Rep. Michael McCaul, the head of the House Homeland Security Committee has now given a speech
in which he announced plans to introduce legislation that will create a committee to undermine encryption
in the tech industry:
The legislation "would bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground," Chairman Rep. Michael McCaul (R-Texas) said in a Dec. 7 speech at National Defense University. "This will not be like other blue ribbon panels, established and forgotten."
He said the ability of terrorist groups to use encrypted applications while communicating is one of his biggest fears. "We cannot stop what we cannot see," he said in reference to recent attacks in San Bernardino, Calif., and Paris.
Yes, the idea that it will include technologists and privacy and civil liberties folks sounds good, but it still seems like the key focus is going to be around undermining encryption. You don't need a special commission to do the only thing you really need to do: which is to keep making ever more secure encryption. And, of course, McCaul has been among the leading voices in seeking to blame encryption for everything. A few weeks ago he insisted that the Paris attackers used encryption
and in the Q&A portion after his speech yesterday he went even further
directly claiming the Paris attackers used the Telegram app -- something that no one else has claimed to date. He first admits that a "backdoor" to encryption is a bad idea, but then basically says, "but there must be some technological solution" before claiming that the Paris attackers definitely used encryption.
It's a very complex issue. I think initially lawmakers thought there was an easy legislative fix where we just amend the CALEA statute, until we found out that providing a backdoor into everybody's iPhone was not going to be a very good strategy. Not only would it provide a backdoor for the government, but also for hackers. So you've noticed that the language of the FBI director and the language of the Secretary of Homeland Security has shifted to trying to find a technology solution to this problem.
This part is true, but that "shift" to finding a "technology solution" still involves creating backdoors to encryption -- and just not calling them backdoors. McCaul continues:
I will not tell you that it's an easy solution, but I've had very in-depth discussions that I do believe there are alternatives. There are some solutions to this problem. And I think the inherent problem, and the reason why I'm advocating the formation of this commission, is because of the reluctance of both parties to sit in the same room together. And so what this legislation provides -- in fact what it will mandate -- that all relevant parties sit in the same room together, and in a very short period of time, provide the Congress with solutions and recommendations for legislation to deal with what I consider to, as I said in my remarks, one of the most difficult challenges of this century, in dealing with counterterrorism and basically criminal behavior.
First of all this is hogwash. People from both sides are more than willing to sit together, if there was some possible productive outcome from it
, and compelling them to sit in the same room doesn't change the facts that what they're asking for is impossible
. I don't now how many times it needs to be said, but full encryption makes us all much safer, and you can't magically create a technology that "only the good people" can use. No one's demanding that law enforcement and gunmakers get together to create bullets that only hit bad people. And no one's demanding that automakers and law enforcement get together to design cars that only nice people can drive. Why do people magically think that Silicon Valley can determine who's good and who's bad and set up technology so that only nice people can have their privacy protected?
McCaul then continues, falsely claiming the Paris attackers used encryption:
If we don't do anything. Title III wiretaps and FISAs will become a thing of the past. When we saw the encrypted apps on the on the Paris attackers' iPhone - it was Telegram. When eight attackers and numerous co-conspirators, foreign fighters from Syria, can do something like that and it's completely under the radar screen. We know why it went undetected. It went undetected because they were communicating in the dark space. In a space where we can't shine a light on to see these communications even if we have a court order.
Of course, this is hogwash. No one else has claimed the Paris attackers used encryption. And in fact we now know that they communicated via unencrypted SMS
and that they did a lot of their planning in plain sight
, with the guy behind the plans bragging to an English-language ISIS publication about his plans, and the attackers booking hotels and guest houses in their own names.
Politico followed up with staffers on McCaul's committee to ask about this, and they admitted that McCaul was exaggerating -- saying he was talking "in general about terrorists' use of encryption" rather than specifically about the Paris attacks. Except, he said it pretty directly, which means he's either misinformed or lying. And, yet, now he's rushing to set up a special commission to help figure out a way to deal with this problem that he himself is exaggerating? That's not encouraging.
McCaul later went on to repeat the "this is a difficult problem" line which misses the point. It's not a difficult problem. It's not that smart people don't want to work on this, it's that law enforcement and McCaul are asking for the impossible: encryption that protects privacy, but only for good people. And, yet, he says he needs to "force people" to solve this problem (he literally uses the phrase "force them.")
While some have suggested that this commission could deal with many other issues unrelated to encryption
(which could, potentially be a good thing), the timing of this, just as so many have been calling to undermine encryption by phrasing it as calling for "a conversation" between techies and law enforcement, combined with McCaul's incorrect statements on encryption is worrisome.
The only other "positive" in all of this is that he's pushing this commission as an alternative to legislation that would mandate encryption backdoors
admitting (correctly) that "a legislative knee-jerk reaction could weaken Internet protections and privacy for everyday Americans...." That's absolutely true, but what, exactly, does he expect this new commission to do other than to undermine encryption and weaken those protections? And, as he made clear in his statements above, he's still expecting this commission to suggest a legislative solution in a fairly short time period. In other words, this may not be a "legislative knee-jerk" but it sure looks like a plan to lead to knee-jerk legislation, just one where McCaul can point to some committee's "recommendations" to cover up the fact that he's demanding the impossible.