New Jersey Congressman Seeks To Bar NSA Backdoors In Encryption 200
Frosty P writes "Congressman Rush D. Holt, a New Jersey Democrat, has proposed legislation (summary, full text) that would prohibit the agency from installing 'back doors' into encryption, the electronic scrambling that protects e-mail, online transactions and other communications. Representative Holt, a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of American companies whose products the agency may have altered or influenced. 'We pay them to spy,' Mr. Holt said. 'But if in the process they degrade the security of the encryption we all use, it's a net national disservice.'"
Re:Pointless posturing (Score:5, Informative)
Whoa, now. While it's true that the NSA has a history of disregarding the law, it's bad to fall into the trap of believing that there's no point to creating such laws at all.
What do you want Congressman Holt do? Rip off his shirt and physically attack James Clapper? That's not going to help curtail the powers of the NSA and you know it. Congress creates laws. That's what they're supposed to do. If you think the law is a good idea, then proposing the law isn't "pointless posturing," it's Congress' job.
It's easy to get so lost in cynicism that you stop believing that forward progress is possible. But it's an ugly fact that many of the NSA's recent activities have had explicit Congressional approval. Revoking that approval is an essential step to fixing the situation, and Congressman Holt should be applauded for attempting to do so.
This is a stupid idea. (Score:4, Informative)
This is a stupid idea. The 1976 consultation between the NSA and IBM over DES resulted in a stronger DES. The NSA couldn't disclose what it knew about how to easily attack the DES as it was originally proposed, and it took about 8 years for an academic researcher to understand why the original algorithm was actually weaker than the one with the proposed NSA modifications.
They are doing some rather asshole things at the moment (at the behest of the Federal Government - "We were just following orders"), but they tend not to screw with cryptography which is allowed to be on the GSA schedule when embodied in communications equipment for sale to the U.S.Military.
Re:Pointless posturing (Score:5, Informative)
A law to stop the NSA? Yeah, that oughta do the trick. *rolls eyes*
Your cynicism has run away with your sense.
The NSA has clearly been breaking the law, but they've been doing it through a series of rationalizations, and they've just been edging over the line, not just ignoring the law completely. Specifically, they have redefined the word "collection" to mean "reading", which allows them to hoover up all the information they can get access to and then only later have to decide what they can legally look at and what they can't. And, of course, once they have the data, mistakes are inevitably made or in some cases they may even decide flat out that there is sufficient justification to ignore the law "in this case". And of course there has been no law at all against installing back doors, just a tension with the other mission of the NSA, which is to ensure the security of US signals. Again, some rationalization can allow them to get past that.
That's the kind of thing that it's very easy for good people who feel like they're working for the higher good to do. They can easily tell themselves that they're following the law except in isolated cases where it really, really matters because they have really, really good reasons.
A law like this would be different, because backdooring systems must be done well in advance of any specific case where the backdoor would be used, making it extraordinarily difficult to rationalize it... and also making violations abundantly clear. To really make certain, the law should apply severe criminal penalties to anyone who knew about and didn't report the violation.
I would like to see the law also require them to quietly go about closing all of the backdoors/weaknesses they've already put in place.
Another change to the law that I think would be very useful is to explicitly clarify the definition of "collect". Granted that it's impossible in many cases not to collect a little extra data alongside the stuff that you're really trying to grab, but that could be addressed by specifying data retention limits in the law. Perhaps they should only have 24 hours to evaluate the origin/destination of captured data, and then be required by law to discard anything that they can't substantiate as being lawful for them to collect. Another suggestion I've heard would allow the NSA to capture everything they want, but would require them to immediately escrow all of it with a court or other agency, from whom they could request the pieces they can show they should have access to. That court or agency would, of course, have as its primary job to ensure the NSA doesn't cross the lines.
Re:Pointless posturing (Score:4, Informative)
Yes, that's called an All-or-nothing Transform. It's computationally cheap but not yet used very widely.