Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue
from the we'll-see-how-this-goes... dept
Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a "commission" to figure out what to do about the encryption "issue." In his speech, McCaul did at least say that "providing a backdoor into everybody's iPhone was not going to be a very good strategy" since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it's not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn't exist.
The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone -- harming the vast majority of good people out there -- or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is "bad" from who is "good." I'm pretty sure that's impossible because there's no universal standard for what makes a "bad" or "good" person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.
But the Commission is coming... and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a "balanced" commission, rather than one dominated by folks who don't actually understand the technological realities. That's a plus. There's still the negative that what they're basically asking for is impossible, but we'll let that slide for the moment on the basis of "well, their intentions aren't as horrible as we feared...".
So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight. Each party's eight appointees would consist of one person from each of the following fields:
- Cryptography
- Global commerce and economics
- Federal law enforcement
- State and local law enforcement
- Consumer-facing technology sector
- Enterprise technology sector
- Intelligence community
- Privacy and civil liberties community
The bill also sets out a timeline:
- Commissioners must be appointed within 30 days of enactment (except for the ex officio).
- The Commission shall hold its first meeting within 60 days of enactment.
- The interim report is due within 6 months of the initial meeting.
- The final report is due within 12 months of the initial meeting.
- The Commission terminates within 60 days after the final report.
At the very least though, it does seem clear that -- contrary to the concerns of many -- this isn't just a commission set up to say "backdoor all encryption." So while it still seems focused on the impossible, it's still much better than it could have been (and would have been under some other folks in Congress).
Filed Under: commission, congress, encryption, going dark, mark warner, michael mccaul
Reader Comments
It's difficult for anyone not to use encryption these days. If we're going to speculate, it would serve the discussion to talk about what kind of encrypted data is used and what could be intercepted under lawful order, instead of blanket statements from both sides.
[ link to this | view in chronology ]
Re:
How many times does it need to be discussed?
[ link to this | view in chronology ]
Re: Re:
Unless you are party to the criminal investigation, there's no way you could know that definitively. It doesn't mean it can't be true, but encryption can and will limit law enforcement's abilities. Why else would Techdirt and others encourage its use?
Should we ban or restrict encryption based on this potential? In my view of course not.
It's ignorant to say encryption will have no effect.
[ link to this | view in chronology ]
Re: Re: Re:
I don't think the Techdirt community encourages the use of encryption to make life difficult for law enforcement specifically. I feel the focus is more that it makes life more difficult for people to snoop on the data period. Any crack in the encryption armor renders the encryption useless, and open for all to exploit regardless of intentions.
There simply is no way to create a magic bullet that only kills bad guys as the term "bad guys" is subjective and could apply to all parties of a gun fight.
But I'm guessing you already knew all this?
[ link to this | view in chronology ]
Re: Re: Re: Re:
I concur, my previous comment was poorly worded. I was speaking to the efficacy of strong encryption, not its intended use. As we have seen in San Bernardino, strong encryption works (at least in a very limited data-at-rest context). As Julian Assange said, "It is easier to encrypt information than it is to decrypt it."
[ link to this | view in chronology ]
Re: Re: Re:
Holy !@#$, what a twisted interpretation! You believe TD exists to foil law enforcement's attempts to subvert crypto?!? Hasn't it yet occurred to you that crypto is good in and of itself? It can protect you from predators. Is it not possible that's why TD defends crypto, not just to foil law enforcement?
Holy !@#$. :-P
[ link to this | view in chronology ]
Re: Re: Re: Re:
But in all seriousness, no one ever said law enforcement was supposed to be easy. In fact, much of the process involved is to make sure that it is *not* easy. When law enforcement becomes too easy, you get what we've basically got now: a police state.
[ link to this | view in chronology ]
Re:
'they did not use encryption in any way relevant to what is being discussed.'
The Paris police and intelligence agencies were caught with their pants down, and rather than admit 'Yeah, we seriously screwed up', they instead tried to blame their incompetence on the attackers using encryption to hide their plans. Problem with that is all evidence points to the fact that they basically communicated using unencrypted methods and the intelligence groups completely missed them despite that.
If you're trying to demonize encryption by saying 'Look, terrorists use it!', then it helps to pick an example where it was actually used, which is why the fact that even now you've got people using it as an example of how encryption can protect terrorists from being found is so boneheaded.
[ link to this | view in chronology ]
Please change "to have real security you need strong encryption by seeking a solution" to "McCaul and Warner prove that they're trying to score political points".
FTFY
[ link to this | view in chronology ]
Balanced only goes so far...
I think this is incredibly optimistic. What we have is a committee comprised of 16 individuals - we can be pretty darned sure the 6 LEO folks are going to be anti-encryption, but what worries me is that the other 10 are hand picked to also be anti-encryption.
Somehow, I really don't see that it's going to be hard to get 11 votes, but almost impossible to get 11 pro encryption votes.
[ link to this | view in chronology ]
Re: Re: Balanced only goes so far...
Sound familiar?
[ link to this | view in chronology ]
Unrepresented parties
Before you laugh, tell me that those people won't have a real say in the real world. So why shouldn't they be represented on the commission?
[ link to this | view in chronology ]
Re: Unrepresented parties
They just like to make you think they are not. Have you ever noticed that every time a new law is made for this shit we peasants feel the pinch more than anyone else?
