If ACTA, SOPA and PIPA were not enough to squelch Internet freedom, a new cyber bill could basically delete any remains of our First Amendment.
On November 30, 2011, Representatives Michael “Mike” Rogers (R-MI) and C.A. Ruppersberger (D-MD) introduced H.R. 3523: Cyber Intelligence Sharing and Protection Act of 2011, which has 106 co-sponsors.
[Editor’s note: for other cybersecurity proposals, see McCain’s legislation which would give even more control to the military and National Security Agency, as well as the alternative proposal which would hand over broad control to the Department of Homeland Security. Also consider the scheme to be voluntarily implemented by Internet Service Providers wherein they will conduct massive surveillance on all Americans in the name of stopping piracy.]
As reported by The Hill, the main goal of this legislation is to assist companies in increasing their defenses against hackers that could steal business secrets, rob customer financial information and cause chaos on computer systems.
“Every day U.S. businesses are targeted by nation-state actors like China for cyber exploitation and theft,” Rogers said in a statement last month. “The broad base of support for this bill shows that Congress recognizes the urgent need to help our private sector better defend itself from these insidious attacks.”
Govtrack.us reveals the synopsis of H.R. 3523:
“Cyber Intelligence Sharing and Protection Act of 2011 – Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing. Defines “cyber threat intelligence” as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. Requires the Director of National Intelligence to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence. Requires the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure. Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities. Authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government. 
Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure. Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances. Directs the Privacy and Civil Liberties Oversight Board to submit annually to Congress a review of the sharing and use of such information by the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns. Preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.”
While Rogers’ intentions may be to prevent cyber exploitation, advocacy groups are still concerned with the bill’s overreaching capabilities.
In a letter to Rogers and Ruppersberger, the American Civil Liberties Union (ACLU) illustrated their disdain.
December 1, 2011
The Honorable Mike Rogers, Chairman
The Honorable C. A. “Dutch” Ruppersberger, Ranking Member House Permanent Select Committee on Intelligence
HVC-304 Capitol Building
Washington, DC 20515
Re: ACLU Opposition to H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011
Dear Chairman Rogers and Ranking Member Ruppersberger:
On behalf of the American Civil Liberties Union, a non-partisan organization with over half a million members, countless additional activists and supporters, and 53 affiliates nationwide, we write in opposition to H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011. We ask that you delay markup to consider the privacy implications of the bill that would allow companies to share private data with the government. We urge you to amend the bill to include explicit collection and use limitations and rigorous oversight mechanisms. In the absence of such amendments, we will vigorously oppose this legislation as inconsistent with the long tradition of Americans’ reasonable expectations of privacy.
The Cyber Intelligence Sharing and Protection Act would create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cybersecurity purposes. The bill would not limit the companies to sharing only technical, non-personal data. Instead, it would give the companies discretion to decide the type and amount of information to turn over to the government. If shared in good faith compliance with the statute, these entities would receive full liability protection and would be immune from criminal or civil liability, even after an egregious breach of privacy. Further, once an individual’s information is shared with the government, there would be no restriction on the use of that information. It could be used for any purpose whatsoever and shared with any agency. While such data might be used for cybersecurity purposes, there would be no bar on the government also using it to conduct fishing expeditions for criminal, immigration or other purposes.
Beyond the potential for massive data collection authorization, the bill would provide no meaningful oversight of, or accountability for, the use of these new information-sharing authorities. Congressional reporting would be delegated to the Privacy and Civil Liberties Oversight Board (PCLOB). But the PCLOB has never been activated, therefore making it likely that no regular, institutionalized and substantive reporting will happen at all. Moreover, no federal agency or official has been tasked with issuing guidance to companies and government agencies as to how best protect privacy.
Writing a statute to govern the sharing of cybersecurity information is a complex and challenging task. But any new programs simply must respect privacy. The White House’s May legislative draft, the Recommendations of the House Republican Cybersecurity Task Force, and the Privacy Impact Assessment of Einstein 3 all contained more explicit privacy protections than the new bill. We encourage the committee to borrow from any of these documents in improving the privacy provisions of the legislation. Any new information-sharing legislation must at a minimum do the following:
· Narrowly define the privacy laws it will contravene. The committee must carefully consider what privacy laws truly inhibit necessary information-sharing and craft narrow exceptions limited to just those critical circumstances.
· House domestic cybersecurity efforts in a civilian agency. Congress must not empower military or intelligence agencies such as the National Security Agency to collect the internet usage data of Americans. Cybersecurity efforts on American soil should be led by the private sector, and any government information collection must be coordinated by a civilian government agency.
· Require companies to remove personally identifiable information (PII) from data they share with the government. While sharing technical data can take place without implicating civil liberties, a presumption of privacy should protect PII. Sharing PII should be an exception and not the norm, even if there could be certain limited exceptions to cover legitimate emergencies or other narrowly defined situations.
· Limit government use of information shared for cybersecurity purposes. Cybersecurity information-sharing should not become a windfall of data for the federal government to use as it pleases. Any information shared with the government must have strict use limitations to ensure that this new program doesn’t become an end run around privacy laws that would otherwise offer stronger protections.
· Create an oversight and accountability structure that includes public and congressional reporting. The executive branch must provide regular, substantive and public reporting, ideally by multiple Inspectors General and/or privacy officers.
We appreciate your consideration and look forward to working with you in the coming months as cybersecurity legislation advances through the House. Please contact Legislative Counsel Michelle Richardson if you should have questions or comments about this correspondence.
Laura W. Murphy, Director, Washington Legislative Office
Michelle Richardson, Legislative Counsel
CC: Members of the House Permanent Select Committee on Intelligence
The ACLU is not the only organization fighting the bill.
The Electronic Frontier Foundation (EFF) is a donor-funded nonprofit organization founded in 1990 that champions digital rights, privacy and censorship concerns.
EFF released this statement, the entirety of which can be found here:
“…There are almost no restrictions on what can be collected and how it can be used, provided a company can claim it was motivated by “cybersecurity purposes.” That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats…”
Is there any validity to the statements made by the ACLU and EFF?
Here is an excerpt from the bill, which can be read in its entirety at govtrack.us (linked above):
“2) CYBER THREAT INTELLIGENCE- The term `cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
`(A) efforts to degrade, disrupt, or destroy such system or network; or
`(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
The bill is set to be voted on during the week of April 23 and, hopefully, Congress will vote down this authoritarian piece of legislation.
Because if it is passed, this would open Pandora’s Box for other restrictions on privacy and sweeping internet censorship.
“There’s no way to rule an innocent man. The only power any government has is the power to crack down on criminals. Well, when there aren’t enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible to live without breaking laws,” Ayn Rand.