404 — Advisory panel recommends strong restrictions on NSA mass surveillance . . . but not strong enough

In this fine story from The New York Times, Dave Sanger and Charlie Savage report on the President's advisory group that recently recommended curbing NSA data mining practices. Clarke is the author on one of my favorite books on cyber warfare. That said, these recommendations don't go far enough. I support the Leahy bill, also supported by Wyden and Udall.

Richard A. Clarke, a former national security official, said a new report would reassure the public on shielding civil liberties.

Obama Is Urged to Sharply Curb N.S.A. Data Mining

By DAVID E. SANGER and CHARLIE SAVAGE

WASHINGTON — A panel of outside advisers urged President Obama on Wednesday to impose major oversight and some restrictions on the National Security Agency, arguing that in the past dozen years its powers had been enhanced at the expense of personal privacy.

The panel recommended changes in the way the agency collects the telephone data of Americans, spies on foreign leaders and prepares for cyberattacks abroad.

But the most significant recommendation of the panel of five intelligence and legal experts was that Mr. Obama restructure a program in which the N.S.A. systematically collects logs of all American phone calls — so-called metadata — and a small group of agency officials have the power to authorize the search of an individual’s telephone contacts. Instead, the panel said, the data should remain in the hands of telecommunications companies or a private consortium, and a court order should be necessary each time analysts want to access the information of any individual “for queries and data mining.”

The experts briefed Mr. Obama on Wednesday on their 46 recommendations, and a senior administration official said Mr. Obama was “open to many” of the changes, though he has already rejected one that called for separate leaders for the N.S.A. and its Pentagon cousin, the United States Cyber Command.

If Mr. Obama adopts the majority of the recommendations, it would mark the first major restrictions on the unilateral powers that the N.S.A. has acquired since the Sept. 11 terrorist attacks. They would require far more specific approvals from the courts, far more oversight from the Congress and specific presidential approval for spying on national leaders, especially allies. The agency would also have to give up one of its most potent weapons in cyberconflicts: the ability to insert “back doors” in American hardware or software, a secret way into them to manipulate computers, or to purchase previously unknown flaws in software that it can use to conduct cyberattacks.

“We have identified a series of reforms that are designed to safeguard the privacy and dignity of American citizens, and to promote public trust, while also allowing the intelligence community to do what must be done to respond to genuine threats,” says the report, which Mr. Obama commissioned in August in response to the mounting furor over revelations by Edward J. Snowden, a former N.S.A. contractor, of the agency’s surveillance practices.

It adds, “Free nations must protect themselves, and nations that protect themselves must remain free.”

White House officials said they expected significant resistance to some of the report’s conclusions from the N.S.A. and other intelligence agencies, which have argued that imposing rules that could slow the search for terror suspects could pave the way for another attack. But those intelligence leaders were not present in the Situation Room on Wednesday when Mr. Obama met the authors of the report.

The report’s authors made clear that they were weighing the N.S.A.’s surveillance requirements against other priorities like constitutional protections for privacy and economic considerations for American businesses. The report came just three days after a federal judge in Washington ruled that the bulk collection of telephone data by the government was “almost Orwellian” and a day after Silicon Valley executives complained to Mr. Obama that the N.S.A. programs were undermining American competitiveness in offering cloud services or selling American-made hardware, which is now viewed as tainted.

The report was praised by privacy advocates in Congress and civil-liberties groups as a surprisingly aggressive call for reform.

Senator Ron Wyden, an Oregon Democrat who has been an outspoken critic of N.S.A. surveillance, said it echoed the arguments of the N.S.A.’s skeptics in significant ways, noting that it flatly declared that the phone-logging program had not been necessary in stopping terrorist attacks.

“This has been a big week for the cause of intelligence reform,” he said.

Greg Nojeim of the Center for Democracy and Technology called the report “remarkably strong,” and singled out its call to sharply limit the F.B.I.’s power to obtain business records about someone through a so-called national security letter, which does not involve court oversight.

