New Cybersecurity Proposal Patches Serious Privacy Vulnerabilities
For months, we’ve been raising the alarm about the serious civil liberties implications of the cybersecurity bills making their way through the Senate. Hours ago, we received some good news. A new bill called the Cybersecurity Act of 2012 (S 3414) is replacing the prior Lieberman-Collins Cybersecurity Act (S 2150). This new bill drastically improves upon the previous bill by addressing the most glaring privacy concerns. This is huge, and it’s thanks to the outcry of Internet users like you worried about their online privacy. Check out the new bill (PDF).
Make no mistake—we remain unpersuaded that any of the proposed cybersecurity measures are necessary and we still have concerns about certain sections of the bill, especially the sections on monitoring and countermeasures. But this was a big step in the direction of protecting online rights, and we wouldn’t be here without the support of Internet users contacting Congress in droves.
Here’s what you need to know about the new privacy-protective package. Major new privacy protections added to the bill:
- Ensuring that only civilian agencies—not the National Security Agency—are in charge of our nation’s cybersecurity systems. Let’s face it, we don’t want the agency that’s been spearheading the illegal warrantless wiretapping program for over 11 years to be charged with protecting citizens’ privacy interests in the realm of cybersecurity.
- Ensuring data isn’t shared with law enforcement except in very specific, limited circumstances. Language in the first Lieberman-Collins Cybersecurity Act would have allowed data collected under cybersecurity purposes to be passed to law enforcement if there was evidence of criminal activity. This raised major concerns about our online service providers snooping through our communications for potentially incriminating data and passing it to the government without a warrant—a digital Big Brother. The new language of the bill limits data flowing to the government to information which appears to pertain to 1. A cybersecurity crime investigation; 2. An imminent threat of death or serious bodily harm; and 3. A serious threat to minors, like sexual exploitation and threats to physical safety.
- Ensuring that data collected through cybersecurity programs can’t be used to prosecute other, unrelated crimes. The early version of the bill would have allowed data collected through cybersecurity programs to prosecute any crime—like copyright infringement or immigration status or drug usage. Now, the only crimes that can be prosecuted using data collected through S 3414 are violations of state or federal laws relating to computer crimes.
- Carve-outs for free speech and terms of service violations. The new privacy package makes it clear that Constitutionally-protected free speech and terms of service violations won’t constitute a “cybersecurity threat.”
There is also some language about net neutrality intended to ensure that nothing in the bill can be construed as granting new authority to engage in non-neutral behavior.
Of course, the bill has its shortcomings. The most significant problem remaining has to do with the language around monitoring and countermeasures. Currently, the bill specifically authorizes companies to use cybsersecurity as an excuse for engaging in nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets). We’ve argued that this language is overly broad and could be interpreted by an overzealous ISP to let them block privacy-protective technologies like Tor. When the bill goes to the floor next week, we’re going to be throwing our weight behind amendments to address these ongoing flaws.
This new bill patches a whole bunch of significant privacy problems with the prior proposals, and so we’re grateful for the Senators who responded to the Internet community’s concerns and championed these protections. Now it’s up to us: we need to speak out and tell Senators not to undermine these hard-won privacy protections, and hopefully tell them to go one step further and fix the problems remaining with monitoring and countermeasures. Our contacts in Washington tell us it’s likely that opponents will try to strip out these protections by hyping up fears of catastrophic cyberattacks and calling for stronger national security provisions. We need to organize now to stop any Floor amendments that would undermine these major privacy wins.
Please, send a note to your Senators now asking them to defend these hard-won privacy protections against any amendments and work to fix the monitoring and countermeasures sections of the bill.
As we’ve said before, we don’t know if a cybersecurity bill is necessary or desirable at this moment. We continue to oppose any language that unnecessarily and broadly expands existing power to engage in surveillance. But we also commend the Senate’s efforts to build these strong privacy protections into the new bill, and we’re asking the Internet to join us in fighting to keep those protections strong (and, hopefully, make them even stronger).