Comments to the Privacy and Civil Liberties Oversight Board Concerning Activities Under Executive Order 12333 (Notice PCLOB–2015–01)

By Robyn Greene, Policy Counsel, June 15, 2015

Introduction and Summary

New America’s Open Technology Institute welcomes the opportunity to provide input to the Privacy and Civil Liberties Oversight Board (PCLOB) on its investigation into the counterterrorism activities of the National Security Agency (NSA) and the Central Intelligence Agency (CIA) pursuant to Executive Order (EO) 12333.1

New America is a nonprofit, nonpartisan public policy institute based in Washington, D.C. that invests in new thinkers and new ideas to address the next generation of challenges facing the United States and the global community. The Open Technology Institute (OTI) is a program within New America that promotes affordable, universal access to open and unrestricted communications networks through technology development, applied learning, and policy reform. OTI offers in-depth, objective research, analysis, and findings for policy decision-makers and the general public, develops technologies and tools to support universal and secure communications, and works directly with communities to address communications and technological disparities. A significant portion of OTI’s portfolio focuses on cybersecurity, surveillance reform, and research and analysis of public policies that impact individual privacy and Internet security.

Over the last two years, a combination of whistleblower and Director of National Intelligence disclosures has revealed to the public some small piece of the broad scope of the Intelligence Community’s activities under EO 12333. Still, the majority of those activities remain secret. In its examination, we urge PCLOB to review the full catalogue of the Intelligence Community’s activities pursuant to EO 12333 as they relate to counterterrorism activities, and to issue a public report that includes a summary of those activities and their impact on privacy, as well as the conclusions it draws from its examination and its resulting recommendations.

1 Fed. Register, Vol. 80, No. 55, Notice–PCLOB–2015–01; Docket No. 2015–0001; Sequence No. 1 (March 23, 2015), available at https://pclob.gov/library/FederalRegister-PCLOB-2015-03-24.pdf.

In particular, we urge PCLOB to include in its examination reviews of bulk and targeted collection, efforts to subvert cybersecurity in order to facilitate surveillance as part of counterterrorism operations, and failures in congressional and public oversight.

Bulk and Targeted Collection

The first issue we urge PCLOB to review is the NSA’s bulk and targeted collection activities under EO 12333. Bulk collection poses a serious threat to privacy, as it inherently results in the large-scale collection of the communications of millions of innocent Americans and people around the world. The procedures governing the NSA’s acquisition, retention, search, dissemination, and use of those communications are not public.

PCLOB should review the scale of incidental collection of U.S. person communications that results from bulk collection under EO 12333. It should also review and make recommendations to enhance the privacy protections provided by the minimization procedures that are applied to those collections.

Additionally, it should review and publicly disclose the number of instances in which those communications have been searched for U.S. person information, and how many times that information has been used in any government proceeding, such as criminal investigations, including instances where parallel construction was employed to obscure the source of the information; judicial proceedings; and other civil, immigration, and regulatory proceedings.

PCLOB should make similar inquiries into the NSA’s targeted collection practices under EO 12333. Specifically, it should assess the adequacy of and make recommendations for additional safeguards of privacy protections conferred on U.S. person communications by targeting and minimization procedures, and policies governing their retention, use, and dissemination.

Lastly, the 113th Congress passed H.R. 4681, the Intelligence Authorization Act for 2015.2 That bill includes Section 309, which requires the Director of National Intelligence (DNI) to establish procedures governing the retention of U.S. person data collected pursuant to EO 12333. PCLOB should request to consult with the DNI and make recommendations concerning the privacy safeguards that should be included in those procedures.

2 H.R. 4681, Intelligence Authorization Act for Fiscal Year 2015, 113th Cong. (2014), available at https://www.congress.gov/bill/113th-congress/house-bill/4681.

The legislation requires that the procedures include broad exceptions to the retention limits, including all encrypted communications, communications that are reasonably believed to include evidence of any crime, and communications that contain foreign intelligence. It would be beneficial for PCLOB to make recommendations as to how the DNI could carefully tailor those exceptions in its procedures so that they would be more protective of Americans’ privacy.

