Leaked! Details Of The New Congressional Commission To Take On The Encryption Issue

from the we'll-see-how-this-goes... dept

Help us keep covering stories like these!
Back in December, we wrote about plans by Rep. Mike McCaul and Senator Mark Warner to put together a "commission" to figure out what to do about the encryption "issue." In his speech, McCaul did at least say that "providing a backdoor into everybody's iPhone was not going to be a very good strategy" since it would open things up to hackers, but at the very same time, he kept saying that we had to somehow stop bad people (terrorists, criminals, child predators) from using encryption. He also keeps insisting that the Paris attackers used encryption, despite lots of evidence to the contrary. So it's not entirely clear what the point of this Commission is, other than to chase down some mythical solution that doesn't exist.

The basic problem is this: to have real security you need strong encryption. And if you have strong encryption, people who are both good and bad can use it. So either you undermine strong encryption for everyone -- harming the vast majority of good people out there -- or you allow strong encryption, meaning that some bad people can use it. The only way to have strong encryption but not allow the bad guys to use it is to have a technology distinguish who is "bad" from who is "good." I'm pretty sure that's impossible because there's no universal standard for what makes a "bad" or "good" person, and definitely not one that can be implemented in device hardware or software. So a commission seems like a waste of time.

But the Commission is coming... and later today McCaul and Warner are releasing the bill that will form the Commission. Someone kindly leaked us the bill and some related documents over the weekend, so we can give you a bit of a preview. To their credit, it appears that McCaul and Warner have paid attention to the criticism, and really are trying to present a "balanced" commission, rather than one dominated by folks who don't actually understand the technological realities. That's a plus. There's still the negative that what they're basically asking for is impossible, but we'll let that slide for the moment on the basis of "well, their intentions aren't as horrible as we feared...".

So, should this bill pass, the Commission would have 16 members, with the Republicans and Democrats each appointing eight, and that eight that each party appoints would be one person from each of the following fields:

1. Cryptography
2. Global commerce and economics
3. Federal law enforcement
4. State and local law enforcement
5. Consumer-facing technology sector
6. Enterprise technology sector
7. Intelligence community
8. Privacy and civil liberties community

That's actually... not a bad mix overall, though obviously who is appointed will make a huge difference in terms of whether or not we have a useful commission or one that will declare the impossible (and dangerous) possible. The commission will actually have subpoena authority, which is an interesting choice, and will, of course, hold a bunch of hearings. And it's expected to move pretty quickly:

1. Commissioners must be appointed within 30 days of enactment (except for the ex officio).
2. The Commission shall hold its first meeting within 60 days of enactment.
3. The interim report is due within 6 months of the initial meeting.
4. The final report is due within 12 months of the initial meeting.
5. The Commission terminates within 60 days after the final report.

Meanwhile, given that it's almost certain that the commission will not unanimously agree on anything, the final report needs to only be agreed upon by 11 12 of the 16 commissioners. And dissents will be published with the report as well. Even getting to 11 12 may be tricky without some serious compromises. If you assume (which is already unlikely) that the non-law enforcement/intelligence guys would all agree on something, you're still left with the 6 law enforcement and intelligence commissioners. One Two of them would have to be convinced to go along with the report. I mean, it is possible. Michael Hayden and Michael Chertoff have both been going around saying that strong encryption is good and backdoors are bad. So maybe you get someone like them to be one of the "intelligence community" folks on the commission -- but it's still an uphill battle. Update: While the FAQ originally said 11 were needed to agree, the actual legislation says 12, making it that much trickier.

At the very least though, it does seem clear that -- contrary to the concerns of many -- this isn't just a commission set up to say "backdoor all encryption." So while it still seems focused on the impossible, it's still much better than it could have been (and would have been under some other folks in Congress).

Help us keep covering stories like these!

Filed Under: commission, congress, encryption, going dark, mark warner, michael mccaul

As Law To Backdoor Encryption Stalls, Congress Tries Backup Stupid Plan To Backdoor Encryption

from the bad-ideas-all-around dept

Late last year, Senator Richard Burr, who is painfully wrong on encryption, announced that he and Senator Dianne Feinstein were working on new legislation that would mandate backdoors to encryption. Most people recognized that such a bill had little-to-no chance of actually passing Congress, as there are at least enough folks up on Capitol Hill who realize that such a law is incredibly stupid. Given that, it's little surprise that reporter Jenna McLaughlin from The Intercept is reporting that such legislation "has been delayed."

