Hacker News new | past | comments | ask | show | jobs | submit login
Wyden Introduces Bill To Ban Government Backdoors Into Cellphones and Computers (senate.gov)
417 points by sethbannon on Dec 4, 2014 | hide | past | web | favorite | 62 comments

A lot of people will inevitably comment on the flimsiness of this bill - that it can be easily circumvented. This might be true, but its a step forward because it acknowledges that government backdoors are a bad thing.

I wish I could remember where I read about this, but its similar to how activists changed the classification of LGBT literature to a non-stigmatizing category in libraries. This was the start of a lot of progress for LGBT rights. It was a minor victory among lots of major defeats at the time it happened.

Instead of complaining about the weaknesses in the bill, we should view this as a facet of a multi-pronged effort to maintain privacy.

Of course that's the point of it, and in that sense it is indeed useful.

It's a bill intended to send a message and establish values, and it does that nicely.

You can tell it's intended to send a message because, well, that's what the Senator says in the press release.

“This bill sends a message to leaders of those agencies to stop recklessly pushing for new ways to vacuum up Americans’ private information, and instead put that effort into rebuilding public trust.”

So, what you're saying is, it's cosmetic.

No, that's not what I'm saying.

I didn't expect you to agree, but rather hoped you'd spell out why.

You're being downvoted above because the second comment in the thread said "Of course that's the point of it,", referring to the comment above, which said:

"it can be easily circumvented. This might be true, but its a step forward because it acknowledges that government backdoors are a bad thing. I wish I could remember where I read about this, but its similar to how activists changed the classification of LGBT literature to a non-stigmatizing category in libraries. This was the start of a lot of progress for LGBT rights. It was a minor victory among lots of major defeats at the time it happened. Instead of complaining about the weaknesses in the bill, we should view this as a facet of a multi-pronged effort to maintain privacy."

That's the answer to your question of why they claim it's not merely cosmetic. They think it is cosmetic, but may also play a role in shifting language and expectations, which will have a more than cosmetic effect down the line.

Edit: Rather than continue the thread – you might be right. I'll let waterlesscloud answer is I've misinterpreted their opinion.

I don't mind the downvotes! I don't think you and 'waterlesscloud agree. I said "so it's cosmetic", and my interpretation of his response is "it's more than cosmetic". If so: how? "Playing a role in shifting language"?

Yeah, opening an Overton window:


Shifting language is not cosmetic. Has actual consequences beyond the realm of language.

Pious is the normal term for his sort of motion.

>I wish I could remember where I read about this, but its similar to how activists changed the classification of LGBT literature to a non-stigmatizing category in libraries.

I think it was in the Tipping Point by Gladwell. I'm not certain, but I read that recently and that's the only book I've read recently that has that sort of anecdote.

So security theater is ok when we're the ones doing it?

Edit: There is the argument that this bill is a step in the right direction. The problem is that too often, steps in the right direction are the last step taken, and then people treat the problem as solved. I think there is something to be said for not letting the perfect be the enemy of the good, and this doesn't appear to explicitly OPEN any loopholes, so I guess I'm in favor. But we need something stronger to protect civil liberties, and to make people trust US companies can be secure.

The Bill itself is weak as written, at least by my layman's reading. It's two pages, go look: http://www.wyden.senate.gov/download/?id=B8F74B59-0A6E-45C2-...

First, it only covers software, hardware and devices made available to the general public. So any internally developed hardware or software business logic could face such a mandate.

Second, it only covers security functions of such items... It's not clear that specific information, such as a private key, would be a security function.

Third, it has an explicit exemption for the CALEA, Which lets the government mandate how the telephone companies network architecture worked in order to make it easier to wiretap, which the FCC expanded to ISPs and VOIP providers. Now, the FBI and other government entities have been pushing for all internet companies to fall under the CALEA or similar laws, so we can presume that the CALEA is not everything it could be. Still we know that Verizon, which is a broadband ISP, was adding a unique key to HTTP communications.

Fourth, it fails to define surveillance, and it's unclear if a broad capture of information which isn't looked, or of metadata, would be consider surveillance under the law. The law mentions physical search, but that still leaves electronic searches, as well as any form of seizures.

Fifth, it does nothing to prevent attempts to weaken protocols, systems, APIs, encryption standards, etc. While it may prevent specific implementations of them from being forcibly weakened, it wouldn't prevent a forcible or other weakening of the underlying standard, including attempts to manipulate and weaken them.

