The Obama Administration is on a roll with proposing legislation that endangers our privacy and security. Over the course of two days, President Obama proposed a cybersecurity bill that looks awfully similar to the now infamous CISPA (with respect to information sharing), a computer crime bill that is the opposite of our own proposed computer crime reform, and a data breach law weaker than the current status quo. All three of the bills are recycled ideas that have failed in Congress since their introduction in 2011. They should stay on the shelf.
Zombie Bill Dead in 2013, Stumbles from the Grave in 2015
Every year for the past four years we've seen at least one cybersecurity "information sharing" bill introduced in Congress. Unfortunately, those bills were deeply flawed: they were redundant, offered new authorities that could be abused by companies to spy on users, and offered broad legal immunity for disclosing the information obtained with the government. Sometimes they even granted companies the ability to "hack back." They were a perfect storm threatening our online privacy.
This time, it's not the House Intelligence Committee proposing the bill, but President Obama. And to the president’s credit, this bill doesn’t authorize or immunize any new monitoring or collection activity. But the administration's bill is still similar to CISPA as it grants broad legal immunity for transmitting "cyber threat indicators"—which could include your communications—to the Department of Homeland Security (DHS) and private sector information sharing hubs called information sharing and analysis organizations.
The president's press release is noticeably silent on why the current information sharing regimes aren't adequate. Companies can already share information through Information Sharing and Analysis Centers (ISACs), public reports, private communications, and the DHS's Enhanced Cybersecurity Services. The bill is also peculiar since President Obama previously issued a veto threat against CISPA due to privacy concerns.
The proposal also mandates the Director of National Intelligence, Attorney General, and DHS to create privacy guidelines for collecting and sharing cyber threat indicators; however, we're skeptical the guidelines will provide any semblance of privacy, because even if they’re well crafted, there’s no way to know whether the guidelines are being followed or enforced. Also, these are the same offices that were supposed to create "privacy protections" (aka minimization procedures) in the surveillance context. The result? Guidelines that are littered with loopholes to keep the very information the agencies aren't supposed to have: innocent users' personal information.
When The DOJ Says "Modernizing" They May Mean "We Can Charge a 10 Years Felony for Sharing Your HBO GO Password"
The Obama Administration also proposed to "modernize" the Computer Fraud and Abuse Act (CFAA), the law notoriously used in the aggressive prosecution of the late Aaron Swartz. The Administration's proposal introduces ideas from May 2011 that—similar to information sharing bills—have been defeated year in and year out. It's shocking in light of the Aaron Swartz prosecution that the Administration is proposing to double, and in one case triple, the already draconian and redundant penalties under the CFAA.
Under the Administration's proposal, the Department of Justice could get creative and threaten up to 10 years in prison if you know your friend will use one of your passwords you shared with them—even if you have no “intent to defraud,” important limiting language the Administration wants removed from the statute.
What might be worse is that the Administration expands one of the bill's central definitions—"exceeds authorized access"—to include any access that the person may know the computer owner hasn't authorized. This radically changes the CFAA and makes it even more dangerous. This is contrary to rulings in both the Ninth and Fourth Circuits, which recognized that terms of service should not be enforced criminally.
Both provisions may chill the computer security research that is a central part of our best defense against computer crime. First, the password clause expands the provision from criminalizing sharing passwords to sharing other “means of access,” while “having reason to know” it might be misused. Second, the expansion of the definition may impact researchers who commonly scan public websites to detect potential vulnerabilities. These researchers should not have to face a felony charge if a prosecutor thinks they should have known the site prohibited scanning. It a cause for concern as recent history has shown that aggressive prosecutors are willing to stretch the CFAA language. Vulnerability research and disclosure will be chilled, even if the researcher would ultimately win the trial.
The proposal is in direct contradiction to EFF's own proposal to reform the CFAA. Our reform ensures violations of contractual obligations like a website's terms of service are not the basis for criminal charges, clarifies key definitions in the CFAA, and makes the criminal penalties proportionate to the offense.
The Administration's Data Breach Proposal
President Obama also touched on data breaches. Consumers have a right to know when their data is exposed, whether through corporate misconduct, malicious hackers, or under other circumstances. But most states already have breach notification laws, so we think any legislation must be as strong as existing law and must preserve a state’s power to protect its own residents. President Obama's legislation fails on both accounts.
The legislation proposed by President Obama would force companies handling 10,000 or more customers' information (during a 12-month period) to disclose data breaches within 30 days. Companies are allowed a few exceptions to the disclosure, but will be overseen by the Federal Trade Commission to ensure they comply. In an attempt to normalize across the land, the law would trump all state data breach laws—including stronger ones—and allow the government to stop any action brought by a state attorney general.
Under California law, for example, businesses must provide notice of a breach “in the most expedient time possible and without unreasonable delay,” unless law enforcement determines that notification will impede a criminal investigation. Companies must also notify the California Attorney General if over 500 users' unencrypted information is breached.
The Administration’s proposed standard is weak. Ideally, it would have proposed a “floor,” not a “ceiling,” allowing states like California to be more privacy protective and not depriving state attorneys general from being able to take meaningful action.
As we mentioned in our initial reaction to the Administration's proposal, many of these ideas are recycled relics that should remain in the past. Before tackling information sharing bills, companies need to address the low-hanging security fruit like making sure passwords aren't sent in unencrypted emails and employees don't download malware. We also need more participation in the already existing information sharing regimes. When it comes to the CFAA, the administration has moved in the opposite direction as advocates. Prosecutions like the Aaron Swartz and Andrew Auernheimer case provide evidence for clarifying unauthorized access (and not expanding it) and decreasing the already draconian penalties (and not increasing them).
There is more work to be done to protect cyberspace and enhance computer security, but the Administration's proposals do not move us towards that goal, and could cause great harm, too.