On June 26, 2014, the Association of Research Libraries joined with thirty-four other organizations in opposing the Cyber Information Sharing Act of 2014 (CISA). This broad coalition sent a letter to Majority Leader Harry Reid (D-NV), Minority Leader Mitch McConnell (R-KY), U.S. Senate Select Committee on Intelligence Chairman Dianne Feinstein (D-CA), and U.S. Senate Select Committee on Intelligence Vice Chairman Saxby Chambliss (R-GA) expressing concerns that the bill would create a loophole in existing privacy laws and would not prevent the government from requesting “voluntary” cooperation from private companies in sharing information, including content of communications.
The letter raises a number of concerns, including threats the bill poses to whistleblowers and transparency. Additionally, with respect to specific privacy concerns, the letter notes that the bill creates a “danger of a potential end-run around the Foreign Intelligence Surveillance Act (“FISA”), the Electronic Communications Privacy Act (“ECPA”), the Fourth Amendment and other crucial privacy protections [which] is compounded by the potentially broad immunity conferred on sharing ‘in accordance’ with the act, and the additional absolute defense when sharing occurs in violation of the act but in ‘good faith’ reliance on the mistaken belief that the sharing is lawful.”
This letter makes several specific recommendations:
- Ensure that DHS is the custodian of cybersecurity information voluntarily shared by the private sector, and has the authority to prevent sensitive information from being transmitted to the intelligence community and military without appropriate privacy protections;
- Ensure that information shared is “reasonably necessary” to describe a cybersecurity threat;
- Restrict the use of information received under the sharing authority to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, or to protect children from serious threats;
- Limit FOIA restrictions to those provided by 6 U.S.C. §§ 131-34 (2012);
- Require public disclosure of annual reports from relevant inspectors general describing what information is received, how it is used, who gets it and how it is treated to protect privacy;
- Include a sunset provision in the bill keyed to these reports, which will allow the measure to expire if abuse or misuse is disclosed;
- Allow individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.