Given that the NSA is unlikely to police itself and the lobbying pressure from Big Tech is nothing to sneeze at, the next step is tech-sponsored legislation to keep NSA snooping in line.
But what would such legislation look like, especially if Big Tech pressure was behind it?
There's already a bill that serves as a step in that direction: the USA Freedom Act (S.1599) sponsored by Senator Patrick J. Leahy (D - VT). This bill deals with some but not all of the major and most egregious aspects of the government's data-dragnet and surreptitious surveillance activities. Some of the fixes proposed in the bill:
- Better privacy protections for accessing business records, and more judicious use of "pen registers" and "trap and trace devices" -- both technical names for widely criticized surveillance techniques that harvest phone numbers. The Inspector General of the Department of Justice would also have to audit the effectiveness of pen registers and trap and trace devices from 2010 through 2013.
- Changes to the Foreign Intelligence Surveillance Court, which oversees requests for surveillance warrants. The proposed changes would allow for greater disclosure of the court's decisions, as well as an appeals process.
- Strengthening the prohibition on "reverse targeting," where data on American citizens is collected by way of harvesting data about foreign nationals.
- The bill also yanks back the sunset provisions of the previous FISA Amendments Act of 2008, so that act's provisions end 2.5 years earlier (June of 2015 instead of December 2017).
There's still a great deal missing from the bill, as the Electronic Frontier Foundation pointed out -- especially when it comes to legal measures that concentrate on technical aspects of spying.
To that end, here are some ideas on what future tech-friendly amendments to the bill could include:
- A ban on the use of surreptitious data-interception techniques that involve hijacking or misdirecting Internet traffic. This technique has been used several times now by both U.S. and U.K. spy agencies. Making such techniques explicitly illegal seems wise in light of how easy it remains to misdirect Internet traffic on a global scale.
- The freedom for ISPs to notify their customers, or the public generally, about surveillance, and have more flexible handling of gag orders over such issues. It was bad enough that Lavabit and Silent Circle opted to shut down their encrypted email services rather than comply with government orders to hand over encryption information; it was even worse that they couldn't talk about it openly. Such a measure would have impact far beyond tech companies, of course, but they have been among the loudest to protest not being able to discuss government data requests.
- Some way of dealing with how the NSA worked to surreptitiously weaken encryption standards. One possible method would be ensuring that all encryption standards with NSA support be audited independently of any government agency for a certain period of time. This part would be particularly tough, given the amount of time needed to establish confidence in a given cryptographic method.
What specific demands get made are also likely to be shaped by the nature of the tech companies in question. Among the companies that sent their open letter to Washington, none is a mobile provider or a common carrier. It's an open question whether that's because such a move would further complicate their already-thorny relationships with the government, or because carriers and providers are at odds with each other and see little reason to share a mission -- even one this broad.
This article, "To rein in the NSA for good, here's what's needed," was originally published at InfoWorld.com.