US President Barack Obama issued a presidential policy directive (PPD-28) on Friday that placed certain limitations on how the government can use the data it collects.
While this may have helped assuage some critics, many, such as the Electronic Frontier Foundation, have said that it does not go far enough to restore trust in digital communications, and that many of the recommendations made by the President’s Review Group on Intelligence and Communications Technologies have gone unheeded.
Industry efforts such as the Reform Government Surveillance coalition have called on the government to make the legal framework for user data requests clear, to include an independent court (as opposed to the secret Foreign Intelligence Surveillance Court), and to introduce an adversarial process that would allow a true defense for those who may be surveilled.
According to PPD-28, the FISA court will add members with expertise in civil liberties and technology (coming closer to an adversarial process) and will declassify more of its decisions. National Security Letter recipients (many of whom are web hosts) will be allowed to divulge more information about the letters they receive (such as their number and nature) unless a court decides that doing so would pose a significant risk, in which case the gag order should expire within 180 days unless renewed. This will likely enable web hosts to show what share of customer data they hand over to the government.
One of the biggest areas of concern for many hosting providers is that the US government has given no firm assurance that it will give up its tools of online data collection, such as demands for encryption keys and backdoors into certain cloud services.
As far as the collection of data goes, it will be more tightly targeted: queries will reach only those within two degrees of separation from a target, as opposed to three. Foreign nationals will also now receive some of the same privacy protections as US citizens, and the government says it will not target foreign leaders, or people for their political or religious beliefs, but only those who could threaten national security.
Some have proposed that the massive databases of metadata gathered by government agencies should be held by a third party, to which the government would have to send requests, in an effort to provide greater oversight. This, however, is outside the scope of the presidential directive and will have to go before US Congress.
Finally, the government will be hiring a senior official who will be in charge of diplomacy around issues related to technology and signals intelligence. This individual will likely be called upon to keep the market for services open to US corporations by making sure that foreign governments do not require service providers to locate infrastructure within a country’s borders or to operate locally.
Restoring trust in US-hosted services will help avoid a balkanization of the internet, signalled by foreign service providers like the German hosts involved in the “Email Made in Germany” campaign, which assures customers that their email is subject to Germany’s customary privacy protections.
Based on the reactions in the technology community, the White House still has a long way to go to reverse the damage caused by the revelations of the NSA’s intelligence-gathering program, which some estimate could cost the US cloud computing industry between $22 billion and $35 billion in revenue over the next three years.
Updating government procedures surrounding internet communication has long been overdue, and the NSA scandal has made establishing trust and transparency in both the government and private hosting providers a priority. It remains to be seen whether the government can re-establish consumer trust in privacy and security; otherwise, it could hurt US hosting providers tremendously.