The NSA Report: Liberty and Security in a Changing World

GLOBAL COMMUNICATIONS TECHNOLOGY: PROMOTING PROSPERITY, SECURITY, AND OPENNESS IN A NETWORKED WORLD

A. Introduction

AN IMPORTANT GOAL OF US policy is to promote prosperity, security, and openness in the predominant method of modern communication, the Internet. This chapter examines how to achieve that goal, consistent with other goals of US policy.

In 2011, the Obama Administration released a major report: “International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World.” In the letter introducing the report, President Obama wrote: “This strategy outlines not only a vision for the future of cyberspace, but an agenda for realizing it. It provides the context for our partners at home and abroad to understand our priorities, and how we can come together to preserve the character of cyberspace and reduce the threats we face.” The Strategy defined the overall goal: “The United States will work internationally to promote an open, interoperable, secure, and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation” (emphasis added).

We believe that this is an exceedingly important goal, and that it bears directly on efforts to engage in sensible risk management. In this chapter, we offer a series of recommendations designed to promote that goal, and in the process to protect the central values associated with a free Internet.

B. Background: Trade, Internet Freedom, and Other Goals

The United States has a strong interest in promoting an open, interoperable, secure, and reliable information and communications structure. We focus our discussion on international trade, economic growth, and Internet freedom.

Throughout this report, we have stressed the need for a risk-management approach, balancing the imperatives for intelligence collection with the potential downsides. In the areas discussed in this chapter, prominent US policy goals run the risk of being undermined by the reports about US surveillance. We consider what measures will best achieve those goals for our global communications structure.

1. International Trade and Economic Growth

The US is committed to international economic competitiveness, to improvements in the international trade system, and to achievement of economic growth. The rules for international trade are crucial for the pervasively international conduct of commerce on the Internet, as well as for other sectors involved in international trade. Free trade agreements can contribute to economic growth. Unfortunately, foreign concerns about US surveillance threaten achievement of these various goals.

For example, the Transatlantic Trade and Investment Partnership (T-TIP) is a large and visible trade negotiation potentially affected by the recent surveillance leaks. The T-TIP talks were launched in 2013 as “an ambitious, comprehensive, and high-standard trade and investment agreement” designed to eliminate all tariffs on trade, improve market access on trade in services, and address a wide range of other impediments to trade.169 But strong concerns have been expressed about surveillance by European officials, as reflected in this statement by the EU Parliament Committee on Foreign Affairs: “With the damage to trust in the transatlantic relationship caused by NSA massive surveillance and lack of data privacy remedies for Europeans, the transatlantic economic relationship is at risk.”¹⁷⁰

European officials have similarly expressed doubt about whether to continue the existing Safe Harbor agreement for transfer of personal information to the US, under which companies are able to comply with the stricter EU privacy laws.¹⁷¹ Although the precise impact on such future negotiations is unclear, such statements show the linkage between intelligence collection decisions and international trade negotiations.

The effects of concern with US surveillance on US trade in cloud computing and other online activities have drawn particular attention. The public cloud computing market for enterprises is growing rapidly. By 2016, it is estimated to reach $207 billion annually, more than double the 2012 level.172 As a result, cloud computing vendors not only have to retain existing customers but also must recruit new customers to maintain market share. In the wake of press reports on US surveillance, two studies estimated large losses in sales for US cloud computing providers, due to concerns overseas about the security of US providers and possible legal measures to limit use of US-based cloud providers by other countries.¹⁷³ US-based information technology companies and trade associations have expressed strong concerns, fearing that Chinese, European, and other competitors will use the disclosures to promote their products over American exports.

Negative effects stemming from concern with US surveillance on trade and economic competitiveness may, in turn, have adverse effects on overall US economic growth. In recent years, the information technology sector has been a major source of innovation and growth. Foreign concerns about US surveillance can directly reduce the market share of US-based technology companies, and can in addition have an indirect effect of justifying protectionist measures. Addressing concerns about US Government surveillance would increase confidence in the US information technology sector, thus contributing to US economic growth.