But, fear not, foes of strong encryption, because there's always a plan B. Late last year, we also noted that Rep. Michael McCaul, the head of the House Homeland Security Committee, was going to propose legislation that would create a "commission" bringing tech companies and law enforcement together to work on a way to undermine encryption. While, at the very least, he noted concerns about backdooring encryption (and later noted how backdoors could weaken everyone's security), it hasn't stopped him from moving forward with this commission, and making some fairly ridiculously ignorant statements about all of this.

McCaul, together with Senator Mark Warner (who should know better), has announced that they're moving forward with legislation to set up this commission, and still ridiculously claims that "going dark" is a real problem that needs to be "solved."

McCaul said the group would be given “a tight time frame” to develop “recommendations to the Congress as to what can be done to solve this urgent, and I think very challenging threat to our national security.”

But, as if to underline how little McCaul really seems to understand about the issue, during a press conference about this, he claimed that the "going dark debate" was started by Ed Snowden's use of encryption, leading to a rather sarcastic reply from Snowden himself:

Chairman McCaul on "going dark": "It’s ironic that Edward @Snowden really sort of created all this when he started using encryption."

— Kaveh Waddell (@kavehewaddell) January 19, 2016

Other things Chairman McCaul thinks I created: famine, climate change, bieber. https://t.co/eJ8JWyDy1K

— Edward Snowden (@Snowden) January 19, 2016

It's troubling that the guy who thinks Snowden started the debate on going dark is now apparently going to lead this commission to deal with the "problem" of going dark. Nor is the whole "tight timeline" particularly encouraging. Because the whole thing is based on a false premise that if we just "get smart people in the room," they'll figure out "a solution."

But how many times does it need to be said before law enforcement and politicians understand the rather basic facts: you can undermine encryption, but it makes everyone significantly less safe. There is no way to build technology that says "only the pure of heart may use this technology, while ISIS may not." The second you try to do that, all you end up doing is opening up serious vulnerabilities that will put everyone at risk.

Meanwhile, another report on this planned commission claims that it will "be tasked with developing a solution that doesn’t require a 'backdoor' into encrypted communications." That's obviously better than being tasked with backdooring encryption... but what does that even mean? The whole setup of the discussion and the debate is falsely framed around the idea that strong encryption is a "problem" that needs to be "solved." Saying "but we don't mean backdoors," feels like a semantic game, such as James Comey's ridiculous attempt a few months back, where he insisted that the FBI wants "front doors" instead of backdoors.

If Rep. McCaul and Sen Warner were serious about "Homeland Security," they'd both get on the bandwagon supporting strong encryption because that, and that alone, is the best way to protect computer security for Americans.

Filed Under: backdoors, commission, congress, dianne feinstein, ed snowden, encryption, going dark, mark warner, michael mccaul, richard burr

Rep. Michael McCaul Proposes 'Commission' To 'Force' Silicon Valley To Undermine Encryption

from the well,-here-we-go... dept

Rep. Michael McCaul, the head of the House Homeland Security Committee has now given a speech in which he announced plans to introduce legislation that will create a committee to undermine encryption in the tech industry:

The legislation "would bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground," Chairman Rep. Michael McCaul (R-Texas) said in a Dec. 7 speech at National Defense University. "This will not be like other blue ribbon panels, established and forgotten."

He said the ability of terrorist groups to use encrypted applications while communicating is one of his biggest fears. "We cannot stop what we cannot see," he said in reference to recent attacks in San Bernardino, Calif., and Paris.

Yes, the idea that it will include technologists and privacy and civil liberties folks sounds good, but it still seems like the key focus is going to be around undermining encryption. You don't need a special commission to do the only thing you really need to do: which is to keep making ever more secure encryption. And, of course, McCaul has been among the leading voices in seeking to blame encryption for everything. A few weeks ago he insisted that the Paris attackers used encryption and in the Q&A portion after his speech yesterday he went even further directly claiming the Paris attackers used the Telegram app -- something that no one else has claimed to date. He first admits that a "backdoor" to encryption is a bad idea, but then basically says, "but there must be some technological solution" before claiming that the Paris attackers definitely used encryption.

