Executive Branch Intelligence Surveillance & Privacy

Assessing the Review Group Recommendations: Part VII

Benjamin Wittes
Friday, January 10, 2014, 3:45 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

Chapter VII of the Review Group report is, for the most part, vaporous. It deals with, as its title puts it, "Global Communications Technology: Promoting Prosperity, Security, and Openness in a Networked World." Much of it is a series of platitudes that will be easy for the President to adopt without changing policy in any substantial way. A few items are more consequential, but the report leaves them considerably underdeveloped. The most significant, but also the most obscure, of the recommendations is the first.

Recommendation #29 deals with encryption, suggesting that the US government "fully support and not undermine efforts to create encryption standards," "not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software," and encourage companies to increase encryption use with respect to data in transit and in the cloud. The recommendation responds to allegations that NSA has sabotaged encryption standards and encouraged companies to introduce backdoor access for its use. Notably, the Review Group generally rejects this allegation, writing that "Upon review, . . . we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data." In fact, the Review Group says, "it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or 'backdoor,' that makes it possible for the US Government or anyone else to achieve unauthorized access." In other words, the Review Group seems to be saying that the allegations are, for the most part, wrong---though there's clearly some give in the report's formulation on this point---but that it should be clear policy on the part of the government not to do this sort of thing. I generally agree that the US should support strong encryption standards.

But I'm not sure the government can really commit itself to refraining from "in any way" subverting or undermining or weakening "generally available commercial software." After all, NSA is a signals intelligence agency and it has to decrypt communications by targets who use commercial software. It therefore needs the capacity to "subvert" encryption---decryption being a big part of what it does. Indeed, the explanatory text of the recommendation acknowledges that NSA is sometimes able to "decrypt data years after it is collected." An agency that aspires to break encryption systems but also is responsible for information assurance---that is, the protection and security of US government communications---and that wants to see the banking system remain stable has an inherent conflict of interest here. No statement that too completely privileges one mission over the other will accurately capture the government's competing priorities.

Recommendation #30 suggests "an interagency process" to review US government activities with respect to "Zero Day" attacks. It suggests that policy should generally be to ensure that Zero Days are quickly patched, but that "[i]n rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments." This is total pablum. It amounts to an admonition to be really careful with Zero Days and only use them for defense---except when you use them for offense. Who can disagree with that?

Recommendation #31 is equally hard to disagree with, at least from a US perspective. The US, the Review Group says, should "support international norms or international agreements for specific measures that will increase confidence in the security of online communications." What norms? Governments shouldn't steal industry secrets to give them to their domestic industry or change the account balances in bank financial accounts. They should promote transparency about surveillance and about governmental demands for user communications or data from communications providers. And they should generally avoid localization requirements that require that data or servers be stored in any one country. This is effectively a statement of current US views in a series of international negotiations, so it requires no policy change to embrace.

Recommendation #32 suggests that we need an assistant secretary of state to "lead diplomacy of international information technology issues." The last thing I think we need is another assistant secretary of state, but well, okay. Like the Privacy Czar recommendation in Chapter VI, this is a way of conveying seriousness bureaucratically without actually changing policy.

Recommendation #33 is another statement that the US should do exactly what it is doing: "advocate for, and explain its rationale for, a model of Internet governance that is inclusive of all appropriate stakeholders, not just governments." In other words, the Review Group wants the US to continue resisting the push to place Internet governance under the ITU. Again, I agree, but this doesn't actually reflect any real change.

Recommendation #34, by contrast, does suggest a real change---and it's on a subject about which I know very little: Mutual Legal Assistance Treaties. The Review Group wants to streamline the process by which the United States helps other countries with their lawful surveillance requests, which now are time consuming and laborious. This seems sensible to me, though I am not qualified to evaluate it.

Finally, Recommendation #35 suggests that the government do "Privacy and Civil Liberties Impact Assessments" for major data collection and data mining programs "to ensure that such efforts are statistically reliable, cost-effective, and protective of privacy and civil liberties." Recommendation #36 suggests that for future developments in communications technology, the government should have "program-by-program reviews informed by expert technologists, to assess and respond to emerging privacy and civil liberties issues." I have no strong objection to these suggestions, though I suspect they would amount in practice to additional paperwork burdens that accomplish little.

To put it simply, there is nothing in Chapter VII---except perhaps the discussion of encryption---that will detain the administration long. A lot of it is endorsement of current policy. Some of it is bureaucratic tinkering. Very little of it is consequential. If I had been this report's editor---and this report badly needed an editor---this chapter would have been cut.

CORRECTION: An earlier version of this post accidentally omitted reference to Recommendation #36.

Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.