Industry Experts to Congress: We Can Remove Personally Identifiable Information Before Reporting Cybersecurity Threats
Companies say redacting personally identifiable information of users is possible, but it wouldn’t be required under CISPA.
On Thursday, the House of Representatives Select Committee on Intelligence held a hearing on CISPA, the newly introduced “cybersecurity” legislation that would allow companies to pass sensitive user data directly to the government without a judge’s oversight. No members of the civil liberties community were invited to testify. But while Internet freedom advocates were barred from voicing our concerns at the hearing, there was one important fact brought to light during the testimony of industry representatives: experts from the financial industry and the Business Roundtable confirmed that it’s possible for them to remove data that identifies users from cybersecurity data before sharing it with the government.
EFF and other civil liberties groups have long said that a smart cybersecurity bill wouldn’t give companies blanket permission to share any and all data with the government. At the hearing, experts from the fields of business and finance went on record to agree with us that this is possible: companies are able to strip out personally identifiable information of users.
In the hearing, Representative Adam Schiff (D-CA) questioned former Governor John Engler, President of the Business Roundtable, and Paul Smocer, President of BITS, the technology policy division of the financial industry group called the Financial Services Roundtable. Schiff began by quizzing Engler on whether it was “too much of a burden” for companies to take reasonable steps to remove personally identifiable information from cybersecurity threat data shared with the government:
Schiff: Americans are concerned with the amount of personal information that the government is getting already without adding to it. Is it too much of a burden to ask the private sector to take reasonable steps where reasonable steps can be taken?
Engler: No...I think it's exactly fine. That's what I tried to tell my daughters with Facebook. Take reasonable steps. But, seriously.
Schiff: We just want industry to do what you're asking your daughters to do.
Schiff then repeated his question, and specifically asked whether the experts testifying believed that companies would find it so burdensome to remove personally identifiable information that they might not even participate in the program.
Schiff: Let me ask it another way. Do you think that the private industry would decide to opt-out of getting classified information about attacks on their own systems because it were required to take reasonable steps to protect the privacy of the American people? You think any companies would say "Well, if I have to take reasonable steps to minimize personal information I'm giving the government I just won't participate?"
Engler: I'll let the companies respond to that. I don't think so.
Smocer: I would also say I don't think that would be the case. I mean, I think—again I go back to the core issue that there is very little private data, PII, being exchanged today in the threat information world. So I don't think it's a big issue to begin with. I think working through, as the Governor [Engler] said, the implementation of specifics will be key, but I think to answer your question I don't think it would be an issue to make sure we're doing it the right way.
Like the experts who testified in Congress, EFF sees no reason that companies couldn’t ensure that personally identifiable information of users was not part of the information provided to the government. But as CISPA is currently drafted, companies wouldn’t be required to ensure that identifiable user data was stripped out. Under the current proposal, “cybersecurity threat information” may be sent directly from companies to the government. Companies are under no requirement to strip out personally identifiable information of users before sending it along, and there are broad immunities granted to companies who share more data than is necessary to communicate a cybersecurity threat.
The companies may include restrictions on further sharing of data, including “appropriate anonymization or minimization of such information.” But the government can ignore these restrictions, since the bill provides no liability for violating this provision.
The only would-be privacy protection for stripping out personally identifiable information is a mere suggestion for the federal government: under the bill, the federal government “may…undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information.” This wording is extremely important: the government “may” do this, but isn’t actually required to do this by law.
Right now, the United States has an elaborate body of laws governing how personally identifiable information flows to the government—including industry-specific laws around utilities companies, communications laws like the Stored Communications Act and the Wiretap Act, and video privacy laws like the Cable Privacy Act and the Video Privacy Protection Act. But CISPA as drafted would sidestep all of these laws, allowing companies to share information for “cybersecurity” purposes without requiring them to strip out personally identifiable information of users.
Please join EFF in opposing CISPA by sending an email to Congress now. Blanket permission for companies to share unredacted user data with the government without a warrant is unnecessary and dangerous, and it’s not the right solution for America’s cybersecurity concerns.