It's a very complex issue. I think initially lawmakers thought there was an easy legislative fix where we just amend the CALEA statute, until we found out that providing a backdoor into everybody's iPhone was not going to be a very good strategy. Not only would it provide a backdoor for the government, but also for hackers. So you've noticed that the language of the FBI director and the language of the Secretary of Homeland Security has shifted to trying to find a technology solution to this problem.

This part is true, but that "shift" to finding a "technology solution" still involves creating backdoors to encryption -- and just not calling them backdoors. McCaul continues:

I will not tell you that it's an easy solution, but I've had very in-depth discussions that I do believe there are alternatives. There are some solutions to this problem. And I think the inherent problem, and the reason why I'm advocating the formation of this commission, is because of the reluctance of both parties to sit in the same room together. And so what this legislation provides -- in fact what it will mandate -- that all relevant parties sit in the same room together, and in a very short period of time, provide the Congress with solutions and recommendations for legislation to deal with what I consider to, as I said in my remarks, one of the most difficult challenges of this century, in dealing with counterterrorism and basically criminal behavior.

First of all this is hogwash. People from both sides are more than willing to sit together, if there was some possible productive outcome from it, and compelling them to sit in the same room doesn't change the facts that what they're asking for is impossible. I don't now how many times it needs to be said, but full encryption makes us all much safer, and you can't magically create a technology that "only the good people" can use. No one's demanding that law enforcement and gunmakers get together to create bullets that only hit bad people. And no one's demanding that automakers and law enforcement get together to design cars that only nice people can drive. Why do people magically think that Silicon Valley can determine who's good and who's bad and set up technology so that only nice people can have their privacy protected?

McCaul then continues, falsely claiming the Paris attackers used encryption:

If we don't do anything. Title III wiretaps and FISAs will become a thing of the past. When we saw the encrypted apps on the on the Paris attackers' iPhone - it was Telegram. When eight attackers and numerous co-conspirators, foreign fighters from Syria, can do something like that and it's completely under the radar screen. We know why it went undetected. It went undetected because they were communicating in the dark space. In a space where we can't shine a light on to see these communications even if we have a court order.

Of course, this is hogwash. No one else has claimed the Paris attackers used encryption. And in fact we now know that they communicated via unencrypted SMS and that they did a lot of their planning in plain sight, with the guy behind the plans bragging to an English-language ISIS publication about his plans, and the attackers booking hotels and guest houses in their own names.

Politico followed up with staffers on McCaul's committee to ask about this, and they admitted that McCaul was exaggerating -- saying he was talking "in general about terrorists' use of encryption" rather than specifically about the Paris attacks. Except, he said it pretty directly, which means he's either misinformed or lying. And, yet, now he's rushing to set up a special commission to help figure out a way to deal with this problem that he himself is exaggerating? That's not encouraging.

McCaul later went on to repeat the "this is a difficult problem" line which misses the point. It's not a difficult problem. It's not that smart people don't want to work on this, it's that law enforcement and McCaul are asking for the impossible: encryption that protects privacy, but only for good people. And, yet, he says he needs to "force people" to solve this problem (he literally uses the phrase "force them.")

While some have suggested that this commission could deal with many other issues unrelated to encryption (which could, potentially be a good thing), the timing of this, just as so many have been calling to undermine encryption by phrasing it as calling for "a conversation" between techies and law enforcement, combined with McCaul's incorrect statements on encryption is worrisome.

The only other "positive" in all of this is that he's pushing this commission as an alternative to legislation that would mandate encryption backdoors admitting (correctly) that "a legislative knee-jerk reaction could weaken Internet protections and privacy for everyday Americans...." That's absolutely true, but what, exactly, does he expect this new commission to do other than to undermine encryption and weaken those protections? And, as he made clear in his statements above, he's still expecting this commission to suggest a legislative solution in a fairly short time period. In other words, this may not be a "legislative knee-jerk" but it sure looks like a plan to lead to knee-jerk legislation, just one where McCaul can point to some committee's "recommendations" to cover up the fact that he's demanding the impossible.

