Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue
from the we'll-see-how-this-goes... dept
Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a “commission” to figure out what to do about the encryption “issue.” In his speech, McCaul did at least say that “providing a backdoor into everybody’s iPhone was not going to be a very good strategy” since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it’s not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn’t exist.
The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone — harming the vast majority of good people out there — or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is “bad” from who is “good.” I’m pretty sure that’s impossible because there’s no universal standard for what makes a “bad” or “good” person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.
But the Commission is coming… and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a “balanced” commission, rather than one dominated by folks who don’t actually understand the technological realities. That’s a plus. There’s still the negative that what they’re basically asking for is impossible, but we’ll let that slide for the moment on the basis of “well, their intentions aren’t as horrible as we feared…”.
So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight, and that eight that each party appoints would be one person from each of the following fields:
- Cryptography
- Global commerce and economics
- Federal law enforcement
- State and local law enforcement
- Consumer-facing technology sector
- Enterprise technology sector
- Intelligence community
- Privacy and civil liberties community
That’s actually… not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it’s expected to move pretty quickly:
- Commissioners must be appointed within 30 days of enactment (except for the ex officio).
- The Commission shall hold its first meeting within 60 days of enactment.
- The interim report is due within 6 months of the initial meeting.
- The final report is due within 12 months of the initial meeting.
- The Commission terminates within 60 days after the final report.
Meanwhile, given that it’s almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 11 12 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 11 12 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you’re still left with the 6 law enforcement and intelligence commissioners. One Two of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the “intelligence community” folks on the commission — but it’s still an uphill battle. Update: While the FAQ originally said 11 were needed to agree, the actual legislation says 12, making it that much trickier.
At the very least though, it does seem clear that — contrary to the concerns of many — this isn’t just a commission set up to say “backdoor all encryption.” So while it still seems focused on the impossible, it’s still much better than it could have been (and would have been under some other folks in Congress).
Filed Under: commission, congress, encryption, going dark, mark warner, michael mccaul
Comments on “Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue”
Team U86
How do I become a member of the team Unicorn 86.
A leak that makes the government look good? I bet no one is going to jail over this.
Re: Re:
No doubt they will pick someone they do not like and blame it all on them to unjustly imprison them.
Re: Re: Re:
Hey what are you doing for the next 5-30 years? Just asking for a friend in Government. Their looking for a guy.
Re: Re:
Likely leaked by both the committee heads. This gives them a reason to contact potential donors for campaign contributions (“I’m doing something. Support me!”). Don’t you know how this works yet?
>He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary.
It’s difficult for anyone not to use encryption these days. If we’re going to speculate, it would serve the discussion to talk about what kind of encrypted data is used and what could be intercepted under lawful order, instead of blanket statements from both sides.
Re: Re:
Speculate about what? All the communications they found were unencrypted. Even if there are also encrypted communications, they would be redundant in terms of stopping a threat. If anyone were actually targeting suspect individuals instead of just vacuuming and storing everything from everyone for later possible perusal (and casual abuse), that is.
How many times does it need to be discussed?
Re: Re: Re:
“All the communications they found were unencrypted. Even if there are also encrypted communications, they would be redundant in terms of stopping a threat.”
Unless you are party to the criminal investigation, there’s no way you could know that definitively. It doesn’t mean it can’t be true, but encryption can and will limit law enforcement’s abilities. Why else would Techdirt and others encourage its use?
Should we ban or restrict encryption based on this potential? In my view of course not.
It’s ignorant to say encryption will have no effect.
Re: Re: Re: Re:
“but encryption can and will limit law enforcement’s abilities. Why else would Techdirt and others encourage its use?”
I don’t think the Techdirt community encourages the use of encryption to make life difficult for law enforcement specifically. I feel the focus is more that it makes life more difficult for people to snoop on the data period. Any crack in the encryption armor renders the encryption useless, and open for all to exploit regardless of intentions.
There simply is no way to create a magic bullet that only kill’s bad guys as the term “bad guys” is subjective and could apply to all parties of a gun fight.
But I’m guessing you already knew all this?
Re: Re: Re:2 Re:
“I don’t think the Techdirt community encourages the use of encryption to make life difficult for law enforcement specifically.”
I concur, my previous comment was poorly worded. I was speaking to the efficacy of strong encryption, not its intended use. As we have seen in San Bernardino, strong encryption works (at least in a very limited data-at-rest context). As Julian Assange said, “It is easier to encrypt information than it is to decrypt it.”
Re: Re: Re:3 Re:
I figured as much. Just keeping us sharp 🙂 Cheers!
Re: Re: Re: Re:
Holy !@#$, what a twisted interpretation! You believe TD exists to foil law enforcement’s attempts to subvert crypto?!? Hasn’t it yet occurred to you that crypto is good in and of itself? It can protect you from predators. Is it not possible that’s why TD defends crypto, not just to foil law enforcement?
