
Wyden Introduces Bill To Ban Government Backdoors Into Cellphones and Computers - sethbannon
http://www.wyden.senate.gov/news/press-releases/wyden-introduces-bill-to-ban-government-mandated-backdoors-into-americans-cellphones-and-computers
======
zallarak
A lot of people will inevitably comment on the flimsiness of this bill - that
it can be easily circumvented. This might be true, but its a step forward
because it acknowledges that government backdoors are a bad thing.

I wish I could remember where I read about this, but its similar to how
activists changed the classification of LGBT literature to a non-stigmatizing
category in libraries. This was the start of a lot of progress for LGBT
rights. It was a minor victory among lots of major defeats at the time it
happened.

Instead of complaining about the weaknesses in the bill, we should view this
as a facet of a multi-pronged effort to maintain privacy.

~~~
waterlesscloud
Of course that's the point of it, and in that sense it is indeed useful.

It's a bill intended to send a message and establish values, and it does that
nicely.

You can tell it's intended to send a message because, well, that's what the
Senator says in the press release.

“This bill sends a message to leaders of those agencies to stop recklessly
pushing for new ways to vacuum up Americans’ private information, and instead
put that effort into rebuilding public trust.”

~~~
tptacek
So, what you're saying is, it's cosmetic.

~~~
waterlesscloud
No, that's not what I'm saying.

~~~
tptacek
I didn't expect you to agree, but rather hoped you'd spell out why.

~~~
graeme
You're being downvoted above because the second comment in the thread said "Of
course that's the point of it,", referring to the comment above, which said:

"it can be easily circumvented. This might be true, but its a step forward
because it acknowledges that government backdoors are a bad thing. I wish I
could remember where I read about this, but its similar to how activists
changed the classification of LGBT literature to a non-stigmatizing category
in libraries. This was the start of a lot of progress for LGBT rights. It was
a minor victory among lots of major defeats at the time it happened. Instead
of complaining about the weaknesses in the bill, we should view this as a
facet of a multi-pronged effort to maintain privacy."

That's the answer to your question of why they claim it's not merely cosmetic.
They think it _is_ cosmetic, but may also play a role in shifting language and
expectations, which will have a more than cosmetic effect down the line.

Edit: Rather than continue the thread – you might be right. I'll let
waterlesscloud answer is I've misinterpreted their opinion.

~~~
tptacek
I don't mind the downvotes! I don't think you and 'waterlesscloud agree. I
said "so it's cosmetic", and my interpretation of his response is "it's more
than cosmetic". If so: how? "Playing a role in shifting language"?

~~~
coldtea
Yeah, opening an Overton window:

[http://en.wikipedia.org/wiki/Overton_window](http://en.wikipedia.org/wiki/Overton_window)

Shifting language is not cosmetic. Has actual consequences beyond the realm of
language.

------
lsiebert
Edit: There is the argument that this bill is a step in the right direction.
The problem is that too often, steps in the right direction are the last step
taken, and then people treat the problem as solved. I think there is something
to be said for not letting the perfect be the enemy of the good, and this
doesn't appear to explicitly OPEN any loopholes, so I guess I'm in favor. But
we need something stronger to protect civil liberties, and to make people
trust US companies can be secure.

The Bill itself is weak as written, at least by my layman's reading. It's two
pages, go look:
[http://www.wyden.senate.gov/download/?id=B8F74B59-0A6E-45C2-...](http://www.wyden.senate.gov/download/?id=B8F74B59-0A6E-45C2-A259-109978D275EA&download=1)

First, it only covers software, hardware and devices made available to the
general public. So any internally developed hardware or software business
logic could face such a mandate.

Second, it only covers security functions of such items... It's not clear that
specific information, such as a private key, would be a security function.

Third, it has an explicit exemption for the CALEA, Which lets the government
mandate how the telephone companies network architecture worked in order to
make it easier to wiretap, which the FCC expanded to ISPs and VOIP providers.
Now, the FBI and other government entities have been pushing for all internet
companies to fall under the CALEA or similar laws, so we can presume that the
CALEA is not everything it could be. Still we know that Verizon, which is a
broadband ISP, was adding a unique key to HTTP communications.

Fourth, it fails to define surveillance, and it's unclear if a broad capture
of information which isn't looked, or of metadata, would be consider
surveillance under the law. The law mentions physical search, but that still
leaves electronic searches, as well as any form of seizures.

Fifth, it does nothing to prevent attempts to weaken protocols, systems, APIs,
encryption standards, etc. While it may prevent specific implementations of
them from being forcibly weakened, it wouldn't prevent a forcible or other
weakening of the underlying standard, including attempts to manipulate and
weaken them.

