Author Archives: Michael Froomkin

EFF tries to strike a note of cautious optimism about President Obama’s NSA reform package, Obama Takes First Steps Toward Reforming NSA Surveillance, but Leaves Many Issues Unaddressed, even though by my reading Obama’s reforms, such as they are, don’t do very well on yesterday’s EFF scorecarrd.

Simon Davis is more pessimistic:

US privacy advocates are right to conditionally welcome some of Obama’s reforms, but they should take into account two critically important implications that the President avoided.

The first of these is the NSA’s intimate operational partnership with Britain’s SIGINT agency, GCHQ. Nothing in his reform package indicates a brake on the current arrangements which allow GCHQ to collect information on US persons.

The second key element is that the proposals appear to merely shift the current collection and retention of metadata from a centralised NSA operation to more of a European-style communications data arrangement that requires commercial entities to maintain a distributed retention. That arrangement in Europe has been deemed unlawful, but there is every chance the US will adopt it.

All things considered, the prospects for genuine intelligence reform at the global level are more bleak than they were 24 hours ago.

I’m underwhelmed by President Obama’s new Presidential Policy Directive/Ppd-28 on Signals Intelligence.

As I read it, the document announces various fine principles for how drift-net collection of email and telephone and other computer data will be used, but says nothing about collecting any less of it. The memo purports to define “why, whether, and how” this data will be collected; in fact it has a lot more to say about limitations on use than collection, most of it pretty good.¹

Unfortunately the collection section, section 3, is the shortest and, on first reading, the worst. Here it is in full:

Sec. 3. Refining the Process for Collecting Signals Intelligence.

U.S. intelligence collection activities present the potential for national security damage if improperly disclosed. Signals intelligence collection raises special concerns, given the opportunities and risks created by the constantly evolving technological and geopolitical environment; the unique nature of such collection and the inherent concerns raised when signals intelligence can only be collected in bulk; and the risk of damage to our national security interests and our law enforcement, intelligence-sharing, and diplomatic relationships should our capabilities or activities be compromised. It is, therefore, essential that national security policymakers consider carefully the value of signals intelligence activities in light of the risks entailed in conducting these activities.

To enable this judgment, the heads of departments and agencies that participate in the policy processes for establishing signals intelligence priorities and requirements shall, on an annual basis, review any priorities or requirements identified by their departments or agencies and advise the DNI whether each should be maintained, with a copy of the advice provided to the APNSA.

Additionally, the classified Annex to this directive, which supplements the existing policy process for reviewing signals intelligence activities, affirms that determinations about whether and how to conduct signals intelligence activities must carefully evaluate the benefits to our national interests and the risks posed by those activities. (footnote omitted)

I read that to mean … “trust us”. Am I wrong?

1. There is one odd footnote, footnote 5, that I don’t fully understand:
   

   The limitations contained in this section do not apply to signals intelligence data that is temporarily acquired to facilitate targeted collection. References to signals intelligence collected in “bulk” mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).

   [↩]