HR 4651 & S 2604 – Encryption Commission

Earlier this week, amid a large amount of publicity, HR 4651 and S 2604, both companion bills entitled the Digital Security Commission Act of 2016 were introduced in the House and Senate, each with a number of bipartisan sponsors. Each of the bills would establish the National Commission on Security and Technology Challenges.

Establishing the Commission

In Section 2 the bills lay out the Congressional findings that outline the conflict to be studied and possibly resolved by the Commission. It notes that {§2(11)}:

“Despite years of dialogue between the technology sector, law enforcement, national security professionals, and others, no clear path forward has been developed that would benefit each of the critical security interests simultaneously; rather, there seems to be a consensus among stakeholders, lawmakers, and experts that the question of reconciling competing security interests is one without an easy or obvious answer.”

With that in mind the findings section goes on to recommend that {§2(12)}:

“Leading experts and practitioners from the technology sector, cryptography, law enforcement, intelligence, the privacy and civil liberties community, global commerce and economics, and the national security community must be brought together to examine these issues in a systematic, holistic way and determine the implications for national security, public safety, data security, privacy, innovation, and American competitiveness in the global marketplace.”

With that in mind §3 of the bill establishes a 16-member Commission to look at those issues. With eight members appointed by the Republican and Democratic leaders of the House and Senate and an ex-officio member appointed by the President, The Commission will represent {§4(b)}:

• Cryptography;

• Global commerce and economics;

• Federal law enforcement;

• State and local law enforcement;

• Consumer-facing technology sector;

• Enterprise technology sector;

• The intelligence community;

• The privacy and civil liberties community.

Reports to Congress

Section 5 of the bill requires the Commission to prepare at least two reports to Congress. An initial Interim Report will be submitted no later than 6 months after the Commission is established. A Final Report will be submitted 12 months after the Commission first meets. Additional interim reports may be published with the support of at least 12 members. The Commission rules will include provisions for including minority views, findings and recommendations in each report.

Each report to Congress will include (at a minimum) “an assessment of the issue of multiple security interests in the digital world, including public safety, privacy, national security, and communications and data protection, both now and throughout the next 10 years” {§3(b)(2)(A)}. This will include a qualitative and quantitative assessment of {§3(b)(2)(B)}:

• The economic and commercial value of cryptography and digital security and communications technology to the economy of the United States;

• The benefits of cryptography and digital security and communications technology to national security and crime prevention;

• The role of cryptography and digital security and communications technology in protecting the privacy and civil liberties of the people of the United States;

• The effects of the use of cryptography and other digital security and communications technology on Federal, State, and local criminal investigations and counterterrorism enterprises;

• The costs of weakening cryptography and digital security and communications technology standards; and

• International laws, standards, and practices regarding legal access to communications and data protected by cryptography and digital security and communications technology, and the potential effect the development of disparate, and potentially conflicting, laws, standards, and practices might have.

The bill would also require that the Commission reports include recommendations for policy and practice, including, if the Commission determines appropriate, recommendations for legislative changes, regarding {§3(b)(2)(C)}:

• Methods to be used to allow the United States Government and civil society to take advantage of the benefits of digital security and communications technology while at the same time ensuring that the danger posed by the abuse of digital security and communications technology by terrorists and criminals is sufficiently mitigated;

• The tools, training, and resources that could be used by law enforcement and national security agencies to adapt to the new realities of the digital landscape;

• Approaches to cooperation between the Government and the private sector to make it difficult for terrorists to use digital security and communications technology to mobilize, facilitate, and operationalize attacks;

• Any revisions to the law applicable to wiretaps and warrants for digital data content necessary to better correspond with present and future innovations in communications and data security, while preserving privacy and market competitiveness;

• Proposed changes to the procedures for obtaining and executing warrants to make such procedures more efficient and cost-effective for the Government, technology companies, and telecommunications and broadband service providers; and

• Any steps the United States could take to lead the development of inter- national standards for requesting and obtaining digital evidence for criminal investigations and prosecutions from a foreign, sovereign State, including reforming the mutual legal assistance treaty process, while protecting civil liberties and due process.

Commentary

There is a long, mixed history of Congress establishing commissions to look at politically charged issues and recommend legislative action to remedy the problems identified. On the plus side, these commissions have been able to bring a wide variety of expertise to the table to take a hard look at issues by people with applicable expertise. While these commissions are relatively bipartisan or non-partisan, their recommendations still have to be included legislation that has to pass in the Congress and be signed by the President. Finally, once Congress does pass the legislation it still requires implementing regulations to be formulated by the various agencies and departments in the Executive Branch.

There is a long distance in time and performance between the first commission meeting and the last implementation regulation is put into place. We are still waiting for the TSA, for instance, to establish the counter-terrorism training requirements for surface transportation organizations recommended by the 9-11 Commission. And, of course, there have been any number of commission reports that have never made it out of the halls of Congress in the way of implementing legislation.

To be sure, the conflicts outlined in the findings section of this bill are real and need resolution. Equally certain, there is not the technical knowledge in the Congress (either in the elected members or their staffs) to adequately define the issues involved in these conflicts, much less propose and agree upon a solution out of whole cloth. If a workable solution is to be found, as it must, then the Digital Security Commission seems to offer the best of identifying such a solution.

Having said that, the timing could not be much worse. We are in a very divisive election year and there has been very little understanding of these issues on the campaign trail to date. The Congress that will have to decide whether or not to act upon the recommendations of the Commission will not be the same Congress that comes together, however briefly, to create the Commission. This is another important fact that mitigates against a successful outcome to this process.

The other confounding problem is that Congress is heading into its busiest season as the budget/authorization/spending process moves forward. Add into that the controversy over a potential Supreme Court nominee and you have a Congress that is going to have a difficult time coming together over the definition of a complex problem like this. If action does not move forward quickly on these bills, it is unlikely that they will make their way to the President’s desk before the election in November.