Holy !@#$. 😛
Re: Re: Re:2 Re:
Foiling law enforcement is just a handy side-effect.
But in all seriousness, no one ever said law enforcement was supposed to be easy. In fact, much of the process involved is to make sure that it is not easy. When law enforcement becomes too easy, you get what we’ve basically got now: a police state.
Re: Re: Re:2 Re:
I addressed that issue with him in my rebuttal to his comment, that’s not what he meant at all. Bad wording on his part.. climb on down 🙂
Re: Re:
Fine, how about:
‘they did not use encryption in any way relevant to what is being discussed.’
The Paris police and intelligence agencies were caught with their pants down, and rather than admit ‘Yeah, we seriously screwed up’, they instead tried to blame their incompetence on the attackers using encryption to hide their plans. Problem with that is all evidence points to the fact that they basically communicated using unencrypted methods and the intelligence groups completely missed them despite that.
If you’re trying to demonize encryption by saying ‘Look, terrorists use it!’, then it helps to pick an example where it was actually used, which is why the fact that even now you’ve got people using it as an example of how encryption can protect terrorists from being found is so boneheaded.
>>The basic problem is this: ….
Please change “to have real security you need strong encryption by seeking a solution” to “McCaul and Warner prove that they’re trying to score political points”.
FTFY
Balanced only goes so far...
I think this is incredibly optimistic. What we have is a committee comprised of 16 individuals – we can be pretty darned sure the 6 LEO folks are going to be anti-encryption, but what worries me is that the other 10 are hand picked to also be anti-encryption.
Somehow, I really don’t see that it’s going to be hard to get 11 votes, but almost impossible to get 11 pro encryption votes.
Re: Balanced only goes so far...
Yeah, when you’ve got people on both sides making stupid and ill-informed statements on encryption it’s not too unlikely at all that both would fill positions with people who aren’t too fond of encryption, allowing it to be all too easy to get the required 11 votes for something.
Re: Re: Balanced only goes so far...
Sounds like: We’ll have to pass this bill to find out what’s in it.
Sound familiar?
Unrepresented parties
There’s no one on the commission to represent organized crime. Maybe they could get someone from one of the Mexican drug cartels? Or better yet, someone from the Russian cybercrime scene?
Before you laugh, tell me that those people won’t have a real say in the real world. So why shouldn’t they be represented on the commission?
Re: Unrepresented parties
You are mistaken… they are represented.
They just like to make you think they are not. Have you ever notice that every time a new law is made for this shit we peasants feel the pinch more than anyone else?
Government is responsible for about 50% of major organized crime in any nation.
Re: Unrepresented parties
Sure there is, I count at least eight, “global commerce” “State law enforcement” “Federal law enforcement” and “Intelligence community”
That’s not even counting the crooks who’ll be nominating them.
i don’t think the backdoors have one solitary thing to do with bad guys. it’s us the govt wants to have no way to communicate in anything resembling privacy.
these people want to know what each and every one of us is saying and thinking. why? i can’t envision a good reason for it, and it goes against everything this nation has ever stood for.
Re: When all you have is a hammer...
For groups used to dealing with criminals, finding them, prosecuting them, that sort of thing, it’s all too easy to fall into the thinking where everyone is a potential criminal, and treating them accordingly.
Unfortunately that mindset seems to be pretty rampant in multiple agencies and governments, the USG’s included, and as a result when they say they want backdoors to ‘stop/watch bad guys’ the public is included in the category of ‘bad guys’, they just don’t say so.
The War on Encryption will be as pointless and as with no-end as the War on Drugs and War on Terrorism is.
By this logic, I’m surprised planes have been allowed to fly all over the US for the past 15 years.
On the encryption “issue”, I still remember when doing stuff online with money was supposed to be scary and banks and retailers were quick to assure that, thanks to encryption, there was nothing to worry about. An indeed they had a point. Encryption is necessary, and where it is necessary it is often vital. Cripple it and watch 20 years, maybe more, of online development crumble away.
Re: Re:
Heck, even with encryption it is scary using money online! Most companies have embraced at least the minimum of encryption between here and there (SSL, TLS, etc), but still haven’t grasped the need to keep their customer’s data protected at rest. How many “big” websites have had to admit they were hacked and had customer data stolen?
Counsel to the Commission
Reading through the bill, while I see that the commission is empowered to contract for services, and yada, yada, I’m not seeing explicit provision for the appointment of Counsel to the Commission.
The commission should have its own attorney, to assist and advise the commissioners.
Under the current governmental style of ruling. A good person is someone that is blindly loyal to their government. A bad person is anyone that is not, or questions what they are told.
Developers vs QA vs Marketing
This calls for four people for “technology sector[s]”.
So, that means one person from development, one person from testing, one marketdroid, and who else?