You are worried that this bill will be the last step in the right direction. An increasing number of people are unhappy with US surveilance aggression, and we are all aware that this bill is far from the magic bullet. I do not think there is a risk of this step being the last step in the right direction.

We should support this bill (as it improves our state of affairs), but also call for stronger reform as well. It is a good first step, and hopefully one of many as there will be ongoing pressure for more action to be taken.

This bill is flawed but worth your support anyway. It's flawed for at least three reasons:

* It doesn’t stop NSA from weakening security standards, bribing crypto vendors, or hacking into systems to insert backdoors. Even if a future law were to address that, a future president could instruct the NSA (part of the U.S. military, after all) to disregard it. We've all seen some recent examples of aggressive presidential action even in the non-military space where executive authority is weaker.

* Wyden's bill doesn't seem to apply to FedGov spending. So if a company wants that fat .gov/.mil $10 billion-dollar contract, well, it might feel obliged to discontinue that full-device encryption product. It surely makes sense to focus on other unencrypted product lines to support that $10B contract, right?

* A future Congress could overturn it, for instance by enacting FBI’s draft “Going Dark” surveillance legislation. I disclosed some details here about the FBI's proposal to target Internet companies (in retrospect, FBI was carrying water for NSA): http://www.cnet.com/news/fbi-we-need-wiretap-ready-web-sites...

But despite those caveats, Wyden's bill is worth supporting anyway. It does no harm, it's highly symbolic -- and it would stop future agencies from creatively interpreting their statutory authority to screw over the Internet and companies represented here on HN.

While no agency has clear legal authority in this area, that doesn't always stop them, with the FCC the most likely suspect. Remember this is the same agency that unilaterally extended CALEA backdoor requirements to broadband providers, despite Congress never giving it that authority, and despite the FBI director assuring politicians this would never happen. A federal appeals court judge called the FCC's argument for surveillance mandates "gobbledygook" and "nonsense," but unfortunately ended up dissenting in a 2-1 decision, as I wrote here in 2006: http://news.cnet.com/Appeals-court-upholds-Net-wiretapping-r...

This is not a case of a bill doing some harm and some good, like the problematic USA Freedom Act, where different groups applied different weights and reached different recommendations. Wyden's bill does only good, even if doesn't go nearly far enough. Fixing a broken system is not a one-step process.

> A future Congress could overturn it

Short of a constitutional amendment, any congressional action could be overturned by a future congress.

That could also be overturned by a future congress

And the overturn that overturned the overturn could in turn, be overturned. ;P

No but a little more serious - once a bill makes it to law, its far more challenging to overturn it (not to mention the negative PR that can/will be run for a "we're making it so the government can subvert your privacy again" campaign).

And that's the kind of law that should be in a constitutional amendment.

We have amendments for these though. It will be tiresome to have to continually revisit amendments to basically say "they mean what they say". How about this Amendment instead:

Any attorney general should be able to sue for impeachment and criminal charges against any top officials in federal government, and the cases could be heard by a panel of judges from the states. After a ruling, governors should be authorized to deploy state police/military to arrest and incarcerate federal officials as indicated by the trials.

Can any agency demand a backdoor today, outside of CALEA, which this bill exempts? If they can't, then new backdoors would require new statutory authority --- which would simply override Wyden's bill.

Congress can't pass laws preventing Congress from passing other laws, except by amending the Constitution.

Often Wyden's actions signal that he knows something due to his position on the intelligence committee which he can't publicly reveal.

So, you might take this to mean that there is a possibility that such backdoors are already being demanded.

The point is that a Senator is now on record opposing that type of new statutory authority.

This bill is not intended to be a defensive wall; it's a stake in the ground in a debate that's just starting. It's a political move, not a serious legislative move. Most bills are.

> Congress can't pass laws preventing Congress from passing other laws, except by amending the Constitution.

Congress can't amend the Constitution, either.

So we're left with, essentially, "Congress can undo what Congress can do.".

Congress can of course propose amendments to the Constitution, and therefore also propose amendments which repeal previous amendments. In either case, ratification by by the state legislatures is required.

> Congress can't pass laws preventing Congress from passing other laws

Is that the same as saying that Congress cannot pass two laws which contradict one another?

