SAN FRANCISCO—In a speech before the RightsCon conference in San Francisco, a US State Department official expressed official approval for the president’s new January 2014 policy that established clearer guidelines about state-driven bulk data collection and surveillance. At that time, President Barack Obama gave a speech outlining the administration's policy after two outside review boards had critical things to say about the American surveillance regime.

Despite the fact that within the last several months, documents provided by whistleblower Edward Snowden showed that the United States has been actively weakening encryption standards, deputy assistant secretary Scott Busby told RightsCon that the US “continues to support strong cybersecurity, including strong encryption protocols.”

Busby presented the government’s case as to how, why, and under what conditions American government officials should be allowed to conduct digital surveillance. His speech was approved by all branches of the US government, including the Office of the Director of National Intelligence.

“US signals intelligence collection follows the principle that surveillance should not be arbitrary. The new Policy Directive states that signals intelligence activities shall be as tailored as feasible,” Busby added. “We prioritize obtaining data through public sources, as opposed to non-public signals intelligence collection. When decisions about surveillance are made, we assess whether the benefits of surveillance outweigh its risks, and whether there are other, less-intrusive alternatives that might accomplish our foreign intelligence requirements.”

Busby repeatedly referred to Presidential Policy Directive 28 (PPD 28), which establishes a large set of conditions under which the American government is authorized to collect such data. Despite Busby’s mention that “surveillance should not be arbitrary,” a closer look at PPD 28 shows that the US government does generally allow bulk collection under many general circumstances.

As that document states:

References to signals intelligence collected in "bulk" mean the authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.) only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section. In no event may signals intelligence collected in bulk be used for the purpose of suppressing or burdening criticism or dissent; disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion; affording a competitive advantage to U.S. companies and U.S. business sectors commercially; or achieving any purpose other than those identified in this section.

“Encrypt all the things”

Jochai Ben-Avie, the policy director at Access, which organized the RightsCon event, told reporters that there wasn’t a lot of detail in the speech about what this new policy actually means, but he seemed to indicate that it was a step in the right direction.

“I believe this is the first time that the US recognizes that international norms and laws apply when conducting surveillance,” he said.

Shortly before Busby's speech, Access officials also unveiled their new “Encrypt all the things” campaign, which establishes new privacy guidelines for guarding against unauthorized access to user data, notably including implementing TLS with perfect forward secrecy on all traffic.

Companies and organizations, including Twitter, Google, the Freedom of the Press Foundation, DuckDuckGo, and the Electronic Frontier Foundation are publicly listed as supporters and have agreed to implement these guidelines before the year’s end.

“We’re saying collect what you want, but make sure that if you're going to collect the information that it is going to be protected,” said Amie Stepanovich, an attorney with Access.

"We're not going to check in on them. By signing on, we're going to hopefully start to see a shift, and we think that there's a public auditing function."