It's taken more than a decade, but a critical oversight board tasked with advising the president on the privacy and civil liberties implications of the NSA's surveillance programs is finally getting a technology adviser who understands how the government's surveillance tools actually work.
The government announced last week that respected Columbia University computer scientist Steve Bellovin has been appointed the first technology scholar for the Privacy and Civil Liberties Oversight Board—the board that gained notoriety in 2014 after it condemned the NSA's bulk phone records collection program (.pdf) but found little wrong with its court-ordered bulk collection of data from ISPs like Google and Yahoo.
Until now, the five-member PCLOB has consisted primarily of lawyers, three of whom are former attorneys with the US Department of Justice and only one of whom has a civil liberties background—James X. Dempsey, former vice president for public policy at the Center for Democracy and Technology who is now with the Berkeley Center for Law and Technology.
Bellovin is co-director of Columbia's Cybersecurity and Privacy Center, a part of the university's Data Science Institute, and he has authored or co-authored a number of papers on government surveillance, including Keys Under Doormats about the security risks of installing government-friendly backdoors in encryption software. He was previously a chief technologist with the Federal Trade Commission as well as a member of the Department of Homeland Security's Science and Technology Advisory Committee.
Although the PCLOB has had staff members available to answer technology questions for them in the past, none of those staff members had the level of expertise Bellovin has. Bellovin told WIRED that he hopes to contribute a crucial missing ingredient to the PCLOB.
"As we have learned from some of the Snowden stuff, a lot of this is very technical," he told WIRED. "I don’t think they can make policy decisions without understanding what the technology actually enables, or for that matter, prevents. I understand enough about the law and policy to be able to translate, if you will, things into their terms."
Many fellow technologists and civil liberties advocates praised Bellovin's appointment last week on Twitter. Here's a sample of their reactions:
X content
This content can also be viewed on the site it originates from.
X content
This content can also be viewed on the site it originates from.
The most important thing about the NSA's spy programs, Bellovin says, is not what gets stated openly about them, but what their implications are—implications that are often obscured to anyone who doesn't grasp the full technical capabilities of the spy tools the government uses.
Bellovin says his role will be not only to understand the implications of the tools, but also to determine if there is a better way to accomplish the government's intelligence goals while still preserving privacy and civil liberties.
Although he doesn't know yet the specific programs he'll be focusing on, the board has already told him he'll be looking at surveillance programs that have been authorized by Executive Order 12333, one of the least-understood and most wide-sweeping authorities the government uses for spying. Documents leaked by Edward Snowden in 2013 have so far exposed the government's so-called 215 and 702 bulk collection programs, but have said little about the EO12333 authority and how it's being used.
The 215 program refers to the NSA's collection of phone records from US telecoms, which it claimed was authorized under Section 215 of the USA Patriot Act. The 702 bulk collection program refers to data collected from ISPs and other service providers through a court order. This collection was authorized under section 702 of the Foreign Intelligence Surveillance Act.
The government established these two authorizations—215 and 702—after the 9/11 attacks. But EO12333 pre-dates both of these authorities by more than a decade.
"It’s a very broad order that gives a lot of authority to the intelligence community, and a lot is going to be covered under this," Bellovin says.
President Ronald Reagan issued EO12333 in 1981; it authorizes US intelligence agencies to collect foreign intelligence. But unlike the 215 and 702 programs, which require court oversight and orders, EO12333 has no court oversight. And unlike the 215 program, which focuses on collecting only metadata, EO12333 allows for the collection of content, even content belonging to US persons if this collection is "incidental."
But "incidental" can be broadly interpreted, and Senator Dianne Feinstein (D-California), chairwoman of the Senate Select Committee on Intelligence, has long said that her committee has lacked the ability to "sufficiently" oversee intelligence activities conducted under 12333.
The PCLOB was established in 2004 by Congress as part of the Executive Office of the President, upon recommendation of the 9/11 Commission. It was intended to serve as an advisory body to administration officials about the privacy and civil liberties implications of proposed laws and policies implemented in the fight against terror.
But the board remained ineffectual for years after having an inauspicious and controversial start. One of the first board members resigned in 2007 amidst claims that the White House under President George W. Bush tried to control what it published in its reports. After that, the Senate Judiciary Committee failed to hold hearings to confirm nominated members a number of times, leaving the board with empty seats. It wasn't until August 2012 that the Senate finally confirmed four of Obama's nominations for the board. Finally, on May 7, 2013, weeks before the first of the revelations from Edward Snowden were published, the Senate confirmed David Medine, a former associated director of the Federal Trade Commission, as chair.
Today, the five members of the board serve staggered terms lasting six years. The current board consists of Medine, Patricia M. Wald, a former federal appellate court judge; Rachel L. Brand, chief counsel for regulatory litigation at the US Chamber of Commerce and a former assistant attorney general for the Justice Department; Elisebeth Collins Cook, a former assistant attorney general at DoJ; and Dempsey.
In 2013, after the PCLOB was revived, Bellovin sent a note to Jim Dempsey, whom he knew, saying, "Five very nice experienced lawyers; but where is your technologist?"
The note made an impression, and Bellovin was invited to provide testimony to the board at one of its first public hearings that year; then last year the board asked him about becoming a full-time adviser. Bellovin, who already had a security clearance from his days working on the Homeland Security Science and Technology Advisory Committee, jumped at the chance because he considers it important work.
Bellovin's appointment will last only six months to a year—at which point both he and the board will re-evaluate. He also plans to work for the board only a couple of days a week, traveling from New York to DC, since he wasn't ready to commit full time. Because the programs he will examine are classified, he'll have to work in a SCIF.
But Bellovin is optimistic he can still be useful, though he acknowledges it will take time to figure out how the government's spy programs fit together.
"It will take me a while just to understand what is going on, let alone look at specific things. One person is not going to understand the technologies of the entire intelligence community," he says.
All of this assumes that the government is providing the PCLOB with the information it needs to fully understand intelligence programs.
Bellovin acknowledges that the lack of technical expertise in Washington is a big problem. "We desperately need more people who are comfortable in both realms. We need policy makers who understand technology—most of them are lawyers. They’re very good lawyers, but they’re lawyers, not technologists."
Although the PCLOB is mandated by statute, this doesn't mean that a sitting president or administration will listen to it. With that in mind, what exactly does Bellovin hope to accomplish?
"It’s no secret that I’m a privacy advocate. I’m going to look very hard at some of these programs to see [if they are] unnecessarily violative of privacy and civil liberties. ... [T]here have been reports that some of the metadata programs that Snowden revealed weren’t in fact actually working very well.... But that’s really the question, isn’t it? If you’re going to violate privacy it should at least be because it’s actually accomplishing something."