Re: Developers vs QA vs Marketing
These guys are the vulture capitalists?
Re: Re: Developers vs QA vs Marketing
I read it like this –
1. Cryptography = the lone nerd
2. Global commerce and economics = big banks
3. Federal law enforcement = an NSA spook
4. State and local law enforcement = the head of LEO unions
5. Consumer-facing technology sector = Microsoft
6. Enterprise technology sector = Microsoft
7. Intelligence community = another NSA spook
8. Privacy and civil liberties community = astroturf rep
Too cynical? Nah! Just wait – I’m almost certainly not cynical enough.
This is a solved problem!
It is a waste of time, as this problem has already been solve. Any internet communication that is fully standards compliant will follow RFC 3514 and be flagged “good” or “evil”. This is defined for IPv4 though, so it may need to be updated for IPv6 and modern devices.
So it's not entirely clear what the point of this Commission is...
The obvious answer is entertainment. After viewing the offerings on TV over an unknown period of time, and KNOWING how talented the people in Hollywood say they are, they have decided that that entertainment is in fact encrypted. The only way to get decent entertainment back on the air, therefore, is to do something about encryption.
After having consulted with a couple of professors of statistics, who professed to be expert in statistical anomalies, they directed the casting director to put together a cast list that could be fulfilled by anyone who could play the roles. Thus using the design criteria they could ensure the desired results.
That there were no viewers included in the focus group was intentional. Who would listen to them? They watch the stuff that is on TV now, so using them as a benchmark for improvement would be like asking them who should run the country.
While the antics of the commission will most certainly BE entertaining, as well as pointless and self serving (just like TV programing) it actually has a mission. Expectations are that that mission will be fulfilled, to the detriment of society, and to no ones surprise is engineered with only one outcome in mind. I am hoping for some slapstick.
Sturm und drang.
I split that list into these two; public interests vs. gov’t/law enforcement/NatSec. Of course, crypto’s in both.
Carrot:
Cryptography
Global commerce and economics
Consumer-facing technology sector
Enterprise technology sector
Privacy and civil liberties community
Stick:
Cryptography
Federal law enforcement
State and local law enforcement
Intelligence community
And, they’re off!
It’s just silly to weaken security for that tiny fraction of Terrorists that exist. It’s just a false sense of security. Finding Info after the fact does no good. The Paris Attack they didn’t use any Encryption.
People were up in Arms on the iCloud hack with leaked celebrity nudes from their own phones!!! The U.S. Government is getting hacked and Data released out into the wild all the time. The latest is the IRS, but before that is was millions who just filled out a Government application wither you got a job or not and your Data was leaked!!!
In the end, if a Terrorists actually cared about security, would they even trust Apple or Google for that matter? No!!! You can buy any old cheap Android phone and throw on any number of 3rd party Encryption software you want that is out of the U.S. Governments control that have NO BACK DOORS!!! So in the end, the Terrorists have great Encryption and most everyone else has to deal with fraud or worse because of weak backdoor Encryption that the U.S. Government goes and mandates. The only way you’re going to stop any terrorists from Data on a phone is to just spy on everyone in the hope of catching someone. That’s slim to none.
As it is, these U.S. Terrorists are DEAD!!! They destroyed their own personal phones and HDD before they went on their rampage. They didn’t give a crap about the work phone or they would have destroyed that one also. The FBI already has any call records from this work phone. Even the police don’t think there’s anything on it. I wouldn’t care if there was. Making everyone’s security weak won’t do a thing for the criminals.
>he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption.
Why pick on encryption? Why not keep bad people from using cars, guns, deoderant? Why not just keep them from using fire? Or any other chemical process involving OXYGEN? Problem solved.
Seriously, it’s easier to keep someone from using oxygen, which at least is physically detectable and controllable, than to keep them from thinking. And historically, fire use predates encryption, but encryption techniques were in use in ISIS-influenced parts of the Middle East at least 3000 years ago.
The problem has nothing to do with encryption. It has to do with journalism industry that pretends people whose knowledge of information technology is 3000 years out of date have an opinion on information technology worth hearing.
Re: Re:
“deoderant?”.. you may be on to something. If they stink, they must be a terrorist!!??
“So it’s not entirely clear what the point of this Commission is…”
Its to get some buddies on the payroll at the taxpayers expense.
The war against cryptography will be as effective as the war against drugs.
The basic problem
“The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone — harming the vast majority of good people out there — or you allow strong encryption, meaning that some bad people can use it.”
You can’t undermine strong encryption for everyone, that’s the basic problem. What will keep companies outside the US to implement strong encryption into their devices? And even if you got every tech-company on the planet to agree on a treaty not to produce such devices, what would keep criminals or rogue states from producing them?
You may be able to outlaw strong encription, but no one will be able to suppress it. As has happened so many times before: The ones on the loosing side would be the law-abiding People…