

6.  Signals intelligence and the powers of the NSA are not neatly severable from other issues affecting domestic and international data privacy. In practice, issues that experts would consider only loosely related to signals intelligence – such as debates over iPhone encryption and whether the government needs a warrant to read Americans’ email – powerfully influence Americans’ willingness to entrust the government with collecting, monitoring, and analyzing communications and user data. A pragmatic surveillance-policy agenda must not artificially exclude other data-privacy issues that are highly salient to the public and where constructive reform is possible.
The Case for Pragmatic Surveillance Reform
 
The next administration has an opportunity to refresh the narrative surrounding the U.S. government’s approach to surveillance and digital privacy – if it acts proactively. But this opportunity is perishable. As the new President’s term unfolds, other controversies and crises will inevitably arise, making it far harder for the administration to dictate the policy agenda. And reforms undertaken reactively after a crisis tend to garner less public goodwill than those enacted before a crisis occurs. 

Some might argue in favor of a bold, controversial surveillance-policy agenda – whether reformist (such as allowing the FISA Amendments Act to sunset) or security-driven (such as pushing aggressively for decryption legislation). Yet either course would be both impracticable and inadvisable for a new administration. The new president’s first actions, if divisive, will consume the president’s political capital and harden political opposition. In addition, the public will hold the new administration responsible for any terrorist attacks that occur on its watch. By contrast, the agenda we outline below would expand the new president’s political capital, earn public support and bipartisan credibility, and to some extent inoculate the President against a backlash should there be future unauthorized disclosures.
A new administration would be best served by announcing the measures recommended in this report as a unitary reform agenda rather than simply farming them out to various parts of the government for quiet implementation. The reforms will be more effective as a restorative tonic for past breaches of trust if they are widely known. And a major initiative, publicly promoted by the White House, will more effectively define the new administration in the public mind as serious about Americans’ digital privacy than a series of atomized technical changes quietly implemented by the bureaucracy.

By doing so, the next president can seize the near-term – and possibly unique –opportunity to repair the various deficits in trust that have emerged in the wake of the NSA disclosures. In so doing, the government can ensure respect for critical civil liberties, protect national security, and bolster the strength of the American economy. The window for action will not remain open indefinitely; the time to act is now.

Recommendations

  1. Strengthening Public Trust

Email Privacy and Government Access to Other Personal Data

  1. If the Email Privacy Act does not pass during the 114th Congress, the next President should, in the first 100 days of the new administration, call for legislation (i) requiring a warrant to obtain the content of email and documents stored in the cloud and (ii) imposing reasonable limits on nondisclosure orders.
  2. The new administration should launch a White House initiative to propose standards for government access to other types of sensitive data, such as cell-site location data, data generated by “internet of things” devices, license-plate readers, facial recognition systems, and other foreseeable technologies with significant implications for personal privacy.

Intelligence Transparency and Secret Law

  1. The NSA should expand its efforts to demystify the agency’s work in the mind of the general public.
  2. Senior leaders should not hesitate to defend the many valid purposes of signals intelligence beyond counterterrorism. Limiting the public defense of SIGINT to counterterrorism alone invites a backlash when uses other than counterterrorism are revealed.
  3. The next president should publicly embrace the principle that all domestic surveillance and surveillance of Americans overseas will be based on clear statutory authority, publicly interpreted, with sufficient oversight to hold the government to its construction of the statute.
  4. The President should task the general counsels of the Office of the Director of National Intelligence, NSA, FBI, and CIA, and the Assistant Attorney General for National Security, in consultation with the PCLOB, with proposing, within six months, other ways to reduce the amount of classified legal interpretation and programmatic guidance governing electronic surveillance. This could include, where consistent with national security, further declassification of relevant presidential directives, agency procedures, interagency memoranda of understanding, opinions of the Justice Department’s Office of Legal Counsel, and classified annexes to legislation. 
  5. Even those documents in these categories that cannot be safely declassified and published should be shared, in a manner consistent with their classification and to the extent permitted by executive privilege, with the congressional intelligence committees. 

Section 702

  1. Section 702 should be reauthorized, but with reforms to enhance public confidence, transparency, and privacy. 
  2. The FBI should publicly explain with greater precision why it needs to search databases containing 702 information for data about U.S. persons.
  3. The FBI should consider, and explain, whether it would be sufficient for it to continue to query databases containing 702 data for U.S.-person identifiers but, where such a search returns 702 information, to receive only the responsive metadata rather than the content.
  4. Congress, as a condition of reauthorization, should mandate further transparency about several aspects of the 702 program:
  • Require and enable NSA to fully implement Recommendation 9 from the PCLOB’s report on Section 702.
  • Estimate the overall scale of incidental collection, if a valid and practicable methodology can be found.
  • Publish annually the number of instances in which an FBI query in an investigation unrelated to national security returns 702 information about a U.S. person.
  • Estimate the total number of U.S.-person queries of databases containing 702 data conducted by the FBI in non-national-security criminal investigations.
  • Provide more detail about which cybersecurity offenses the Department of Justice considers “serious crimes” for which it will use 702-derived information in a criminal proceeding.
  • Publish the Justice Department’s standard for determining whether evidence introduced in a criminal proceeding is “derived from” 702 information.
  • Mandate the appointment of an amicus curiae in 702 certification proceedings.
  • Provide to the public as much detail as possible about the national security value of Section 702.