Filed Under: conversation, encryption, going dark, homeland security, michael mccaul, paris attacks, silicon valley

Insanity Rules: Disgusting Politicians Push For More Surveillance And Less Encryption... Based On Nothing

from the make-it-stop dept

Yesterday we noted that the surveillance state supporters were quick to rush in and blame Ed Snowden and call for undermining encryption in response to the attacks in Paris last week -- and they did so based on no factual information whatsoever. There was, briefly, a NY Times article quoting anonymous "officials" claiming that the attackers had communicated via encrypted channels. That article eventually disappeared entirely (with no explanation from the NY Times). If that's true, it would not be surprising, because terrorist groups have long used encryption -- as have tons and tons and tons of law abiding folks. Blaming encryption seems particularly dumb.

And, indeed, on Monday it was made clear that no one actually has any idea how the planning was done and there isn't yet known evidence of encryption:

A U.S. security official said there is no evidence yet demonstrating that the Paris attackers used a particular method for communicating, or whether any technology they used was encrypted in a particular way.

Of course, that statement is as meaningless as the one from the anonymous official claiming they did use encryption, because it's just a random namely "official." And, of course, it wouldn't be surprising at all if they did use encryption, because that's how people communicate safely. And it's not because of Snowden. As we noted yesterday, terrorists have known to use encrypted communications for well over a decade.

Still, none of this has stopped the insane grandstanding on the issue. CIA Director John Brennan kicked it off by taking a potshot at Snowden along with privacy advocates and tech companies -- again, based on nothing:

"In the past several years, because of a number of unauthorized disclosures and a lot of handwringing over the government’s role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability collectively, internationally to find these terrorists much more challenging," he said. "I do hope that this is going to be a wake-up call particularly in areas of Europe where I think there has been a misrepresentation of what the intelligence security services are doing by some quarters that are designed to undercut those capabilities."

Brennan also ridiculously claimed that the terrorists had "gone to school" based on the Snowden disclosures, which again, defies all logic and historical reporting of how widely encrypted communications were used prior to this.

And then all the usual fear mongerers started to pile on. Let's start with the surveillance state's number one defender, Senator Dianne Feinstein:

Senator Dianne Feinstein, the California Democrat, said she’s asked Silicon Valley companies to help law enforcement and intelligence agencies access communications that have been encrypted -- or scrambled to evade surveillance -- if terrorists are using the tools to plan attacks.

“I have asked for help. And I haven’t gotten any help,” Feinstein said Monday in an interview with MSNBC. “If you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner, that’s a big problem.”

But that's idiotic. Does she feel the same way about the telephone? Or paper? Or cars? These are all tools that terrorists use as well, but she's not calling for them to be broken. Blaming the tools is a ridiculous move -- especially for a politician who should know better.

But, of course, she wasn't the only one. Senator John McCain -- who once was a strong defender of encryption in the late 90's, has apparently gone to the other side as he's been taken by unrealistic fears:

Senator John McCain, an Arizona Republican and chairman of the Senate Armed Services Committee, said on MSNBC Monday that "it’s time we had another key that would be kept safe and only revealed by means of a court order."

Except, of course, that doesn't work. And McCain has been told that won't work and will make everyone less safe... and yet he's still pushing for it.

Rep. Michael McCaul, chair of the House Homeland Security Committee got in on the stupid game as well:

“The dark space of the Internet is becoming a breeding ground for terrorist communications, recruitment and plotting,” said McCaul, a Texas Republican. “Our inability to monitor encrypted messages on social media apps, and the terrorists’ awareness of that, compounds the danger America and the West face.”

You know what would put us in even greater danger? Undermining encryption and giving up our keys.

NYPD Commissioner Bill Bratton also repeated the nonsensical claim that tech companies, in better protecting users from hackers, were somehow helping the terrorists:

Technology has been "purposefully designed by our manufactures so that even they claim they cannot get into their own devices after they’ve built them," Bratton said on MSNBC’s Morning Joe.

"They need to work with us right now," Bratton said. "In many respects, they’re working against us."

All of this is based on a weird kind of idiocy. It's wrong on so many levels: (1) strong encryption helps protect citizens, not harm them; (2) terrorists already know how to use strong encryption and they have for years; (3) backdooring encryption won't stop people from using non-backdoored encryption; (4) there's still little to no evidence that snooping on everyone's communications actually stops any terrorist plots. But a big tragedy happened and thus, politicians feel like they need to "do something" and that "doing something" seems to be to attack the technology that actually makes us safer. It's insanity on a massive level.