NSA Tactics to Subvert Cybersecurity

The second area we urge PCLOB to examine is NSA efforts to subvert cybersecurity and undermine encryption. To the extent that efforts to undermine or crack encryption aid in EO 12333 surveillance conducted in furtherance of counterterrorism investigations or related activities, we believe that they are within the jurisdiction of the Board. It is essential that PCLOB examine those activities to determine the extent of their impact on cybersecurity and privacy.

Efforts to Undermine Encryption

The NSA not only attempts to crack encryption through EO 12333 programs like Bullrun.3 On at least one occasion it also sought to undermine the National Institute of Standards and Technology’s encryption standard-setting process,4 and press reports revealed that it has contracted with technology companies to use weak encryption in their products.5 More recently, the Director of the NSA, Admiral Rogers, has joined the Director of the Federal Bureau of Investigation, James Comey, in publicly stating that companies should weaken their encryption by inserting vulnerabilities in order to facilitate surveillance.6

3 Jeff Larson, Nicole Perlroth, & Scott Shane, Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security, ProPublica & NY Times, Sept. 5, 2013, http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption.
4 Nicole Perlroth, Government Announces Steps to Restore Confidence on Encryption Standards, NY Times, Sept. 10, 2013, http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/; see also Kim Zetter, How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA, Wired, Sept. 24, 2013, http://www.wired.com/2013/09/nsa-backdoor/.
5 Joseph Menn, Exclusive: NSA infiltrated RSA security more deeply than thought – study, Reuters, Mar. 31, 2014, http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331; Joseph Menn, Exclusive: Secret contract tied NSA and security industry pioneer, Reuters, Dec. 20, 2013, http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220.
6 John Reed, Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors, Just Security, Feb. 23, 2015, http://justsecurity.org/20304/transcript-nsa-director-mike-rogers-vs-yahoo-encryption-doors/. See also David E. Sanger & Matt Apuzzo, James Comey, F.B.I. Director, Hints at Action as Cellphone Data Is Locked, NY Times, Oct. 16, 2014, http://www.nytimes.com/2014/10/17/us/politics/fbi-director-in-policy-speech-calls-dark-devices-hindrance-to-crime-solving.html?_r=0.

Employing strong encryption is widely accepted as the best way for individuals to protect the contents of their communications. It is also critical to effective cybersecurity, as is evidenced by its widespread deployment throughout the Internet economy, including by financial institutions, businesses, medical providers, and e-mail service providers.

NSA efforts to undermine encryption violate Americans’ privacy and threaten the public’s trust in the security of their online communications. The government’s calls to undermine encryption are strongly opposed by technology companies, security experts, and privacy advocates. In May, a coalition of nearly 150 groups, companies, and experts wrote to the president to voice their strong opposition and warn that such proposals, if enacted, would pose a serious threat to privacy, human rights, economic security, and even national security.7

David Kaye, the UN Special Rapporteur for Freedom of Expression and Opinion, also published a report concluding that access to strong encryption is essential to privacy and free expression, and that “States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online,” and “States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.”8 The report also notes that the governments that have urged the adoption of policies to require intentional vulnerabilities in encryption “have not demonstrated that criminal or terrorist use of encryption serves as an insuperable barrier to law enforcement objectives,” and that “intentional flaws invariably undermine the security of all users online, since a backdoor, even if intended solely for government access, can be accessed by unauthorized entities.”9

7 Coalition Letter to Pres. Obama (on file with New America’s Open Technology Institute) (May 19, 2015), https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf.
8 David Kaye, United Nations Special Rapporteur for Freedom of Expression and Opinion, Report on encryption, anonymity, and the human rights framework, United Nations Office of the High Commissioner for Human Rights (May 2015), http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx. See also Danielle Kehl, Kevin Bankston, & Andi Wilson, Comments to the UN Special Rapporteur on Freedom of Expression and Opinion Regarding the Relationship Between Free Expression and the Use of Encryption, New America’s Open Technology Institute (Feb. 2015), https://static.newamerica.org/attachments/1866-oti-urges-un-human-rights-council-to-promote-the-benefits-of-strong-encryption/OTI_Crypto_Comments_UN.pdf.
9 Id.