~~~
Taek
You are worried that this bill will be the last step in the right direction.
An increasing number of people are unhappy with US surveilance aggression, and
we are all aware that this bill is far from the magic bullet. I do not think
there is a risk of this step being the last step in the right direction.

We should support this bill (as it improves our state of affairs), but also
call for stronger reform as well. It is a good first step, and hopefully one
of many as there will be ongoing pressure for more action to be taken.

------
declan
This bill is flawed but worth your support anyway. It's flawed for at least
three reasons:

* It doesn’t stop NSA from weakening security standards, bribing crypto vendors, or hacking into systems to insert backdoors. Even if a future law were to address that, a future president could instruct the NSA (part of the U.S. military, after all) to disregard it. We've all seen some recent examples of aggressive presidential action even in the non-military space where executive authority is weaker.

* Wyden's bill doesn't seem to apply to FedGov _spending_. So if a company wants that fat .gov/.mil $10 billion-dollar contract, well, it might feel obliged to discontinue that full-device encryption product. It surely makes sense to focus on other unencrypted product lines to support that $10B contract, right?

* A future Congress could overturn it, for instance by enacting FBI’s draft “Going Dark” surveillance legislation. I disclosed some details here about the FBI's proposal to target Internet companies (in retrospect, FBI was carrying water for NSA): [http://www.cnet.com/news/fbi-we-need-wiretap-ready-web-sites...](http://www.cnet.com/news/fbi-we-need-wiretap-ready-web-sites-now/)

But despite those caveats, Wyden's bill is worth supporting anyway. It does no
harm, it's highly symbolic -- and it would stop future agencies from
creatively interpreting their statutory authority to screw over the Internet
and companies represented here on HN.

While no agency has clear legal authority in this area, that doesn't always
stop them, with the FCC the most likely suspect. Remember this is the same
agency that unilaterally extended CALEA backdoor requirements to broadband
providers, despite Congress never giving it that authority, and despite the
FBI director assuring politicians this would never happen. A federal appeals
court judge called the FCC's argument for surveillance mandates "gobbledygook"
and "nonsense," but unfortunately ended up dissenting in a 2-1 decision, as I
wrote here in 2006: [http://news.cnet.com/Appeals-court-upholds-Net-
wiretapping-r...](http://news.cnet.com/Appeals-court-upholds-Net-wiretapping-
rules/2100-1028_3-6082085.html)

This is not a case of a bill doing some harm and some good, like the
problematic USA Freedom Act, where different groups applied different weights
and reached different recommendations. Wyden's bill does only good, even if
doesn't go nearly far enough. Fixing a broken system is not a one-step
process.

~~~
abruzzi
> A future Congress could overturn it

Short of a constitutional amendment, any congressional action could be
overturned by a future congress.

~~~
CHY872
That could also be overturned by a future congress

~~~
Alupis
And the overturn that overturned the overturn could in turn, be overturned. ;P

No but a little more serious - once a bill makes it to law, its far more
challenging to overturn it (not to mention the negative PR that can/will be
run for a "we're making it so the government can subvert your privacy again"
campaign).

------
tptacek
Can any agency demand a backdoor today, outside of CALEA, which this bill
exempts? If they can't, then new backdoors would require new statutory
authority --- which would simply override Wyden's bill.

Congress can't pass laws preventing Congress from passing other laws, except
by amending the Constitution.