And the press is playing right into it. The NY Times may have dropped that original story, but came back with one claiming that the attacks had "reopened the debate on encryption." No, they did not. The debate is over. Undermining encryption is dangerous and bad news for everyone. As we noted, the intelligence community's top lawyer, Robert Litt, flat out said just a few weeks ago that he and his friends were waiting for the next terrorist attack in order to push for backdoors in encryption. This is the playbook that was planned all along and most of the press is falling for it.

Thankfully, there are a few exceptions. Kim Zetter at Wired pointed out how the whole narrative is wrong and that backdooring encryption won't help at all. And Alex Howard at the Huffington Post put up a similar story. But for much of the mainstream press, they're playing right into the surveillance state's game plan, repeating the stupid talking points on encryption, based on zero actual facts, and then insisting that the debate is somehow open again.

There is no debate. Yes, the surveillance state supporters want to undermine our security and undermine encryption, but there's no actual debate here. Actual experts know that this is a bad move and a dangerous one that will put many more people at risk. Exploiting an attack in Paris (right after France expanded its own surveillance efforts) is hardly a good excuse for undermining the safety of basically everyone.

Filed Under: bill bratton, dianne feinstein, encryption, going dark, john brennan, john mccain, michael mccaul

Top FBI Official Says Tech Companies Need To 'Prevent Encryption Above All Else'

from the where-do-they-find-these-people? dept

Usually, when we see clueless government lackeys discussing the need to backdoor encryption, they at least admit upfront that they think encryption is important in protecting private information. Even that nutty rambling speech by Homeland Security Appropriations chair Rep. John Carter recognized that there were important reasons to use encryption to protect privacy. And FBI boss James Comey usually does some hand waving to that effect as well. But apparently he forgot to tell one of his deputies.

While testifying before Congress, Michael Steinbach, assistant director in the FBI's Counterterrorism Division, just went to the levels of pure insanity, in arguing that above all else companies should work to prevent encryption. This was during a ridiculous grandstanding hearing held by the House Homeland Security Committee entitled "Terrorism Gone Viral", and Steinbach didn't waste the opportunity to make a ridiculously viral comment of his own:

So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else.

Above all else? Is he crazy? At least his written testimony isn't quite as crazy, but still has a bunch of fear-mongering about "going dark."

Unfortunately, changing forms of internet communication are quickly outpacing laws and technology designed to allow for the lawful intercept of communication content. This real and growing gap the FBI refers to as “Going Dark” is the source of continuing focus for the FBI, it must be urgently addressed as the risks associated with “Going Dark” are grave both in traditional criminal matters as well as in national security matters.

He also seemed positively freaked out that some social networks actually recognize that protecting their users privacy is a good thing:

"There are 200-plus social media companies. Some of these companies build their business model around end-to-end encryption," said Michael Steinbach, head of the FBI's counterterrorism division. "There is no ability currently for us to see that" communication, he said.

"We're past going dark in certain instances. We are dark," he added.

While the head of the committee, Rep. Michael McCaul played along with this insanity, arguing about how these so called "dark spaces" are a "tremendous threat to the homeland" at least Rep. Ted Lieu -- the same Rep. who recently called out the push to backdoor encryption as "technologically stupid" -- has some more thoughts on the FUD and grandstanding by McCaul and Steinbach. As he told the Intercept:

“When they talk about dark places, ooooh it sounds really scary,” Lieu said. “But you have a dark place in your home you can talk, you can meet in a park –- there are a zillion dark places the FBI will never get to and they shouldn’t because we don’t want to be monitored in our home.” .....

“The notion that encryption is somehow different than other forms of destroying and hiding things is simply not true,” Lieu told The Intercept. “Forty years ago, you could make the statement that paper shredders are one of the most damaging things to national security because they destroy documents that law enforcement might want to see.”

More Lieu, less McCaul and Steinbach, please.

The thing is, as we've noted before, what's equally as disturbing as the ignorant statements from folks like Steinbach is that now, security researchers and tech companies are going to have to waste tons of time and resources explaining why all of this is not just "technically stupid" but actively makes all of us less safe. And they need to do that, rather than building stronger encryption, which is what we really need.

Filed Under: encryption, fbi, james comey, michael mccaul, michael steinbach, privacy, security, ted lieu