On April 20, 2015, ARL joined a coalition of 36 privacy and civil liberties organizations and 19 security experts and academics raising concerns regarding the Protecting Cyber Networks Act (PCNA, H.R. 1560) and the Cybersecurity Information Sharing Act of 2015 (CISA, S.754). The letters urge members of Congress to oppose these bills because the proposed legislation, “threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it.”
With respect to PCNA, the letter raises the following concerns that the legislation:
- Authorizes companies to significantly expand monitoring of their users’ online activities and permits sharing of vaguely defined “cyber threat indicators” without adequate privacy protections prior to sharing.
- Requires federal entities to automatically disseminate to the NSA all cyber threat indicators received, including personal information about individuals.
- Authorizes overbroad law enforcement that goes far outside the scope of cybersecurity
- Authorizes companies to deploy invasive countermeasures or “defensive measures.”
The CISA letter raises the same four concerns above, but also raises additional issues that the legislation:
- Permits companies to share cyber threat indicators, which may include information about innocent individuals, directly with the NSA.
- Authorizes companies to deploy countermeasures or “defensive measures” that could damage data and computer systems of innocent third parties who did not perpetrate the threat. The CISA bill would potentially cause greater harm than PCNA with respect to this point because it specifically authorizes “negligent use of defensive measures that could cause significant, though not substantial harm to a third party’s information system.”