~~~
baddox
> Congress can't pass laws preventing Congress from passing other laws

Is that the same as saying that Congress cannot pass two laws which contradict
one another?

~~~
tptacek
No, it can definitely do that, but more importantly it can simply change its
mind, and it can do that in subtler ways than by making direct references to
Wyden's bill, "notwithstanding" &c &c.

~~~
Retric
The advantage is value language in new laws rarely trumps specific language in
older laws. So, when or if the law is changed it becomes more obvious that
agencies can add backdoors.

~~~
tptacek
I do not believe that it's the case that there's a "most specific wins" in
statutory interpretation. A broad exemption in a later bill overrides all the
previous statutes it implicates.

In fact: if that's the case, and I think it is, then bills like this are
_deceptive_ : they make people like you believe you can grep the Congressional
Record for references to Wyden's bill and tell if there's new statutory
authority for backdoors.

One of the HN legals (DannyBee! Rayiner! Tzs! Pdabbadabba!) can probably clear
this up.

~~~
rayiner
There's a few canons of construction in play in this hypo.

1) Prefer a construction that gives effect to both provisions.

2) If conflict is inevitable: a) repeals by implication are disfavored; b)
specific provisions govern general ones, regardless of when enacted.

3) The clear intent of Congress controls.

Say Congress says: agencies can't require backdoors.

Later, it says: NSA can require backdoors. This is both more recent, and more
specific, and controls.

Or, later it says: NSA can place requirements on products necessary for
security. This is later, but more general, so the earlier act probably
controls.

Or, later it says: NSA can place whatever requirements on products it wants,
notwithstanding any other law. Here, the clear intent is to give NSA the
authority to do whatever it wants regardless of what prior law says, so the
intent controls.

Unless you're a devout Scalia-ite, all of this will be subject to second-
guessing on the basis of the legislative history or other indicators of
Congressional intent. At the end of the day, canons of construction are
useful, but it had better not be the only thing you have in your pocket.

~~~
tptacek
Thanks. It's the "notwithstanding" that sticks in my head, because that exact
construction has come up in discussions --- I think here! --- in the past.

The "notwithstanding" won't necessarily read like "notwithstanding previous
bills about backdoors", either.

The override won't need to be obvious to be effective, is the point I'm trying
to make.

~~~
rayiner
Yes, often "notwithstanding" is used just as in my last example, with no
reference to the overridden law.

------
jdhendrickson
I see comments on the veracity of this bill, but I decry the idea that passing
more laws will fix this. It's mere theatre. There are laws already which ban
the things our government is doing and they ignore those laws, what is it to
ignore one more law? It grows worse with each passing year even the customary
dog and pony show slap on the wrist has been dispensed with. The 24 hour news
cycle moves on and the fourth estates co-option is more obvious daily. Arguing
the details of bullshit doesn't strike me as a judicious use of our time. I
strongly urge you to throw any effort you consider devoting to discussion or
even thought in regard to legislative fixes to moving forward with the broad
adoption of encryption and infrastructure changes within your own
organizations that prevent them from monitoring our communications whether
they like it or not. The United States government has proven itself
untrustworthy, the best option is to simply remove the choice from their
hands.

~~~
rayiner
> There are laws already which ban the things our government is doing and they
> ignore those laws, what is it to ignore one more law?

I can't think of any off the top of my head. Federal agencies have the
authority to regulate what sort of air pollution control features your car
has, so what law does it violate for them to regulate security features?

~~~
jdhendrickson
[https://www.aclu.org/technology-and-liberty/nsa-spying-
ameri...](https://www.aclu.org/technology-and-liberty/nsa-spying-americans-
illegal)

We can start with the 4th amendment and move on from there.

~~~
rayiner
Its quite debatable whether the 4th amendment prohibits the NSA programs we
know about.[1] And I can't think of any support for the position that it
prohibits requiring back doors that are used with a warrant, or only used when
the user is foreign.

[1] I won't rehash it here, but the 4th amendment has two big loopholes: 3rd
party doctrine, and non-applicability to foreigners on foreign soil. The NSA
programs seem calculated to fit into those loopholes.

