Privacy groups: Obama's cyber framework falls short

Privacy advocates are saying the Obama administration’s cybersecurity framework — released Wednesday — falls short of the privacy protections found in earlier versions.

On Wednesday, the White House launched its voluntary framework, which is a product of President Obama’s executive order from last year and was crafted by the Department of Commerce’s National Institute of Technology and Standards.

The document provides guidelines and benchmarks for private companies in critical infrastructure industries looking to bolster their protections against cyber attacks. 

While the version launched Wednesday largely reflects an agency draft from October, the final document does not include the October draft’s lengthy appendix on privacy and civil liberties issues. Instead, the issues are discussed throughout the framework.

“We are concerned that the privacy provisions in the framework were watered down from the original draft,” Greg Nojeim, director of the Center for Democracy and Technology’s Project on Freedom, Security and Technology, said in a statement.

“We would have preferred a framework that requires more measurable privacy protections as opposed to the privacy processes that were recommended,” he said. “As the framework is implemented, we are hopeful that such privacy protections are further developed and become standardized.”

Nojeim credited the framework, saying that it “will be useful to companies and their privacy officers, because it will remind them that processes should be put in place to deal with the privacy issues that arise in the cybersecurity context.”

Michelle Richardson, legislative counsel at the ACLU, said Wednesday’s framework is “not as detailed as the old appendix” from the October draft.

“In a way, it’s a step back,” she said, noting that the newer language discusses “problematic activities” and “what type of issues [companies] should be considering when they build out these cyber programs.”

Richardson said she is hopeful that companies “will consider this as part of their analysis” as they use the framework and cement industry best practices regarding cybersecurity.

The framework is “an OK first start, but the devil will be in the details,” she said.

Robert Mayer, vice president of industry and state affairs at US Telecom Association, said the decision to integrate the privacy section was “the right move.”

“That increases the likelihood that privacy considerations are going to be a part of each of the evaluations” companies make as they consider the framework, he said.

The administration “made it a much better document” by doing away with the appendix and addressing privacy and civil liberties issues at a general level, according to Paul Tiao, former cybersecurity adviser to FBI Director Robert Mueller. Tiao is currently a partner at Hunton and Williams’ privacy and data security practice.

The administration faced “a huge outcry” from the private sector, which was “very uncomfortable with that appendix because, among other things, it was very broad and it did not reflect a wide range of successful privacy and data protection programs implemented by industry, in partnership with various government agencies,” he said.