Cybersecurity & Tech Surveillance & Privacy

The McCaul-Warner Digital Commission Can Be a Value-Add. Here’s How.

Carrie Cordero
Tuesday, April 5, 2016, 7:36 AM

On February 29, 2016, Homeland Security Committee Chairman Michael McCaul and Senator Mark Warner, a bipartisan team, introduced legislation to create a National Commission on Security and Technology Challenges; a “Digital Commission.” In support of their effort, McCaul and Warner secured over 30 co-sponsors, as well as support from several former senior national security officials, law enforcement representatives, industry associations, and technology and security companies.

Published by The Lawfare Institute
in Cooperation With
Brookings

On February 29, 2016, Homeland Security Committee Chairman Michael McCaul and Senator Mark Warner, a bipartisan team, introduced legislation to create a National Commission on Security and Technology Challenges; a “Digital Commission.” In support of their effort, McCaul and Warner secured over 30 co-sponsors, as well as support from several former senior national security officials, law enforcement representatives, industry associations, and technology and security companies. The Congressmen have also made public appearances to explain the need for and solicit support for their proposal. Written summaries of the proposal, and video/audio clips of the sponsors’ public appearances are all available on the Homeland Security Committee’s website, here. The crux of the proposal is this:

To bring together leading experts and practitioners from the technology sector, cryptography, law enforcement, intelligence, the privacy and civil liberties community, global commerce and economics, and the national security community to examine the intersection of security and digital security and communications technology in a systematic, holistic way, and determine the implications for national security, public safety, data security, privacy, innovation, and American competitiveness in the global marketplace.

Styled on the 9/11 Commission, the 16-member group, supported by a professional staff, would produce a report that would make both policy and legislative recommendations.

In Washington, one’s first reaction at any proposal for a new commission is often to dismiss it as “just another Blue Ribbon commission.” But the McCaul-Warner Digital Commission can be a value-add.

Here’s how:

  • The Commission would provide a venue to arrive at some common technological understandings, and provide a narrative that can be understood by non-technologists about the state of communications technology today. This might include an inventory of the modes of digital communications that exist – from basic e-mail, to existing apps, to emerging technologies. A common lexicon and baseline of technological understanding would make a valuable contribution.

  • The Commission could also articulate the economic and commercial aspects of digital communications. The Commission would need to understand the market for privacy, and how privacy-protective features relate to a company’s or product-designer’s business model.

  • The Commission could explore how lawful governmental communications interception – whether in real-time or of stored data – supports national security and law enforcement goals. This effort could take advantage of any government data calls that have been commissioned, or, initiate data calls, so that the Commission develops an understanding of the value that communications acquisition plays in protecting public safety, countering national security threats, and supporting other national security interests of the U.S. and its global allies and partners.

  • The Commission would need to take on the issue of lawful government access to encrypted data, both for law enforcement and national security purposes.

  • The Commission could also provide an accounting of the legal framework for interception of communications technology, for both law enforcement and national security purposes. Gaps should be identified. This analysis could include, among an outline of other relevant laws and relevant policies, inequities in the law governing access to stored content, and the current application and use of the All Writs Act.

  • The Commission would want to consider how certain other countries are addressing these issues, across the spectrum. Companies that provide communications services often serve a global market, and so the issues relating to digital communications and lawful government access cannot be observed in a U.S.-only silo.

The goal of the Commission’s work should be to create a common narrative, that can frame recommendations to move the public dialogue beyond the debate stage. The Commission will need to make specific legislative and policy recommendations. Importantly, the Commission’s work in this regard should be one of identifying actual problems, and then making recommendations that are responsive to those problems.

Two final observations that might inform how the Commission approaches its task, if enacted:

First, the Commission could potentially help lessen (as it is unlikely to reverse) the shift towards adversarial process in this space. The Commission’s work will necessarily reside at the intersection of technology, surveillance, law enforcement, national security, privacy and civil liberties. As I have previously noted:

[O]ne of the most significant, long-term, and damaging effects of the [Snowden] disclosures, from a national security perspective, may turn out to be the loss of productive cooperation between the government and the private sector, pursuant to lawful process, in order to enable the government to protect the nation from critical national security threats.

