The Electronic Frontier Foundation's Cindy Cohn and Trevor Timm have compiled an extensive list of things to demand from NSA reform legislation, from obvious things like ending bulk collection to crucial legal subtleties like fixing the problem of standing in cases regarding surveillance.
—Stop Bulk Collection. The starting point for NSA reform would be a definitive statement that court orders for bulk collection of information are not allowed and indeed are illegal. At all times, a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service) must be specified in the context of an investigation. And a category like: "all records of all Verizon customers," is neither reasonable, small nor well-cabined.
—Limits on Hops. Clarification that if one identified person is under investigation, the NSA does not have the authority to run analysis of call records on persons "two hops" or "three hops" away from that person without a separate court authorization.
—Metadata Protection. Information about communications, also called metadata or noncontent, requires probable cause warrants issued by a court (or the equivalent) whenever it reveals previously nonpublic information about or comprising your communications. This includes revealing your identity if it is not public, what websites you visit and information you read, who you communicate with, when, from where, and for how long. Public metadata information, such as information about Facebook wall posts, public tweets and followers or information available in telephone books or similar resources should not included in this requirement. This is also contained in the International Principles on the Application of Human Rights to Communications Surveillance that applies international human rights principles to the digital age that EFF and hundreds of NGOs around the world have recently endorced.
—Location Information. Metadata about your location, including cell phone GPS data, IP addresses and cell tower information should also require a probable cause warrant. The NSA claims the legal authority to collect this information on Americans in mass quantities as well, but claims they do not do so, but Senator Wyden indicates that this might not be the whole story.
—Congressional Disfavor of Third-Party or Business Records Doctrine. Eliminate the so-called third-party or business records doctrine. The fact that communications or communications records are held or collected or generated by third parties should be irrelevant to their protection under privacy statutes. Congress should also state firmly that the fact of third party involvement should be irrelevant to a person's "reasonable expectation of privacy," as this may assist the Courts when considering Fourth Amendment implications.
—Americans Protected Even if Communicating with a "Target." Confirm the NSA must obtain a specific, probable cause warrant to seize or search Americans' communications when they are picked up via a FISA court order or otherwise even if the American is not the "target" of the Order. Often while the "target" of orders are foreign, American communications are vacuumed up and able to be searched thereafter without a warrant.
—U.S. Law Protects All Data in the U.S. Ensure that the protections of American law, including standing to sue to challenge violations of law, apply to all data accessed by the NSA in the United States, even if the data is about a non-U.S. person. This can help American businesses by assuring foreigners that they may use U.S.-based communications services without discrimination and will enjoy the same rights as U.S. persons when the government comes knocking…