Serdar Yegulalp
Senior Writer

What Obama’s NSA reform means for tech

analysis
Jan 17, 2014 | 5 mins

The few surveillance reforms described in Obama's speech leave too many unanswered questions about NSA's overreach into tech

When President Barack Obama stepped down from the podium after describing his plans for reforming the United States’ surveillance programs, only the most newsworthy and hot-button issues had been addressed. Reforms that the tech industry would most want — such as prohibiting the undermining of encryption standards — went unmentioned, and only a few specific reforms that would have an immediate and useful impact on the tech landscape were offered.

No word of cyber program reform

When the five-member Review Group on Intelligence and Communications Technologies issued its report in December last year, it made a number of recommendations involving the National Security Agency’s use of specific technologies. Among them: not weakening encryption standards, not exploiting zero-day attacks, and having better review and oversight for how the NSA responds to advances in communications technology. All of these issues, especially the NSA’s underhanded handling of encryption by way of the NIST (National Institute of Standards and Technology) — and possibly companies like RSA — have sparked ire in the tech world.

But Obama’s speech touched on almost none of this, or if it did, it only hinted at it in the most oblique and indirect way. Encryption and the NIST itself weren’t even mentioned. It’s an echo of the sentiments felt by top technology company executives when they met with Obama in December 2013 and made their own recommendations for NSA reform. Obama promised at the time to “consider their input,” but made no commitments.

One possible reason Obama kept silent on these issues is that most of the public attention vis à vis the NSA is now focused on the bulk collection of phone records, which is a far more visible and hot-button issue than more technically complex ones like encryption standards. But some mention of this problem, even as an offering during the pre-briefing for the press, would have been better than nothing.

Until these issues are discussed more explicitly by this administration, there’s no sense that the government will take a stand against that kind of underhanded meddling. The tech industry will have to remain vigilant on its own — the loss of a major opportunity for government and tech business to be less antagonistic.

Bulk phone data collection: Who keeps it?

As noted above, the most high-profile part of Obama’s speech involved the reform of the NSA’s bulk phone data collection program. But the plan isn’t being suspended, despite many questions about its ultimate effectiveness.

Aside from cutting down the number of hops away from a suspect that the NSA can pursue phone intelligence (down to two from three), Obama also stated he was “establishing a mechanism that preserves the capabilities we need without the government holding this bulk metadata.”

“This will not be simple,” he admitted. That’s an understatement, because the only two plans on the table right now don’t sound like much of an improvement.

The first plan involves the providers themselves continuing to retain the data, which would only be queried as needed by the government, something Obama admitted could have additional repercussions. “Relying solely on the records of multiple providers … could require companies to alter their procedures in ways that raise new privacy concerns.”

If the data was indeed left with the providers, it would be useful to also allow them a little more freedom to speak about the data collection programs conducted against that data. Obama’s speech did hint at one possible reform in that direction: Placing terms of expiry on the gag orders that go with the use of National Security Letters. As long as the time limits are sane (180 days, not five years), that could be useful.

The second plan, however, involves consolidating the data in the hands of a third party. That might well be the worst option of all if the custodian turns out to be a corporate data clearinghouse. Such companies have poor track records for security and might well allow that data to be leaked to an even broader, more indiscriminate audience.

A closer look at big data

As an adjunct to his talk about the data collection programs, Obama mentioned he was tasking Counselor John Podesta “to lead a comprehensive review of big data and privacy” by reaching out to “privacy experts, technologists, and business leaders.” This would “look at how the challenges inherent in big data are being confronted by both the public and private sectors, whether we can forge international norms on how to manage this data, and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.”

If this all sounds vague, that’s most likely a way to avoid unduly alienating the tech industry by making immediate demands about, say, providing consumers with strong protection for the reams of data harvested from them through the growing number of services that do so. Granted, such protections can’t be rolled out properly at the snap of a finger. But they’re growing all the more needed, so one can only hope Podesta’s review doesn’t simply result in voluntary compliances that have no teeth.

What’s most clear about Obama’s claims is that reform of any significant kind is never going to happen all at once. A few valuable items are offered here — such as a bit more flexibility about gag orders — and they should be used wisely by tech companies that have previously chafed under such restrictions. But in the end, when it comes to surveillance reform, tech and government are still on opposite sides of a divide that has only narrowed ever so slightly.

This story, “What Obama’s NSA reform means for tech,” was originally published at InfoWorld.com.

Serdar Yegulalp

Serdar Yegulalp is a senior writer at InfoWorld. A veteran technology journalist, Serdar has been writing about computers, operating systems, databases, programming, and other information technology topics for 30 years. Before joining InfoWorld in 2013, Serdar wrote for Windows Magazine, InformationWeek, Byte, and a slew of other publications. At InfoWorld, Serdar has covered software development, devops, containerization, machine learning, and artificial intelligence, winning several B2B journalism awards including a 2024 Neal Award and a 2025 Azbee Award for best instructional content and best how-to article, respectively. He currently focuses on software development tools and technologies and major programming languages including Python, Rust, Go, Zig, and Wasm. Tune into his weekly Dev with Serdar videos for programming tips and techniques and close looks at programming libraries and tools.
