
Law and Ethics Implications of the President’s Review Group

Peter Swire

Huang Professor of Law and Ethics

Scheller College of Business

Georgia Institute of Technology

March 28, 2014

Overview of the Talk

- Intro to Review Group
- The central puzzle: how should we govern secret agencies in an open democracy?
- History of secrecy and transparency (Watergate)
- RG recommendations on transparency and oversight
- “Declining Half Life of Secrets”
  - That is happening
  - Has big implications for how IC conducts its future business

Creation of the Review Group

- Snowden leaks of 215 and Prism in June, 2013
- August – Review Group named
- Report due in December
- 5 members

December 2013: The Situation Room

Our assigned task

- Protect national security
- Advance our foreign policy, including economic effects
- Protect privacy and civil liberties
- Maintain the public trust
- Reduce the risk of unauthorized disclosure

Our Report

- Meetings, briefings, public comments
- 300+ pages in December
- 46 recommendations
- Section 215 database “not essential” to stopping any attack; recommend government not hold phone records
- Pres. Obama speech January
  - Adopt 70% in letter or spirit
  - Additional recommendations under study
  - Organizational changes to NSA not adopted

An Ethical and Legal Challenge

How govern secret intelligence agencies in a democracy?

Thomas Jefferson: “An informed citizenry is the only true repository of the public will.”

Since WWII, enormous growth in IC
- Cold War
- War on Terrorism

Special concern if the secret surveillance is directed at the citizens themselves

That could threaten democracy

The Watergate Era and Secret Governance

1960’s + 1970’s: “The Crimes of the U.S. Intelligence Agencies”
- “Enemies list” in IRS
- Dirty tricks in political campaigns
- CIA, NSA, DoD surveillance in U.S.
- “National security” domestic wiretaps by J. Edgar Hoover, without judicial review
- The Watergate break-in itself was to spy on domestic political opposition, the DNC

Post-Watergate Solutions

- Freedom of Information Act expanded
- Privacy Act: goal of no secret govt. databases
- Government in the Sunshine Act
- Foreign Intelligence Surveillance Act 1978
  - Domestic wiretaps for “foreign intelligence” but not vague “national security” grounds
  - Article III judges review each wiretap
  - Public report on number of wiretap orders
  - Congressional Intelligence committee oversight
- Overall, shift toward transparency & oversight

Secrecy after 9/11

- Surveillance of hard-to-find new targets, the terrorists secret surveillance
- Sense of urgency & the Patriot Act
- Wars in Iraq & Afghanistan
- Warrant-less wiretaps (leaked 2005)
- Large database of phone records (leaked 2006)
- Snowden leaks beginning in June 2013
  - Section 215 domestic telephone meta-data
  - Section 702 surveillance at targets overseas
  - The long list of other stories

Section 215 of the Patriot Act

- June 2013: surprising that most/all domestic phone records were being collected under “foreign intelligence” authorities
- Unclear what other domestic surveillance was occurring
- Legislative proposals were pending for greater “information sharing” from private sector to government for “cybersecurity” purposes
  - Sharing would be permitted “notwithstanding any other (privacy) law”

Was this hotel room number a coincidence?

RG Findings

- RG received thorough briefings
- Finding: Section 215 had not been essential to preventing any attack
- Good news: compliance has improved in NSA since 2008
- Good news: no evidence of meddling with domestic politics

RG Rec 11: Transparency

“We recommend that the decision to keep secret from the American people programs of the magnitude of the section 215 bulk telephony meta-data program should be made only after careful deliberation at high levels of government and only with due consideration of and respect for the strong presumption of transparency that is central to democratic governance. A program of this magnitude should be kept secret from the American people only if (a) the program serves a compelling governmental interest and (b) the efficacy of the program would be substantially impaired if our enemies were to know of its existence.”

RG Recommendations on 215

- RG Rec 1 & 5: End current program of government holding the records
  - A “black box” that is hard to monitor from outside
  - Prevent mission creep/slippery slope to many bulk databases about domestic activities
  - Records already held by telcos for 18 months
  - Go to telcos when have individualized basis for request, with judicial review
- President Obama this week proposed legislation, with all of these provisions

Other RG Transparency Recommendations

- RG Rec 2: Similar judicial role for National Security Letters, by FBI
  - Shift toward disclosure far earlier than 50 years
  - Criminal searches often revealed in 6 months
- RG Rec 4 & 7: bulk collection programs narrowly tailored, only with senior review, and public whenever possible
- RG Rec 6: commission a meta-data study, to bring greater transparency and policy debate on data vs. meta-data

Transparency & the IT Industry

- Big economic effects on public cloud computing market
  - Double in size 2012-2016
  - Studies estimate US business losses from NSA revelations: tens of billions $/year
- An opening for non-U.S. providers
  - Market has been dominated by US companies
  - Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
- US industry response: more transparency
  - Boost consumer confidence that the amount of government orders is modest

