I doubt whether many people had high expectations of President Obama’s “big” speech last week about NSA spying. After all, not only has he shown few signs of being willing to admit the value of Snowden’s revelations, he has, in general, been an immense disappointment to many who had placed such great hopes in his election. But at least this time he did not disappoint us, because what he announced was as disappointing as everyone expected.
Take, for example, the bulk collection of US telephone metadata. Here’s how Obama intends to “reform” this particular kind of surveillance:
I believe we need a new approach. I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk meta-data.
And what might this be?
I have instructed the intelligence community and Attorney General to use this transition period to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this meta-data. They will report back to me with options for alternative approaches before the program comes up for reauthorization on March 28. During this period, I will consult with the relevant committees in Congress to seek their views, and then seek congressional authorization for the new program as needed.
So the only thing we know about this “new approach” is that the US government won’t hold the bulk metadata itself. It might be held by someone else, or it might involve something other than metadata, but we don’t know. Obama’s solution is essentially the classic “set up a committee to report back” tactic that allows him to claim that he has done something, even though that something amounts to very little, because that won’t be apparent until some time in the future.
It’s worth noting that most of his speech was about the bulk metadata programme, and barely touched on all the other ways that we are spied upon. One thing he was forced to address was the fact that non-US people have basically no rights that might protect them against the NSA (or GCHQ). Here’s what he’s doing on that front:
the new presidential directive that I have issued today will clearly prescribe what we do, and do not do, when it comes to our overseas surveillance.
And here’s what that directive has to say on bulk data collection from foreigners:
In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section. In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section.
Despite the token attempt to exclude certain classes of use, the main ones relating to national security are so broad as to cover pretty much everything. In other words, the US will still be spying on all foreigners, all the time – unless your name is Angela Merkel.
What’s particularly troubling is the justification for this:
Locating new or emerging threats and other vital national security information is difficult, as such information is often hidden within the large and complex system of modern global communications. The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats.
As you can see, there is an assumption here: that in order to locate new or emerging threats, the US must carry out bulk collection. But there is no proof of this. On the contrary: we have clear evidence that bulk collection doesn’t help.
The US government has gone from saying that its massive surveillance programme stopped more than 50 “potential terrorist events” around the world since the Sept. 11 attacks, to using the phrasing that intelligence from the programmes on 54 occasions "has contributed to the [U.S. government’s] understanding of terrorism activities and, in many cases, has enabled the disruption of potential terrorist events at home and abroad".
And now it has backtracked even from that weak claim: it can only point to one case, involving a San Diego man convicted of sending $8,500 to a terrorist group in Somalia, where NSA surveillance played a dominant role. Since we can be sure that if there were any more dramatic instances of surveillance averting terrorist attacks, we would have heard about them repeatedly, this tends to suggest that bulk data collection has done little to help in the domain of terrorism (although it may well have provided other kinds of information – not least economic – of value to the US).
The fact that the bulk surveillance programme is based on an unproven assumption is one glaring flaw in Obama’s speech last week. The other is the complete absence of any promise to stop undermining encryption, and thus the Internet. Until he does so, no rational company will trust US-produced software or hardware, since there is a strong likelihood that they will contain backdoors of some kind that vitiate their putative security.
However, to be fair, in one respect Obama is to be praised for his comments last Friday. And that is for the fact that he at least went through the motions of addressing the concerns of the US and foreign public in this area. The UK government hasn’t even done that. Instead, it keeps bleating about everything being “legal”, conveniently overlooking the fact that the relevant law – RIPA – dates back to 2000, and is thus, not surprisingly, so unfit for the purpose that being “legal” in this context is utterly worthless. The UK government’s refusal even to countenance some kind of public debate about what form surveillance should take in the digital age, and what its limits should be, is patronising and insulting. Obama’s speech, for all its many faults, was never either of those.