Tag Archives: cisa

New Advocacy and Policy Update

The latest ARL Advocacy and Public Policy Update (covering the period from October 1 to December 22) is now available.  Previous Advocacy and Policy Updates can be found here.

From the current update’s summary:

Copyright continues to be an active area with a number of developments since October. The House Judiciary Committee continues to move forward with its copyright review and is close to completing its schedule of meetings between House Judiciary majority and minority staffers and witnesses who testified at hearings during the course of the review. In early 2016, members of the House Judiciary Committee will determine what issues they may want to work on with respect to possible reform. Additionally, Representatives Marino, Chu and Comstock introduced their bill on Copyright Office modernization, which would move the Copyright Office out of the Library of Congress and establish it as an independent agency within the legislative branch. On October 16, 2015, the Court of Appeals for the Second Circuit released its long-awaited opinion in Authors Guild v. Google, strongly affirming fair use. Also in October, the Library of Congress released its final rules for the current cycle of the Digital Millennium Copyright Act’s (DMCA) Section 1201 rulemaking. Finally, the Library Copyright Alliance (LCA) filed comments responding to the Copyright Office’s Notice of Inquiry regarding a proposed pilot program for mass digitization and extended collective licensing. These comments questioned the wisdom of such a pilot program.

The US Congress passed the omnibus appropriations bill for FY 2016 and avoided a government shutdown. The omnibus exceeded mandatory caps on discretionary funding, resulting in positive results for higher education and libraries.

The Department of Education issued a proposal to amend regulations and require that all Department grantees awarded direct competitive grant funds openly license all copyrightable intellectual property created with these funds. ARL submitted comments supporting the benefits of open licensing and encouraging continued dialog.

ARL joined in comments on the proposed revision to OMB Circular A-130, the Circular that provides the rules of the road for federal information management and information technology.

The DC Circuit heard oral arguments on net neutrality in December. Although threats regarding a rider to undermine the FCC’s ability to enforce its net neutrality rules emerged during the omnibus appropriations process, this rider was ultimately not included.

Congress continues to consider reform of the Electronic Communications Privacy Act (ECPA), and there is widespread support in the House for such reform. The Cybersecurity Information Sharing Act of 2015 was altered in ways that raise greater privacy concerns than its original version and was passed in the omnibus appropriations bill.

The US Supreme Court heard oral arguments in Fisher v. University of Texas at Austin (Fisher II), a case involving the University of Texas (UT) admissions process, which seeks to improve student body diversity.

Finally, on the international front, more countries have ratified the Marrakesh Treaty to Facilitate Access to Published Works for Persons Who are Blind, Visually Impaired or Otherwise Print Disabled, moving the Treaty closer to entry into force. The negotiations of the Trans-Pacific Partnership Agreement (TPP) have now been finalized and the texts are now public, but the agreement must still be signed and passed by each of the negotiating parties.

ARL Disappointed in Senate’s Passage of Flawed Cybersecurity Bill

On October 27, 2015, the U.S. Senate voted 74-21 to pass the flawed Cyberinformation Sharing Act (CISA), a slightly modified version of the bill that passed the House of Representatives earlier this year. CISA, which purports to protect against data breaches, actually raises serious privacy concerns. In passing CISA, the Senate unfortunately voted against a number of proposed amendments which would have strengthened user privacy.

Among other concerns, CISA will allow companies to expand monitoring of their users’ online activities and permits sharing of vaguely defined cybersecurity threats without adequate privacy safeguards. It also authorizes law enforcement use of shared information that goes far beyond the scope of cybersecurity.

The Senate and House will now need to conference to resolve the differences between the two versions that passed.

 

Coalition Asks President Obama to Pledge to Veto Cybersecurity Information Sharing Act (CISA)

Congress is currently considering the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754), a bill that has serious implications for privacy and civil liberties.  While the bill purportedly is designed to strengthen cybersecurity, it contains significant flaws.  On Monday, July 27, ARL joined a coalition of organizations and security experts in sending a letter to President Obama asking for a pledge to veto CISA due to these concerns:

  • CISA fails to protect personal information.  CISA allows vast amounts of personal data to be shared with government agencies.  It allows the sharing of personal and identifying information as a default measure.
  • CISA allows the use of information in investigations unrelated to cybersecurity.  CISA also allows for governments to use cyber threat indicators to investigate a wide range of crimes, including those that are not related to cybersecurity, such as robbery, arson, or trade secret violations.
  • CISA fails to maintain civilian control of domestic cybersecurity.  CISA would permit companies that operate in the civilian sector to share cyber threat indicators with any agency of the federal government, raising serious privacy concerns.
  • CISA permits countermeasures that could damage networks.  CISA would allow companies to deploy “defensive measures” or “countermeasures” that could damage networks that belong to innocent bystanders, even when they would otherwise be illegal under the Computer Fraud and Abuse Act.
  • CISA raises additional transparency concerns.  CISA would create a new exemption to the existing list of nine exemptions under the Freedom of Information Act (FOIA).

 

ARL Joins Letters to House and Senate Expressing Concerns Over Cybersecurity Bills

On April 20, 2015, ARL joined a coalition of 36 privacy and civil liberties organizations and 19 security experts and academics raising concerns regarding the Protecting Cyber Networks Act (PCNA, H.R. 1560) and the Cybersecurity Information Sharing Act of 2015 (CISA, S.754).  The letters urge members of Congress to oppose these bills because the proposed legislation, “threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it.”

