While this position is fashionably cosmopolitan, in practice, it would turn out to be either meaningless or extremely damaging to intelligence collection. The intelligence community would not be likely to collect significant data from non-U.S. citizens through voluntary means like background investigations. As the report itself notes, the Privacy Act does not apply to systems related to national security, such as networks used for storing and transmitting classified information; if this exemption were continued, in most cases, the information available to non-U.S. citizens would be trivial or nonexistent, as most intelligence is classified and would be held in systems that the Privacy Act does not cover.
On the other hand, if the intent is to make some information from national security systems available, then the impact would be devastating. The Privacy Act, for instance, permits “any individual to gain access to his record or to any information pertaining to him which is contained in the system.” If the intelligence community faithfully implemented the act, it would also have to allow a target of its espionage and “a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him.”
At the risk of stating the obvious, this would demolish the whole purpose of spying.
The second major flaw in the report that Morell does not address is its call to eschew in almost all instances the exploitation of so-called “Zero Day vulnerabilities” in software. A Zero Day vulnerability is one whose existence is not known to the developer and therefore has not been addressed in a patch. These vulnerabilities can be used to infiltrate computer systems to collect intelligence, inflict harm or both. The report asserts, with very little supporting argument, that fixing these vulnerabilities is more important than the intelligence collected by exploiting them in all but a handful of cases. Though not discussed specifically in the report, this policy approach would likely rule out programs like the alleged exploitation of Microsoft Windows error reporting by NSA’s Tailored Access Operations, used to gain insight into target systems.