4

These calls for government support of strong encryption follow the recommendations made by the President’s Review Group on Intelligence and Communications Technologies, which concluded in its 2013 report that the government should “(1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.”10

PCLOB should examine any NSA or CIA programs that seek to weaken or undermine encryption, and make recommendations to lessen the impact they have on privacy and Internet security.

Stockpiling of Vulnerabilities

Additionally, we have learned that the NSA stockpiles vulnerabilities and spends millions of dollars on the purchase of exploits, including malware and cyberweapons, and of vulnerabilities, which it uses to develop exploits. These activities may also be intended to further surveillance conducted pursuant to EO 12333 in furtherance of the NSA and CIA’s counterterrorism activities.11 The Administration has stated that there is an equities review process in place to determine which vulnerabilities should be disclosed to the public, and which should remain secret.12 However, very little is known about that process, about how often the government elects to keep secret the existence of previously unknown vulnerabilities, or about how often it discloses their existence to software and hardware developers.

10 President’s Review Group on Intelligence and Communications Technologies, Liberty and Security in a Changing World 218 (2013), https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.
11 Barton Gellman & Ellen Nakashima, U.S. spy agencies mounted 231 offensive cyber-operations in 2011, documents show, Wash. Post, Aug. 30, 2013, http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html. See also Jacob Appelbaum, Judith Horchert & Christian Stöcker, Shopping for Spy Gear: Catalog Advertises NSA Toolbox, Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html; and Inside TAO: Documents Reveal Top NSA Hacking Unit, Der Spiegel, Dec. 29, 2013, http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html.
12 David E. Sanger, Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say, NY Times, http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=0; and Kim Zetter, U.S. Government Insists It Doesn’t Stockpile Zero-Day Exploits To Hack Enemies, Wired, Nov. 17, 2014, http://www.wired.com/2014/11/michael-daniel-no-zero-day-stockpile/.

Keeping vulnerabilities secret instead of disclosing them so they may be patched increases the likelihood of cyberattacks and data breaches, which pose significant threats to the privacy of everyday Americans. The President’s Review Group on Intelligence and Communications Technologies also concluded in its final report that “U.S. policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks.”13

PCLOB should examine the NSA’s practice of purchasing vulnerabilities, and assess the impact that this support of the vulnerabilities black market has on Internet security, and thus privacy. It should also review the government’s practice of developing and deploying malware and cyberweapons. Finally, PCLOB should review the equities process, and assess the implications that stockpiling vulnerabilities has on Internet security and privacy.

Congressional Oversight

The last thing we urge the PCLOB to review is Congressional oversight of EO 12333 activities. Congress has conducted no substantial oversight of EO 12333 activities. Senator Feinstein, the Chair of the Senate Select Committee on Intelligence, has stated that she knows very little about the NSA programs under that authority.14 PCLOB should make recommendations to all relevant committees as to how Congressional oversight of these activities can be improved.

Activities conducted under EO 12333 are also not subject to judicial oversight. PCLOB should examine and make recommendations of ways that Congress can legislate to bring those activities within the jurisdiction of the Foreign Intelligence Surveillance Court.

Conclusion

We thank the Board for engaging in this important examination of Intelligence Community activities pursuant to EO 12333, and for the opportunity to provide comments and recommendations as to appropriate areas of focus for that examination.

While we hope that the Board will examine all activities conducted pursuant to EO 12333, we urge the Board to focus in particular on the issues of bulk and targeted collection, efforts to subvert cybersecurity in order to facilitate surveillance, and ways to enhance congressional and public oversight. Given the significant impact that EO 12333 has on privacy and Internet security, we also urge the Board to summarize the activities it reviews, its conclusions, and its recommendations in a public report, as it did when examining surveillance programs pursuant to Section 215 and FISA Amendments Act Section 702.

13 Liberty and Security in a Changing World at 219, supra note 10.
14 Ali Watkins, Most of NSA’s data collection authorized by order Ronald Reagan issued, McClatchy, Nov. 21, 2013, http://www.mcclatchydc.com/2013/11/21/209167/most-of-nsas-data-collection-authorized.html#storylink=cpy.

Thank you for your consideration.

Respectfully submitted,

Robyn Greene
Policy Counsel
New America’s Open Technology Institute
1899 L Street NW, Suite 400
Washington, DC 20036