Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue

from the we'll-see-how-this-goes... dept

Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a "commission" to figure out what to do about the encryption "issue." In his speech, McCaul did at least say that "providing a backdoor into everybody's iPhone was not going to be a very good strategy" since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it's not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn't exist.

The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone -- harming the vast majority of good people out there -- or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is "bad" from who is "good." I'm pretty sure that's impossible because there's no universal standard for what makes a "bad" or "good" person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.

But the Commission is coming... and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a "balanced" commission, rather than one dominated by folks who don't actually understand the technological realities. That's a plus. There's still the negative that what they're basically asking for is impossible, but we'll let that slide for the moment on the basis of "well, their intentions aren't as horrible as we feared...".

So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight. The eight that each party appoints would consist of one person from each of the following fields:
  1. Cryptography
  2. Global commerce and economics
  3. Federal law enforcement
  4. State and local law enforcement
  5. Consumer-facing technology sector
  6. Enterprise technology sector
  7. Intelligence community
  8. Privacy and civil liberties community
That's actually... not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it's expected to move pretty quickly:
  1. Commissioners must be appointed within 30 days of enactment (except for the ex officio).
  2. The Commission shall hold its first meeting within 60 days of enactment.
  3. The interim report is due within 6 months of the initial meeting.
  4. The final report is due within 12 months of the initial meeting.
  5. The Commission terminates within 60 days after the final report.
Meanwhile, given that it's almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 12 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 12 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you're still left with the 6 law enforcement and intelligence commissioners. Two of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the "intelligence community" folks on the commission -- but it's still an uphill battle.

Update: While the FAQ originally said 11 were needed to agree, the actual legislation says 12, making it that much trickier.

At the very least though, it does seem clear that -- contrary to the concerns of many -- this isn't just a commission set up to say "backdoor all encryption." So while it still seems focused on the impossible, it's still much better than it could have been (and would have been under some other folks in Congress).

Filed Under: commission, congress, encryption, going dark, mark warner, michael mccaul


Reader Comments

  1. Capt ICE Enforcer, 29 Feb 2016 @ 4:11am

    Team U86

    How do I become a member of the team Unicorn 86?

  2. Anonymous Coward, 29 Feb 2016 @ 4:29am

    A leak that makes the government look good? I bet no one is going to jail over this.

  3. Anonymous Coward, 29 Feb 2016 @ 4:33am

    >He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary.

    It's difficult for anyone not to use encryption these days. If we're going to speculate, it would serve the discussion to talk about what kind of encrypted data is used and what could be intercepted under lawful order, instead of blanket statements from both sides.

  4. Quiet Lurcker, 29 Feb 2016 @ 5:22am

    >>The basic problem is this: ....


    Please change "to have real security you need strong encryption by seeking a solution" to "McCaul and Warner prove that they're trying to score political points".

    FTFY

  5. orbitalinsertion, 29 Feb 2016 @ 5:46am

    Re:

    Speculate about what? All the communications they found were unencrypted. Even if there are also encrypted communications, they would be redundant in terms of stopping a threat. If anyone were actually targeting suspect individuals instead of just vacuuming and storing everything from everyone for later possible perusal (and casual abuse), that is.

    How many times does it need to be discussed?

  6. That One Guy, 29 Feb 2016 @ 5:54am

    Re:

    Fine, how about:

    'they did not use encryption in any way relevant to what is being discussed.'

    The Paris police and intelligence agencies were caught with their pants down, and rather than admit 'Yeah, we seriously screwed up', they instead tried to blame their incompetence on the attackers using encryption to hide their plans. Problem with that is all evidence points to the fact that they basically communicated using unencrypted methods and the intelligence groups completely missed them despite that.

    If you're trying to demonize encryption by saying 'Look, terrorists use it!', then it helps to pick an example where it was actually used, which is why the fact that even now you've got people using it as an example of how encryption can protect terrorists from being found is so boneheaded.

  7. ArkieGuy, 29 Feb 2016 @ 6:26am

    Balanced only goes so far...

    "Even getting to 11 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you're still left with the 6 law enforcement and intelligence commissioners. One of them would have to be convinced to go along with the report."


    I think this is incredibly optimistic. What we have is a committee comprised of 16 individuals - we can be pretty darned sure the 6 LEO folks are going to be anti-encryption, but what worries me is that the other 10 are hand picked to also be anti-encryption.

    Somehow, I really don't see that it's going to be hard to get 11 votes, but almost impossible to get 11 pro encryption votes.