~~~
sitkack
They want you to think those loopholes are valid. I would argue that they are
not. 4th definitely prohibits many NSA programs.

~~~
rayiner
The areas not covered by the 4th amendment are set forth in reasonable
judicial interpretations of the text of the amendment, and the NSA is entitled
to rely on those interpretations.

1) The understanding that the 4th amendment doesn't apply to anything crossing
the border (like data in undersea cables) dates back to the First Congress,
which enacted customs laws that allowed warrantless searches at the border.
This interpretation is well-supported by the history of the amendment, which
arose not in opposition to border searches generally, but in opposition to
customers inspectors searching peoples' houses for contraband.

2) The idea that the 4th amendment follows around pieces of information in the
hands of third parties is contrary to two basic understandings of law. A)
consent (e.g. Google consenting to disclose records in its possession), is
always an acceptable alternative to a warrant; B) subpoenas can compel people
to produce documents in their possession.

At the end of the day, you have to grapple with one basic, undeniable fact:
the 4th amendment does not say people have a right to "privacy" the same way
the 1st amendment says people have a right to "free speech." It talks about
quite specific conduct, and the things that privacy advocates want the 4th
amendment to protect (e.g. call metadata that is not only not in the
possession of the individual asserting the 4th amendment right, but not even
accessible to the individual!) doesn't fit cleanly into the text of the
amendment.

~~~
nathan_long
I can't speak for anyone else, but I think those "reasonable judicial
interpretations" represent a gutting of the 4th amendment.

The writers specified "persons, houses, papers, and effects" as protected - in
other words, everything they could think of in their day. For every one of
those things, they said that the government needed probable cause and a
warrant.

Today, our persons nearly always carry trackable devices. Our houses are where
we search the web and video chat with loved ones. Our papers and effects are
files, which we back up over the cloud. Most conversations we have are
digital.

It is impossible to function in modern society without giving lots of data to
third parties as a side effect. All of this is tracked, recorded, stored and
analyzed without cause or warrants.

If it's claimed that the 4th amendment covers the grocery list in my pocket,
but none of the my truly sensitive data, then I say it's a fat lot of good.

With interpretations like those, why bother having laws at all?

~~~
rayiner
> I can't speak for anyone else, but I think those "reasonable judicial
> interpretations" represent a gutting of the 4th amendment.

In 1789:

a) The government could have subpoenaed your banking records without a
warrant. 1789 wasn't prehistory--the founders were lawyers and businessmen,
and would have had an understanding of sensitive commercial, accounting, and
legal records being held by third parties.

b) The First Congress passed a law enabling warrantless customs searches at
the border. The founders perceived the government's right to control what
crossed the border outweighed anyone's privacy interests.

> With interpretations like those, why bother having laws at all?

To the contrary. Textual interpretations of law protect you. They're
predictable and hard to argue with. It's results-oriented interpretations that
are dangerous, because there's no guarantee that the decision maker and you
are going to have the same understanding of which results are important.

~~~
nathan_long
Thank you for making an interesting point with concrete examples. This was
very informative.

------
snowwrestler
This bill won't pass. Some members would object, but mostly it's just not
worth passing because it doesn't do anything. Also, it was introduced with
just a few days left in this Congress. (All un-passed legislation is wiped out
by the change in Congress.)

BUT, it's not intended to pass. It is intended to communicate and memorialize
a particular political opinion. In this case, it is intended to stand in
opposition to the opinion expressed by some law enforcement leaders that the
government, in the face of improving commercial encryption, should have new
powers to mandate back doors.

Most--in fact the vast majority of--bills that are introduced into Congress
are not intended to pass, they are intended to make a point. This is one of
those bills. That doesn't make it bad or good. That really depends on whether
you agree with Senator Wyden. (I bet most people here do.)

------
Panino
I don't mind if the bill is weak, because real solutions are happening outside
of electoral politics.