Government is responsible for about 50% of major organized crime in any nation.
[ link to this | view in chronology ]
Re: Unrepresented parties
That's not even counting the crooks who'll be nominating them.
[ link to this | view in chronology ]
these people want to know what each and every one of us is saying and thinking. why? i can't envision a good reason for it, and it goes against everything this nation has ever stood for.
[ link to this | view in chronology ]
When all you have is a hammer...
Unfortunately that mindset seems to be pretty rampant in multiple agencies and governments, the USG's included, and as a result when they say they want backdoors to 'stop/watch bad guys' the public is included in the category of 'bad guys', they just don't say so.
[ link to this | view in chronology ]
On the encryption "issue", I still remember when doing stuff online with money was supposed to be scary and banks and retailers were quick to assure that, thanks to encryption, there was nothing to worry about. And indeed they had a point. Encryption is necessary, and where it is necessary it is often vital. Cripple it and watch 20 years, maybe more, of online development crumble away.
[ link to this | view in chronology ]
Counsel to the Commission
The commission should have its own attorney, to assist and advise the commissioners.
[ link to this | view in chronology ]
Developers vs QA vs Marketing
So, that means one person from development, one person from testing, one marketdroid, and who else?
[ link to this | view in chronology ]
Re: Re: Developers vs QA vs Marketing
1. Cryptography = the lone nerd
2. Global commerce and economics = big banks
3. Federal law enforcement = an NSA spook
4. State and local law enforcement = the head of LEO unions
5. Consumer-facing technology sector = Microsoft
6. Enterprise technology sector = Microsoft
7. Intelligence community = another NSA spook
8. Privacy and civil liberties community = astroturf rep
Too cynical? Nah! Just wait - I'm almost certainly not cynical enough.
[ link to this | view in chronology ]
This is a solved problem!
It is a waste of time, as this problem has already been solved. Any internet communication that is fully standards compliant will follow RFC 3514 and be flagged "good" or "evil". This is defined for IPv4 though, so it may need to be updated for IPv6 and modern devices.
[ link to this | view in chronology ]
So it's not entirely clear what the point of this Commission is...
After having consulted with a couple of professors of statistics, who professed to be expert in statistical anomalies, they directed the casting director to put together a cast list that could be fulfilled by anyone who could play the roles. Thus using the design criteria they could ensure the desired results.
That there were no viewers included in the focus group was intentional. Who would listen to them? They watch the stuff that is on TV now, so using them as a benchmark for improvement would be like asking them who should run the country.
While the antics of the commission will most certainly BE entertaining, as well as pointless and self serving (just like TV programming) it actually has a mission. Expectations are that that mission will be fulfilled, to the detriment of society, and to no one's surprise is engineered with only one outcome in mind. I am hoping for some slapstick.
[ link to this | view in chronology ]
Sturm und drang.
Carrot:
Cryptography
Global commerce and economics
Consumer-facing technology sector
Enterprise technology sector
Privacy and civil liberties community
Stick:
Cryptography
Federal law enforcement
State and local law enforcement
Intelligence community
And, they're off!
[ link to this | view in chronology ]
People were up in Arms on the iCloud hack with leaked celebrity nudes from their own phones!!! The U.S. Government is getting hacked and Data released out into the wild all the time. The latest is the IRS, but before that it was millions who just filled out a Government application whether you got a job or not and your Data was leaked!!!
In the end, if a Terrorist actually cared about security, would they even trust Apple or Google for that matter? No!!! You can buy any old cheap Android phone and throw on any number of 3rd party Encryption software you want that is out of the U.S. Government's control that have NO BACK DOORS!!! So in the end, the Terrorists have great Encryption and most everyone else has to deal with fraud or worse because of weak backdoor Encryption that the U.S. Government goes and mandates. The only way you're going to stop any terrorists from Data on a phone is to just spy on everyone in the hope of catching someone. That's slim to none.
As it is, these U.S. Terrorists are DEAD!!! They destroyed their own personal phones and HDD before they went on their rampage. They didn't give a crap about the work phone or they would have destroyed that one also. The FBI already has any call records from this work phone. Even the police don't think there's anything on it. I wouldn't care if there was. Making everyone's security weak won't do a thing for the criminals.
[ link to this | view in chronology ]
Why pick on encryption? Why not keep bad people from using cars, guns, deodorant? Why not just keep them from using fire? Or any other chemical process involving OXYGEN? Problem solved.
Seriously, it's easier to keep someone from using oxygen, which at least is physically detectable and controllable, than to keep them from thinking. And historically, fire use predates encryption, but encryption techniques were in use in ISIS-influenced parts of the Middle East at least 3000 years ago.
The problem has nothing to do with encryption. It has to do with a journalism industry that pretends people whose knowledge of information technology is 3000 years out of date have an opinion on information technology worth hearing.
[ link to this | view in chronology ]
It's to get some buddies on the payroll at the taxpayers' expense.
[ link to this | view in chronology ]
The basic problem
You can't undermine strong encryption for everyone, that's the basic problem. What will keep companies outside the US from implementing strong encryption into their devices? And even if you got every tech-company on the planet to agree on a treaty not to produce such devices, what would keep criminals or rogue states from producing them?
You may be able to outlaw strong encryption, but no one will be able to suppress it. As has happened so many times before: The ones on the losing side would be the law-abiding People...
[ link to this | view in chronology ]