The Privacy and Civil Liberties Oversight Board

  1. The next president should swiftly appoint new members or reappoint existing members and work with the Senate to ensure that they are promptly confirmed.
  2. Congress should pass legislation that permits the remaining members to collectively appoint staff in the absence of a chairman.
  3. Congress should enact legislation exempting the Board from the Government in the Sunshine Act.
  4. While is appropriate that the Board’s activities focus on protecting the privacy rights of U.S. persons, Congress should not expressly restrict the Board’s statutory jurisdiction to only the rights of U.S. persons.
  5. Congress should not require the Board to keep the Director of National Intelligence or other elements of the intelligence community “fully and currently informed” of its activities.

Whistleblower Laws

  1. The next president should issue an executive order making Presidential Policy Directive 19’s whistleblower protections binding within the executive branch and clarifying that they extend to contractors working at all intelligence community components. 
  2. Congress should extend the full panoply of statutory whistleblower protections to contractors working in the intelligence community.
  3. The next president should support legislation updating the FBI’s whistleblower process in the next Congress.
  1. Protecting a Flourishing Technology Industry

Encryption

  1. Given the impasse over decryption legislation, and given that the debate itself has damaged relations between the government and the technology industry, the next administration should de-escalate the public debate over encryption. 
  2. The FBI should support its argument for an encryption mandate by publishing more data about the precise contours of the technical challenge posed by encryption.
  3. To help the FBI cope with the status quo, Congress should scale up the FBI’s resources for gaining access to encrypted devices and communications without compelled assistance from providers.
  4. This scaling up should also include resources to enable the FBI to create a centralized repository of expertise and technical assistance for the 15,000 state and local law enforcement agencies in the United States.

Risk Management in SIGINT Decisions

  1. Operations that, if exposed, would pose a significant risk to an American company or business sector should be approved by senior political appointees after a process that incorporates, to the greatest extent possible, external input about the scale of the risk.
  2. The government should create regularized channels for candid communication between NSA and the technology industry, such as creating an industry advisory board of corporate officials who hold security clearances.
  3. To the extent that a dialogue would, for some companies, raise concerns about appearing complicit in NSA practices, NSA should also establish a formalized one-way channel for receiving comment from American companies about the risks that signals-intelligence practices pose to their businesses and other issues of concern.
  4. Where the U.S. government wishes to obtain data held by a U.S. company, it should generally seek to access the data through the “front door” provided by U.S. domestic law rather than through overseas intelligence operations or liaison relationships.
  5. To the extent that the government contemplates operations that involve tampering with or introducing vulnerabilities into an American company’s product before it reaches its end customer, any such operations should be approved by the National Security Advisor with input, where appropriate, from the Deputy National Security Advisor for International Economic Affairs, or another senior official with analogous responsibilities.
  6. The government should not, as a rule, pressure American technology companies to compromise their own products or hand over their source code. 
  7. The government should not pressure American companies that sell to the government to disclose to it vulnerabilities that the company discovers before the company discloses them to other customers.
  8. The Vulnerabilities Equities Process should be formalized in an executive order.
  9. The executive order should, to the maximum extent consistent with national security, list all agencies that have a say in the process and should specifically state which agencies have a vote on whether to retain or disclose a vulnerability. 
  10. In order to ensure that the process takes account of the broader interests of the U.S. technology sector, the Department of Commerce should have a regular seat at the table.
  11. The executive order should also describe the process to be followed in deciding whether to retain or disclose a vulnerability. In particular, it should clearly state the government’s substantive standard for deciding whether a vulnerability’s potential national security benefits outweigh the risks of retaining it.
  12. The executive order should also require that there be periodic review of whether a retained vulnerability should be disclosed.
  13. The executive order should provide for public annual reports containing as much detail about the process’s operation as is consistent with national security, along with a classified annex for the relevant congressional committees.
  1. Mitigating the International Consequences of Surveillance Policy

Surveillance Diplomacy and PPD-28

  1. The next administration should offer to hold a political dialogue, among willing allies with similar rule-of-law cultures, on norms to govern surveillance of one another’s citizens and institutions.
  2. This dialogue should seek to exchange high-level, public, political (rather than legal) commitments analogous to the public commitments the United States has already made, most notably in PPD-28. For example, the United States should ask partners to mutually agree:
  • To incorporate in their signals-intelligence practices protections for the privacy interests of one another’s citizens.
  • To publish, with the maximum detail consistent with national security, agency procedures implementing such protections, including minimization requirements limiting the dissemination and retention of personal information of one another’s citizens.
  • To establish a presumptive time limit for retaining the personal information of one another’s citizens.
  • To agree to limitations on the use of signals intelligence collected in bulk.
  • To designate a senior official to serve as a point of contact for implementation of these commitments and other concerns related to signals-intelligence practices.
  • To require individualized judicial approval for electronic surveillance of one another’s citizens when on the other country’s territory.
  1. These discussions should also include mutual, public, high-level commitments about the purposes and boundaries of “liaison” cooperation between one another’s intelligence services – in particular, the circumstances in which they will exchange information about one another’s citizens. 
  2. In order to encourage allied governments to enter into such discussions and extend appropriate privacy protections to the American people, the United States should make clear to allied publics and their governments that while it is prepared to commit itself to protect their privacy, the American people’s privacy deserves equivalent respect and it expects such protections to be reciprocated. 
  3. The next administration should reaffirm that PPD-28’s basic recognition that signals-intelligence activities must consider the basic dignity and privacy of all people, and the fundamental commitments of Section 1 of PPD-28 (signals-intelligence activities must be be authorized by law; no use for discrimination or suppressing dissent; no espionage for commercial advantage of U.S. companies; narrow tailoring), will remain applicable to all countries and their citizens without regard to their own governments’ policies.
  4. The new administration should announce that after one year, the heightened commitments in PPD-28 Sections 2 and 4 will be guaranteed only to citizens of countries that agree to extend comparable protection to Americans. There is no reason why other countries, and particularly U.S. allies, should resist extending to Americans the same consideration that the U.S. government grants to their citizens. 
  5. The next administration should also offer to elevate these commitments to an executive order for countries that make credible reciprocal promises.
  6. The United States should insist that European Union member states grant to Americans the same judicial-redress rights and access to a surveillance “ombudsperson” that the United States extended to Europeans under Privacy Shield.
  7. The United States should demand that allied countries publicly commit not to spy on one another’s nationals for the economic benefit of domestic companies – a practice the United States has long forsworn but some close allies have not.
  8. The next administration should also make clear that it will consider excluding from any list of allied leaders whose personal communications are off-limits from surveillance the leaders of any country that refuses to publicly renounce economic espionage against American companies.
  9. The next administration and Congress should establish regularized, formal exchanges between congressional, judicial, and executive branch compliance and oversight bodies, including the Privacy and Civil Liberties Oversight Board, and their foreign counterparts.

Public Diplomacy

  1. The United States should explain, in a modest and factual manner, the many ways in which the U.S. intelligence community supports Europe in its fight against terrorism.
  2. The intelligence community should, with as much specificity as is consistent with national security, offer greater detail about how much and what kind of counterterrorism data the United States shares with European partners, as well as the types of information it receives from them. 
  3. The next administration should also consider raising the profile of joint counterterrorism efforts by making American ambassadors and senior national security officials available to discuss them with local media, and asking European counterparts to publicly acknowledge the cooperation.

Privacy Shield

  1. While legal challenges are pending, U.S. officials should seek to foster a climate conducive to ensuring that Privacy Shield passes judicial muster. 
  2. This includes continuing to make the case that U.S. and European privacy protections are, at a minimum, “essentially equivalent.”
  3. U.S. officials should also seek to publicly reinforce the significance of the new ombudsperson mechanism and the Judicial Redress Act.
  4. Consumer-protection officials should work to publicly demonstrate that Privacy Shield’s consumer protections are being rigorously enforced.
  5. American ambassadors in Europe and visiting U.S. government principals should be encouraged to highlight U.S. privacy protections and emphasize that in the United States, as in Europe, the right to privacy is a fundamental right.
  6. The next administration should begin to consider what the United States’ response will be, other than further concessions, if Privacy Shield is struck down. 
  7. It should also begin communicating quietly to European partners that while the United States respects their legal institutions, shares their values, and has taken every reasonable measure to help European partners satisfy the Court of Justice, the United States has a “Plan B” and will not respond to another flawed, Schrems-like decision with more unilateral concessions.
  8. To amplify this message, Congress should consider legislation providing that if a judicial decision restricts data transfers from Europe to the United States, the same limitations will apply to data transfers from the United States to Europe by European companies. 

Cross-Border Data Requests

  1. If the Justice Department’s proposal does not pass during the current Congress, the next administration should seek, and Congress should enact, similar legislation authorizing executive agreements on cross-border data requests. 
  2. Once the enabling legislation is enacted, the Executive Branch should move quickly to conclude executive agreements with countries with similar human-rights and rule-of-law standards.
  3. Legislation creating an alternative to the Mutual Legal Assistance system should be accompanied by parallel efforts to streamline the existing system.

Klein is available for interviews. To arrange an interview please contact Neal Urwitz at nurwitz@cnas.org or 202-457-9409.

  • Neal Urwitz

    Director of External Relations

    Neal Urwitz is the Director of External Relations at the Center for a New American Security (CNAS). At CNAS, Mr. Urwitz is responsible for the organization’s media relations, ...