Edit: There is the argument that this bill is a step in the right direction. The problem is that too often, steps in the right direction are the last step taken, and then people treat the problem as solved. I think there is something to be said for not letting the perfect be the enemy of the good, and this doesn't appear to explicitly OPEN any loopholes, so I guess I'm in favor. But we need something stronger to protect civil liberties, and to make people trust that US companies can be secure.
You are worried that this bill will be the last step in the right direction. An increasing number of people are unhappy with US surveillance aggression, and we are all aware that this bill is far from the magic bullet. I do not think there is a risk of this step being the last step in the right direction.
We should support this bill (as it improves our state of affairs), but also call for stronger reform as well. It is a good first step, and hopefully one of many as there will be ongoing pressure for more action to be taken.
The Bill itself is weak as written, at least by my layman's reading. It's two pages, go look: http://www.wyden.senate.gov/download/?id=B8F74B59-0A6E-45C2-...
First, it only covers software, hardware and devices made available to the general public. So any internally developed hardware or software business logic could face such a mandate.
Second, it only covers security functions of such items... It's not clear that specific information, such as a private key, would be a security function.
Third, it has an explicit exemption for the CALEA, which lets the government mandate how the telephone companies' network architecture works in order to make it easier to wiretap, and which the FCC expanded to ISPs and VOIP providers. Now, the FBI and other government entities have been pushing for all internet companies to fall under the CALEA or similar laws, so we can presume that the CALEA is not everything it could be. Still, we know that Verizon, which is a broadband ISP, was adding a unique key to HTTP communications.
Fourth, it fails to define surveillance, and it's unclear if a broad capture of information which isn't looked at, or of metadata, would be considered surveillance under the law. The law mentions physical search, but that still leaves electronic searches, as well as any form of seizures.
Fifth, it does nothing to prevent attempts to weaken protocols, systems, APIs, encryption standards, etc. While it may prevent specific implementations of them from being forcibly weakened, it wouldn't prevent a forcible or other weakening of the underlying standard, including attempts to manipulate and weaken them.