Senator: let’s fix “third-party doctrine” that enabled NSA mass snooping - Ars Technica 20160403
Q&A: Ars sits down with Oregon's outspoken advocate of strong crypto, Sen. Ron Wyden.
This past week hundreds of lawyers, technologists, journalists, activists, and others from around the globe descended upon a university conference center to try to figure out the state of digital rights in 2016. The conference, appropriately dubbed "RightsCon," featured many notable speakers, including Edward Snowden via video-conference, but relatively few from those inside government.
Sen. Ron Wyden (D-Oregon), however, was an exception. On the first day of the conference, he gave an in-person speech, in which he argued for a "New Compact for Security and Liberty."
The Oregon senator is likely familiar to Ars readers: he’s been one of the most consistently critical voices of the expansion of government surveillance in recent years. We last spoke with him in October 2014 when he made the case that expanded active spying hurts the American economy. In December 2014, Wyden introduced the "Secure Data Act" in the United States Senate, which aims to shut down government-ordered backdoors into digital systems. However, that bill hasn’t even made it to committee yet, over a year later.
On Thursday, the day after his address, Wyden sat down with Ars at a downtown Peet’s Coffee, where we chatted in more detail about his proposal. What follows is the transcript of our conversation that has been lightly edited for clarity.
Ars: What does your compact mean in terms of new legislation? Because some of these items outlined in your speech, like the third-party doctrine, Congress doesn’t have the authority to overturn that.
A: Well, Congress could pass a law. But let’s begin at the beginning. What I wanted to do yesterday in this speech was to refocus the debate. More than anything else, that’s what the talk was about. I can tell you—and I don’t have an exact count—but my guess is that there have been thousands upon thousands of articles written in the last few months and they invariably start with the phrase: "In the ongoing debate between security and privacy, the following happened today... "
And I want to make clear that I don’t think that’s what the debate is all about. It is not about security versus privacy. In my view, this debate is about less security versus more security. My view is that at a time when millions of Americans have their life wrapped up in a smartphone—their medical records, their financial records, they might be tracking their child to make sure their child isn’t molested—strong encryption is the must-have go-to security tool for millions of Americans and the communities in which they live. So I want to re-focus the debate along those lines.
Are we to understand that what you're calling a compact will evolve into actual legislation?
Let’s take some of these devices one by one. As your readers know, for weeks now we’ve been told that there is going to be a Burr-Feinstein bill in the United States Senate that in fact would be a piece of legislation that would, in effect, mandate that a private company weaken the security of their products so they would be able to comply with a court order. The first thing that I want to do as part of our strategy is to block that legislation. And I’m going to argue that it should be blocked on the grounds that it will weaken the security of millions of Americans. The second thing that I want to do after we block that bill is pass affirmative legislation that I’ve introduced called the Secure Data Act, where we wouldn’t be talking about blocking legislation, but talking about affirmative action to ensure the security of the data of millions of Americans. So those would clearly be two steps that would be very relevant to today’s discussion.
Beyond that, with respect to the third-party doctrine. I think that when people enter into a private business relationship, they don’t expect that that’s going to be public. And particularly now in an age of digital services I think it’s important that that law be re-written: that law stems from a decision that’s decades old. And I’m encouraged that even people like Justice Sotomayor think it ought to be rewritten. So that’s the third area.
A fourth area would be that we’re more vigilant with respect to administrative actions that might be taken that again, instead of a win-win in which we’ll have more security and more liberty, there will be a lose-lose. Yesterday I talked about Rule 41, which is something that the Justice Department wants to do, where in effect, they could get one warrant and in effect get access to scores and scores of computers outside that one jurisdiction. And I think that’s a mistake.
And finally I talked about the need for more talent. I take a position that challenges the intelligence agencies to adapt to new times. That’s why I went through the Miranda decision and how people thought "Oh my goodness, we’ll never get a confession!" Obviously law enforcement adapted to those new challenges. I think having talented people, some of whom have been in the room at RightsCon, would be a very good way to adapt. So those are, kind of, the four or five areas where a combination of elected officials who block unwise measures and affirmatively move to pass legislation to update our laws makes sense.
We at Ars struggle, as I think a lot of people struggle, to not only understand the tools like PGP, but also to put them into practice and use them. For example, at Ars, I’m one of six people who has a publicly-listed PGP key. I’d be curious to find out from you what kinds of tools you use in your office, what kinds of tools are used in the Senate more generally, and what that experience has been like.
