
Presidential Review Scorecard

In August of 2013, President Obama established the Review Group on Intelligence and Communications Technology to review and provide recommendations on "how in light of advancements in communications technologies, the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure."

On December 12, 2013, the President's Review Group released its report, Liberty and Security in a Changing World: Report and Recommendations of the President's Review Group on Intelligence and Communications Technologies. The report detailed 46 recommendations. Two years later, EPIC has compiled a scorecard to evaluate the progress of implementing those recommendations.

The scorecard reveals that very few recommendations have been fully implemented. Some are in various stages of progress, but, according to publicly available information, the majority have not even been started.

| # | Recommendation | Grade |
|---|---|---|
| 1 | Section 215 order only if: 1) reasonable belief that investigation is relevant to authorized investigation to protect against international terrorism or clandestine intelligence activities; 2) order is reasonable in focus, scope, breadth like a subpoena. | 1 |
| 2 | National Security Letters (NSLs) only on judicial finding that: 1) reasonable belief that investigation is relevant to authorized investigation to protect against international terrorism or clandestine intelligence activities; 2) order is reasonable in focus, scope, breadth. | 0 |
| 3 | NSLs should require same oversight, minimization, retention & dissemination standards as 215 orders. | 0 |
| 4 | Under Section 215 of the Patriot Act: No collection and storage of all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes without review - must be narrowly tailored. | 1 |
| 5 | Legislation that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party. Access only with 215 order. | 1 |
| 6 | Study assessing the distinction between metadata and other types of information - include expert analysis. | 0 |
| 7 | Legislation requiring detailed information about authorities such as those involving NSLs, section 215 business records, section 702, pen register and trap-and-trace, and the section 215 bulk telephony meta-data program should be made available to Congress and the American people. | 0.25 |
| 8 | Legislation providing that non-disclosure orders for NSLs, 215s, and 702s may be issued only upon a judicial finding on reasonable grounds (e.g. threaten the national security, interfere with an ongoing investigation, endanger the life or physical safety of any person, etc.). Order should last no more than 180 days. Recipient of the order needs to be able to seek legal counsel in order to challenge the order's legality. | 0.25 |
| 9 | Legislation that allows recipients of NSLs and the like to publicly disclose on a periodic basis general information about the orders (e.g. # received, # complied with, etc.) | 0.75 |
| 10 | Gov't should publicly disclose on a regular basis general data about NSLs and the like | 1 |
| 11 | Programs similar to 215 bulk telephony meta-data should only be secret after careful deliberation (respecting privacy principles), and if: (a) the program serves a compelling governmental interest and (b) the efficacy of the program would be substantially impaired if our enemies were to know of its existence. | 0 |
| 12 | If intercepted communication involves US person then: (1) any information about that US person should be purged upon detection unless it either has foreign intelligence value or is necessary to prevent serious harm to others; (2) any information about the US person may not be used in evidence in any proceeding against that United States person; (3) the government may not search the contents of communications acquired under section 702 in an effort to identify communications of particular US persons, except (a) death or serious bodily harm, or (b) to search contents with US identifiers, the government needs a warrant based on probable cause that US person is engaged in terrorism. | 0 |
| 13 | US Government should reaffirm that 702 surveillance of non-US persons: (1) must be authorized by duly enacted laws or properly authorized executive orders; (2) must be directed exclusively at the national security of the United States or our allies; (3) must not be directed at illicit or illegitimate ends; and (4) must not disseminate information about non-US persons if not relevant to national security. In addition, the US Government should make clear that such surveillance: (1) must not target based on political views or religious convictions; and (2) must be subject to careful oversight and transparency | 0.75 |
| 14 | Gov't should follow the model of the DHS, and apply the Privacy Act in the same way to both US persons and non-US persons. | 0.5 |
| 15 | NSA should have limited statutory emergency authority to continue to track known targets of counterterrorism surveillance when they first enter the US until the FISA Ct. has time to authorize. | 0 |
| 16 | New process requiring high-level approval of all sensitive intelligence requirements and the methods the Intelligence Community will use to meet them. | 0.25 |
| 17 | Senior policymakers should: (1) review any sensitive requirements (including Tier One and Tier Two); (2) review the methods and targets of collection on requirements in any Tier that they deem sensitive; and (3) participate in the review process because disclosures of classified information can have detrimental effects on US economic interests. | 0 |
| 18 | Director of National Intelligence should establish a mechanism to monitor the collection and dissemination activities of the Intelligence Community and prepare annual reports to National Security Advisor. | 0 |
| 19 | Decisions to engage in surveillance of foreign leaders should consider the following criteria: (1) Is there a need to engage in such surveillance in order to assess significant threats to our national security? (2) Is the other nation one with whom we share values and interests, with whom we have a cooperative relationship, and whose leaders we should accord a high degree of respect and deference? (3) Is there a reason to believe that the foreign leader may be being duplicitous in dealing with senior US officials or is attempting to hide information relevant to national security concerns from the US? (4) Are there other collection means or collection targets that could reliably reveal the needed information? (5) What would be the negative effects if the leader became aware of the US collection, or if citizens of the relevant nation became so aware? | 1 |