Curve25519 deployment is now massive, for example. LibreSSL is moving forward.
RC4 has been ripped out of a lot of stuff and replaced with ChaCha. Salsa20 is
in a ton of software and has many users. SafeCurves are getting discussion,
especially ed448 and E-521. More people are deploying TLS. More people are
conscientous. More people are protected by default without having to make an
effort (TextSecure is a great example).

My only sad point is that people are still talking about DNSSEC, which reduces
security significantly if used for anything besides signing DNS records. I
don't know why anyone not affiliated with Project Bullrun wants you to use
RSA-1024 for security.

~~~
tptacek
There is more wrong with DNSSEC than RSA-1024 (PKCS1v15 RSA, no less!). DNSSEC
is a PKI run by world governments, most prominently that of the United States.
It's hard to understand why anyone working in privacy would ever support it.

Thankfully, it's dying on its own engineering (de)merits.

------
GauntletWizard
The only true solution here will be to rule cellphones as inadmissible in
court; Not under the Fourth, but under the Fifth. More and more, computers are
becoming part of our brains; As inextricably linked to us as our limbs. Until
we recognize that this is not fantasy, not the near future, but the _now_ ,
we're all at danger from government overreach.

~~~
Nanzikambe
That's hardly effective; most covertly collected evidence is already
inadmissible in courts in most free countries and yet here we are.

Governments spying isn't ubiquitous because it's an effective means to uphold
the law: it's because like any government budget: you use it or you lose it.
And after the "good old days" of the Cold War nobody is ready to relinquish
that power. So instead here we are, decades after we stepped back from the
nuclear brink, as terrified as ever with a media presenting us with a myriad
of dubious villains to justify expansion and over reach.

The true extent of the damage caused by rampant espionage will probably never
be understood because secrets breed secrets, breed corruption -- and when a
nation's intelligence services can legally spy on the full spectrum of
industry: the potential for corruption is _massive_

------
deciplex
It's great when politicians show a spine after being unelected. We should
unelect them more often.

The attention Wyden gets as being the anti-surveillance guy in Congress says
more about Congress than it does about Wyden. This guy sat on the Intelligence
Committee for years, and knew exactly what was going on, and although even he
probably learned a thing or two from the Snowden leaks, it's a sure bet he
learned a hell of a lot less than the rest of us. Yet, before that, he did
precisely fuck-all about any of it. He's still done about fuck-all, besides
sort of vaguely indicating that he might exploit some Constitutional
provisions to reveal a few more secrets on the Senate floor before leaving
office. I'm not holding my breath.

------
pdknsk
First, the bill has a major(?) exception. Second, they don't need to mandate
it. They can just "ask" for it.

~~~
tptacek
A law prohibiting executive branch agencies from _asking_ for backdoors might
actually have some utility.

But unless there's a law (other than CALEA, which is indeed a major exception)
that currently enables the USG to demand backdoors --- and I don't think there
is --- this bill is a no-op. Anything that enabled the USG to make such a
demand would have to come from Congress, which would simply override Wyden's
bill.

------
blackaspen
Makes me think of "These new laws will fundamentally change how we get around
them".

------
everettForth
Too bad it looks like congress dropped this amendment that passed with an
overwhelming majority in a backdoor deal over the past 48 hours:
[https://news.ycombinator.com/item?id=8703331](https://news.ycombinator.com/item?id=8703331)

------
gcb0
what is the point of this? there are already laws that forbid it, and there
are already laws that ignore those laws in case of national security or other
bs.

this new law would just add to the first lot. total waste of time.

the only sane thing to do is to better regulate and try to add consequences to
misuses of the second lot.

------
blueskin_
This will probably last about as long as the attempt at NSA reform; i.e. not
very :(

------
AdmiralAsshat
If the bill even has a shot of passing, it will be quietly amended to include
gaping exceptions, to the extent that nothing will actually change other than
a brief pulling off the wool over the public eyes.

~~~
tptacek
I don't think the bill needs to be changed at all to be deceptive to the
public, because Congress doesn't work the way this bill suggests it does.

------
finid
But there are already backdoors in those things. And you can bet that this
bill won't pass. You can bet your right thumb on that.