We have seen this adversarial relationship play out recently in the Apple/FBI litigation. Each side may claim it “won” in some regard (Apple “stood up” to the government; the FBI accessed the San Bernardino phone in the end). But I think everyone came out of it banged up: the FBI is perceived by some in the privacy and technology communities as being either technically incompetent or dishonest. Apple, on the other hand, is now publicly exposed as designing and selling a product with a security vulnerability, when security of that device was a significant component of its marketability.

The device security arms race is on. And, as we know from other arms races, “winning” can mean everyone loses.

Second, our legislative and policy efforts in the surveillance and privacy space must more openly acknowledge that we are living through - from a societal, economic and market perspective – the Digital Revolution. As a result, we probably will not, in the next year or two, come up with a legislative solution that will last a quarter century. And that’s ok.

A little history underlying this approach might be useful:

The Foreign Intelligence Surveillance Act (FISA) was passed in 1978, and represented a major legislative achievement to protect privacy and civil liberties while enabling domestic national security surveillance to take place under a statutory framework. The government, from a national security perspective, subsequently enjoyed a period of relative stability under the law for approximately twenty years. While there were minor amendments to FISA in the 1990s, and one major one in 1994 when the authority to authorize physical searches was added, the government, basically, had a pretty good run in terms of the system working as it was designed. More or less, the executive branch was able to employ legal authorities in a way that met its responsibilities. The legal framework adequately protected privacy and civil liberties.

But that long run of relative stability and reliability came to an end.

The terrorist attacks on September 11, 2001, demonstrated, in part, that FISA, for at least some period of time beginning in the 1990s and up to 2001, was not actually working effectively when it came to facilitating effective counterterrorism activities. I am referring, in part, to the “Wall.” The USA Patriot Act in 2001 and subsequent litigation through the Foreign Intelligence Surveillance Court of Review resolved that issue circa 2002. But there were other issues.

Just five years later, circa 2007, senior national security leaders again were informing Congress that a “gap” in collection - and therefore a vulnerability in competency to protect the nation - was developing as a result of the statute not keeping up with changing modes of communication. It was this issue, along with follow-on issues related to the post-9/11 Terrorist Surveillance Program – that the 2008 FISA Amendments Act (which included what is now Section 702 of FISA) was intended to address.

The 2008 amendments solved the latest need, but changed the framework enough that new concerns were raised from legislators, privacy advocates and industry. These, coupled with the unauthorized disclosures begun by Edward Snowden in June 2013, led to new legislation, the USA Freedom Act in June 2015, just seven years after an extensive legislative debate that resulted in bipartisan-approved legislation. We are now approaching the sunset of Section 702 of FISA in December 2017, and many of these issues will be ripe for Congressional consideration, again. This time, Congress will be debating surveillance, privacy, national security and the appropriate legal framework just a short two years after the most recent legislative debate on related issues.

I repeat this (very) truncated history because it illuminates that given where we are today – with the global community on edge over both privacy and security and public safety – it would be progress for the communities of interest involved in these issues to collectively acknowledge that the relevant stakeholders are going to have to revisit surveillance issues regularly, perhaps every five to ten years. Chairman McCaul and Senator Warner appear to recognize this, as the text of the proposal specifically states that the Commission’s report should include, among other things:

An assessment of the issue of multiple security interests in the digital world, including public safety, privacy, national security, and communications and data protection, both now and throughout the next 10 years. [Emphasis added].

The Commission proposal is smart to focus on the next ten years. If we can adopt this approach more broadly, perhaps we can shift the dialogue so that it is not repeatedly presented as an existential battle between privacy and security; a false choice. Instead, it will simply be people doing their job to make sure that we continually have the technology/law enforcement/national security/privacy equities calibrated for the foreseeable, but relatively near, future.

The Commission can play a useful role in digesting the factual and legal issues outlined above, and by making recommendations for legislative accommodation and improvements. But it also can play an important role in the public dialogue by framing these issues, and solutions, in a way that stops the hyperventilating and restores confidence.


Carrie Cordero is a Senior Fellow at the Center for a New American Security. She is also an adjunct professor at Georgetown Law, where she previously served as Director of National Security Studies. She spent the first part of her career in public service, including as Counsel to the Assistant Attorney General for National Security; Senior Associate General Counsel at the Office of the Director of National Intelligence; Attorney Advisor at the Department of Justice, where she practiced before the Foreign Intelligence Surveillance Court; and Special Assistant United States Attorney.

Subscribe to Lawfare