Barring another vote before the end of the calendar year and the current Congressional session, the USA FREEDOM Act is dead in the water until 2015—and maybe even beyond.
The Senate last night came up two votes shy of passing the bill, which would have overhauled the NSA’s current dragnet surveillance of phone call metadata. Opponents of the bill cried that it would infringe on the intelligence community’s ability to keep tabs on terrorists. Proponents, on the other hand, saw the Senate’s 58-42 rejection as a defeat for civil liberties.
And there you have it: competing agendas; politics at its best, er, worst. And your agenda, you whose privacy is in question and at stake, probably doesn’t matter much.
Cyber security legislation, like its distant cousins The Year of PKI and Information Sharing, is quickly becoming the biggest nonstarter in the industry. Legislators are just as reactive as the rest of us. Too many competing priorities are in the way, and you likely won’t get definitive legislation until something bad happens, and then, of course, like always, it will be too late.
The USA FREEDOM Act, introduced more than a year ago by Wisconsin Republican Rep. Jim Sensenbrenner, was the latest best hope for some kind of ruling that would curb the National Security Agency’s ability to spy on Americans without a court order. The bill would have required parties seeking access to communications records to demonstrate reasonable suspicion that the records in question are associated with a foreign power or agent. Investigators would be granted access to communications data in 180-day blocks that can be extended under a new application for access. The government would also be required to destroy all collected information within five years of receipt. And call content is not in scope here, only metadata.
Yet, according to bill author Sen. Patrick Leahy (D-VT), opponents got their way by fear mongering, which in turn scares people away from productive debates, the New York Times said. The Times also said Sen. Mitch McConnell, Republican leader, was the main opponent. “This is the worst possible time to be tying our hands behind our backs,” he said. Others such as former NSA and CIA head Michael Hayden said the bill was a gift to terror groups such as ISIS.
D.C. insiders have been saying for some time that this could be the last shot for a while at some sort of cyber legislation. One went so far as to say it wouldn’t happen until after the 2016 elections, citing another potential government shutdown in December, the appointment of a new Attorney General, debates over the use of military force against ISIS, and diplomatic and strategic agreements with Iran that need to be reworked.
So what does that all mean for information security types?
For once, security and technology companies have not been completely reactive. Yes, it took the Snowden revelations starting in June 2013 to get the ball rolling, but no one is waiting for legislation to dictate what needs to be done. Since Snowden started dropping his knowledge, we’ve seen important innovations around data security and privacy. Companies are taking encryption seriously and see it as the only true means of keeping personal communication and digital interaction safe from the NSA and GCHQ.
Just yesterday, we had Open Whisper Systems reveal that they partnered with WhatsApp on end-to-end encryption for Android mobile clients. That comes on the heels of a laundry list of similar announcements. New ventures such as Blackphone were announced providing secure phones for consumers that include Silent Text messaging. The Signal app was also released this summer, providing encrypted iPhone calls. Technology companies such as Microsoft, Yahoo, Facebook and Google have battened down encryption on important applications, as well, by turning on HTTPS, Perfect Forward Secrecy, HSTS and a lot more.
Encrypting everything everywhere is hard—and it’s the best available answer. Tech providers need to remain vigilant about encryption, patching vulnerabilities, finding the next Heartbleed/Shellshock/POODLE, and calling out ISPs for shady practices such as turning off STARTTLS and keeping cozy relationships with the government.
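Two of the protections named above can be checked from the defender's side with a few lines of code: whether a mail server's EHLO reply still advertises STARTTLS on the path you observe it over (a missing keyword is what STARTTLS stripping looks like to a client), and whether a site's HSTS header is actually strong enough to do its job. The following is an added example written for this post, not code from the article or from any of the companies it mentions; the EHLO replies and HSTS header values are constructed sample inputs, and the one-year minimum max-age is an assumed policy threshold.

```python
"""Defender-side checks for STARTTLS stripping and weak HSTS headers.
All sample inputs below are constructed for this example."""
import re
from typing import Dict, List, Optional

# Constructed EHLO replies. RFC 5321 uses "250-" for continuation lines
# and "250 " (with a space) for the final line of a multi-line reply.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
# The same server as seen over a path on which STARTTLS has been removed.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply: str) -> List[str]:
    """Return the upper-cased extension keywords from an EHLO reply.
    The first line is the server greeting, not an extension."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    extensions = []
    for ln in lines[1:]:
        m = re.match(r"250[- ](\S+)", ln)
        if m:
            extensions.append(m.group(1).upper())
    return extensions


def starttls_offered(reply: str) -> bool:
    """True if the server advertised STARTTLS in this EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)


def stripped_extensions(direct_reply: str, observed_reply: str) -> List[str]:
    """Extensions present when the server is reached directly but absent on
    the observed path. A non-empty result is the signature of in-path
    tampering such as STARTTLS stripping."""
    return sorted(set(parse_ehlo(direct_reply)) - set(parse_ehlo(observed_reply)))


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value (RFC 6797) into its directives."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    if not header:
        return result
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age policy for this example


def hsts_problems(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return human-readable findings for a weak or missing HSTS header."""
    parsed = parse_hsts(header)
    findings = []
    if parsed["max_age"] is None:
        findings.append("no valid max-age (header missing or malformed)")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif parsed["max_age"] < min_age:
        findings.append(f"max-age {parsed['max_age']} is shorter than {min_age}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


if __name__ == "__main__":
    print("direct path offers STARTTLS:", starttls_offered(EHLO_WITH_STARTTLS))
    print("observed path offers STARTTLS:", starttls_offered(EHLO_STRIPPED))
    print("stripped on observed path:", stripped_extensions(EHLO_WITH_STARTTLS, EHLO_STRIPPED))
    print("HSTS findings:", hsts_problems("max-age=300"))
```

Comparing the capability list seen from a trusted vantage point against the one seen through a given network path is what makes stripping visible: the server has not changed, only what the client is allowed to see of it. The HSTS check is the same idea applied to HTTPS, since a header with a tiny max-age or without includeSubDomains leaves the door open for the downgrade attacks that HSTS exists to close.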
The rejection of the USA FREEDOM Act sends a clear, albeit indirect message: Take care of your own back yard. Government has an ongoing green light to spy and encryption is the best barrier at your disposal. Be sure: they won’t stop, and neither should you.