NSA reform: lawmakers aim to bar agency from weakening encryption

Concerned about weaknesses in USA Freedom Act, Zoe Lofgren and colleagues pushing to prevent NSA from weakening online encryption with new amendment

Spencer Ackerman in New York

US legislators concerned about weaknesses in a major surveillance reform bill intend to insert an amendment barring the National Security Agency from weakening the encryption that many people rely on to keep their information secure online, or exploiting any internet security vulnerabilities it discovers.

Congresswoman Zoe Lofgren, a California Democrat, told the Guardian that she and a group of colleagues want to prevent the NSA from “utilizing discovered zero-day flaws,” or unfixed software security vulnerabilities, and entrench “the duty of the NSA and the government generally not to create them, nor to prolong the threat to the internet” by failing to warn about those vulnerabilities.

Since the discovery of the Heartbleed bug afflicting web and email servers, the NSA has faced suspicions that it has exploited the vulnerability, which the agency has strenuously denied. Beyond Heartbleed, documents from whistleblower Edward Snowden have revealed that the NSA has weakened online encryption, causing consternation among technology companies as well as privacy advocates.

Lofgren intends to attach the provision to the USA Freedom Act, increasingly the consensus bill to reform surveillance in the wake of the Edward Snowden disclosures. The bill, mostly favored by civil libertarians and expected to go for a vote on the House floor as early as next week, does not include language stopping the NSA from undermining encryption.

In an indication of the difficulty legislators will face in recasting the USA Freedom Act to better protect privacy, Lofgren conceded that attaching the provision will be difficult, as House legislators do not want to upset a tenuous deal on surveillance reform by adding to the bill. She is currently seeking a parliamentarian ruling on the “germaneness” of her online security amendment in order to make it difficult for opponents to exclude it from consideration on the floor.

Lofgren said she and other civil libertarian-minded lawmakers will have limited opportunities to add amendments to the bill, and so are prioritizing measures they believe stand the best chance of winning House support.

Lofgren said she thought those would most likely include a ban on the NSA searching through its foreign-focused communications content troves for Americans’ information without a warrant; clarifying a Patriot Act prohibition on collecting Americans’ phone calls and email content; and permitting more detailed transparency for telecoms and internet companies to disclose the sorts of national-security orders they receive from the government for their customers’ data.

Lofgren last week fought an unsuccessful battle in the judiciary committee to strengthen the bill’s privacy safeguards. After she failed, the committee approved the current version of the Act, 32-0, bringing a measure cherished by privacy advocates back from the dead and putting it on a fast track to becoming law. Lofgren, who considers the bill an improvement on the status quo, voted for it.

But the price of moving the bill through the House judiciary and intelligence committees was the loss of many of the provisions that made civil libertarians support the USA Freedom Act in the first place.

The bill has been pitched as ending bulk domestic surveillance. But as it is now written, the government would, pending the approval of a secret court, be able to access phone records of people up to two degrees of separation from someone “reasonably” suspected of links to an agent of a foreign power, without a tie to an active counterterrorism investigation required. Thousands and potentially millions of records – from as many people – could be acquired through a single court order.

Lofgren, in debate with her colleagues last week, attempted to move the USA Freedom Act closer to its civil libertarian origins. She tried to make probable cause the standard for most data acquisition; to restore a major provision barring the NSA from sifting through its foreign-focused content troves for Americans’ information without a warrant; to constrain the intentional collection of Americans’ communications to the targets of active investigations; and to restrict the kinds of intelligence the NSA can collect to information relevant to threats the US faces.

All those efforts failed. Lofgren also agreed to withdraw an amendment that would explicitly bar the NSA from collecting the contents of Americans’ communications, something the agency insists it does not do under the Patriot Act. Lofgren called her amendment necessary to rectify a “clerical error” in the revised USA Freedom Act – which modifies the Patriot Act – but backed down after the judiciary committee chairman, Republican Bob Goodlatte of Virginia, agreed to work on a fix.

--

--

--

http://www.theguardian.com/world/2014/may/13/nsa-surveillance-usa-freedom-act-encryption-amendment-zoe-lofgren