House Encryption Working Group Report: Falls Short

December 22, 2016

On December 20, 2016, the House Energy and Commerce Committee’s Encryption Working Group released its Year-End Report, which can be found at the following link:

House Encryption Working Group Year-End Report

Although the topic invites politics and rhetoric by its nature, and the report’s conclusions calling for more “exploration” are certainly appropriate, the report also falls short in several areas.

One major flaw in the report is its inappropriate focus on encryption as a problem for investigations and intelligence alone. In actuality, encryption in communication paths creates enormous problems for many other purposes, especially cybersecurity and network management for critical infrastructure protection. Even a minimal amount of exploration by the Committee would have revealed the issues affecting the larger ecosystem.

The Committee could begin, for example, by considering mcTLS (Multi-Context Transport Layer Security), one of the major related research efforts undertaken on both sides of the Atlantic among companies, academia, and government to address this challenge. The mcTLS platform provides an effective and equitable means of meeting the needs for analyzing the characteristics of encrypted network streams.

An especially nonsensical “post-truth” assertion conveyed in the report is that “a mandate compromising encryption in the US technology sector would simply shift consumers to products offered by foreign companies [and] might incentivize larger companies to leave the United States.” In reality, almost every national jurisdiction worldwide imposes significant controls on the use of encryption as a condition of doing business in the country. The US is almost the only nation that does not. In addition, there are several prominent internationally accepted technical standards that require providers to support access to unencrypted communications.

As for law enforcement agencies’ requests for information, it is worth noting that new international technical standards now exist for this purpose. The use of Trusted Third Parties such as Yaana to provide cost-effective access for standards-based requests, for all manner of providers domestically and extraterritorially, is a direction worth pursuing by the Committee.

So, while the Committee’s report is reasonably well balanced, its very narrow characterization of the larger compliance obligations ecosystem, which is also being seriously impeded by widespread encryption, as well as its repetition of the nonsensical “driving business offshore” argument, diminishes the report’s stature.