No, it can definitely do that, but more importantly it can simply change its mind, and it can do that in subtler ways than by making direct references to Wyden's bill, "notwithstanding" &c &c.

What further restriction were you talking about? Is it judicial precedent you're referring to, or legislative precedent? I believe there is at least one case where courts ruled that the government must fulfill the terms of a contract it made previously, but that's different than statutes.

The advantage is value language in new laws rarely trumps specific language in older laws. So, when or if the law is changed it becomes more obvious that agencies can add backdoors.

I do not believe that it's the case that there's a "most specific wins" in statutory interpretation. A broad exemption in a later bill overrides all the previous statutes it implicates.

In fact: if that's the case, and I think it is, then bills like this are deceptive: they make people like you believe you can grep the Congressional Record for references to Wyden's bill and tell if there's new statutory authority for backdoors.

One of the HN legals (DannyBee! Rayiner! Tzs! Pdabbadabba!) can probably clear this up.

There's a few canons of construction in play in this hypo.

1) Prefer a construction that gives effect to both provisions.

2) If conflict is inevitable: a) repeals by implication are disfavored; b) specific provisions govern general ones, regardless of when enacted.

3) The clear intent of Congress controls.

Say Congress says: agencies can't require backdoors.

Later, it says: NSA can require backdoors. This is both more recent, and more specific, and controls.

Or, later it says: NSA can place requirements on products necessary for security. This is later, but more general, so the earlier act probably controls.

Or, later it says: NSA can place whatever requirements on products it wants, notwithstanding any other law. Here, the clear intent is to give NSA the authority to do whatever it wants regardless of what prior law says, so the intent controls.

Unless you're a devout Scalia-ite, all of this will be subject to second-guessing on the basis of the legislative history or other indicators of Congressional intent. At the end of the day, canons of construction are useful, but it had better not be the only thing you have in your pocket.

Thanks. It's the "notwithstanding" that sticks in my head, because that exact construction has come up in discussions --- I think here! --- in the past.

The "notwithstanding" won't necessarily read like "notwithstanding previous bills about backdoors", either.

The override won't need to be obvious to be effective, is the point I'm trying to make.

Yes, often "notwithstanding" is used just as in my last example, with no reference to the overridden law.

Grep is clearly not enough, but sometimes cases are decided by extreme edge case interpretations as there is no clear intent. In which case a very specific law generally beats a vague interpretation if you squint really hard, but not clear if sweeping language.

So, agency X can do anything wins. Agency X can make reasonable precautions does not because a prior law defines such behavior as unreasonable.

Edit: My point being a law that says agency X can do anything raises plenty of red flags where 'make reasonable precautions' does not.

PS: Though, that's just my understanding I would love to hear a better analysis.

People think I love threads like this because I'm pro-surveillance (no) but really it's just that I like having a reason to look stuff like this up.


Search: "notwithstanding".

We can probably find a bunch of examples in real statutes to get a sense of exactly how subtle the override could be.

I don't think Wyden's bill is likely to be helpful in detecting new authority to demand backdoors. We'll have to be exactly as vigilant after it passes.

Sure, but "notwithstanding" is exactly the type of language that should raise eyebrows. It's like seeing a goto in code. Sure it can be used to obscure things, and there are plenty of great examples of this, but it's also a big sign that saying "pay attention to me".

It's pretty common. The word "notwithstanding" occurs twice in the ECPA, for instance. It occurs too many times to count in the ACA.

There is indeed a canon of interpretation which upholds a prior specific rule over a later in time general rule which does not specifically repeal the earlier one, and isn't directly conflicting. In that case, the general rule will be read if possible to avoid the earlier rule. Legislatures need to explicitly repeal something if it could be an issue.

See the section in the following CRS report titled "Repeals by implication": http://www.fas.org/sgp/crs/misc/97-589.pdf

Edit: Foiled again!

It can the older motion would normally get invalidated as a "consequential" of the second motion - its one of the trickier bits of drafting motion's in a parliamentary system you have to work out what consequentials there are and in which order it makes sense to take a set of motions.

what congress or any parliamentary system cant do is bind it's self (the constitution might) - eg the uk parliament could decide to have an election tomorrow even though they passed a law 4 years back saying we have a fixed 5 year term

I see comments on the veracity of this bill, but I decry the idea that passing more laws will fix this. It's mere theatre. There are laws already which ban the things our government is doing and they ignore those laws, what is it to ignore one more law? It grows worse with each passing year even the customary dog and pony show slap on the wrist has been dispensed with. The 24 hour news cycle moves on and the fourth estates co-option is more obvious daily. Arguing the details of bullshit doesn't strike me as a judicious use of our time. I strongly urge you to throw any effort you consider devoting to discussion or even thought in regard to legislative fixes to moving forward with the broad adoption of encryption and infrastructure changes within your own organizations that prevent them from monitoring our communications whether they like it or not. The United States government has proven itself untrustworthy, the best option is to simply remove the choice from their hands.

