from the we'll-see-how-this-goes... dept
Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a “commission” to figure out what to do about the encryption “issue.” In his speech, McCaul did at least say that “providing a backdoor into everybody’s iPhone was not going to be a very good strategy” since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it’s not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn’t exist.
The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone — harming the vast majority of good people out there — or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is “bad” from who is “good.” I’m pretty sure that’s impossible because there’s no universal standard for what makes a “bad” or “good” person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.
But the Commission is coming… and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a “balanced” commission, rather than one dominated by folks who don’t actually understand the technological realities. That’s a plus. There’s still the negative that what they’re basically asking for is impossible, but we’ll let that slide for the moment on the basis of “well, their intentions aren’t as horrible as we feared…”.
So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight, and the eight that each party appoints would be one person from each of the following fields:
- Global commerce and economics
- Federal law enforcement
- State and local law enforcement
- Consumer-facing technology sector
- Enterprise technology sector
- Intelligence community
- Privacy and civil liberties community
That’s actually… not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it’s expected to move pretty quickly:
- Commissioners must be appointed within 30 days of enactment (except for the ex officio).
- The Commission shall hold its first meeting within 60 days of enactment.
- The interim report is due within 6 months of the initial meeting.
- The final report is due within 12 months of the initial meeting.
- The Commission terminates within 60 days after the final report.
Meanwhile, given that it’s almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 12 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 12 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you’re still left with the 6 law enforcement and intelligence commissioners. Two of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the “intelligence community” folks on the commission — but it’s still an uphill battle. Update: While the FAQ originally said 11 were needed to agree, the actual legislation says 12, making it that much trickier.
At the very least though, it does seem clear that — contrary to the concerns of many — this isn’t just a commission set up to say “backdoor all encryption.” So while it still seems focused on the impossible, it’s still much better than it could have been (and would have been under some other folks in Congress).