2. Internet Freedom

US Internet freedom policy seeks to preserve and expand the Internet as an open, global space for free expression, for organizing and interaction, and for commerce. In recent years, the United States has highlighted Internet freedom as an important goal of US policy, including by pushing successfully in 2012 for the first United Nations resolution that confirms that human rights in the Internet realm must be protected with the same commitment as in the real world. The US has worked with the Dutch Foreign Ministry to establish the Freedom Online Coalition, currently a group of 21 governments from five regions committed to coordinating diplomatic efforts to advance Internet freedom. This coalition has sought to broaden support for an approach based on universal human rights and the inclusive, multi-stakeholder model of Internet governance.

A central theme of US Internet freedom policy has been protection against intrusive surveillance and repression. The US Government has consistently spoken out against the arrest and persecution of bloggers and online activists in countries such as Azerbaijan, China, Cuba, Egypt, Ethiopia, Iran, Russia, Saudi Arabia, Thailand, Venezuela, and Vietnam. President Obama and Secretaries of State have publicly criticized restrictive Internet legislation designed to force companies to collaborate in censorship and pervasive surveillance of their users in order to chill expression and facilitate persecution. Since 2008, the Department of State and the United States Agency for International Development have invested over $100 million in programs to enable human rights activists and bloggers to exercise their human rights freely and safely online, including by distribution of strong encryption and other anti-censorship tools.

Revelations about US surveillance have threatened to undermine the US Internet freedom agenda. Countries that were previously criticized by the United States for excessive surveillance have accused the US of hypocrisy. In our view, these allegations lack force. US surveillance is subject to oversight by the multiple authorities shown in Appendix C, and the First Amendment protections under the US Constitution are an effective bulwark against censorship and political repression. Nonetheless, the reports about US surveillance have clearly made it more difficult to explain the key differences in international fora. As we have emphasized at several points in this Report, public trust is exceedingly important.

3. Internet Governance and Localization Requirements

The United States has strongly supported an inclusive multi-stakeholder model of Internet governance in order to maintain and expand a globally interoperable, open, and secure Internet architecture to which all people have access. This multi-stakeholder approach incorporates input from industry, governments, civil society, academic institutions, technical experts, and others. This approach has emphasized the primacy of interoperable and secure technical standards, selected with the help of technical experts.

A competing model, favored by Russia and a number of other countries, would place Internet governance under the auspices of the United Nations and the International Telecommunications Union (ITU). This model would enhance the influence of governments at the expense of other stakeholders in Internet governance decisions, and it could legitimize greater state control over Internet content and communications. In particular, this model could support greater use of “localization” requirements, such as national laws requiring servers to be physically located within a country or limits on transferring data across borders.

The press revelations about US surveillance have emboldened supporters of localization requirements for Internet communications. Brazil, Indonesia, and Vietnam have proposed requiring e-mails and other Internet communications to be stored locally, in the particular country. Although generally favoring the multi-stakeholder approach to many Internet governance issues, the EU has also shifted in the direction of localization requirements. In the second half of 2013, the EU Parliament voted in favor of a proposal to limit international data flows; this provision would prohibit responding to lawful government requests, including from the US courts and government, until release of such records was approved by a European data protection authority.

Public debate has suggested a possible mix of motives supporting such localization requirements, including (1) concern about how records about their citizens will be treated in the US; (2) support for local cloud providers and other information technology companies with the effect of reducing the market share of US providers; and (3) use of the localization proposals as a way to highlight concerns about US intelligence practices and create leverage for possible changes in US policy. Whatever the mix of motives, press reports about US surveillance have posed new challenges for the longstanding US policy favoring the multi-stakeholder approach to Internet governance as well as US opposition to localization requirements.

C. Technical Measures to Increase Security and User Confidence

RECOMMENDATION 29

We recommend that, regarding encryption, the US Government should:

(1) fully support and not undermine efforts to create encryption standards;

(2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and

(3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.

Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy. Users of encryption must be confident, and justifiably confident, that only those people they designate can decrypt their data.

The use of reliable encryption software to safeguard data is critical to many sectors and organizations, including financial services, medicine and health care, research and development, and other critical infrastructures in the United States and around the world. Encryption allows users of information technology systems to trust that their data, including their financial transactions, will not be altered or stolen. Encryption-related software, including pervasive examples such as Secure Sockets Layer (SSL) and Public Key Infrastructure (PKI), is essential to online commerce and user authentication. It is part of the underpinning of current communications networks. Indeed, in light of the massive increase in cyber crime and intellectual property theft online, the use of encryption should be greatly expanded to protect not only data in transit, but also data at rest on networks, in storage, and in the cloud.

