Senator Mark Warner and Representative Mike McCaul are calling on Congress to create an "Encryption Commission" composed of business, tech, and law enforcement and intelligence agency leaders that will investigate and report on encryption issues. The commission is set to ask questions already answered in the 1990s like whether or not the government should mandate backdoors or otherwise change current law. The answer is no. At the end of the day, the commission shows Congress still hasn't learned that math is not something you can convince to compromise.
The Warner-McCaul Commission tasks Senate and House leaders with appointing 16 representatives from private industry, law enforcement, academia, the privacy and civil liberties community, and the intelligence community to publish two reports within a year. Each report will investigate (among other topics) how encryption is used, whether current law or warrant procedures should change, the value of encryption, the effects of encryption on law enforcement, and the costs of weakening encryption standards.
Many of these questions have been repeatedly asked—and answered—since the Crypto Wars of the 1990s. During that period, the Clinton administration tried to keep strong crypto out of consumer devices and services by proposing things like the now-infamous "Clipper Chip," which sought to compel companies to insert backdoors into commercial encryption technologies, and by enforcing export regulations that effectively prevented the development and distribution of strong encryption.
The Clipper Chip proposal was defeated in the late 1990s, and ever since then the public has been using strong encryption and discussing its importance to security. The benefits are real. Encryption protects people from criminals, secures our everyday communications, and enables confidentiality and privacy.
The Apple-FBI litigation renewed efforts to push forward with the commission; however, lawmakers should oppose its creation. Honestly, we already know the right answers—but the commission seems aimed at producing the wrong answers because it avoids crucial questions about U.S. capabilities and because its membership is skewed.
First, the bill calls on the commission to review the role of cryptography in a variety of instances, but with a glaring omission: investigating the current capabilities of U.S. law enforcement and intelligence agencies when it comes to encryption and encryption-based attacks. In the past three years, Americans learned that the National Security Agency deliberately weakened encryption standards and paid the security company RSA to make a crackable encryption scheme the default in a software product called BSafe. There can be no fair review of the role of cryptography without understanding what the U.S. government has been doing to defeat or compromise encryption, and how.
The makeup of the commission is also an issue. The law enforcement and intelligence community is overrepresented with 6 out of 16 seats. Because 12 of the commission’s 16 members are required to issue subpoenas or approve any conclusions, those 6 members have tremendous influence over the commission’s investigations and the content of any report.
The Warner-McCaul proposal ignores what technical experts, computer scientists, and others have repeatedly told Congress for more than 20 years: weakening encryption standards and mandating backdoors (or key escrow) for government access will make people and their devices less safe. Indeed, the very existence of the Warner-McCaul bill will be used to prolong an unnecessary conversation.
We don’t believe such a commission should pass Congress, and we hope the president vetoes it if it does.