Obama: NSA will not hold telephone metadata, nor spy on heads of state

Trying to counter widespread criticism of the National Security Agency’s surveillance programs, President Barack Obama on Friday announced a number of reforms to the way U.S. intelligence agencies operate.

Obama has ordered the National Security Agency to relinquish control of the telephone metadata it collects to the providers (telcos) or a third party. It remains unclear how that will work, however. Obama is giving the NSA and Attorney General Eric Holder 60 days to develop a revised structure for the program. They’re to deliver their recommendations prior to the late March deadline by which Congress must vote to reauthorize various intelligence practices, including the telephone data collection program.

Intelligence agencies will also have to seek judicial approval from the Foreign Intelligence Surveillance (FISA) court before querying the NSA database for information on a potential suspect. Privacy and civil liberties advocates have argued that the secret FISA court simply serves as a rubber stamp for government requests, however. Obama sought to assuage those critics with his support for the appointment of a “privacy advocate” on the FISA court.

Obama also ordered a change, effective immediately, that limits intelligence agencies from pursuing phone calls more than two steps removed from a number associated with a terrorist organization, as opposed to three.

“I believe it is important that the capability that this program is designed to meet is preserved,” said Obama during his speech. “Having said that, I believe critics are right to point out that without proper safeguards, this type of program could be used to yield more information about our private lives and open the door to more intrusive, bulk collection programs in the future.”

The president also sought to reassure allied nations that the United States will not monitor their leaders’ private communications.

“And the leaders of our close friends and allies deserve to know that if I want to learn what they think about an issue, I will pick up the phone and call them, rather than turn to surveillance,” he said.

His statements on monitoring foreign leaders come in response to revelations that the U.S. has spied on German Chancellor Angela Merkel, among other heads of state, which strained diplomatic ties with many friendly countries.

The president remained critical of former NSA contractor Edward Snowden, whose continued leaks prompted the changes Obama announced today.

“Our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets,” Obama said. “If any individual who objects to government policy can take it in their own hands to publicly disclose classified information, then we will never be able to keep our people safe or conduct foreign policy.”

Much of how the government conducts its surveillance won’t change. Obama declined to address many significant recommendations laid out by a presidential panel tasked with investigating government surveillance practices.

The president will not separate the NSA director from also heading U.S. Cyber Command, as the panel recommended. He also made no mention of encryption standards or software security vulnerabilities, much to the frustration of business leaders across the country. The panel had recommended that the NSA should promise “it will not in any way subvert, undermine, weaken or make vulnerable generally available commercial encryption,” and that the U.S. should stop collecting information about security vulnerabilities in other systems, called “zero-day attacks.”

Obama did promise a “comprehensive review” of big data and privacy led by his counselor John Podesta.

“This group will consist of government officials who … will reach out to privacy experts, technologists, and business leaders and look at how the challenges inherent in big data are being confronted by both the public and private sectors; whether we can forge international norms on how to manage this data; and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.”

But that may not satisfy American companies, like cloud computing vendors, that have voiced concerns about losing international customers to competitors in Europe and Asia over (perceived or actual) NSA snooping. Last year, the U.S.-based Cloud Security Alliance estimated that American cloud vendors could lose between $21.5 billion and $35 billion in worldwide contracts over the next three years due to the string of NSA revelations.