Well, I can paraphrase my own comment from the thread about Australian elections:
You can slander everyone who discovers vulnerabilities in your software, and you can even lobby to make it illegal to disclose those vulnerabilities, and throw people in prison over it, and so on... and your software will go right on being vulnerable. You can put every security researcher and white hat in the world in prison on trumped-up charges and throw away the keys, and it will not make your software one bit more secure. It will probably make it a great deal less secure.
Which is to say that this EO will accomplish exactly the opposite of its supposed goal.
It's like, even if I convince every human being alive that I am not bound by the laws of gravity, if I jump off a cliff I will die all the same. To think otherwise is insane, but for some reason when it comes to software (and hardware) security we give people a pass. (Not we in the tech community, but we who vote.)
This is one of the Big Problems with human reasoning. Maybe the biggest. It really does seem that most people, if you drill down, truly and fundamentally believe that the laws that govern all of reality, will respond to a popular vote. That if we all believe something hard enough, reality will take notice. Thus we get policy which is totally divorced from the goals it is purported to serve, and not held accountable to them at all. As though the President of the United States can argue with mathematics or psychology and win.
Shame on the EFF, which I normally support, for jumping on this bandwagon of terrible journalism.
The EFF insinuates, without saying outright (since they must know it is false), that this is a law enforcement policy like the Computer Fraud and Abuse Act. A law enforcement policy is one where, if you're sitting at your desk, and the government thinks you've hacked into someone's computer, the government throws you in jail.
This executive order has nothing to do with domestic law enforcement, like Aaron Swartz or Kevin Mitnick or Dread Pirate Roberts or whatever. It is a foreign policy decision. The US maintains a public list, called the SDN list, of foreign entities that American citizens and companies aren't allowed to do business with. These are normally agents of governments the US doesn't like, eg. Iran and North Korea. This order adds hacking to the list of reasons why the President can put an entity on the SDN list. If, say, a Chinese defense contractor started hacking into American computers, the President can now prohibit American businesses from trading with them.
Under this order, the only way you can go to jail (that you couldn't go to jail for before) is if a) the President suspects some foreign person or company (say, a Chinese defense contractor) of hacking; b) the President decides to put that company on the SDN list; c) you know that company is now on the SDN list; and d) you buy things from, sell things to, or otherwise do commercial business with that company.
I think it's a bad idea for the executive to have the power to add people to the SDN list without judicial oversight. But they already had that power; this isn't really anything new. Claiming it is just confuses everybody.
Not a lawyer, but sounds to me like Dread Pirate Roberts could still find himself on the wrong side of this sort of this EO:
"Sec. 5. (a) Any transaction that evades or avoids, has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in this order is prohibited"
Broadly interpreted, wouldn't that be used against crypto-currency developers or secure communication tools developers that work on such tools with the knowledge that they can be used by sanctioned individuals or organizations? How about developers who write secure communication or security testing tools and sell them online without the ability or interest to verify who the purchaser is?
The Patriot Act was also supposed to be about targeting only a few hostile foreign organizations, and yet it had massive implications for everyone living in the U.S. and abroad. Now, I get that an EO and a law are different things, but still, I can see potential implications of the general trend of the U.S. government seeing cybersecurity as something you throw sanctions and laws and deterrence at until it stops being an issue, without considering the potential collateral damage or overreach.
Ross Ulbricht isn't a foreign national, and there is no foreign power within the scope of this EO for whom any of Ross Ulbricht's assets hold any beneficial interest, so, no, this doesn't have anything to do with DPR.
Given he tried to have several people killed I imagine he finds himself on the wrong side of multiple executive orders, laws and moral frameworks alike...
As for your second paragraph I would imagine you'd have to prove some form of intent in order to throw someone in jail?
Do we know if he really did ? I thought this was all speculation from the prosecutor to shine a bad light on the character. He never was convicted of it for sure.
> Given he tried to have several people killed I imagine he finds himself on the wrong side of multiple executive orders, laws and moral frameworks alike...