We are aware of recent allegations that the United States Government has intentionally introduced “backdoors” into commercially available software, enabling decryption of apparently secure software. We are also aware that some people have expressed concern that such “backdoors” could be discovered and used by criminal cartels and other governments, and hence that some commercially available software is not trustworthy today.

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.174

Nonetheless, it is important to take strong steps to enhance trust in this basic underpinning of information technology. Recommendation 32 is designed to describe those steps. The central point is that trust in encryption standards, and in the resulting software, must be maintained. Although NSA has made clear that it has not and is not now doing the activities listed below, the US Government should make it clear that:

• NSA will not engineer vulnerabilities into the encryption algorithms that guard global commerce;

• The United States will not provide competitive advantage to US firms by the provision to those corporations of industrial espionage;

• NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product; and

• NSA will not hold encrypted communication as a way to avoid retention limits.

Although NSA is authorized to retain encrypted data indefinitely for cryptanalysis purposes, such as for encryption systems of nation-states or terrorist groups, NSA should not store generic commercial encrypted data, such as Virtual Private Network (VPN) or SSL data. If NSA is able to decrypt data years after it is collected, that data, once decrypted, should be sent to an analytic storage facility, where standard retention, minimization, and reporting rules would apply. Those rules should include minimization of US person data and a prohibition on using data that is beyond authorized retention limits.

RECOMMENDATION 30

We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called “Zero Day” attacks because developers have had zero days to address and patch the vulnerability. US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.

NSA and other US Government agencies, such as DHS, have important missions to assist US corporations in the protection of privately owned and operated critical infrastructure information networks. To do so, NSA, DHS, and other agencies should identify vulnerabilities in software widely employed in critical infrastructure and then work to eliminate those vulnerabilities as quickly as possible. That duty to defend, however, may sometimes come into conflict with the intelligence collection mission, particularly when it comes to what are known as “Zero Days.”

A Zero Day or “0 Day” exploit is a previously unknown vulnerability in software in a computer application or system—the developers or system owners have had zero days to address or patch the vulnerability. Because the software attack technique has not been used or seen before, it enables a cyber attacker to penetrate a system or to achieve other malicious goals. In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection. Eliminating the vulnerabilities—“patching” them—strengthens the security of US Government, critical infrastructure, and other computer systems.

We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability. Before approving use of the Zero Day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach. The NSS should chair the process, with regular reviews. All offices and departments with relevant concerns, generally including the National Economic Council, State, Commerce, Energy, and Homeland Security, should be involved in that process.

D. Institutional Measures for Cyberspace

RECOMMENDATION 31

We recommend that the United States should support international norms or international agreements for specific measures that will increase confidence in the security of online communications. Among those measures to be considered are:

(1) Governments should not use surveillance to steal industry secrets to advantage their domestic industry;

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise manipulate the financial systems;

(3) Governments should promote transparency about the number and type of law enforcement and other requests made to communications providers;

(4) Absent a specific and compelling reason, governments should avoid localization requirements that (a) mandate location of servers and other information technology facilities or (b) prevent trans-border data flows.

The US Government should encourage other countries to take specific measures to limit the possible negative consequences of their own intelligence activities, and increase public trust and user confidence in the security of online communications. Norms or agreements might be valuable for that purpose.

We suggest consideration of a series of specific steps. First, governments should not use their surveillance capabilities to steal industry secrets to advantage their domestic industries. Surveillance may take place against both foreign and domestic companies for a variety of reasons, such as to promote compliance with anti-money laundering, anti-corruption, and other laws, as well as international agreements such as economic sanctions against certain countries. The purpose of such surveillance, however, should not be to enable a government to favor its domestic industry. Bolstering an international norm against this sort of economic espionage and competition would support economic growth, protect investment and innovation in intellectual property, and reduce costs to those innovators of protecting against nation-state cyber attacks.

