Beginning with 2013’s Snowden leaks, the Obama administration publicly wrestled with various thorny issues at the intersection of technology and government surveillance.
When, how, and for what purposes should the government collect personal communications and other data? Is it ever appropriate for the government to exploit software flaws for intelligence gathering or crimefighting, rather than sharing them with the developer? Is strong encryption a fundamental right or a threat to public safety?
These questions now fall to President Trump. After a promising start with the Trump Tower tech summit last December, relations appear to have soured. The tech sector, with its tens of thousands of international employees, reacted furiously to the administration’s recent executive order on immigration and refugees. Some leading tech companies are now considering whether to file a lawsuit challenging the order.
Surveillance and data-privacy issues are likely to add tension to the already fraught relationship between Trump and tech. While surveillance issues did not feature prominently during the campaign, the President and his advisors have promised an aggressive campaign to secure the homeland and defeat terrorist groups abroad. Given that emphasis, it is fair to assume that the new administration will not be inclined to reduce or eliminate existing surveillance capabilities, and may consider adding new ones.
But while some surveillance-related friction is probably inevitable, it does not have to degenerate into outright hostility. In a recent report on the future of surveillance policy, the Center for a New American Security offers more than 60 recommendations that can enable the Administration to fulfill its campaign promises — destroying terrorist groups, protecting the country against attacks, and ensuring that international relationships serve U.S. interests — and address controversial issues like encryption and government hacking while minimizing friction with the Congress, the courts, the technology community, and civil society.
Meanwhile, industry will need to build bridges to the administration and be open to reasonable compromises that protect its core interests and values.
On encryption, the new administration will likely seek to aid law enforcement with the very real challenges posed by encrypted mobile devices. At the same time, newly confirmed CIA Director Mike Pompeo has opposed government-mandated “backdoors” in encrypted devices.
Whatever the merits of a decryption mandate from a pure public-safety perspective, reviving that battle would embroil the new administration in a public showdown with the tech industry and civil-society groups, distracting Congress and the country from the President’s other policy priorities.
Fortunately, there are alternatives. Instead of renewing the push for backdoors, the Administration and Congress could give the FBI greater resources to crack encryption on its own in the toughest cases, without forcing companies to weaken or hack their own products.
This is the approach taken by Germany, which recently created a new agency to help law enforcement cope with encryption without mandatory backdoors. Congress and the Administration can also give the FBI resources and authority to share its expertise on encryption with the thousands of state and local police agencies that don’t have the technological resources to deal with it on their own.
These proposals, which should enjoy bipartisan support, would help law enforcement deal with the encryption challenge without alienating the technology community or most civil libertarians. To be sure, they are not a complete solution from law enforcement’s perspective. But they would be an improvement—and without the political costs of a renewed fight over backdoors.
Another issue where the new administration will likely seek to add a sharper edge to existing policy is what commitments the U.S. government makes to respect the privacy interests of foreigners. In January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28), which imposed various limitations on electronic surveillance. Among these new restraints was a promise to consider the “legitimate privacy interests” of “all individuals,” including non-Americans overseas.
Under PPD-28, the intelligence community must delete a foreigner’s personal information after five years unless officials specifically determine that the information has foreign intelligence value. In addition, a 2015 law, the Judicial Redress Act, guarantees EU citizens protection under the U.S. Privacy Act, which includes the right to challenge certain privacy violations in U.S. courts. Yet European countries have granted none of these courtesies to Americans.
Some, including incoming CIA Director Pompeo, have proposed revoking PPD-28. These critics are correct that PPD-28 is not perfect and could better serve American interests. But the new Administration could gain more by modifying PPD-28 than by scrapping it altogether.
For example, the Trump Administration could demand that other countries credibly promise comparable protections to Americans if they want to retain PPD-28’s privacy protections for their own citizens. (Requiring the promises to be credible would exclude authoritarian foes such as Russia, China, and Iran.) This would accord with the President-elect’s emphasis on ensuring that international agreements give the United States a fair deal. And it would give the intelligence community more leeway to operate against our nation’s most dangerous adversaries.
Perhaps most importantly, however, demanding reciprocity would highlight that U.S. privacy commitments outstrip those made by our European allies—something European privacy advocates and institutions have long ignored. Drawing this favorable contrast would help reinforce the critical Privacy Shield agreement, which permits companies to transfer European citizens’ data to the United States. Without that ability, many transnational Internet services could not function.
Privacy Shield is currently being challenged in European courts. If the European Court of Justice invalidates Privacy Shield based on its perception of U.S. surveillance practices — a very real risk — it would create a major headache for the Trump Administration.
Raising European awareness of the U.S.’s stronger legal and oversight controls over surveillance would lessen that risk. (This should include reminding the EU of the Judicial Redress Act, which guarantees EU citizens Privacy Act protections notwithstanding the Administration’s recent Executive Order.) By contrast, canceling PPD-28’s privacy commitments to Europeans would substantially increase it.
Another area for potential compromise is how the government decides whether to disclose software vulnerabilities to the developer or retain them for use by intelligence and law enforcement agencies.
The government cannot, and should not, promise to disclose all vulnerabilities; in some cases, the value for national security or public safety outweighs any risk of harm to ordinary users. But it can provide greater transparency about the “Vulnerabilities Equities Process” it uses in making these decisions.
This could include clarifying which agencies have a say in the process, publicizing the standard they use to decide whether to retain or disclose, and issuing annual reports about the process’s operation. These modest steps would enhance industry’s confidence that the government takes its equities seriously, without giving up the ability to retain vulnerabilities, under appropriate secrecy, where needed to protect the nation.
Finally, industry and the new administration should work together to ensure that there are clear channels of communication before a crisis occurs. To do this, the NSA should create an industry advisory board composed of corporate officials who hold security clearances. For companies uncomfortable with such close ties to a spy agency, the NSA could also create a one-way channel to receive comment from American companies about how intelligence practices affect their businesses.
The tech-Trump relationship will inevitably have its ups and downs over the next four years. But both sides have an incentive to ensure that legitimate policy disagreements don’t descend into antagonism. Finding reasonable middle ground on these surveillance issues would be a good start.