  8. That One Guy, 29 Feb 2016 @ 6:36am

    Re: Balanced only goes so far...

    Yeah, when you've got people on both sides making stupid and ill-informed statements on encryption it's not too unlikely at all that both would fill positions with people who aren't too fond of encryption, allowing it to be all too easy to get the required 11 votes for something.

  9. Anonymous Coward, 29 Feb 2016 @ 7:00am

    Unrepresented parties

    … one person from each of the following fields …
    There's no one on the commission to represent organized crime. Maybe they could get someone from one of the Mexican drug cartels? Or better yet, someone from the Russian cybercrime scene?

    Before you laugh, tell me that those people won't have a real say in the real world. So why shouldn't they be represented on the commission?

  10. Anonymous Coward, 29 Feb 2016 @ 7:23am

    i don't think the backdoors have one solitary thing to do with bad guys. it's us the govt wants to have no way to communicate in anything resembling privacy.

    these people want to know what each and every one of us is saying and thinking. why? i can't envision a good reason for it, and it goes against everything this nation has ever stood for.

  11. Anonymous Coward, 29 Feb 2016 @ 7:30am

    Re: Unrepresented parties

    You are mistaken... they are represented.

    They just like to make you think they are not. Have you ever noticed that every time a new law is made for this shit we peasants feel the pinch more than anyone else?

    Government is responsible for about 50% of major organized crime in any nation.

  12. Anonymous Coward, 29 Feb 2016 @ 7:33am

    Re: Unrepresented parties

    Sure there is, I count at least eight, "global commerce" "State law enforcement" "Federal law enforcement" and "Intelligence community"

    That's not even counting the crooks who'll be nominating them.

  13. That One Guy, 29 Feb 2016 @ 7:34am

    When all you have is a hammer...

    For groups used to dealing with criminals, finding them, prosecuting them, that sort of thing, it's all too easy to fall into the thinking where everyone is a potential criminal, and treating them accordingly.

    Unfortunately that mindset seems to be pretty rampant in multiple agencies and governments, the USG's included, and as a result when they say they want backdoors to 'stop/watch bad guys' the public is included in the category of 'bad guys', they just don't say so.

  14. Anonymous Coward, 29 Feb 2016 @ 7:36am

    Re: Re:

    "All the communications they found were unencrypted. Even if there are also encrypted communications, they would be redundant in terms of stopping a threat."

    Unless you are party to the criminal investigation, there's no way you could know that definitively. It doesn't mean it can't be true, but encryption can and will limit law enforcement's abilities. Why else would Techdirt and others encourage its use?

    Should we ban or restrict encryption based on this potential? In my view of course not.

    It's ignorant to say encryption will have no effect.

  15. Anonymous Coward, 29 Feb 2016 @ 7:37am

    The War on Encryption will be as pointless and as with no-end as the War on Drugs and War on Terrorism is.

  16. Anonymous Coward, 29 Feb 2016 @ 7:40am

    By this logic, I'm surprised planes have been allowed to fly all over the US for the past 15 years.

    On the encryption "issue", I still remember when doing stuff online with money was supposed to be scary and banks and retailers were quick to assure that, thanks to encryption, there was nothing to worry about. And indeed they had a point. Encryption is necessary, and where it is necessary it is often vital. Cripple it and watch 20 years, maybe more, of online development crumble away.

  17. Anonymous Coward, 29 Feb 2016 @ 7:44am

    Counsel to the Commission

    Reading through the bill, while I see that the commission is empowered to contract for services, and yada, yada, I'm not seeing explicit provision for the appointment of Counsel to the Commission.

    The commission should have its own attorney, to assist and advise the commissioners.

  18. Anonymous Coward, 29 Feb 2016 @ 7:44am

    Under the current governmental style of ruling. A good person is someone that is blindly loyal to their government. A bad person is anyone that is not, or questions what they are told.

  19. Anonymous Coward, 29 Feb 2016 @ 7:45am

    Re:

    No doubt they will pick someone they do not like and blame it all on them to unjustly imprison them.

  20. Anonymous Coward, 29 Feb 2016 @ 8:03am

    Re: Re: Balanced only goes so far...

    Sounds like: We'll have to pass this bill to find out what's in it.

    Sound familiar?

  21. AJ, 29 Feb 2016 @ 8:09am

    Re: Re: Re:

    "but encryption can and will limit law enforcement's abilities. Why else would Techdirt and others encourage its use?"