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counterattacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

Third, governments should increase transparency about requests in other countries from communications providers. Elsewhere in this Report, we discuss the importance of such transparency, and recommend increasing reporting by both providers and the US Government. Transparency about the number and nature of such requests serves as a check against abuse of the lawful access process. Greater transparency can also encourage increased trust in the security of Internet communications and reduce the risk that governments are obtaining widespread access to private communication records without the knowledge of users. Putting this sort of provision into free trade agreements or other international instruments can broaden the positive effects of greater transparency within the US.

Fourth, we support international efforts to limit localization requirements except where there is a specific and compelling reason for such actions. Global inter-operability has been a fundamental technical feature of the Internet; bits flow from one user to the next based on technical considerations rather than national boundaries. National efforts to tamper with this architecture would require pervasive technical changes and be costly in economic terms. A balkanized Internet, sometimes referred to as a “splinternet,” would greatly reduce the economic, political, cultural, and other benefits of modern communications technologies. The US Government should work with allies to reduce harmful efforts to impose localization rules onto the Internet.

RECOMMENDATION 32

We recommend that there be an Assistant Secretary of State to lead diplomacy of international information technology issues.

In the wake of recent disclosures, distortions, and controversies involving US Government intelligence collection, there is an increased need for vigorous, coordinated, senior-level US diplomacy across a broad range of inter-related information technology issues. We believe that the US should take the lead in proposing an agreement among multiple nations to some set of Internet Norms for Cyberspace, such as a prohibition on industrial espionage, a protection of financial services and markets data standard, and others. To this end, we recommend a US diplomatic agenda to promote confidence-building measures for international cyber security, building on the Budapest Convention on Cyber Crime. The promotion of the Internet Freedom Agenda, the protection of intellectual property rights in cyberspace, changes in Internet governance and the implementation of the President’s International Cyber Strategy—all will necessitate agile diplomatic activity by the United States.

Currently, there is no single, senior US diplomat, and no single Department of State Bureau, with lead responsibility across this broad set of issues. Just as other international, non-regional functional issues have in the past benefited from the creation of an Assistant Secretary of State position and of a State Department bureau (International Narcotics, Environmental Affairs, Counterterrorism, Human Rights), the interests of the United States would be served by the creation of a Department of State Bureau of Internet and Cyberspace Affairs, led by an experienced senior diplomat confirmed by the Senate as an Assistant Secretary of State. The Assistant Secretary would coordinate activity of the regional and functional bureaus on these issues and should, with NSS support, coordinate interagency activities with other governments.

RECOMMENDATION 33

We recommend that as part of its diplomatic agenda on international information technology issues, the United States should advocate for, and explain its rationale for, a model of Internet governance that is inclusive of all appropriate stakeholders, not just governments.

The United States Government should continue and strengthen its international advocacy for an Internet governance model that is inclusive of all appropriate stakeholders, not just governments. This recommendation builds on the administration’s 2011 International Strategy for Cyberspace, which outlines multiple US Government goals with respect to global communications technologies. It articulates the need to protect national security, while also highlighting the importance of economic growth, openness, privacy protection, and a secure communications infrastructure. Other administration initiatives similarly emphasize the importance of multiple policy goals for online communications, such as the efforts led by the Department of State on the Internet Freedom agenda and the efforts led by the Department of Commerce on the Consumer Privacy Bill of Rights.

As part of the overall discussion of US policy concerning communications technology, we believe that the US Government should reaffirm that Internet governance must not be limited to governments, but should include all appropriate stakeholders. Inclusion of such stakeholders—including civil society, industry, and technical experts—is important to ensure that the process benefits from a wide range of information and to reduce the risk of bias or partiality.

We are aware that some changes in governance approaches may well be desirable to reflect changing communications practices. For instance, the time may well be approaching for a hard look at the unique US relationship to the organization that governs the domain name system, the Internet Corporation for Assigned Names and Numbers (ICANN). The current US role is an artifact of the early history of the Internet, and may not be well suited to the broader set of stakeholders engaged in Internet governance today. The US Government and its allies, however, should continue to oppose shifting governance of the Internet to a forum, such as the International Telecommunications Union, where nation-states dominate the process, often to the exclusion of others. We believe that such a governance shift would threaten the prosperity, security, and openness of online communications.

