Research bill filled with major privacy, access rules


The proposed Frontiers in Innovation, Research, Science, and Technology (FIRST) Act, while ostensibly a law that would seem to be dealing with mundane research funding issues, will affect several areas of law that all citizens should be concerned about. These include the NSA’s ability to circumvent security protocols and public access to publicly funded research.

There are several contentious policy issues at stake as this bill is debated. Be aware that there is already a similar law, the America COMPETES Act of 2010, on the books; what is now being debated is the renewal and revision of that older law. Let’s start with the privacy and security provisions, as the NSA is the tech news topic du jour nowadays (for good reason).

Should the NSA be involved in the creation of cryptographic security standards?

In addition to scientific research done by scholars in fields like the physical sciences, social sciences, and mathematics, the FIRST Act allocates funds and determines bylaws for their use at the National Institute of Standards and Technology (NIST). This agency was originally created to do things like standardize the length of an inch, help standardize automobile parts, and the like. In the technological revolution, its responsibilities have expanded.

One of these tasks is creating and regulating cryptographic standards for the entire world to use. Not all standards they issue are truly their creation – the AES-256 standard for encryption was based significantly on the work of an outside proposal – but they tend to always put the finishing touches on these protocols. The current law requires that the NIST get approval from the NSA as it works on these standards.

The influence of the NSA seems to have compromised the very security the NIST is supposed to preserve.

As you might have guessed, the influence of the NSA seems to have compromised the very security the NIST is supposed to preserve. RSA, a prominent security firm that was once known for fighting against wiretaps, took $10 million from the NSA in what appeared to be a payoff for planting a backdoor in their random number generator standard. The truly random generation of numbers is a key component of cryptography and this standard was adopted by the NIST.

While security experts rather quickly spotted the vulnerability in the protocol after its release, it was not until September 2013 that leaks revealed that it was inserted intentionally for surveillance purposes and that the NSA was actively trying to put vulnerabilities into all encryption standards. The NIST recently removed its recommendation of this protocol, which never caught on due to its being open source and criticized for poor randomness.

In a statement shortly after the leaks, the NIST explained that the NSA is mandated by law to be involved with the creation of these standards. One gets the impression that the NIST was not happy to have to include the NSA, given the wording of their statement.

Currently, the FIRST Act has been amended to remove this requirement, instead making any cooperation between the two voluntary. The Center for Democracy & Technology applauds this amendment, put forth by Rep. Alan Grayson (D-Florida), for playing the balances perfectly. Since the NSA has the public sector’s best cryptographers and mathematicians, it will sometimes make sense for the NIST to seek their expertise. However, it is just as important that the NIST be able to divorce itself from the NSA when the latter is not needed or seems to be circumventing the best interests of the NIST.

The President’s Review Group suggested moving the portion of the NSA that vets security standards for other organizations be moved out of the NSA, because it is outside the scope of the organization’s purpose. The Center for Democracy & Technology sees the best home for it to be the Department of Homeland Security, but says the most important aspect of any reassignment would be that it ought to be part of a civilian (rather than military) organization.

Should the public be able to see tax-funded research? How long should they wait for it?

A contentious issue that came to public consciousness after the suicide of activist Aaron Swartz, a key decision over the question of open access will be decided in the FIRST Act as well. Open access refers to the practice of and desire for making academic research freely available to the public.

Generally speaking, the open access movement is concerned with all academic research, across fields. Arguments in favor of open access include:

  • Scholars can be assured that their work can be read by as large an audience as possible and thus have an impact more commensurate with the work’s merit.
  • Readers, particularly non-scholars, can have access to knowledge that would otherwise be cost-prohibitive to all but the most wealthy institutions.
  • Libraries can be alleviated from the so-called “pricing crisis” of academic journals’ increase in cost, allowing them to serve their communities or universities more effectively.
  • The notoriously slow publishing process that characterizes the non-open academic journal industry can be sped significantly.
  • Private entities like start-up companies cannot afford (nor can most established ones) to purchase nearly enough journal and database subscriptions to innovate based on the newest research.

For example, what JSTOR considers a “medium” college would have to pay $82,000 per year for electronic-only versions of their full collection of current publications and $135,000 per year for print copies as well according to their pricing calculator. For access to their expansive archives, such an institution would be looking at a roughly $629,000 one-time payment, as long as they could afford to pay up front. JSTOR is a non-profit database for research, meaning its prices don’t even reflect their own profit motive; just the costs for access to for-profit journals.

Elsevier, a for-profit institution that sells access to some of the most prominent journals in various sciences and mathematics, has been aggressive both in their pricing structure and in their attempts to conceal the specifics of it. According to two California-Santa Barbara economists, publishers like Elsevier negotiate highly variable rates with academic libraries that depend upon the prices those libraries paid in the past and which journals they paid for. Last year, its self-reported profit margin was just under 40%, most of which was gained on deals with university libraries.

In 2011, Purdue University revealed that they had paid Elsevier $2.9 million to renew their subscription for one year. The University of Pittsburgh was paying around $2 million per year in 2012. More discussion on this topic can be found here.

Of course, not everybody would win if open access increases. Publishers, in particular, will be affected in ways that will often be negative. Those publishers also argue that the world of knowledge would suffer with them, because their efforts enable greater prestige, impulse to invest in research, and that the publishing process adds real value to the research.

The fear associated with open access is that without a profit motive for publishers, the theory of making research more available does not play out in practice since there is not enough collective interest to make it available if nobody can earn money from doing so.

Most publicly-funded research appears in these private, academic journals…it remains in a “closed” access state where it is available only to subscribers.

Currently, most publicly-funded research appears in these private, academic journals due to their prestige and readership of top scholars in their fields. That is, when the National Science Foundation funds research, it remains in a “closed” access state where it is available only to subscribers of the journal in which it is published. The main exception to this is research funded by the National Institutes of Health, which requires that all publications produced from its funding be available for free public access after 12 months following publication.

The FIRST Act had a provision for a two-year embargo, from which the publication or authors could ask for an additional 12 month extension. The Electronic Frontier Foundation argues that this measure, which would appear to be a nod to open access, is still far from reasonable in length and varies significantly from the White House policy directive the provision was based on.

However, Reps. Jim Sensenbrenner (R-WI) and Zoe Lofgren (D-CA) have introduced an amendment that lowers that embargo period to the originally advised 12 months, with the potential for 6 additional months if “substantial harm” is demonstrated. Likewise, it shortens the 18 month implementation time of the original proposal to 90 days, making the provision’s effect felt more quickly.

The FIRST Act is an example of the way public policy debates that seem rather minor in nature can have far-reaching effects on industries that many would not expect. This bill has not yet left its committee, which means you can contact your representative and comment on it if you wish.

Featured image by PLoS, thanks to a generous access policy (CC0/Public Domain)

Tags: Congress Cryptography First Act NSA Nsf Open Access Privacy Security Technology