Sure, not saying he is a moral person, or not a criminal, or that he is likely to be even in the smallest measure a good person. But he clearly is not a hostile foreign power in and of himself, though I am sure he would love to be considered one ;)
My only argument regarding DPR is that this sort of EO might end up applying to targets other than agents of hostile governments or terrorists or whatever the current boogieman is.
> As for your second paragraph I would imagine you'd have to prove some form of intent in order to throw someone in jail?
I would hope so, and that things like "intent to sell/export tools to find and exploit security vulnerabilities" would not be enough, even when interpreted by non-expert police, prosecutors, juries and judges.
"This executive order has nothing to do with domestic law enforcement"
This is just not true.
As the article points out, Section 1(ii)(B) has absolutely no provision requiring activity to be outside of the United States. Read it through:
Section 1. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:
(ii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
(B) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section or any person whose property and interests in property are blocked pursuant to this order;
Look closely at this part of (B):
to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section
The requirement is only to assist, sponsor, or provide support to someone described in (a)(i) or (a)(ii)(A), which describe people who are "in whole or in substantial part, outside the United States."
What it does NOT say is that the person providing that support must also be outside of the United States. That's what the EFF article is talking about.
It doesn't matter what the executive order says. It has to invoke laws passed by Congress that provide the President with the authority to do anything. In this case, that law is the IEEPA. Read 50 U.S.C. 1702. He is limited to foreign transactions.
Executive orders are part of the federal rulemaking process. Rulemaking fills in the blanks left deliberately by Congress. Whether or not the President can use a national emergency to interfere with domestic financial transactions is not a blank Congress appears to have left in the IEEPA.
It does invoke laws passed by Congress, one which specifically grants powers to the President:
50 U.S. Code § 1702 - Presidential Authorities [0]:
(1) At the times and to the extent specified in section 1701 of this title, the President may, under such regulations as he may prescribe, by means of instructions, licenses, or otherwise—
(B) investigate, block during the pendency of an investigation, regulate, direct and compel, nullify, void, prevent or prohibit, any acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States;
Yes, and 50 USC 1702 is limited to foreign transactions and actors. You can't have your assets frozen under IEEPA merely for publishing POODLE. You have to write POODLE on behalf of China for this to matter to you.
to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A)
According to the EO, you only need to "provide technological support." And what does that entail? Whatever the Secretary of Treasury and AG decide it does.
Once again: the EO can only do what the IEEPA allows it to do. It does not matter what the EO says: if it conflicts with (or, in this case, is simply vague about) something in the IEEPA, it's the IEEPA that controls. Look at your own citation (50 USC 1702 is part of IEEPA); it's right there in the text.
This has come up before in US law --- executive orders w/r/t IEEPA --- before, by the way.
That sounds very good, except for four ominous words in the article: "declares a national emergency". If I understand correctly (and I could well be wrong), in a national emergency, the president can (temporarily, theoretically) assume powers that neither Congress nor the Constitution gives him. Lincoln did this, briefly, during the Civil War.
The article doesn't give any more detail on the "national emergency". But I worry that it could be a "get out of jail free" card for the president to do more than Congress authorized in the IEEPA.
The whole concept of the IEEPA is to define the scope of powers the President has when he declares a national emergency.
The history of the IEEPA was that before it was passed in the 1970s, Congress felt like there were not enough controls on the President's emergency powers. So we're discussing a delegation of power designed for exactly the circumstance you're talking about.
The concern that the President could claim extralegal powers in an "emergency" is legitimate, but you can't reasonably point to a case where he's working within the narrow guidelines established by Congress specifically to avoid that outcome as evidence that that's happening.
The NEA means national emergencies aren't a simple binary state. Instead, the President invokes "emergencies" on an as-needed basis to access specific powers delegated to him by Congress, which can shut him down with a vote (and, of course, can repeal the grants of power altogether).
