The House passed a toothless NSA reform bill yesterday, and VC Marc Andreessen says that meetings about privacy and surveillance between tech companies and the Obama administration haven't been very productive. But the news isn't all depressing for privacy advocates. One consolation prize: a new amendment that says the NSA can no longer be involved in determining encryption standards.
The National Institute of Standards and Technology is the federal agency that determines standards for measured quantities, like the length of a second. But NIST also holds competitions to get the best cryptographers in the world to solve security problems and evaluate new encryption techniques. The agency considers the results of its competitions as it forms new encryption standards. Once those standards are published, government agencies, subcontractors, and vendors must adhere to them for digital communications and hardware/software purchases. That means they influence manufacturers, government vendors, and tons of people.
Until now, the NSA has been allowed to influence decisions about encryption standards. And the NSA, presumably, is interested in finding ways to circumvent the standards so it can intercept communications and data that the senders think are secure. The agency even prevailed upon NIST to publish a standard which many in the cryptography community warned had been weakened and probably contained a backdoor for easy NSA access.
Now, finally, the House Science and Technology Committee passed an amendment to the Frontiers in Innovation, Research, Science, and Technology Act this week that will keep the NSA from getting involved in NIST's encryption-standard evaluation process. As the Huffington Post points out, this may be the first time a body of Congress has approved legislation that limits the NSA's power.
Before the vote on the amendment, Rep. Alan Grayson (D-Fla.) wrote the following in a letter to the committee:
These are serious allegations. NIST, which falls solely under the jurisdiction of the Science, Space, and Technology Committee, has been given "the mission of developing standards, guidelines, and associated methods and techniques for information systems." To violate that charge in a manner that would deliberately lessen encryption standards, and willfully diminish American citizens' and business' cyber-security, is appalling and warrants a stern response by this Committee. Many businesses, from Facebook to Google, have lamented the NSA's actions in the cyber world; and some, such as Lavabit, have consciously decided to shut their doors rather than continue to comply with the wishes of the NSA. Changes need to be made at NIST to protect its work in the encryption arena.
Internally, NIST has also been working to cleanse itself by eliminating the faulty, NSA-backed encryption component from its standard. And the amendment is an important victory and a good reminder for people who may not think about cryptography every day. Weakened encryption has been one of the NSA's reliable backdoors for collecting data, and the NSA's involvement at NIST was preventing citizens and people worldwide from making informed choices about how to protect their data.