Moving to More Transparency

- RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing
- RG Rec 10: more detailed government reporting of lawful access orders, by type of legal authority
- RG Rec 31: US should advocate to ensure transparency for requests by other governments
  - Put more focus on actions of other governments
- DOJ agreement with companies in January

Oversight goes with Transparency

- Numerous RG recommendations to improve oversight
  - Public advocate in secret FISA court
  - New mechanisms for whistleblowers, to the Privacy & Civil Liberties Oversight Board
  - An Office of Technology Assessment in PCLOB to examine new IC technologies for privacy & civil liberties
  - Others
- These build on existing FISC, Congress, Inspector General oversight mechanisms
- Checks and balances against accumulation of power in the secret agencies

Oversight for the Full National Interest

- Major theme of the report is that we face multiple risks, not just national security risks
  - Effects on allies, foreign affairs
  - Risks to privacy & civil liberties
  - Risks to economic growth & business
- Historically, intelligence community is heavily walled off, to maintain secrecy
- Now, convergence of civilian and military/intelligence communications devices, software & networks
- Q: How respond to the multiple risks?

Addressing Multiple Risks

- RG Recs 16 & 17:
  - New process & WH staff to review sensitive intelligence collection in advance
  - Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
  - Monitoring to ensure compliance with policy
- RG Rec 19: New process for surveillance of foreign leaders
  - Relations with allies, with economic and other implications, if this surveillance becomes public

Summary on These Recommendations

It is time to renew the transparency initiatives that resulted from Watergate

Fortunately, we don’t have political “enemies lists” this time

But, shouldn’t have powerful, well-budgeted watchers unless they are watched as well:
- By the citizenry – transparency
- By oversight and checks & balances

Part II: Declining Half Life of Secrets

The IC assumption was that secrets lasted a long time, such as 25-50 years

My descriptive claim – the half life of secrets is declining sharply

My normative claim – when secrets get known sooner, the IC should follow the “front page” test much more than previously
- That’s a hard lesson for agencies accustomed to secrets that stay secret for 25+ years
- We have seen what the front page can do if the agencies don’t take that seriously

Threat Model: The System Administrator

- Theme: system administrator as important threat
- Snowden’s job was to move files
- He did that
- RG Response: new tech to reduce system administrator privileges
- But
  - It is hard to separate IT functions in a strict way
  - So, secrets can get out

Threat: The Sys Admin & Sociology

- Contrast of USG & Silicon Valley view of Snowden on traitor v. whistleblower
- USG: with all the briefings, I have not yet found an IC or other USG person who says WB
- Silicon Valley:
  - In one company, over 90% say WB
  - “Thunderous applause” for Snowden at SXSW
  - Schneier: WB the civil disobedience of this generation
- Sociological chasm between left coast and right coast
- Solution: IC shouldn’t hire any techies? EFF membership as disqualification for security clearance?
  - Those won’t work

The Insider and Big Data

- How much can an insider leak?
  - A lot. One thumb drive can ruin your whole day.
  - Already knew the insider threat, now learn the sys admin threat
  - One CIO: “My goal is that leaks happen only by a printer”
- How well can an insider disseminate secrets?
  - Old days: Ellsberg needed the NY Times
  - Today: Wikileaks, no gatekeeper to the Internet

Crowd-sourcing & the Internet of Things

- The mosaic theory turns against the IC
- Bigger effort to publicly reveal IC activities
- The Internet of Things – more sensors in private hands, networked
- Crowd-sourcing – once some data is revealed, the world collaborates to put the pieces together
- Hence, major trends in computing speed the revelation of IC secrets

IC Targets and Private IT Systems

- The good old days:
  - Covert ops – few people knew
  - Signals – for radio, often passively pick up signals
- Today the targets are well-defended IT systems:
  - Reports of bulk collection inside private telecom/Internet systems
  - Those systems may have EFF-leaning employees, as they do daily intrusion detection on their systems
  - Risk higher than before that someone outside of the IC will detect intrusions/year and report that

Summary on Half Life of Secrets

- Insider threats, with sociology risky for secrets
- Big Data
- Internet of Things
- Crowdsourcing
- Decline of gatekeepers
- Private systems can detect intrusions
- In short, if you were in the IC, would you bet on things staying secret for 25 or 50 years?

Implications of Declining Half Life of Secrets

- Previously, the IC often ignored the “front page test”
  - Jack Nicholson & “you can’t handle the truth” in A Few Good Men
- But, how many front page stories this year?
- Declining half life of secrets means higher expected value of revelations – bigger negative effect if ignore the front page test
- RG: effects on foreign affairs, economics, Internet governance, so USG should consider these multiple effects and not isolate IC decisions

Conclusion

- Are pessimists correct that nothing will change?
  - Section 215 program quite possibly will end
  - DOJ agreed to the transparency agreement
  - EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in EU Parliament 621-10 in favor
- We are in a period where change is possible
- Carpe diem