On October 27, 2015, the U.S. Senate voted 74-21 to pass the flawed Cybersecurity Information Sharing Act (CISA), a slightly modified version of the bill that passed the House of Representatives earlier this year. CISA, which purports to protect against data breaches, actually raises serious privacy concerns. In passing CISA, the Senate unfortunately voted down a number of proposed amendments that would have strengthened user privacy.
Among other concerns, CISA will allow companies to expand monitoring of their users’ online activities and permits sharing of vaguely defined cybersecurity threats without adequate privacy safeguards. It authorizes law enforcement that goes far beyond the scope of cybersecurity.
The Senate and House will now need to conference to resolve the differences between the two versions that passed.
Congress is currently considering the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754), a bill that has serious implications for privacy and civil liberties. While the bill is purportedly designed to strengthen cybersecurity, it contains significant flaws. On Monday, July 27, ARL joined a coalition of organizations and security experts in sending a letter to President Obama asking for a pledge to veto CISA due to these concerns:
- CISA fails to protect personal information. CISA allows vast amounts of personal data to be shared with government agencies, and it allows the sharing of personal and identifying information as a default measure.
- CISA allows the use of information in investigations unrelated to cybersecurity. CISA also allows for governments to use cyber threat indicators to investigate a wide range of crimes, including those that are not related to cybersecurity, such as robbery, arson, or trade secret violations.
- CISA fails to maintain civilian control of domestic cybersecurity. CISA would permit companies that operate in the civilian sector to share cyber threat indicators with any agency of the federal government, raising serious privacy concerns.
- CISA permits countermeasures that could damage networks. CISA would allow companies to deploy “defensive measures” or “countermeasures” that could damage networks that belong to innocent bystanders, even when they would otherwise be illegal under the Computer Fraud and Abuse Act.
- CISA raises additional transparency concerns. CISA would create a new exemption to the existing list of nine exemptions under the Freedom of Information Act (FOIA).
On April 20, 2015, ARL joined a coalition of 36 privacy and civil liberties organizations and 19 security experts and academics raising concerns regarding the Protecting Cyber Networks Act (PCNA, H.R. 1560) and the Cybersecurity Information Sharing Act of 2015 (CISA, S.754). The letters urge members of Congress to oppose these bills because the proposed legislation, “threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it.”
With respect to PCNA, the letter raises the following concerns that the legislation:
- Authorizes companies to significantly expand monitoring of their users’ online activities and permits sharing of vaguely defined “cyber threat indicators” without adequate privacy protections prior to sharing.
- Requires federal entities to automatically disseminate to the NSA all cyber threat indicators received, including personal information about individuals.
- Authorizes overbroad law enforcement that goes far outside the scope of cybersecurity.
- Authorizes companies to deploy invasive countermeasures or “defensive measures.”
The CISA letter raises the same four concerns above, but also raises additional issues that the legislation:
- Permits companies to share cyber threat indicators, which may include information about innocent individuals, directly with the NSA.
- Authorizes companies to deploy countermeasures or “defensive measures” that could damage data and computer systems of innocent third parties who did not perpetrate the threat. The CISA bill would potentially cause greater harm than PCNA with respect to this point because it specifically authorizes “negligent use of defensive measures that could cause significant, though not substantial harm to a third party’s information system.”
On June 26, 2014 the Association of Research Libraries joined with thirty-four other organizations opposing the Cyber Information Sharing Act of 2014 (CISA). This broad coalition sent a letter to Majority Leader Harry Reid (D-NV), Minority Leader Mitch McConnell (R-KY), U.S. Senate Select Committee on Intelligence Chairman Dianne Feinstein (D-CA), and U.S. Senate Select Committee on Intelligence Vice Chairman Saxby Chambliss (R-GA) expressing concerns that the bill would create a loophole in existing privacy laws and does not prevent the government from requesting “voluntary” cooperation from private companies in sharing information, including content of communications.
The letter raises a number of concerns, including threats the bill poses to whistleblowers and transparency. Additionally, with respect to specific privacy concerns, the letter notes that the bill creates a “danger of a potential end-run around the Foreign Intelligence Surveillance Act (“FISA”), the Electronic Communications Privacy Act (“ECPA”), the Fourth Amendment and other crucial privacy protections [which] is compounded by the potentially broad immunity conferred on sharing ‘in accordance’ with the act, and the additional absolute defense when sharing occurs in violation of the act but in ‘good faith’ reliance on the mistaken belief that the sharing is lawful.”
This letter makes several specific recommendations:
- Ensure that DHS is the custodian of cybersecurity information voluntarily shared by the private sector, and has the authority to prevent sensitive information from being transmitted to the intelligence community and military without appropriate privacy protections;
- Ensure that information shared is “reasonably necessary” to describe a cybersecurity threat;
- Restrict the use of information received under the sharing authority to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, or to protect children from serious threats;
- Limit FOIA restrictions to those provided by 6 U.S.C. §§ 131-34 (2012);
- Require public disclosure of annual reports from relevant inspectors general describing what information is received, how it is used, who gets it, and how it is treated to protect privacy;
- Include a sunset provision in the bill keyed to these reports, which will allow the measure to expire if abuse or misuse is disclosed;
- Allow individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.
Well, the week is half over, but I hope it’s not too late to jump onto this very important bandwagon with a short blog post explaining why libraries should oppose CISPA – a “cybersecurity” bill that’s moving in the House of Representatives despite massive opposition from the privacy and civil liberties community and a veto threat from the White House (which privacy advocates have urged President Obama to reiterate).
As the EFF points out, the objectionable provisions of CISPA include:
- Eviscerating existing privacy laws by giving overly broad legal immunity to companies who share users’ private information, including the content of communications, with the government.
- Authorizing companies to disclose users’ data directly to the NSA, a military agency that operates secretly and without public accountability.
- Broad definitions that allow users’ sensitive personal information to be used for a range of purposes, including for “national security,” not just computer and network security.
The coalition EFF is leading, of which ARL is a part, believes that legislation intended to enhance our computer and network security must not sacrifice long-standing civil liberties and privacy protections.
The freedom of inquiry is a core research library value, and it requires meaningful privacy. Otherwise, researchers will have to think twice before embarking on a research project that, however innocent, may trigger law enforcement curiosity.
CISPA would create a broad, unchecked flow of information from technology providers, including providers who serve libraries, directly to military agencies, with very little limitation on how those agencies use that information. The chill on inquiry could be significant.
That’s why ARL has joined this coalition to oppose CISPA. You can use the EFF’s advocacy tools to join us, and we hope you will.
via EFF – Call to Action: Join the Fight Against Cyber Spying Proposals in the Senate
If you’re concerned about proposals like CISPA, which override privacy protections for electronic data and allow your information to be turned over to spying agencies with little oversight, the EFF has a suite of tools you can use to make your concerns known.