Anthony Romero, the executive director of the American Civil Liberties Union, while praising the report’s recommendations, questioned “whether the president will have the courage to implement the changes.”

Members of the advisory group said some of the recommendations were intended to provide greater public reassurances about privacy protections rather than to result in any wholesale dismantling of the N.S.A.’s surveillance powers. Richard A. Clarke, a cyberexpert and former national security official under Presidents Bill Clinton and George W. Bush, said the report would give “more reason for the skeptics in the public to believe their civil liberties are being protected.”

Other members included Michael J. Morell, a former deputy director of the C.I.A.; Cass Sunstein, a Harvard Law School professor who ran the office of Information and Regulatory Affairs in the Obama White House; Peter Swire, a privacy law specialist at the Georgia Institute of Technology; and Geoffrey R. Stone, a constitutional law specialist at the University of Chicago Law School, where Mr. Obama once taught.

Mr. Obama is expected to take the report to Hawaii on his vacation that starts this week and announce decisions when he returns in early January. Some of the report’s proposals could be ordered by Mr. Obama alone, while others would require legislation from Congress, including changes to how judges are appointed to the Foreign Intelligence Surveillance Court.

Senator Rand Paul, Republican of Kentucky, said he was skeptical that any changes passed by Congress would go far enough. “It gives me optimism that it won’t be completely brushed under the rug,” he said. “However, I’ve been here long enough to know that in all likelihood when there’s a problem, you get window dressing.”

The FISA court, which oversees national security surveillance inside the United States, has been criticized because it hears arguments only from the Justice Department without adversarial lawyers to raise opposing views, and because Chief Justice John G. Roberts Jr. has unilateral power to select its members. Echoing proposals already floated in congressional hearings and elsewhere, the advisory group backs the view that there should be a “public interest advocate to represent the interests of privacy and civil liberties” in classified arguments before the court. It also says the power to select judges for the surveillance court should be distributed among all the Supreme Court justices.

In backing a restructuring of the N.S.A.’s program that is systematically collecting and storing logs of all Americans’ phone calls, the advisers went further than some of the agency’s backers in Congress, who would make only cosmetic changes to it, but stopped short of calling for the program to be shut down, as its critics have urged. The N.S.A. uses the telephone data to search for links between people in an effort to identify hidden associates of terrorism suspects, but the report says it “was not essential to preventing attacks.”

Currently, the government obtains orders from the surveillance court every 90 days that require all the phone companies to give their customers’ data to the N.S.A., which commingles the records from every company and stores it for five years. A small group of analysts may query the database — examining records of everyone who is linked by up to three degrees of separation from a suspect — if the analyst has “reasonable, articulable suspicion” that the original person being examined is linked to terrorism.

Under the new system proposed by the review group, such records would stay in private hands — either scattered among the phone companies or pooled into some kind of private consortium. The N.S.A. would need to make the case to the surveillance court that it has met the standard of suspicion — and get a judge’s order — every time it wanted to perform such “link analysis.”

“In our view, the current storage by the government of bulk metadata creates potential risks to public trust, personal privacy, and civil liberty,” the report said.

The report recommended new privacy protections for the disclosure of personal information about non-Americans among agencies or to the public. The change would extend to foreigners essentially the same protections that citizens have under the Privacy Act of 1974 — a way of assuring foreign countries that their own citizens, if targeted for surveillance, will enjoy at least some protections under American law.

It also said the United States should get out of the business of secretly buying or searching for flaws in common computer programs and using them for mounting cyberattacks. That technique, using what are called zero-day flaws, so named because they are used with zero days of warning that the flaw exists, were crucial to the cyberattacks that the United States and Israel launched on Iran in an effort to slow its nuclear program. The advisers said that the information should be turned over to software manufacturers to have the mistakes fixed, rather than exploited.

Regarding spying on foreign leaders, the report urged that the issue be taken out the hands of the intelligence agencies and put into the hands of policy makers.

Jeremy W. Peters contributed reporting.