4 Problems With Creating a ‘Commission on Encryption’

Last week, we saw yet another proposal in Congress to resolve law enforcement’s supposed “growing dark” issue — including the FBI’s misguided belief that encryption can be weakened just enough to catch the “bad guys” without harming the innocent. Under this approach, Congress would create a “National Commission on Security and Technology Challenges” to examine the impact of encryption on law enforcement, including the issues raised in the current Apple case.

On the surface, the idea of a commission may seem like a reasonable idea. After all, if we bring together “experts,” isn’t it likely they’ll come to the right conclusions?

But, despite the good intentions of the bill sponsors, Sen. Warner (D-Va.) and Rep. McCaul (R-Texas), we don’t think so. As drafted, the ACLU, along with advocacy groups including the Electronic Frontier Foundation, opposes the commission.

If history is any indication, commissions are often susceptible to partisan politics, inefficiency, errors, and bias. In this case, the scope, authorities, and makeup of the commission suggest it will be vulnerable to these pitfalls. There are several reasons for this.

First, its overly broad mission threatens to open up a Pandora’s box of bad ideas. The bill explicitly allows the commission to recommend revisions to existing warrant and wiretap statutes, additional “tools” that law enforcement and national security agencies could use to adapt to encryption advances, and ways for the private sector to make it more difficult for terrorists to use communications technologies. This would allow the commission to recommend expansions to NSA authorities or revisions to well-settled statutes, such as the Wiretap Act, which have protected the rights of Americans for decades. Or, it could propose that companies take steps that are ostensibly targeted at terrorist use of social media but, as a practical matter, actually undermine First Amendment principles for everyone. Examination of these issues by a body that is not accountable to the public could set back — rather than advance — the current debate.

Second, the bill grants disturbingly broad subpoena authority to the commission. The proposed bill would grant the commission the power to subpoena any information that is considered “materially relevant” to its duties. For example, the commission could require companies to turn over the technical specs of future or current encrypted products, journalists to reveal how they use encryption to communicate, or whistleblowers to disclose information that they may have provided in confidence.

In the past, we have seen how administrative subpoenas have been abused to engage in bulk collection and target innocent parties. The ACLU has always opposed broad subpoena authorities precisely because they are vulnerable to these types of abuses, and we similarly have significant concerns with the subpoena provisions in the proposed bill.

Third, the commission would be redundant. The issue of encryption has been examined by countless experts, including those at MIT, Harvard, and within the President’s Review Group. These experts have found that mandates to build a backdoor into encrypted products are unwise and impracticable. It is not necessary to use taxpayer resources to fund yet another commission to reexamine this well-settled issue — particularly in the current environment where there is political pressure to adopt proposals that undermine encryption.

Fourth, the commission includes inadequate provisions to ensure that privacy and civil liberties viewpoints will be adequately represented. Any commission is only as good as its members. The proposal does not contain a requirement that a significant subset of commission members come from the privacy and civil liberties community. Under the proposed legislation only two of the 17members must come from this community; other members would be drawn from the government, technology sector, or have expertise in specific issues. And there is no requirement that privacy and civil liberties representatives agree with any ultimate recommendations, which means they could be marginalized and ignored.

The supporters of this proposal actually have good intentions and want to encourage a thoughtful approach to this issue. The problem, however, is that we are not confident that this commission would not ultimately be used, even unintentionally, to defend policies that undermine privacy and security.