So it's not as if the President can say "oh noez hackers national emergency!", suspend habeas, and imprison Michal Zalewski†. Instead: Congress gave the President the authority to recognize arbitrary foreign powers as "threats" and, pursuant to the declaration of a "national emergency", to interfere with their financial transactions. That's what Obama has done here, presumably with China as the subtext.
In the wake of KindHearts, if these powers are executed against American citizens or organizations, they can be challenged and overturned on 4th Amendment grounds. (Note the powers we're talking about are, again, only meaningful in the context of foreign transactions, or assets whose beneficiaries are foreign threat actors).
Cryptocurrency. Reading that section reads like a playbook on threatening cryptocurrency networks.
If you are a part of a cryptocurrency network, you are materially assisting and providing technological support for services potentially in use by foreign entities that are potentially targeted by United States enforcement of this EO.
It shouldn't matter whether Section 1(ii)(B) restricts itself to foreign actors, because the underlying law that animates this executive order, the International Emergency Economic Powers Act (50 U.S.C. 1702) is limited to foreign transactions. In fact: it's kind of weird that they'd even raise the question. Fundamentally, the President can't make new laws, and they know that. He's exercising powers that Congress delegated to him, and he is limited by the scope of that delegation.
A few others have mentioned this. The EO is tailored towards those outside the US and is a response to overwhelming cyber attacks. Sanctions are one of the US's tried and true international political weapons. They aren't going to be sanctioning US researchers, nor US-allied parties. The EFF seems to be confusing what is an EO targetting Chinese and Russian hackers and their funders with civil law? The EFF is normally very careful about these sorts of distinctions - so I'm very confused.
It has a clear purpose the public can get behind, but it will almost certainly be abused for persecuting domestic political rivals, software developers among them.
Here are some entertaining thought exercises:
A cyber 9/11 is linked to Bitcoin. Can Bitcoin developers be sanctioned?
A cyber 9/11 is linked to Tor. Can Tor developers be sanctioned?
You donate to Wikileaks, which is linked to a national security threat. Can you be sanctioned?
Section 1(ii)(B) applies to _any_ individual or entity, domestic or abroad, developing or facilitating development of pentesting or related software employed against vague and faceless "national security interests". But don't you worry, because this is only applicable to the "Chinese" threat which may actually be true for the first couple of years to build political support for the eventual, predictable abuses of power.
The EFF's news sites are almost never careful about these distinctions. The EFF does some important work, but their online advocacy programs aren't part of it. EFF's layperson explanations of the law are almost uniformly misleading.
It's hard to take an article seriously when they use the spelling "Whitehouse" in the title, and harder yet when they alternate between that and the (correct) White House within a single paragraph. I see there were two authors for the piece- wasn't there an editor?
I would very much like to see a separation between the high-quality investigative journalism from the EFF and their opinion pieces, which I wouldn't mind if they were under that heading.
It may be time for a constitutional amendment forbidding the United States government from any action that would impact the Internet -- save those maintaining free and unencumbered flow.
It'd be better for each of us to fight off APTs and other problems by ourselves than to head too far down the road of good intentions and unintended consequences.
A lot of you seem to be assuming the EO applies only to people outside the US. It would be a good idea to actually read the EO, which is NOT restricted to people outside the US.
From the EO[1], reformatted to show clause structure:
Section 1
(a) All property and interests
... of the following persons
... are blocked
(i) any person determined by the Secretary of the Treasury
... to have engaged in
... directly or indirectly,
... any activity originating form,
or directed by
... persons located outside the United States
that are reasonably likely to result in
...a significant threat to national security
...or economic health
...of the united states.
This language targets "any person" that meets some shockingly vague criteria[2] by few government officials[3]. The clause with "outside the United States" is not describing the person being targeted by the EO; that language is a detail about the type of activity that the targeted person is doing.
If the attack is directed by someone outside the US, and you are determined to be indirectly "engaged in" or "complicit with" that that activity, you are targeted by this clause. Neither you nor the attack itself need to be outside the US, as long as it is directed by someone that is outside the US.
