Cyber protection act too broad, infringes on our privacy rights

This week is “Cybersecurity Week” in the House of Representatives, and members will vote on a handful of bills intended to protect cybersecurity — the ability to prevent and respond to threats from foreign governments, terrorists and criminals over the Internet. Some of the bills are civil-liberties-neutral but, as usual when addressing a security issue, Congress is considering a bill that overreaches — this time by allowing companies to share private and sensitive information with the government without a warrant and without much oversight. 

The bill is H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), and would create an exemption to all privacy laws so that companies that hold our private information can share it with one another or the government for cybersecurity purposes. Companies that share information would get complete liability protection, meaning they would no longer be held accountable by their customers or even the government if they negligently or recklessly mishandle information. Once in government hands, information can be used for any lawful purpose so long as a significant purpose is cybersecurity or national security. The program is permanent, only to be reviewed annually by the inspector general of the intelligence community. 

ADVERTISEMENT
There are numerous privacy problems with CISPA, which remain even if the five so-called privacy amendments orchestrated by the sponsors are adopted. First, the very definition of what can be shared is incredibly broad, and includes sensitive and private information such as the content of emails or a person’s Internet use history. Companies are not required to even make an effort to disentangle sensitive but unnecessary information from the technical and useful data that government might really need. 

Second, the bill allows companies to choose which government agency to share the information with, including the National Security Agency or other element of the Department of Defense. It is a long-held American value that the military doesn’t operate on U.S. soil against Americans, and allowing the NSA and DOD to collect information on average Americans turns that value on its head. All domestic programs must be run by civilian agencies. And finally, CISPA offers few limitations on what can be done with the information that the government ultimately collects.  

Even the Obama administration opposes the bill due in part to its privacy infringements. Yes, the administration that fought for the reauthorization of the Patriot Act and is now lobbying for an extension of the Foreign Intelligence Surveillance Act (FISA) Amendments Act has balked at CISPA. Those responsible for protecting our cybersecurity believe they can be effective with less collection authority, making this broad and intrusive new program not only horrible for privacy but totally unnecessary.  

There are alternatives to CISPA in both the House and Senate, sponsored by Democrats and Republicans, that offer more privacy protections. Even the administration’s draft legislation last year, the result of a lengthy intra-agency process that required the sign-off of the NSA, Department of Homeland Security and other intelligence agencies, proposes a better regime for minimizing the amount of irrelevant information that ends up in government hands and more meaningful limitations on how the government can use Americans’ sensitive information. CISPA is far and away the worst legislative option for privacy, and by no means represents the only way to facilitate information-sharing. Many of the protections in legislation authored by the administration or Sen. Joe Lieberman (I-Conn.), for example, could easily be inserted into CISPA to make real policy and privacy differences.  

Supporters have made information-sharing the cornerstone of our cybersecurity policy, and there’s nothing wrong with companies sharing technical data about threats, per se. But CISPA permits sharing far beyond what’s necessary and reasonable, ultimately letting the companies that hold our information decide just how much the government will know about the websites we visit or the notes we send to our loved ones. Supporters of this legislation talk about stealth Chinese efforts to steal our state secrets or a terrorist attack on an electrical grid. To be sure, if the bill were narrowly tailored to capture information only about such situations, there would be far less controversy, but it’s not. It’s drafted to siphon Internet information about Americans who have absolutely nothing to do with espionage or terrorism. 

Congress should vote “no” and go back to the drawing board on information-sharing. As we’ve seen time and again over the last decade, once the government gets expansive national security authorities, there’s no going back, and Congress will hear little about it until rampant abuse is on the front page of The New York Times. This is Congress’s one shot at legislating cybersecurity and privacy — it must get it right.

Richardson is a legislative counsel with the American Civil Liberties Union.