Yesterday evening, the U.S. House of Representatives took two minor steps forward on surveillance reform – one a 293-123 vote to prevent some targeting of Americans in the use of collected intelligence data, the other a voice vote to limit backdoors in technical security standards. The changes help close loopholes in the current system of legal oversight over surveillance practices, though they are not nearly at the scale of compelling reforms to improve transparency and safeguards for mass and targeted surveillance that Mozilla has been calling for, alongside many public interest organizations and major technology companies. The changes are included within the appropriations bill for the Defense Department, so they have a few more steps to go through before they become law. But if they make it through, they will help at the edges of the surveillance problems. And the strength of the victories gives some reason for hope that all is not lost in achieving meaningful legislative change.
First, in a compelling bipartisan vote, the House approved an amendment by Lofgren to close a loophole permitting “backdoor” searches by the NSA for information on Americans; the amendment is not designed to offer more protections for non-Americans. Under the current legal framework, the intelligence agency can collect and gather information about a foreign national, and then search within that set for information about individual Americans, thus getting around rules that otherwise prohibit NSA targeting of Americans. Lofgren’s amendment closes that loophole.
Second, in a less-widely-reported amendment passed by voice vote, Rep. Grayson proposed an amendment that would formally prevent the NSA from using its consultative role with the National Institute of Standards and Technology (NIST) for purposes other than improving information security. (See the 8:55 pm line of the House floor record, which references line (c)(1)(A) of the U.S. code.) One particular NIST security standard, a process for generating numbers for use in security tools, was suspected last year of including a deliberate backdoor; software using that standard has since been removed by major security vendors. The Grayson amendment is intended to prohibit this behavior in the future, and it could help restore some degree of trust in NIST for the professional security community.
These changes do not represent the major reforms we need to repair and restore user trust online, like those proposed by the President’s Review Board, those originally proposed in Congress, and those identified by Mozilla earlier this year. Much more work needs to be done in the months and years to come, and everyone who cares about the future of the Internet will have a part to play in making real change happen. But, we can have a little more hope today than we did yesterday.