Don't forget to add decentralization to that list as well. A further addendum is that this isn't about just the US government- even in a magical world where the US stopped spying you'd still be the victim of other governments all over the world (and corporations as well!).

This is a battle that started with technology and the only way to fight it is with better technology.

> There are laws already which ban the things our government is doing and they ignore those laws, what is it to ignore one more law?

I can't think of any off the top of my head. Federal agencies have the authority to regulate what sort of air pollution control features your car has, so what law does it violate for them to regulate security features?


We can start with the 4th amendment and move on from there.

Its quite debatable whether the 4th amendment prohibits the NSA programs we know about.[1] And I can't think of any support for the position that it prohibits requiring back doors that are used with a warrant, or only used when the user is foreign.

[1] I won't rehash it here, but the 4th amendment has two big loopholes: 3rd party doctrine, and non-applicability to foreigners on foreign soil. The NSA programs seem calculated to fit into those loopholes.

They want you to think those loopholes are valid. I would argue that they are not. 4th definitely prohibits many NSA programs.

The areas not covered by the 4th amendment are set forth in reasonable judicial interpretations of the text of the amendment, and the NSA is entitled to rely on those interpretations.

1) The understanding that the 4th amendment doesn't apply to anything crossing the border (like data in undersea cables) dates back to the First Congress, which enacted customs laws that allowed warrantless searches at the border. This interpretation is well-supported by the history of the amendment, which arose not in opposition to border searches generally, but in opposition to customers inspectors searching peoples' houses for contraband.

2) The idea that the 4th amendment follows around pieces of information in the hands of third parties is contrary to two basic understandings of law. A) consent (e.g. Google consenting to disclose records in its possession), is always an acceptable alternative to a warrant; B) subpoenas can compel people to produce documents in their possession.

At the end of the day, you have to grapple with one basic, undeniable fact: the 4th amendment does not say people have a right to "privacy" the same way the 1st amendment says people have a right to "free speech." It talks about quite specific conduct, and the things that privacy advocates want the 4th amendment to protect (e.g. call metadata that is not only not in the possession of the individual asserting the 4th amendment right, but not even accessible to the individual!) doesn't fit cleanly into the text of the amendment.

I can't speak for anyone else, but I think those "reasonable judicial interpretations" represent a gutting of the 4th amendment.

The writers specified "persons, houses, papers, and effects" as protected - in other words, everything they could think of in their day. For every one of those things, they said that the government needed probable cause and a warrant.

Today, our persons nearly always carry trackable devices. Our houses are where we search the web and video chat with loved ones. Our papers and effects are files, which we back up over the cloud. Most conversations we have are digital.

It is impossible to function in modern society without giving lots of data to third parties as a side effect. All of this is tracked, recorded, stored and analyzed without cause or warrants.

If it's claimed that the 4th amendment covers the grocery list in my pocket, but none of the my truly sensitive data, then I say it's a fat lot of good.

With interpretations like those, why bother having laws at all?

> I can't speak for anyone else, but I think those "reasonable judicial interpretations" represent a gutting of the 4th amendment.

In 1789:

a) The government could have subpoenaed your banking records without a warrant. 1789 wasn't prehistory--the founders were lawyers and businessmen, and would have had an understanding of sensitive commercial, accounting, and legal records being held by third parties.

b) The First Congress passed a law enabling warrantless customs searches at the border. The founders perceived the government's right to control what crossed the border outweighed anyone's privacy interests.

> With interpretations like those, why bother having laws at all?

To the contrary. Textual interpretations of law protect you. They're predictable and hard to argue with. It's results-oriented interpretations that are dangerous, because there's no guarantee that the decision maker and you are going to have the same understanding of which results are important.

Thank you for making an interesting point with concrete examples. This was very informative.