    I don't think the Techdirt community encourages the use of encryption to make life difficult for law enforcement specifically. I feel the focus is more that it makes life more difficult for people to snoop on the data period. Any crack in the encryption armor renders the encryption useless, and open for all to exploit regardless of intentions.

    There simply is no way to create a magic bullet that only kills bad guys as the term "bad guys" is subjective and could apply to all parties of a gun fight.

    But I'm guessing you already knew all this?

  22. Anonymous Coward, 29 Feb 2016 @ 8:13am

    Developers vs QA vs Marketing

    5. Consumer-facing technology sector
    6. Enterprise technology sector
    This calls for four people for “technology sector[s]”.

    So, that means one person from development, one person from testing, one marketdroid, and who else?

  23. Anonymous Coward, 29 Feb 2016 @ 8:20am

    Re: Developers vs QA vs Marketing

    2. Global commerce and economics
    These guys are the vulture capitalists?

  24. Anonymous Coward, 29 Feb 2016 @ 9:00am

    Re: Re:

    Hey what are you doing for the next 5-30 years? Just asking for a friend in Government. They're looking for a guy.

  25. Anonymous Coward, 29 Feb 2016 @ 9:09am

    This is a solved problem!

    The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is "bad" from who is "good." I'm pretty sure that's impossible because there's no universal standard for what makes a "bad" or "good" person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.


    It is a waste of time, as this problem has already been solved. Any internet communication that is fully standards compliant will follow RFC 3514 and be flagged "good" or "evil". This is defined for IPv4 though, so it may need to be updated for IPv6 and modern devices.

  26. Anonymous Anonymous Coward, 29 Feb 2016 @ 9:11am

    So it's not entirely clear what the point of this Commission is...

    The obvious answer is entertainment. After viewing the offerings on TV over an unknown period of time, and KNOWING how talented the people in Hollywood say they are, they have decided that that entertainment is in fact encrypted. The only way to get decent entertainment back on the air, therefore, is to do something about encryption.

    After having consulted with a couple of professors of statistics, who professed to be expert in statistical anomalies, they directed the casting director to put together a cast list that could be fulfilled by anyone who could play the roles. Thus using the design criteria they could ensure the desired results.

    That there were no viewers included in the focus group was intentional. Who would listen to them? They watch the stuff that is on TV now, so using them as a benchmark for improvement would be like asking them who should run the country.

    While the antics of the commission will most certainly BE entertaining, as well as pointless and self serving (just like TV programming) it actually has a mission. Expectations are that that mission will be fulfilled, to the detriment of society, and to no one's surprise is engineered with only one outcome in mind. I am hoping for some slapstick.

  27. Anonymous Coward, 29 Feb 2016 @ 9:12am

    Re: Re: Re: Re:

    "I don't think the Techdirt community encourages the use of encryption to make life difficult for law enforcement specifically."

    I concur, my previous comment was poorly worded. I was speaking to the efficacy of strong encryption, not its intended use. As we have seen in San Bernardino, strong encryption works (at least in a very limited data-at-rest context). As Julian Assange said, "It is easier to encrypt information than it is to decrypt it."

  28. AJ, 29 Feb 2016 @ 9:37am

    Re: Re: Re: Re: Re:

    I figured as much. Just keeping us sharp :) Cheers!

  29. JoeCool, 29 Feb 2016 @ 10:38am

    Re: Re: Developers vs QA vs Marketing

    I read it like this -


    1. Cryptography = the lone nerd
    2. Global commerce and economics = big banks
    3. Federal law enforcement = an NSA spook
    4. State and local law enforcement = the head of LEO unions
    5. Consumer-facing technology sector = Microsoft
    6. Enterprise technology sector = Microsoft
    7. Intelligence community = another NSA spook
    8. Privacy and civil liberties community = astroturf rep

    Too cynical? Nah! Just wait - I'm almost certainly not cynical enough.

  30. tqk, 29 Feb 2016 @ 11:14am

    Sturm und drang.

    I split that list into these two; public interests vs. gov't/law enforcement/NatSec. Of course, crypto's in both.

    Carrot:
    Cryptography
    Global commerce and economics
    Consumer-facing technology sector
    Enterprise technology sector
    Privacy and civil liberties community

    Stick:
    Cryptography
    Federal law enforcement
    State and local law enforcement
    Intelligence community

    And, they're off!

  31. tqk, 29 Feb 2016 @ 11:19am

    Re:

    Likely leaked by both the committee heads. This gives them a reason to contact potential donors for campaign contributions ("I'm doing something. Support me!"). Don't you know how this works yet?