What kinds of activities? In a previous thread I mentioned[4] how the EO doesn't prohibit harming "critical infrastructure", but instead prohibits:
Section 1 (a) (i)
(A) harming, or otherwise significantly compromising
a computer or network of computers that support
... the provision of service
... in a critical infrastructure sector
(C) causing a significant disruption to the availability
of a computer or network of computers
Note that section (C) does not limit itself to a "critical infrastructure sector".
There are so many vague and undefined terms in this EO, I wouldn't be surprised if this EO could be used against some kid that is "indirectly" engaging in a DDOS[5] being run by some *chan troll outside the US.
Also note: the EO doesn't mention the SDN list at all.
This analysis makes sense only if you believe the President can do whatever he wants in an executive order. Of course, he can't. Executive orders have only the flexibility allowed by Congress. You've read the text of the order, but not the laws its based on, and those laws contradict your analysis.
Unlikely; these things usually take some time to do (advisors provide feedback, multiple edit sessions likely, reviewed by lawyers, etc). I can't see them pulling this out so quickly...though I guess it's certainly possible just seems unlikely to me.
I wonder if there is any data out there to show how long executive orders typically take from conception to execution.
I don't think it's a knee-jerk reaction. For me it's easier to believe that this EO was signed deliberately to make every important security researcher guilty by default. It's hard to go against a government that can always punish you for what you have already done.
When I read the executive order it appears to explicitly target people "outside the US".
Basically the internet changes the paradigm of law enforcement. I get the impression this is a step toward allowing US to "penalize" people who actively seek to disrupt computers / networks in the US from abroad.
If you spend too much time trying to figure out all the tiny details and put them into the eo this is where (a) you can waste time nitpicking instead of spending that time enforcing, (b) cases get thrown out of court on technicalities just because "this is what the law / eo says". Instead I prefer a system where executive / judicial branches of government can spend all their time analyzing a case based on the merits alone and not on the technical jargon that may or may not be included in the law / eo.
I prefer the approach of "give the elected representatives a leash, but a short one". Spend less time agonizing over exactly what the law should say, and more time analyzing whether or not the law / eo is being enforced in good faith.
The one exception to this rule is if you have (a) an overly broad law / executive order, and (b) an executive branch who is not transparent about how they enforce those laws / executive orders.
I could not disagree more. The only way to keep the "leash" short is with a great amount of precision in writing laws.
There is no "enforce[ment] in good faith", and the evidence is everywhere. The Patriot Act is used domestically for any and every type of law enforcement investigation, far beyond what it was supposedly intended to be.[0] We've seen civil forfeiture become essentially a license to steal for LE agencies.[1] The government has stretched the meaning of the "exceeds authorization" component of the CFAA to the point of being almost meaningless.[2]
The point is this: the natural tendency of government is to stretch any power it is granted to the absolute max. We have reached a point that an assumption that government will exercise enforcement in "good faith" is simply naive. I assert that there is little evidence to the contrary.
I think there might be different definitions of "enforcement in good faith" here. Your perspective, if I understand it correctly, is "The purpose of this law was presented as fighting terrorism and now it's being used for other purposes, which constitutes bad faith enforcement".
Another perspective is, "Law enforcement isn't doing anything that it shouldn't be doing, therefore they aren't acting in bad faith". Whether they're going after terrorists or drug dealers or money launderers, it's all the same to many (if not most) people. As long as there's no evidence that government officials are abusing the provisions of the PATRIOT Act to settle personal scores or persecute those with unpopular beleifs, most people will see them as acting in good faith. This assumes that actions taken are within a reasonable interpretation of the letter of the law, of course.
I get where you're coming from, or at least I think I do. I just don't think that the issue is so black and white. This may be a case of "The current government isn't doing what I want it to do" as opposed to "We should change the way that the laws are written". And the solution to that is pretty simple: Vote.
