Rep. Zoe Lofgren Proposes NSA Surveillance Reform Amendments to the National Defense Authorization Act (NDAA)

May 20, 2014
Press Release
WASHINGTON, D.C. - Rep. Zoe Lofgren (D-CA), a senior Member of the House Judiciary Committee, testified today before the House Rules Committee on two amendments (Amendments 228 and 229, more detailed information following the transcribed remarks) she has proposed to the National Defense Authorization Act (NDAA) to bring needed reforms to NSA surveillance activities. What follows are Rep. Lofgren's remarks and a brief colloquy with Rep. Pete Sessions (R-TX), the Chairman of the House Rules Committee, video of which is available here:
 
Rep. Lofgren: Thank you very much Mr. Chairman.  I have amendment 228 and amendment 229.  
 
Let me start first with 228. This is an encryption funding amendment. It is sponsored by myself, Congressman Rush Holt, and my colleague on the Judiciary Committee, Representative Doug Collins of Georgia. The amendment would prevent funding of any intelligence elements, program, or related activity that mandates or requests that a device manufacturer, software developer, or standards organization build in a backdoor to circumvent the encryption or privacy protection of its products, unless there is statutory authority to make such a mandate or request.
 
Now we've seen in the newspaper that the NSA paid the RSA $10 million to set as the default a deliberately flawed encryption method which gave backdoor access to any message encrypted with the RSA program. In March we saw another report that another flawed encryption tool was given to RSA by the NSA to increase the speed at which to access messages encrypted with the flawed standard.  
 
The recent Heartbleed SSL bug shows that even when backdoors are created unintentionally, the costs to business to repair them are tremendous. I think the important thing to remember is that if there is a flaw in encryption, eventually somebody finds that flaw and they exploit it.
 
Now intentionally adding a backdoor to security or privacy systems or standards not only makes us all more unsafe, it comes with huge economic cost. These costs are more than what we lose to bad actors exploiting the backdoors. It also costs tech companies the goodwill and trust that they build up over the years with foreign consumers. It just doesn't make sense to spend money on a program that results in greater harm and cost than would exist without the program.
 
Since the NDAA purpose is to authorize appropriations for FY 2015 for military activities of DoD and since the NSA is within this department, we've been advised that this amendment is germane. 
 
I think it's important that we give an opportunity to the members of the House to speak out on this item that is a matter of tremendous concern among Americans of both parties, and there is support for reform among the members of the House from both parties, and I think it's important that the House have an opportunity to express its will. 
 
The second amendment has to do with 702 of the USA PATRIOT Act. The amendment would prohibit the use of funds for searching for the communications of Americans that are collected under section 702 of FISA, in a manner that is inconsistent either with the probable cause requirements of the rest of Title 7 regarding US persons or the 4th Amendment.
 
This amendment is offered by myself, Congressman Massie, Congressman Amash, and Congressman Polis. Again, this is a bipartisan amendment and I think it's important that the members of the House of Representatives have an opportunity to stand up and take a stand on this issue. This amendment comports with the structure of Title 7 which requires probable cause in all of its authorities that directly deal with the communications of US persons.
 
Now how does this actually work? 702 of the act provides that you can collect information, in bulk, about people outside the United States and also communications between people in the United States outside.  As a practical matter, what that means is not just phone calls from me to my great Aunt Tilly in Sweden—but also because phone calls as well as emails and other internet communications are routed along the internet backbone—that information flows in a way that's easiest to flow.  Further, we have servers that have the information of US persons that may be located outside of the United States even though they have the information of US persons. 
 
For example, some companies have servers in Iceland because of their geothermal energy and because it's not that hot in Iceland, which is an issue for server farms. They might have all of your information, Mr. Chairman, if you have a Gmail, or Yahoo, or MSN account, but because it's located outside of the United States, all of that could be obtained. 
 
The point of this amendment is that if you're going to query that database that has been lawfully collected or information about Americans—you should get a warrant to do that—you should have probable cause—and probable cause is the standard in the 4th Amendment, and it's the standard throughout the rest of the bill.
 
Now this is germane because the NDAA's purpose is to authorize appropriations for FY 2015 for military activities, for the Department of Defense, the NSA, and agencies under the DoD. And we believe that, although there are efforts underway between the Judiciary and Intelligence committees to come up with a compromise bill relative to the USA FREEDOM Act, this is not addressed by that compromise, and it needs to be addressed by the House of Representatives.
 
REP. SESSIONS: Ms. Lofgren, your insight into this specificity of the cyber world is interesting and I will tell you that I am intrigued by your testimony. I am, probably as every single member of this body, concerned about the laws of this country to protect individual civil liberties, but also to make sure we have an opportunity to protect this country. But the application through the backdoor by an organization—any organization—that would allow information to be gained—what I would call gained—without proper notice, is serious. I don't consider it a breach, I consider it an application. And I need to go look at this a little bit more and I tell you being here is very important and I appreciate this. 
 
REP. LOFGREN: I thank you very much, Mr. Chairman, and as I say, this does have bipartisan support. I would note that I was aware that a version of the USA FREEDOM Act will be coming before us and it is a compromise, I did vote for it in the Judiciary committee. But the 702 backdoor problem, which was addressed by Mr. Sensenbrenner in his original bill, is not included and it should be. 
 
It doesn't mean that you wouldn't get any information, but it is – Sir, if you have a warrant, you can query it.  And here is my fear:  that if you don't address this issue, we're going to be back here in a couple years having seen the same kind of, you know, violations of the Constitution that are going to lead our constituents across the country to be outraged. We have an opportunity to address it now. I understand and support the need for compromise between the two committees, but allowing the House to work its will, if a majority of the House feels that the 4th Amendment ought to be honored in this way, is not inconsistent with the agreement reached between the two committees. 
 
I thank the gentleman for his kind words.
 
# # #
 
 
Amendment #228 is a bipartisan proposal offered by Reps. Lofgren, Rush Holt (D-NJ) and Doug Collins (R-GA):  This amendment would prevent the funding of any intelligence agency, intelligence program, or intelligence related activity that mandates or requests that a device manufacturer, software developer, or standards organization build in a backdoor to circumvent the encryption or privacy protections of its products, unless there is statutory authority to make such a mandate or request.
 
Amendment #229 is a bipartisan proposal offered by Reps. Lofgren, Justin Amash (R-MI), Thomas Massie (R-KY), and Jared Polis (D-CO):  This amendment would prohibit the use of funds for searching for the communications of U.S. persons collected under section 702 of FISA in a manner inconsistent with the probable cause requirements of the rest of Title VII regarding U.S. persons or the Fourth Amendment.