This bill won't pass. Some members would object, but mostly it's just not worth passing because it doesn't do anything. Also, it was introduced with just a few days left in this Congress. (All un-passed legislation is wiped out by the change in Congress.)

BUT, it's not intended to pass. It is intended to communicate and memorialize a particular political opinion. In this case, it is intended to stand in opposition to the opinion expressed by some law enforcement leaders that the government, in the face of improving commercial encryption, should have new powers to mandate back doors.

Most--in fact the vast majority of--bills that are introduced into Congress are not intended to pass, they are intended to make a point. This is one of those bills. That doesn't make it bad or good. That really depends on whether you agree with Senator Wyden. (I bet most people here do.)

I don't mind if the bill is weak, because real solutions are happening outside of electoral politics.

Curve25519 deployment is now massive, for example. LibreSSL is moving forward. RC4 has been ripped out of a lot of stuff and replaced with ChaCha. Salsa20 is in a ton of software and has many users. SafeCurves are getting discussion, especially ed448 and E-521. More people are deploying TLS. More people are conscientous. More people are protected by default without having to make an effort (TextSecure is a great example).

My only sad point is that people are still talking about DNSSEC, which reduces security significantly if used for anything besides signing DNS records. I don't know why anyone not affiliated with Project Bullrun wants you to use RSA-1024 for security.

There is more wrong with DNSSEC than RSA-1024 (PKCS1v15 RSA, no less!). DNSSEC is a PKI run by world governments, most prominently that of the United States. It's hard to understand why anyone working in privacy would ever support it.

Thankfully, it's dying on its own engineering (de)merits.

The only true solution here will be to rule cellphones as inadmissible in court; Not under the Fourth, but under the Fifth. More and more, computers are becoming part of our brains; As inextricably linked to us as our limbs. Until we recognize that this is not fantasy, not the near future, but the now, we're all at danger from government overreach.

That's hardly effective; most covertly collected evidence is already inadmissible in courts in most free countries and yet here we are.

Governments spying isn't ubiquitous because it's an effective means to uphold the law: it's because like any government budget: you use it or you lose it. And after the "good old days" of the Cold War nobody is ready to relinquish that power. So instead here we are, decades after we stepped back from the nuclear brink, as terrified as ever with a media presenting us with a myriad of dubious villains to justify expansion and over reach.

The true extent of the damage caused by rampant espionage will probably never be understood because secrets breed secrets, breed corruption -- and when a nation's intelligence services can legally spy on the full spectrum of industry: the potential for corruption is massive

It's great when politicians show a spine after being unelected. We should unelect them more often.

The attention Wyden gets as being the anti-surveillance guy in Congress says more about Congress than it does about Wyden. This guy sat on the Intelligence Committee for years, and knew exactly what was going on, and although even he probably learned a thing or two from the Snowden leaks, it's a sure bet he learned a hell of a lot less than the rest of us. Yet, before that, he did precisely fuck-all about any of it. He's still done about fuck-all, besides sort of vaguely indicating that he might exploit some Constitutional provisions to reveal a few more secrets on the Senate floor before leaving office. I'm not holding my breath.

First, the bill has a major(?) exception. Second, they don't need to mandate it. They can just "ask" for it.

A law prohibiting executive branch agencies from asking for backdoors might actually have some utility.

But unless there's a law (other than CALEA, which is indeed a major exception) that currently enables the USG to demand backdoors --- and I don't think there is --- this bill is a no-op. Anything that enabled the USG to make such a demand would have to come from Congress, which would simply override Wyden's bill.

Makes me think of "These new laws will fundamentally change how we get around them".

Too bad it looks like congress dropped this amendment that passed with an overwhelming majority in a backdoor deal over the past 48 hours: https://news.ycombinator.com/item?id=8703331

what is the point of this? there are already laws that forbid it, and there are already laws that ignore those laws in case of national security or other bs.

this new law would just add to the first lot. total waste of time.

the only sane thing to do is to better regulate and try to add consequences to misuses of the second lot.

This will probably last about as long as the attempt at NSA reform; i.e. not very :(

If the bill even has a shot of passing, it will be quietly amended to include gaping exceptions, to the extent that nothing will actually change other than a brief pulling off the wool over the public eyes.

I don't think the bill needs to be changed at all to be deceptive to the public, because Congress doesn't work the way this bill suggests it does.

But there are already backdoors in those things. And you can bet that this bill won't pass. You can bet your right thumb on that.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact