27 June 2016

The Path Forward on Encryption: The McCaul-Warner Commission

June 24, 2016, 

The current encryption debate is gridlocked. For the past year, privacy advocates, civil libertarians, Department of Justice attorneys, cryptographers, and others have been stonewalling one another, exchanging a barrage of bumper sticker slogans. These engagements have drawn attention to an important issue, but have largely failed to illuminate the path forward.

In a recent post for Lawfare, Jamil Jaffer and Daniel Rosenthal bring moderate and tempered reasoning to this discussion. They correctly contend that the Orlando shooting, like similar terror attacks, illustrates “the importance of developing thoughtful, non-reactionary, and bipartisan solutions.” Even more importantly, Jaffer and Rosenthal point out that “[t]he opportunity to work together on a reasonable, middle-ground solution may be transient.” It is of no small consequence that any such opportunity “could quickly vanish in the wake of the next significant terrorist attack in the United States.”

Drawing on Jaffer and Rosenthal’s tempered discourse, we should give serious consideration to the Digital Security Commission Act co-sponsored by Rep. Michael McCaul and Sen. Mark Warner (commonly referred to as the McCaul-Warner Commission). I’ve made similar arguments in support of the Commission in The Hill, the Wall Street Journal—where the editorial board also supported the Commission—and elsewhere. In short, given the available options—at the moment, a choice between doing nothing or passing the Burr-Feinstein bill—the McCaul-Warner Commission presents the restrained and appropriate course.


Adopting a commission approach recognizes that Congress, as an institution, has limited technical expertise and is not equipped to weigh the many competing issues at play in this debate. Intellectual humility is required, now more than ever, if we hope to move this debate forward. Assembling a commission dispels the illusion that encryption is a “problem” to be “solved,” and instead examines the broader challenges faced by law enforcement in the digital age. No ex ante assumptions should preclude any particular course of action and a diverse array of stakeholders—economists, cryptographers, law enforcement, and civil society—would ensure a fair representation of various perspectives. And the Commission facilitates a focus on a critical but undervalued component of this debate—the economics of encryption.

The problem with attempts to undermine encryption through the surreptitious installation of “backdoors” is not simply one of potential civil liberties impacts. There is a compelling economic dimension to this debate that has been largely ignored. Specifically, the engenderment of trust in the online ecosystem is precipitated by expectations of security made possible by the proliferation of transit layer encryption protocols, such as TLS and SSL. For example, when you go to make a purchase on Amazon, the little green lock icon in the URL bar indicates a secure connection, made possible by encryption. Attempts to undermine the security of those protocols could have profound consequences to the level of trust users equate with e-commerce. Those economic concerns need to be taken more seriously in a debate that has largely centered on privacy and civil liberties concerns.

So what might the Commission recommend?

One potential solution could result in establishing a lawful systems access framework for law enforcement—that is, a legal hacking regime. Some have written quite favorably of this approach as a potential alternative to forcing technology firms to retain the ability to decrypt customers’ data.

In January, Benjamin Wittes outlined some of the pitfalls those in the civil libertarian community may have overlooked in supporting such an approach. As he points out: “when civil libertarians and cryptographers talk about lawful hacking, what that may mean in practice is the government’s commandeering companies into compromising their users’ devices.” Which begs the ultimate question: “Is a regime in which companies may have to do these things better or worse from a civil liberties perspective than a regime under which they have to help with decryption?”

I won’t pretend to speak for all civil libertarians, but I think on net, that a lawful systems access regime—with appropriately tailored judicial and congressional oversight, transparency, and accountability practices, all subject to the provisions of the Wiretap Act—is far better public policy than simply mandating companies embrace weaker encryption practices and standards. Perhaps more importantly, however, is the simple fact that such a question, in order to be answered appropriately, requires all relevant stakeholders to engage one another in a tempered and rational dialogue. Shouting past one another in the media and public fora simply will not do as a means to achieving an ideal policy outcome.

We have but one path forward in this debate, and that’s the one that treats all the competing equities and stakeholders as equals. The intellectually honest and ideologically neutral option is to embrace politics as the art of the possible, not as a war of all against all. To do so, civil society, law enforcement, the technology industry, economists, cryptographers, and other leading experts need to sit down and reason through competing interests to arrive at a solution that protects encryption, the digital economy, and the security of all Americans.

Otherwise, this will continue to be a debate with no end in sight. The sooner we embrace the Digital Security Commission, the sooner we can get to work compromising on a solution.

No comments: