McCaul’s Crypto Commission: First, do no harm

This week on Capitol Hill, Chairman Mike McCaul (R-TX) and Senator Mark Warner (D-VA) introduced legislation that would create a bipartisan commission of experts to study the debate over encryption and provide recommendations for overcoming the current impasse. Access Now welcomes the attempt to move this important conversation forward in a meaningful way, but the implementation threatens to undermine the outcomes it seeks to achieve.

Encryption is our most effective tool to protect privacy and security in digital spaces. It protects the confidentiality of sensitive transactions like those that involve banking data, financial information, and medical records. It protects users at risk from physical threats including death, reduces device theft, and makes cybercrime more difficult.

However, in some circumstances, encryption can also make it more difficult for law enforcement to access information they’re seeking in the course of a lawful investigation. This leads to difficult trade-offs with regard to the security of our digital spaces and the interests of law enforcement. This ongoing debate about encryption policy is not restricted to a single phone or even a single country. From the United States to Russia, governments are considering proposals that would have the effect of undermining encryption. Yet strong encryption is vital to keeping us safe.

Chairman McCaul and Senator Warner’s proposal is nuanced. It demonstrates a clear understanding of the situation and reflects an honest attempt to move the debate forward in the interest of all. Unfortunately, despite good intentions, it appears that the commission, as proposed, might not produce what the authors expect.

Is a commission even necessary?

The commission aims to resolve an impasse where all sides are “talking past one another.” To do that, the commission proposes bringing people together to facilitate discussion and generate a common pathway forward. Underlying this proposal is the assumption that people from both “sides” of the debate have not already engaged with one another in good faith. However, digital security experts and law enforcement have in fact been discussing “the Crypto Wars” since the 1990s, and more recently, there have been numerous forums where both sides have made their case. Just last summer, Access Now held the Crypto Summit in Washington, D.C. to facilitate such a discussion. We’re holding a follow-up summit on March 30, 2016 to advance the key issues that have been identified as important and unresolved. Our hope is that the commission will meaningfully address the debate without retreading well-worn pathways.

The good:

The authors recognize the complexity of encryption and its role in securing our safety and modern digital economy. It is notable that the authors direct the commission to study all aspects of encryption, including the economic and commercial value of cryptography, and the benefits of cryptography, digital security, and communications technology to national security and crime prevention.

The commission is also required to have technical experts and privacy and civil liberties advocates represented, and the commissioners are allowed to hire or consult with other experts. The bill also requires a tight deadline for a work product from the commission and allows for dissenting views. These are all positive steps.

The worrisome:

No matter how many good intentions are behind the development of the commission, it could be manipulated to produce something that is ultimately harmful. Even if recommendations come with caveats, negative recommendations would still have the blessing of a blue ribbon, bipartisan committee of experts. This creates a perverse incentive not to seek consensus for addressing difficult issues, but instead to score a “win” or a political talking point.

While the commission will include multiple, necessary viewpoints, it is still overwhelmingly staffed by a group with a single point of view: of the 16 slots, six of them will go to law enforcement or members of the intelligence community. In addition, Majority Leader McConnell and Speaker Ryan would name eight members and select the chairperson. Because only 12 votes are needed to produce a report, even subtle bias in the committee could lead to an unbalanced final product.

The commission may also be influenced through the staff. The commission has a 12-month deadline to complete its report, and it will take four months for an individual to receive the proper security clearances. That means the universe of potential staffers may be limited, practically, to individuals who already have a security clearance. These factors mean that the staff of the commission would likely be composed of “detailees” from the intelligence community and perhaps a few congressional staffers.

Further complicating this issue is the commission’s opaque funding structure. The legislation does not provide new funding, but relies on the charity of other federal agencies to provide “services, funds, facilities, staff, and other support services.” There is no transparency requirement to share with the public which agencies are financing this commission or explain why they are doing so. In short, under this proposal, we won’t know who is paying for this commission.

Final thoughts:

It is clear that the sponsors of this bill are thinking seriously about encryption and are committed to moving the policy debate forward. However, Access Now cautions that the devil is in the details. And the details about this commission leave considerable room for creating a work product that could take this debate backward rather than forward.

As anyone who follows Access Now’s work in the area knows, we remain committed to promoting and using encryption to protect the fundamental human rights of users at risk around the world. We look forward to working with the authors — and perhaps the members of this commission — to make sure the rights of users will be fully represented in these ongoing conversations. We also encourage these thoughtful lawmakers to join us at the Crypto Summit 2.0.