> You might think it's overbroad (and I do actually), but it's not 'whatever the Secretary wants'.
you list a bunch of the specific "poses an undue or unacceptable risk of—" claims &c &c. but we have tasked the Secretary of Commerce with hunting not just these risks down, but also 3.a.2, that which "otherwise poses an undue or unacceptable risk to the national security of the United States or the safety of United States persons."
you've definitely given me/us a good greater perspective on a lot of legal language that isn't immediately clear to me. and genuinely thank you for that (although to be truthful i also kind of crave references on which to begin to interpret this for myself, but that is a huge ask & i generally trust/am thankful for your post). but there still feels like a lot of quite unguarded unlimited licenses here, where there's very few people in the loop.
you talk about consultation being a rather higher commitment/bar than i've said, but it's still unclear to me who determines who "the relevant executive department and agency heads" are. america has seen very dark times recently with political elements shopping selectively for receptive elements. i don't see what real restrictions there would be if the SoC asks two known-allies & they agree. how effectively do we expect other parties to be able to say, you ought have consulted me? even if consultation implies a need for concurrence: approval farming seems not-in-any-way-checked.
issues like mitigation just seem so dubious. because what if just to pick an example Signal comes under fire, for being a secure system that just so happens to be used by a Foreign Adversary? i don't see any real limits on what the SoC could ask, what they could compel, simply because a Foreign Adversary is somewhere involved. does RISC-V help our Foreign Adversaries? damned right it does, so what's to stop the SoC from pulling down every open architecture project on github? i still feel like there's no real checks here, that this is unlimited license. but i still thank you, and think you have potentially helped us escape misinterpretations.
Probably a good place to start are the SCOTUS cases I mentioned, as well as nondelegation doctrine (Kennedy's concurrence in Clinton v. NYC is a good resource there); looking into those should be helpful.
> but it's still unclear to me who determines who "the relevant executive department and agency heads" are
This is usually delineated by executive order beforehand, so the President, effectively.
> how effectively do we expect other parties to be able to say, you ought have consulted me?
Well we have the Sec. of Commerce, the relevant agency heads, the DNI, the president, and, as a last resort, a concurrent resolution from Congress (which should only require simple majorities by the way, so a lower bar than the law itself) and the courts. Still a lot of power in the executive, so I get being concerned about that, but for me this is less about the individual of the Commerce secretary themselves.
> what's to stop the SoC from pulling down every open architecture project on github?
They have the power to prohibit transactions with labeled entities, so they could theoretically tell Github to stop hosting all open architecture projects by a specific Chinese company for example, but not all such projects in general.
> i still feel like there's no real checks here
As I mentioned, there are many checks, including Congress and the courts. The real concern is when they choose not to do their job, as was the case with the PATRIOT Act. That doesn't mean they don't exist; it means they were derelict in their duty. That's what I get concerned about - apathy in the structures that are supposed to guard against abuses.