The Cybersecurity Act allows too much snooping and user data sharing. We stand opposed.
July 31, 2012 - by Donny Shaw
While the latest version of the Cybersecurity Act of 2012 is better on privacy than CISPA, its House counterpart, it still gives corporations and the federal government broad new powers to monitor internet users, block access to websites and services, and share personal user information without due process. Unless these provisions are removed, the Participatory Politics Foundation (makers of OpenCongress) stands with EFF, Fight for the Future, Free Press and other tech-rights groups in opposing the bill.
The problem with the bill, from our perspective, is with Title VII, which covers “Information Sharing.” Just like CISPA, the very first thing this section does is use a big “notwithstanding” clause to simply wipe aside decades of privacy laws. The text of the section begins:
(a) In General- Notwithstanding chapter 119, 121, or 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), and sections 222 and 705 of the Communications Act of 1934 (47 U.S.C. 222 and 605), any private entity may—
Let’s just pause here for a second. What this section does is name a bunch of crucial, long-standing privacy laws and say that they no longer apply on the internet for the new information monitoring and sharing powers that would be created by this bill. In case you’re curious, the laws that would no longer apply include the following:
- Criminal penalties for intentionally intercepting and sharing private electronic communications (link)
- Criminal penalties for unauthorized access to stored electronic communications. (link)
- Criminal penalties for installing data-tracking devices on telecommunications systems without court authority. (link)
- All of FISA, Congress’ response from the 70s to the Nixon Administration’s unconstitutional spying on political activists, which provides some level of judicial oversight of government spying activities.
- A 1934 Communications Act provision requiring telecommunications companies to protect the confidentiality of customer information (link)
- Communications Act prohibition on divulging private communications (link)
Moving on (now that all those pesky privacy laws are out of the way), the next thing the Senate cybersecurity bill does is give “any private entity” expansive new powers to monitor internet users on their systems and operate countermeasures against them, and it would reward them with full legal immunity for doing so. Here’s the bill text:
any private entity may—
(1) monitor its information systems and information that is stored on, processed by, or transiting such information systems for—
(A) malicious reconnaissance;
(B) efforts to defeat a technical control or an operational control;
(C) technical vulnerabilities;
(D) efforts to cause a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a technical control or an operational control;
(E) malicious cyber command and control;
(F) information exfiltrated as a result of defeating a technical control or an operational control;
(G) any other attribute of a cybersecurity threat, if monitoring for such attribute is not otherwise prohibited by law; or
(H) any combination of subparagraphs (A) through (G);
But that’s not all. They don’t just get power to monitor users without privacy restrictions; they can also take direct action against users. Picking up where we left off with the bill text…
(2) operate countermeasures on its information systems to protect its rights or property from cybersecurity threats;
In the words of Sen. Al Franken, this provision is “so broad that if a company uses [this] power negligently to snoop in on your email or damage your computer - they will be immune from any lawsuit.” But don’t worry, the bill does require companies to “make reasonable efforts to safeguard communications.”
The bill also gives companies new power to share user information, “notwithstanding any other provision of law,” with the federal government, state and local governments, and other private entities via a new cyber information exchange. The information in these exchanges is supposed to be limited to things that are relevant to cybersecurity threats, but under the bill that can be something as simple as accessing an information system without explicit authorization.
At this point you’re probably thinking, “Meh. I’m sure they’re already tracking everything I do and say online.” And it’s true, they probably are. But what makes this bill significant is that it would take all of the worst, questionably-illegal corporate/government abuses of your private information and make it much harder for the public to ever seek legal recourse. No wonder all the web companies that are supposedly pro-internet have been silent about this bill: it gives them more legal tools to defend the unethical data practices that many of them have based their profit models on.
The bill also makes wholesale information sharing with the government much easier to justify. Remember that a decade ago nearly every telecommunications company agreed to participate in an illegal wiretapping program with the Bush Administration, even though their legal immunity was not at all guaranteed going in. This bill would give explicit legal immunity for internet data monitoring and create a new information sharing structure with plenty of slippery language around it that could easily be interpreted by the current Administration or any future Administration to allow information sharing that goes far beyond what anyone would reasonably suspect from reading the public legal text. Kind of like what they’re doing right now with the PATRIOT Act.
The fact is, nobody yet has provided a good explanation for why the information sharing provisions in this bill and in CISPA are needed. We already have a legal structure for investigating criminal threats and sharing information that exists alongside (inadequate-but-better-than-nothing) consumer privacy laws. There certainly is work that can be done to improve cybersecurity, but there’s no reason why judicial oversight, due process, and fair legal recourse should be suspended on the internet. It does not make us more secure and it is detrimental to social and economic innovation.
For these reasons, we’re supporting an amendment from Sens. Al Franken (D, MN) and Rand Paul (R, KY) that would strike the information sharing section from the bill, and opposing the bill overall if the amendment is not adopted. A vote on the amendment is expected in the next two days. If you agree with us, can you take a second to email your senators? Click here to use the OpenCongress Contact-Congress tool to email your senators. You can write your own letter, or just click on the “PPF talking points” in the message builder (right side of screen) to quickly build your message.