  32. tqk, 29 Feb 2016 @ 11:28am

    Re: Re: Re:

    ... but encryption can and will limit law enforcement's abilities. Why else would Techdirt and others encourage its use?

    Holy !@#$, what a twisted interpretation! You believe TD exists to foil law enforcement's attempts to subvert crypto?!? Hasn't it yet occurred to you that crypto is good in and of itself? It can protect you from predators. Is it not possible that's why TD defends crypto, not just to foil law enforcement?

    Holy !@#$. :-P

  33. JBDragon, 29 Feb 2016 @ 11:57am

    It's just silly to weaken security for that tiny fraction of Terrorists that exist. It's just a false sense of security. Finding Info after the fact does no good. The Paris Attack they didn't use any Encryption.

    People were up in Arms on the iCloud hack with leaked celebrity nudes from their own phones!!! The U.S. Government is getting hacked and Data released out into the wild all the time. The latest is the IRS, but before that it was millions who just filled out a Government application whether you got a job or not and your Data was leaked!!!

    In the end, if a Terrorist actually cared about security, would they even trust Apple or Google for that matter? No!!! You can buy any old cheap Android phone and throw on any number of 3rd party Encryption software you want that is out of the U.S. Government's control that have NO BACK DOORS!!! So in the end, the Terrorists have great Encryption and most everyone else has to deal with fraud or worse because of weak backdoor Encryption that the U.S. Government goes and mandates. The only way you're going to stop any terrorists from Data on a phone is to just spy on everyone in the hope of catching someone. That's slim to none.

    As it is, these U.S. Terrorists are DEAD!!! They destroyed their own personal phones and HDD before they went on their rampage. They didn't give a crap about the work phone or they would have destroyed that one also. The FBI already has any call records from this work phone. Even the police don't think there's anything on it. I wouldn't care if there was. Making everyone's security weak won't do a thing for the criminals.

  34. Almost Anonymous, 29 Feb 2016 @ 12:04pm

    Re: Re: Re: Re:

    Foiling law enforcement is just a handy side-effect.

    But in all seriousness, no one ever said law enforcement was supposed to be easy. In fact, much of the process involved is to make sure that it is *not* easy. When law enforcement becomes too easy, you get what we've basically got now: a police state.

  35. Almost Anonymous, 29 Feb 2016 @ 12:09pm

    Re:

    Heck, even with encryption it is scary using money online! Most companies have embraced at least the minimum of encryption between here and there (SSL, TLS, etc), but still haven't grasped the need to keep their customer's data protected at rest. How many "big" websites have had to admit they were hacked and had customer data stolen?

  36. Anonymous Coward, 29 Feb 2016 @ 12:28pm

    >he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption.

    Why pick on encryption? Why not keep bad people from using cars, guns, deodorant? Why not just keep them from using fire? Or any other chemical process involving OXYGEN? Problem solved.

    Seriously, it's easier to keep someone from using oxygen, which at least is physically detectable and controllable, than to keep them from thinking. And historically, fire use predates encryption, but encryption techniques were in use in ISIS-influenced parts of the Middle East at least 3000 years ago.

    The problem has nothing to do with encryption. It has to do with a journalism industry that pretends people whose knowledge of information technology is 3000 years out of date have an opinion on information technology worth hearing.

  37. AJ, 29 Feb 2016 @ 12:29pm

    Re: Re: Re: Re:

    I addressed that issue with him in my rebuttal to his comment, that's not what he meant at all. Bad wording on his part.. climb on down :)

  38. AJ, 29 Feb 2016 @ 12:30pm

    Re:

    "deodorant?".. you may be on to something. If they stink, they must be a terrorist!!??

  39. Anonymous Coward, 29 Feb 2016 @ 1:09pm

    "So it's not entirely clear what the point of this Commission is..."

    It's to get some buddies on the payroll at the taxpayers' expense.

  40. Groaker, 29 Feb 2016 @ 1:28pm

    The war against cryptography will be as effective as the war against drugs.

  41. Anonymous Coward, 1 Mar 2016 @ 12:50am

    The basic problem

    "The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone -- harming the vast majority of good people out there -- or you allow strong encryption, meaning that some bad people can use it."

    You can't undermine strong encryption for everyone, that's the basic problem. What will keep companies outside the US from implementing strong encryption into their devices? And even if you got every tech-company on the planet to agree on a treaty not to produce such devices, what would keep criminals or rogue states from producing them?

    You may be able to outlaw strong encryption, but no one will be able to suppress it. As has happened so many times before: The ones on the losing side would be the law-abiding People...