With respect to PCNA, the letter raises the following concerns that the legislation:

  • Authorizes companies to significantly expand monitoring of their users’ online activities and permits sharing of vaguely defined “cyber threat indicators” without adequate privacy protections prior to sharing.
  • Requires federal entities to automatically disseminate to the NSA all cyber threat indicators received, including personal information about individuals.
  • Authorizes overbroad law enforcement that goes far outside the scope of cybersecurity.
  • Authorizes companies to deploy invasive countermeasures or “defensive measures.”

The CISA letter raises the same four concerns above, but also raises additional issues that the legislation:

  • Permits companies to share cyber threat indicators, which may include information about innocent individuals, directly with the NSA.
  • Authorizes companies to deploy countermeasures or “defensive measures” that could damage data and computer systems of innocent third parties who did not perpetrate the threat.  The CISA bill would potentially cause greater harm than PCNA with respect to this point because it specifically authorizes “negligent use of defensive measures that could cause significant, though not substantial harm to a third party’s information system.”

 

ARL Joins 47 Civil Society Organizations and Security Experts Opposing Cybersecurity Information Sharing Act of 2015 (CISA)

On March 2, 2015, ARL joined a coalition of civil society organizations, security experts and academics in sending a letter to Senate Select Committee on Intelligence Chairman Richard Burr and Vice Chairman Dianne Feinstein explaining how the Cybersecurity Information Sharing Act of 2015 (CISA) would undermine privacy and civil liberties.  The letter urges the rejection of CISA in its current form.

The letter notes particular concerns with respect to the following:

  • Automatic NSA access to personal information shared with a governmental entity;
  • Inadequate protections prior to sharing;
  • Dangerous authorization for countermeasures; and
  • Overbroad authorization for law enforcement use.

The full text of the letter is available here.

Coalition Calls for Swift Passage of USA FREEDOM Act; Expresses Concerns Over Cybersecurity Information Sharing Act

On September 4, 2014, the Association of Research Libraries joined a coalition of 43 civil liberties, human rights and public interest organizations in sending a letter to Senate leadership supporting swift passage of the USA FREEDOM Act (S. 2685) and expressing concerns regarding the Cybersecurity Information Sharing Act of 2014 (CISA, S. 2588).

The letter urges the Senate to pass S. 2685 in its current form, noting that this version of the USA FREEDOM Act would end bulk collection of records under Section 215 of the USA PATRIOT Act, a provision known as the “library records” or “business records” provision, as well as under National Security Letter authorities. As the letter explains, S. 2685 also provides for other significant reforms including enhanced transparency, the appointment of a special panel of civil liberties and privacy advocates to the FISA court, and limiting the purpose for which call detail records collected under Section 215 may be used.

Given these improvements, the signatories to the letter are “eager for Congress to pass this legislation swiftly and without weakening the bill.” As these groups previously expressed, Congress should not weaken the USA FREEDOM Act through consideration of new mandatory data retention requirements. The letter urges the Senate to make passage of the USA FREEDOM Act (S.2685) a legislative priority for September.

The letter then notes its opposition to and concerns regarding CISA, pointing out that “Ironically, just as Congress is struggling to pass meaningful surveillance reform to rein in the NSA, the Senate Select Committee on Intelligence has approved a problematic bill that would give the NSA even more access to American’s data.” Advocacy groups have previously written to Congress and the President opposing CISA because the bill would pose serious threats to privacy by allowing information to automatically be disseminated to the NSA and other government agencies.

The letter concludes:

We therefore urge the Senate to swiftly pass the USA FREEDOM Act (S. 2685) without any amendments that would weaken its protections or create any new data retention mandates, and without taking up the Cybersecurity Information Sharing Act (S. 2588) in its current form. The Senate cannot seriously consider controversial information-sharing legislation such as CISA without first completing the pressing unfinished business of passing meaningful surveillance reform.

Broad Coalition Opposes Cyber Information Sharing Act of 2014

On June 26, 2014, the Association of Research Libraries joined with thirty-four other organizations opposing the Cyber Information Sharing Act of 2014 (CISA). This broad coalition sent a letter to Majority Leader Harry Reid (D-NV), Minority Leader Mitch McConnell (R-KY), U.S. Senate Select Committee on Intelligence Chairman Dianne Feinstein (D-CA), and U.S. Senate Select Committee on Intelligence Vice Chairman Saxby Chambliss (R-GA) expressing concerns that the bill would create a loophole in existing privacy laws and does not prevent the government from requesting “voluntary” cooperation from private companies in sharing information, including content of communications.

The letter raises a number of concerns, including threats the bill poses to whistleblowers and transparency. Additionally, with respect to specific privacy concerns, the letter notes that the bill creates a “danger of a potential end-run around the Foreign Intelligence Surveillance Act (“FISA”), the Electronic Communications Privacy Act (“ECPA”), the Fourth Amendment and other crucial privacy protections [which] is compounded by the potentially broad immunity conferred on sharing ‘in accordance’ with the act, and the additional absolute defense when sharing occurs in violation of the act but in ‘good faith’ reliance on the mistaken belief that the sharing is lawful.”

This letter makes several specific recommendations:

  • Ensure that DHS is the custodian of cybersecurity information voluntarily shared by the private sector, and has the authority to prevent sensitive information from being transmitted to the intelligence community and military without appropriate privacy protections;
  • Ensure that information shared is “reasonably necessary” to describe a cybersecurity threat;
  • Restrict the use of information received under the sharing authority to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, or to protect children from serious threats;
  • Limit FOIA restrictions to those provided by 6 U.S.C. §§ 131-34 (2012);
  • Require public disclosure of annual reports from relevant inspectors general describing what information is received, how it is used, who gets it and how it is treated to protect privacy;
  • Include a sunset provision in the bill keyed to these reports, which will allow the measure to expire if abuse or misuse is disclosed;
  • Allow individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.