Proposal Would Gut Privacy Laws, Allow Unprecedented Data-Grab by Government
We’re for better network, computer, and device security. Unfortunately, "cybersecurity" bills often go off track—case in point: the " Internet kill switch. " The latest example comes courtesy of the leaders of the House Intelligence Committee. Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.) are introducing "The Cyber Intelligence Sharing and Protection Act of 2011"(PDF).
The bill would allow a broad swath of ISPs and other private entities to "use cybersecurity systems" to collect and share masses of user data with the government, other businesses, or "any other entity" so long as it’s for a vaguely-defined "cybersecurity purpose." It would trump existing privacy statutes that strictly limit the interception and disclosure of your private communications data, as well as any other state or federal law that might get in the way. Indeed, the language may be broad enough to bless the covert use of spyware if done in "good faith" for a "cybersecurity purpose."
This broad data-sharing between companies wouldn’t be subject to any oversight or transparency measures (users can’t restrict companies’ sharing), while the only oversight for sharing with the federal government, ironically, would be through the Privacy and Civil Liberties Oversight Board—which hasn’t existed since January 2008.
Worse yet, the bill doesn’t limit what the federal government can do with the data or private communications that ISPs and others hand over, except to say that it can’t be used for "regulatory" purposes—apparently it can be used for law enforcement and intelligence targeting purposes.
Based on how this proposal diverges from the White House’s own cybersecurity proposal from May 12, we hope and expect that the Administration isn’t happy with this House Intelligence bill for several reasons—insufficient privacy protections, lack of oversight, skepticism about efficacy. Perhaps at the top of the list is concern over the fact that the bill allows information sharing with any federal agency—including the National Security Agency (NSA)—thereby threatening civilian control of domestic cybersecurity efforts. As Rod Beckstrom, former Director of DHS’s National Cybersecurity Center, said when he resigned in March 2009:
"NSA currently dominates most national cyber efforts…. I believe this is a bad strategy…. The intelligence culture is very different from a network operations or a security culture [and] the threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly).
Considering how greatly this bill would change the law and cybersecurity policy generally, the timing is especially shocking: the bill, introduced today, was only shown to privacy advocates such as EFF yesterday, and yet the Committee intends to "mark-up" and vote on whether to recommend passage of the bill TOMORROW.
Lawmakers should not rush to approve such a broad expansion of government power to obtain private information about its citizens without so much as a hearing on the bill. EFF flatly opposes this bill, and urges House Intelligence Committee members to oppose the bill and support any amendments to make it more privacy-protective if and when the Committee considers the proposal tomorrow. Eviscerating our online privacy protections won’t strengthen our cybersecurity, it will only undermine it.