| 20 | Gov't should examine the feasibility of creating software that would allow the National Security Agency and other intelligence agencies more easily to conduct targeted information acquisition rather than bulk-data collection. | 1 |
| 21 | We recommend that with a small number of closely allied governments, US should explore arrangements relative to intelligence on each other's citizens (including limitations on collection). The criteria should include: (1) shared national security objectives; (2) a close, open, honest, and cooperative relationship between senior-level policy officials; and (3) a relationship between intelligence services characterized both by the sharing of intelligence information and analytic thinking and by operational cooperation against targets. | 0 |
| 22 | (1) the Director of the National Security Agency should be a Senate-confirmed position; (2) civilians should be eligible to hold that position; and (3) the President should give serious consideration to making the next Director of the National Security Agency a civilian. | 0 |
| 23 | National Security Agency should be clearly designated as a foreign intelligence organization; missions other than foreign intelligence collection should generally be reassigned elsewhere. | 0 |
| 24 | Head of US Cyber Command and NSA should not be a single official. | 0 |
| 25 | Information Assurance Directorate should become a separate agency within the Department of Defense. | 0 |
| 26 | Create a privacy and civil liberties policy official located both in the National Security Staff and the Office of Management and Budget. | 1 |
| 27 | (1) create a new agency, the Civil Liberties and Privacy Protection Board, that can oversee Intelligence Community activities for foreign intelligence purposes, rather than only for counterterrorism purposes; (2) This new agency should be an authorized recipient for whistle-blower complaints related to privacy and civil liberties concerns from employees in the Intelligence Community; (3) An office should be created to assess Intelligence Community technology initiatives and support privacy-enhancing technologies; and (4) Some compliance functions should be shifted from the National Security Agency to the new agency. | 0 |
| 28 | (1) Congress should create the position of Public Interest Advocate to represent privacy and civil liberties interests before FISA; (2) the FISA should have greater technological expertise available to the judges; (3) the transparency of the FISA decisions should be increased; and (4) SCOTUS should appoint FISA judges. | 0.75 |
| 29 | US Gov't should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage. | 0.25 |
| 30 | We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. Should quickly resolve vulnerabilities. | 1 |
| 31 | We recommend that the United States should support international norms or international agreements for specific measures that will increase confidence in the security of online communications. Among those measures to be considered are: (1) Don't steal industry secrets; (2) Don't manipulate the financial systems; (3) Law enforcement request transparency; (4) Don't mandate location of IT infrastructure | 0 |
| 32 | Need Assistant Secretary of State to lead diplomacy of international information technology issues to create a set of Internet Norms of Cyberspace. | 0 |
| 33 | Advocate for a model of Internet governance that is inclusive of all appropriate stakeholders, not just governments. | 0 |
| 34 | Streamline the process for lawful international requests to obtain electronic communications through the Mutual Legal Assistance Treaty process | 0.5 |
| 35 | Conduct privacy assessments of big data and data-mining programs directed at communications | 0 |
| 36 | US should create program-by-program reviews informed by expert technologists, to assess and respond to emerging privacy and civil liberties issues | 0 |
| 37 | Background investigations for security clearances should be performed solely by Gov't employees or by a non-profit, private sector corporation | 1 |
| 38 | The vetting of personnel for access to classified information should be ongoing, rather than periodic. Should continuously monitor personnel, to note such things as changes in credit ratings or any arrests or court proceedings. | 0 |
| 39 | Security clearances should be more highly differentiated, including the creation of administrative access clearances. | 0 |
| 40 | Institute a demonstration project in which personnel with security clearances would be given an Access Score, based upon the sensitivity of the information to which they have access. | 0 |
| 41 | We recommend that the need-to-share or need-to-know models should be replaced with a Work-Related Access model, which would ensure that all personnel whose role requires access to specific information have such access, without making the data more generally available to cleared personnel who are merely interested. | 0 |
| 42 | We recommend that the Government networks carrying Secret and higher classification information should use the best available cyber security hardware, software, and procedural protections against both external and internal threats. Reports on the implementation should occur. All networks carrying classified data, including those in contractor corporations, should be subject to a Network Continuous Monitoring Program. | 0 |
| 43 | President's prior directions to improve the security of classified networks, Executive Order 13587, should be fully implemented as soon as possible | 0 |
| 44 | National Security Council Principals Committee should annually meet to review the state of security of US Government networks carrying classified information, programs to improve such security, and evolving threats to such networks. An interagency Red Team should report annually to the Principals with an independent, second opinion on the state of security of the classified information networks. | 0 |
| 45 | All US agencies and departments with classified information should expand their use of software, hardware, and procedures that limit access to documents and data to those specifically authorized to have access to them. Should use information management rights software to control/audit access. | 0 |
| 46 | Use cost-benefit analysis and risk-management approaches, both prospective and retrospective, to orient judgments about personnel security and network security measures. | 0 |