The fact is it is being used to persecute people with unpopular beliefs. The evidence is taken out of context or completely false. You just hear very little about its misuse because poor, defenseless, innocent people are targeted. They are not obligated to present the court with information that is true.
In a somewhat ironic way I agree with you. However I am speaking from the perspective of what I want the US government to be more like instead of what it is right now. When you have no faith in your government I think you want no leash at all. Put all the details in the laws if you want more power than you already have.
But when you have sufficiently capable and competent actors in government I would lean on the side of trusting and giving the leash.
EDIT: And come to think of it, enormous weight of huge bills / laws I imagine could become a hindrance to a government's ability to do its job. Think about it. What if you inherited a highly complex legacy application that you were not allowed to rewrite from scratch or even refactor it, but were stuck maintaining it. And all that you ever get to do is add more code on top of the old (alot of times bad) code. It seems a cycle of futility. Instead given limited resources of a government I want a lean system where people are allowed to use their judgment and intuition.
>But when you have sufficiently capable and competent actors in government I would lean on the side of trusting and giving the leash.
The elected and appointed members of government change. Their terms expire, they retire, they're voted out.
The law doesn't suddenly change when a bad actor is elected or appointed.
And laws don't generally have expiry dates. The now nearly 100 year old Espionage Act of 1917 is being applied to Edward Snowden, imagine how out of touch laws will become, and how misapplied they will be?
tl;dr: the government changes and the length of the leash doesn't adapt to suit it.
That's a perfect example of a situation where the feedback loop needs to be tightened in government.
The more I think about it the more I feel governments should be alot more nimble than they have been historically. Alot more like an agile development team.
There needs to be just as often "amendments to" or "repealing of" laws that aren't working as originally intended as there are signings of new laws.
Instead we have in government the equivalent of a team of developers working on a project for months or maybe years nitpicking all the details before launching only to find that no one wants the product they spent all that time working on, or that it's out-dated, or impossible to maintain given all the complexity, or that it doesn't work on half the computers people try to run it on.
I would argue that (a) and (b) are exactly what's happening now, and why people are so unhappy with this law: it's overly broad, and it will be applied by organizations that have traditionally given little importance to the boundaries of the law, right to defense, and even human rights.
The leashes are the words of the law and their ultimate interpretation. Everything follows from those words.
Transparency and good faith are ideals that are rare in powerful bureaucracies. Expecting those with the most power in the world to act in good faith is a scorpion and frog tale.
I am only thinking out loud right now, but I'm trying to picture what the US Constitution would look like (or if it would have even been finished) had the founders agonized over all the minutiae they could've consumed themselves with when writing it.
> this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity
Non-story, it's not targeted so I don't see why anyone would be against this unless maybe they are racist or love terrorism or something.
If there was any genuine interest in making US systems more secure they would be more worried about making sure those systems don't succumb so easily to arbitrary strings of bytes sent over the network. The EO is completely pointless and toothless for any purpose BUT gaining an upper hand on legitimate security researchers.
You can slander everyone who discovers vulnerabilities in your software, and you can even lobby to make it illegal to disclose those vulnerabilities, and throw people in prison over it, and so on... and your software will go right on being vulnerable. You can put every security researcher and white hat in the world in prison on trumped-up charges and throw away the keys, and it will not make your software one bit more secure. It will probably make it a great deal less secure.
Which is to say that this EO will accomplish exactly the opposite of its supposed goal.
It's like, even if I convince every human being alive that I am not bound by the laws of gravity, if I jump off a cliff I will die all the same. To think otherwise is insane, but for some reason when it comes to software (and hardware) security we give people a pass. (Not we in the tech community, but we who vote.)
This is one of the Big Problems with human reasoning. Maybe the biggest. It really does seem that most people, if you drill down, truly and fundamentally believe that the laws that govern all of reality, will respond to a popular vote. That if we all believe something hard enough, reality will take notice. Thus we get policy which is totally divorced from the goals it is purported to serve, and not held accountable to them at all. As though the President of the United States can argue with mathematics or psychology and win.