Months after the National Security Agency’s foreign intelligence collection practices were brought to public attention by Edward Snowden, a review group established by the US government has come up with a number of recommendations to engender trust in communications systems (including cloud computing) while still keeping national security a top priority.
In August, the President announced the creation of the Review Group on Intelligence and Communications Technologies. The formation of the group had to do with Snowden’s revelations, but rather than focus specifically on the NSA’s actions, the group looked at the broader issues around balancing liberty and security with privacy and civil liberties.
President Obama isn’t obligated to adopt the recommendations made by the group, but he and his national security team will take the review into account over the next several weeks to determine which recommendations should be implemented.
Among the dozens of recommendations, the review group said governments should promote transparency about the number and type of law enforcement and other requests made to communications providers. Requests made under the Foreign Intelligence Surveillance Act have been kept secret, with some of the largest IT organizations asking to make at least some of these details known.
The review group also recommends that the Foreign Intelligence Surveillance Court, which provided that any government agency seeking to use electronic surveillance for foreign intelligence, provide more oversight in its granting of electronic surveillance warrants – requiring surveillance to have a more specific purpose and scope.
The mass collection and storage of non-public personal information about individuals is specifically called into question, even if it enables future queries and data-mining for foreign intelligence. Data should be just narrow enough to serve an important government interest.
It also recommends that the US government examine the feasibility of creating software to allow the NSA and other intelligence agencies to easily conduct targeted information acquisition rather than bulk-data collection, and that it streamline the process for lawful international requests to obtain electronic communications through the Mutual Legal Assistance Treaty process.
The group also recommends the US fall in line with international norms or agreements for specific measures that will increase confidence in the security of online communications. This would mean refraining from using surveillance to steal industry secrets, from manipulating financial systems, and from requiring localization of servers and other IT facilities or preventing cross-border data flows without a compelling reason. Politicians have already been lobbying for many of these same issues.
There are also possible limits within intelligence agencies that would give the public more confidence in the collection of their information, such as limitations on how personnel are given access to information. The review proposes that access be based on a Work-Related Access model rather than “need-to-share” or “need-to-know” models, which are based on clearance level, and it also proposes additional network security protections.
For the time being, the Obama administration will weigh the recommendations of this group with other input and evidence to formulate a plan that many hope will restore trust in American IT services.