First of all, I think that those who are using a smartphone are counting on encryption. And that is a basic security measure. But for me, the important way to assess your question is that when legislators make policy, the big mistakes come when they are reacting, particularly when there has been a horrible tragedy and someone makes a knee-jerk reaction. When you get a chance to reflect on it, instead of what I call a win-win—security and liberty—too often you get a lose-lose. For example you weaken strong encryption, the first thing that’s going to happen is people who seek encryption are going to go overseas where there are hundreds of products and there’s even less control over them.
You’re somebody who pops up in the news a lot, talking about these issues of privacy. You obviously care a lot about them. I’d love to hear how you plan to convince your colleagues of the importance of these issues. I think it can be hard for people who aren't as steeped in these issues to wrap their brains around them. So I’d love to hear what that process has been like for you.
First of all, we’ve come quite a ways. Back when I started in 1996, I wrote the law that ensured that a website owner would not be held personally liable for something that was posted on the site. We wrote the digital signatures law and banning tax discrimination, for example, so that people who needed Internet access to get education and employment opportunities wouldn’t face problems. It’s been a pretty amazing ride since then. All the way to the time when the NSA overreached with respect to metadata. When we started, there were only a handful of us trying to rein in that overreach. By the time we were done, we had plenty of Republican votes and what had been a secret interpretation of the Patriot Act was gone. Education efforts take time.
One of my favorite accounts was that there was a law that came out of Intel Comm [Senate Select Committee on Intelligence] that passed 14-1 written by Sen. Feinstein (D-California) to deal with so-called overly broad leaks, and I knew the bill was a turkey from the very beginning, and I didn’t even know how bad it was. After it got out of committee, we had a chance to learn more about it, educate ourselves, we all talked about it, and by the time we were done, the senators who had written it didn’t want anything to do with it and we were able to get rid of it. So education efforts can take more time. But we’ve had a fair number of successes and of course nothing matches the campaign of SOPA and PIPA.
You talked about hiring more technologists. What would that look like in your mind?
Obviously I think it's very valuable for offices, individual House and Senate offices to have a go-to person who is knowledgeable about the technology. I was talking yesterday mostly about agencies like the FBI and the government.
Would that involve hiring from the private sector and bringing them on in these types of cases [that involve cryptography]? Because obviously the FBI already has people...
I’d like them to be in a position to get leadership positions and permanent positions on the basis of their knowledge and expertise and the kinds of issues that people were talking about at RightsCon.
Are there any cases or issues that we in the public should be aware of in Oregon that maybe haven't hit the national stage yet?
Let’s put it this way: when the FBI said that they had been able to access the Apple San Bernardino phone, it was clear that was not the end of the debate. In fact, this debate is just starting. And we’ve heard about other jurisdictions that purportedly are looking at it. I’ve been very troubled and it will be something I'll be following up on. The FBI has said this just involves one phone. We’re talking about re-creating code, so it’s not about one. And then later the district attorney in New York talked about scores and scores of phones.
Is there anything that you'll be taking from your experience at RightsCon back to Oregon or to Washington?
I was hoping that it was a two-way street, and it was. My goal was to make sure that the people there who play these leadership roles in so many grassroots organizations, that they had a sense of what I as one elected official thought the challenge was all about. That’s why I said right at the beginning: I see our job as trying to convince politicians it’s not about security versus privacy, it’s about more security versus less security. And I think as we went we had a lot of good conversation. I think there was a lot of interest at RightsCon about what’s coming next—[people were asking] what does he think is coming next—and there was a lot of interest in Rule 41.
Last time we spoke, you’d mentioned that before the president leaves office that you wanted to play basketball with him. Is that going to happen?
It’d better happen soon! There are a few priorities for Oregon that I may see if I can get on the court. He’s been very gracious and he’s invited me multiple times and I think I indicated that I was saving it for something big that Oregon needs, and we’re heading into the home stretch.
Anything else that I didn’t ask you about that you’d like to add?
I think that this is going to be a very busy few months. People have asked what’s next, and we’re going to have some classified briefings, I assume, to try to figure out what the details are with respect to how the process went forward, with respect to accessing the data on the [San Bernardino] phone, and there are zero-day issues that we’re talking about and looking at.