ACLU warns of expanded spying powers in new GOP cybersecurity legislation

The American Civil Liberties Union (ACLU) is warning that a cybersecurity bill from Sen. John McCainJohn Sidney McCainCollins to endorse LePage in Maine governor comeback bid Meghan McCain: Country has not 'healed' from Trump under Biden Biden steps onto global stage with high-stakes UN speech MORE (R-Ariz.) and other Republicans would give spy agencies unprecedented powers to snoop through people’s personal information.

McCain's bill, the Secure IT Act, would encourage companies to share information about cyber threats with government agencies, including the National Security Agency (NSA) and U.S. Cyber Command. 

"The bill would allow the NSA to collect the Internet records of civilians who are not suspected of doing anything wrong," Michelle Richardson, legislative counsel for the ACLU, told The Hill.  


Although the bill's goal is to help the government work with Internet providers, wireless carriers, and websites to prevent cyber attacks, the ACLU argues the language is so broad, companies could end up sharing personal information about their users with spy agencies. 

"The military has no place in collecting civilian domestic Internet information," Richardson said.

Supporters of McCain’s cybersecurity bill said they worked hard to protect people’s privacy.

"Our approach has been all along to take into account privacy concerns that we know are very important for Internet providers and consumers and make sure that we could pass a bill that would increase our security without decreasing our privacy," Sen. Kay Bailey Hutchison (R-Texas), one of the leading supporters of the Secure IT Act, said at a press conference earlier this month.

An aide to McCain emphasized that the bill does not give NSA any new authority, but not everyone agrees.

"Saying 'no new authorities' is a little misleading. They are removing legal impediments [to information sharing with NSA]," said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.

He added that giving NSA a leading role in combating domestic cyber threats is a "departure from precedent."

At a hearing last month, McCain argued that NSA and U.S. Cyber Command are the "only institutions currently capable" of protecting the country from cyber attacks.

McCain introduced his bill as an alternative to the Cybersecurity Act, which is authored by Sens. Joe Lieberman (I-Conn.) and Susan CollinsSusan Margaret CollinsCollins to endorse LePage in Maine governor comeback bid McConnell privately urged GOP senators to oppose debt ceiling hike GOP senator will 'probably' vote for debt limit increase MORE (R-Maine) and has the support of the White House.

The Lieberman-Collins bill, which is set to come up for a Senate vote in the coming weeks, would give the Homeland Security Department the power to set mandatory security standards for computer systems deemed critical to national security.

McCain and other critics argue the Lieberman-Collins bill would impose burdensome regulations on businesses.

ACLU’s Richardson said that, while she is no fan of the Lieberman-Collins bill, it is preferable to McCain's Secure IT Act.

"It's all on a continuum of ‘1984’ to moderately bad," Richardson said.

The Lieberman-Collins bill would encourage companies to share information about cyber threats with the Homeland Security Department, which Richardson said is more appropriate than sharing data with military spy agencies. But she noted the bill does not bar the Homeland Security Department from handing the information over to other agencies, including NSA.

She also noted that the Lieberman bill requires that companies make a "reasonable effort" to strip personally identifiable information, such as names, email addresses or phone numbers, from the data they share with the government.

Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute, argued that from a civil liberties perspective, the McCain bill is actually slightly better than the Lieberman bill.

He explained that the under the McCain bill, companies only have immunity if the information they share is related to a cybersecurity threat. Under the Lieberman bill, the companies have immunity if they have a "good faith belief" that the information is related to a cybersecurity threat.

Radia said he expects that if either bill becomes law, government agencies will pressure companies to turn over as much information as possible.

"Any granting of immunity would be used by the government as an excuse to coerce companies into disclosing information," Radia said.