RECOMMENDATION 34

We recommend that the US Government should streamline the process for lawful international requests to obtain electronic communications through the Mutual Legal Assistance Treaty process.

US efforts to obtain improved international cooperation on information technology issues of importance to us are undermined by the inability of the Department of Justice to provide adequate support to other nations when they request our assistance in dealing with cyber crime originating in the United States. The Justice Department has severely under-resourced the so-called Mutual Legal Assistance Treaty (MLAT) support process.

The MLAT process essentially permits one country to seek electronic communication and other records held in other countries. For instance, non-US countries may seek e-mails held in the United States by web e-mail providers. Under the Electronic Communications Privacy Act, providers in the US can turn over the content of e-mails only through the required legal process, typically requiring probable cause that a crime has been committed.

The MLAT process creates a legal mechanism for non-US countries to obtain e-mail records, but the process today is too slow and cumbersome. Requests appear to average approximately 10 months to fulfill, with some requests taking considerably longer. Non-US governments seeking such records can face a frustrating delay in conducting legitimate investigations. These delays provide a rationale for new laws that require e-mail and other records to be held in the other country, thus contributing to the harmful trend of localization laws discussed above.

We believe that the MLAT process in the US should be streamlined, both in order to respond more promptly to legitimate foreign requests and to demonstrate the US commitment to a well-functioning Internet that meets the goals of the international community. Promising reform measures could include:

1. INCREASE RESOURCES TO THE OFFICE IN THE DEPARTMENT OF JUSTICE THAT HANDLES MLAT REQUESTS. The Office of International Affairs (OIA) in the Department of Justice has had flat or reduced funding over time, despite the large increase in the international electronic communications that are the subject of most MLAT requests.

2. CREATE AN ONLINE SUBMISSION FORM FOR MLATS. Today, there is no online form for foreign governments that seek to use the MLAT process. An online submission process, accompanied by clear information to foreign governments about the MLAT requirements, would make it easier for distant and diverse foreign governments to understand what is required under the US probable cause standard or other laws.

3. STREAMLINE THE NUMBER OF STEPS IN THE PROCESS. Under the current system, the OIA first examines a request, and then forwards it to the US Attorney in the district where the records are held. That US Attorney’s office then reviews the application a second time, and handles the request subject to the other priorities of that office. The Department of Justice should explore whether a single point of contact would be able to expedite the MLAT request.

4. STREAMLINE PROVISION OF THE RECORDS BACK TO THE FOREIGN COUNTRY. Under the current system, the provider sends the records to the Department of Justice, which then forwards the records to the requesting country. It may be possible to streamline this process by permitting the provider to send the records directly to the requesting country, with notice to the Justice Department of what has been sent.

5. PROMOTE THE USE OF MLATS GLOBALLY AND DEMONSTRATE THE US GOVERNMENT’S COMMITMENT TO AN EFFECTIVE PROCESS. Changing technology has sharply increased the importance for non-US governments of gaining lawful access to records held in the United States. Web e-mail providers are largely headquartered in the United States, and today’s use of secure encryption for e-mail means that other governments frequently cannot intercept and read the e-mail between the user and the server. It is in the interest of the United States to support the continued use of efficient and innovative technologies on the Internet, including through leading web e-mail providers. The US Government can promote this interest by publicizing and supporting the existence of a well-functioning MLAT process, thereby reducing the likelihood of harmful localization measures.

E. Addressing Future Technological Challenges

This chapter has thus far addressed issues that are currently known to implicate US intelligence and communications technology policy. Communications technology will continue to change rapidly, however, so institutional mechanisms should be in place to address such changes.

RECOMMENDATION 35

We recommend that for big data and data-mining programs directed at communications, the US Government should develop Privacy and Civil Liberties Impact Assessments to ensure that such efforts are statistically reliable, cost-effective, and protective of privacy and civil liberties.

We believe that the Intelligence Community should develop Privacy and Civil Liberties Impact Assessments for new programs or substantial modifications of existing programs that contain substantial amounts of personally identifiable information. Under the E-Government Act of 2002, federal agencies are required to prepare Privacy Impact Assessments (PIAs) in connection with the procurement of new, or substantially modified, information technology systems. These PIAs are designed to encourage building privacy considerations early into the procurement cycle for such systems.

