Congress Finally Put a (Really Obscure, But Important) Limit on NSA Power

The House passed a toothless NSA reform bill yesterday, and VC Marc Andreessen says that meetings about privacy and surveillance between tech companies and the Obama administration haven’t been very productive. But the news isn’t all depressing for privacy advocates. One consolation prize: a new amendment that says the NSA can no longer be involved in determining encryption standards.

The National Institute of Standards and Technology is the federal agency that determines standards for measured quantities, like the length of a second. But NIST also holds competitions to get the best cryptographers in the world to solve security problems and evaluate new encryption techniques. The agency considers the results of its competitions as it forms new encryption standards. Once those standards are published, government agencies, subcontractors, and vendors must adhere to them for digital communications and hardware/software purchases. That means they influence manufacturers, government vendors, and tons of people.

Until now, the NSA has been allowed to influence decisions about encryption standards. And the NSA, presumably, is interested in finding ways to circumvent the standards so it can intercept communications and data that the senders think are secure. The agency even prevailed upon NIST to publish a standard which many in the cryptography community warned had been weakened and probably contained a backdoor for easy NSA access.

Now, finally, the House Science and Technology Committee passed an amendment to the Frontiers in Innovation, Research, Science, and Technology Act this week that will keep the NSA from getting involved in NIST’s encryption-standard evaluation process. As the Huffington Post points out, this may be the first time a body of Congress has approved legislation that limits the NSA’s power.

Before the vote on the amendment, Rep. Alan Grayson (D-Fla.) wrote the following in a letter to the committee:

These are serious allegations. NIST, which falls solely under the jurisdiction of the Science, Space, and Technology Committee, has been given “the mission of developing standards, guidelines, and associated methods and techniques for information systems.” To violate that charge in a manner that..

Read more: http://www.slate.com/blogs/future_tense/2014/05/23/nist_doesn_t_have_to_confer_with_the_nsa_about_encryption_standards_anymore.html