President Obama’s speech on surveillance reform today was a step toward more transparent and audited intelligence-gathering in the U.S.
But the speech ignored some key issues that directly affect tech companies and their customers. It focused on a relatively narrow issue — telephone metadata — and ignored the National Security Agency’s collection of many other kinds of data, including email metadata and the contents of many communications, including SMS messages and even the direct connections between American companies’ international data centers.
“Our perspective is that the NSA surveillance program is so broken that it was easy to pick off some low-hanging fruit and call them reforms,” said Mark Rumold, a staff attorney at the Electronic Frontier Foundation, in an interview with VentureBeat.
Tech companies involved in the Government Surveillance Coalition — Google, Yahoo, LinkedIn, Facebook, AOL, Apple, Microsoft, and Twitter — released a cautiously-supportive joint statement today saying:
The commitments outlined by President Obama represent positive progress on key issues including transparency from the government and in what companies will be allowed to disclose, extending privacy protections to non-US citizens, and FISA court reform. Crucial details remain to be addressed on these issues, and additional steps are needed on other important issues, so we’ll continue to work with the Administration and Congress to keep the momentum going and advocate for reforms consistent with the principles we outlined in December.
But there may be deeper suspicion underlying that politically-worded statement.
For many of these companies, it is disappointing that Obama focused primarily on phone metadata, and not Internet metadata. This includes who you send emails and IMs to, when you sent them, what IP address you sent them from, what service provider you used, what client you used, and more.
Obama also missed mentioning the government’s tapping of the fiber optic cables between Google, Yahoo, and perhaps other technology companies’ data centers. That has got to be frustrating to these companies, which have been meeting with the White House in recent months to address these concerns.
“He didn’t bring up anything about encryption or whether or not he was going to stop intelligence agencies from directly tapping our cables,” said a source familiar with the issue. “He didn’t address that issue at all. He didn’t say anything about the security aspect of whether intelligence agencies will be able to undermine the security of companies.”
This was a major point of contention for tech companies who otherwise worked with the government on the front end to provide user information through court orders. It seemed to them that even if they refused to provide some data, the government was going to get it however it liked.
The EFF is specifically concerned that the President did not agree to end the bulk collection of metadata in general. Instead of collecting information on everyone, Rumold suggested that the government identify individual targets and then, on top of that, be forced to prove before a court why that target merited surveillance.
A related issue is that of the Electronic Communications Privacy Act (ECPA). The President made no mention of a petition made through the White House’s “We the People” platform that proposes amending the ECPA so that warrants would be required to pull digital communications and documents in the same way that a warrant is necessary to go into your house and seize documents sitting on your desk. This petition received over 100,000 signatures in 30 days, passing the threshold at which petitions will actually be reviewed by the White House.
In his speech, President Obama admitted that he has a “healthy skepticism” about the programs, but also defended the intelligence community. Reforms included adding more transparency in the secret Foreign Intelligence Surveillance Court, reviewing privacy as it pertains to big data, limiting how many “hops” the NSA can take when researching a target’s phone calls, and more.
Even that limitation, however, did not satisfy F-Secure security advisor Sean Sullivan. Sullivan is a U.S. citizen, currently living abroad.
“It’s interesting that the current telephone metadata is being restricted to ‘two hops’ — but that doesn’t address the fact that the data doesn’t really need to be in the hands of the government in the first place,” said Sullivan in an email to VentureBeat. “I have a Finnish phone number and yet I’m a U.S. citizen. The NSA is collecting ‘non-U.S.’ text messages, but how would it know what my number is? Thus, the NSA is undoubtedly ‘collecting’ my SMS messages — a violation of U.S. law. … If the law says, ‘Don’t collect information on U.S. citizens,’ and there are U.S. citizens living abroad — there is no way that the NSA can possibly collect bulk Internet data in a legal fashion. Obama’s speech didn’t address this issue.”
At the end of the day, this was just a speech. The devil will be in the details for many of these reforms, and while we may never see all of the details, the President is at least paying lip service to transparency. That’s a start.