Our focus here is on the broader programs that may constitute multiple systems. The goal in the program assessment should be broader and more policy-based than has usually been the case for PIAs. For instance, policy officials should explicitly consider the costs and benefits of a program if it unexpectedly becomes public. In some cases, that consideration may result in modifications of the program, or perhaps even in a decision not to go forward with a program.175

RECOMMENDATION 36

We recommend that for future developments in communications technology, the US should create program-by-program reviews informed by expert technologists, to assess and respond to emerging privacy and civil liberties issues, through the Civil Liberties and Privacy Protection Board or other agencies.

Technical collection and communications technologies continue to evolve rapidly. The US Government should adopt mechanisms that can assess and respond to emerging issues. To do this effectively, expert technologists, with clearances as needed, must be deeply involved in the process.¹⁷⁶

We recommended in Chapter Six that the CLPP Board should have an Office of Technology Assessment, capable of assessing the privacy and civil liberties implications of Intelligence Community programs. Sufficient funding for this office should be part of the generally enhanced budget for policy and oversight concerning the expensive and technically sophisticated programs of the Intelligence Community.177

¹⁶⁹ White House Fact Sheet: Transatlantic Trade and Investment Partnership (T-TIP), June, 2013, available at http://www.ustr.gov/about-us/press-office/factsheets/2013/june/wh-ttip.

¹⁷⁰ “Draft Working Document on Foreign Policy Aspect of the Inquiry on Electronic Mass Surveillance of EU Citizens,” European Parliament Committee on Foreign Affairs, Nov. 4, 2013, available at http://www.statewatch.org/news/2013/nov/ep-nsa-surv-inq-working-document-fa-committee.pdf.

¹⁷¹ Bhatt Jaheen, “In Wake of PRISM, German DPAs Threaten to Halt Data Transfers to Non-EU Countries,” Bloomberg BNA, July 29, 2013, available at http://www.bna.com/wake-prism-germann1717987502.

¹⁷² “Garner Predict Cloud Computing Spending to Increase by 100% in 2016, says AppsCare,” PRWEb.com, 2012, available at http://prweb.com/releases/2012/7/prweb9711167.htm.

¹⁷³ Daniel Castro, “How Much Will PRISM Cost the US Cloud Computing Industry,” August, 2013 (estimating monetary impact on US cloud providers of $21.5 billion by 2016, based on 10% loss in foreign market share), available at www2.itif.org/2013-cloud-computing-costs.pdf; Cloud Security Alliance, “CSA Survey Results: Government Access to Information”, July 2013, available at https://downloads.cloudsecurityalliance.org/initiatives/surveys/nsa_prism/CSAgovt-access-survey-July-2013.pdf (losses up to $180 billion by 2016).

¹⁷⁴ Any cryptographic algorithm can become exploitable if implemented incorrectly or used improperly.

¹⁷⁵ We should emphasize here that data-mining and big data have been the subject of previous federally funded reports, notably including “Safeguarding Privacy in the Fight Against Terrorism,” from the Technology and Privacy Advisory Committee of the Department of Defense (2004), and “Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment,” by the National Research Council (2008). These studies have examined issues of data-mining in considerable detail, and we have found them useful and illuminating. Related academic work includes Fred H. Cate, “Government Data Mining: the Need for a Legal Framework,” Harvard Civil Rights-Civil Liberties Law Review 43, 2008; Peter Swire, “Privacy and Information Sharing in the War Against Terrorism,” 51 Villanova Law Review 260, 2006. We encourage agencies to study this literature, and adopt risk management approaches where feasible.

¹⁷⁶ The Federal Trade Commission (FTC) often plays this role for evolving privacy-related issues, such as through its recent workshops on the Internet of Things or Big Data. The FTC’s jurisdiction, however, is limited to the commercial sector. It has no jurisdiction over technology issues facing government agencies, including the Intelligence Community.

¹⁷⁷ If an OTA is not created within the PCLOB or a new CLPP Board, then the intelligence community should find other mechanisms to institutionalize the effects of new programs on privacy, civil liberties, and the other important values implicated by cutting-edge intelligence technologies. These new mechanisms must include effective participation by expert technologists beyond those involved in development of the program.