In a speech that garnered worldwide attention, President Barack Obama has announced important reforms in the ways the US government will gather, store, use and retain signals-related information. These changes will quickly affect many companies, both in the United States and globally. In this alert, we identify some of the most significant changes found in the reforms announced by the President last week.
President Obama's announcement comes in the wake of highly publicized intelligence leaks by former NSA contractor Edward Snowden, as well as a December 2013 report from the President's Review Group on Intelligence and Communications Technologies, which proposed more than 40 changes to how the US government collects, stores, uses, and retains signals intelligence.
Focusing on the need to balance transparency regarding government surveillance with the need for a strong counter-intelligence program that can effectively protect American interests, the President directed intelligence agencies and the Department of Justice to implement the following changes to its signals intelligence programs. These changes adopt some, but by no means all, of the recommendations in the December report:
- Promulgating Presidential Policy Directive 28, which articulates what intelligence agencies may and may not do with respect to the collection, storage, use and retention of communication records and related information, including explicit prohibitions on the indiscriminate review of electronic and telephonic communications
- Reviewing annually all future opinions of the Foreign Intelligence Surveillance Court (FISC) by the Director of National Intelligence and the US Attorney General in order to declassify opinions that have broad privacy implications
- Reviewing annually all of the permissible uses of signals intelligence collected in bulk under Section 215i
- of the Foreign Intelligence Surveillance Act
- Creating a panel of independent, non-governmental advocates to present an independent voice to address proposed governmental practices and privacy concerns in significant cases before the FISC
- Restricting the government's ability in criminal cases to retain, search and use communications between Americans and foreign citizens under Section 702ii of the Foreign Intelligence Surveillance Act and requiring intelligence agencies to obtain Court approval prior to any database query in non-exigent circumstances
- Amending the use of National Security Letters (NSLs) to limit how long such letters must be kept secret, and to allow communications providers to disclose information about the receipt of such letters and provision of data to the government
- Modifying the current bulk telephony metadata record program so that the only calls that may be pursued are those that are two degrees removed from a terrorist source (rather than three degrees removed, as is currently the case)
- Directing the intelligence community and the US Attorney General to develop options for non-governmental storage of bulk-collected telephone metadata (while acknowledging the complexity of this issue)
The President also announced a series of changes that directly affect foreign citizens and companies, including:
- Limiting the use of signal intelligence gathering to national security purposes only (e.g., counter-intelligence, counter-proliferation, cybersecurity, counter-terrorism), and not for any other purposes (such as offering US companies a competitive advantage over others)
- Developing and implementing rules that limit monitoring of friendly foreign governments and heads of state
- Developing limitations on the use and retention of foreign nationals personal information
Finally, in what should be a closely watched process, the President directed his Counselor John Podesta to conduct a comprehensive review of big data and privacy and to review the data collection, storage, use, and retention practices in both the public and private sectors.
Important considerations for companies and individuals globally
These changes raise important considerations for companies and individuals both inside and outside the United States. All potential recipients of NSLs, and communications providers in particular, should take note of the intent to relax associated non-disclosure or gag order requirements.
These changes may offer NSL recipients the opportunity to notify customers and clients of the volume of NSLs the companies receive, in what frequency and potentially even the kinds of records sought by the government via such letters.
The changes also should be reviewed carefully by non-US companies. In particular, companies outside the United States should study the President's concession to extend to foreign nationals rights traditionally only guaranteed to US citizens. Following the revelations about US intelligence gathering practices, European leaders recently attacked the adequacy of the US-EU safe harbor. There is reason to hope that the President's proposed changes will lower tensions and bring a more balanced and reciprocal view of intelligence gathering on both sides of the Atlantic. Indeed, Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, spoke favorably on Friday about the President's announcement.
The President stopped short of endorsing data retention mandates for communications and telecoms companies, something that many tech sector and privacy advocates strongly oppose.
On the other hand, missing from the announcement were several priorities for the US technology sector that had been endorsed by the President's Review Group. These include: (1) ending intelligence agency practices of introducing security vulnerabilities into US tech companies' products and not informing them of zero-day vulnerabilities that intelligence agencies have identified; and (2) speeding the MLAT process under which other countries may obtain evidence stored in the United States (because delays in this process are a significant driver of forced localization requirements now moving forward in Brazil and Indonesia).
Finally, the White House review of big data practices has the potential to bring more changes to the way that the US contracts for big data services furnished by contracts, as well as recommendations for legislation and Federal Trade Commission enforcement.