Are our work emails, our medical records, and our financial information safe online? Or have we been leaving our digital doors unlocked?
Given the high-profile cybersecurity failures in recent weeks, from the Sony hacks to the brief takeover of the U.S. Central Command twitter feed, these questions are being asked with a new intensity.
On Tuesday, the president will give his annual State of the Union address, and we already know that cybersecurity will be getting some serious attention during the speech. Indeed, the president has already unveiled proposals aimed at enhancing online privacy and cybersecurity, including allowing private companies greater leeway to share sensitive personal information that they believe is connected to a cyber-threat with the government.
While it is clear that more can and should be done to keep our digital world secure, not all solutions are created equal. So how do the president's proposals stack up?
The president's consumer privacy proposals – a federal data breach notification law and expanded protections for student information – are steps in the right direction, though the notification law must not be allowed to override more protective state laws. And the information sharing proposal, though better than alternative suggestions out there, fails to include clear privacy guidelines to keep sensitive personal information from flowing to the NSA and other intelligence agencies.
Before we give the government more power to collect our private information, we must deal with the suspicionless surveillance revealed by Edward Snowden. We also ought to focus on common sense security measures, including educating users on cyber-hygiene and encouraging companies to adopt basic security best practices, like two-factor authentication and encryption, to prevent hacks. This would be more effective, and less invasive, than expanding surveillance authorities or creating exemptions to existing privacy law.
The president's information sharing proposal is better than bills like CISPA or the Feinstein-Chambliss Senate package last year, which would have allowed the government to collect communications content in the name of cybersecurity and then use that to investigate whistleblowers. It's still unnecessary, however, and could potentially raise serious privacy concerns.
Moreover, federal regulation should set minimum standards for data protection but allow states to enact stricter standards if they so choose. In other words, federal standards should be the floor, not the ceiling. Yet the president's data breach proposal would preempt stronger state notification laws, which would actually weaken the notification requirements across the country.
The administration deserves some credit for being more privacy protective than members of Congress, like the proponents of CISPA, who just want to open the floodgates to information sharing with intelligence agencies and the military while conferring broad legal immunity for private companies. But we remain skeptical that these measures are necessary or wise, and we continue to strongly urge the administration to deal with NSA reform before further weakening American privacy laws in the name of cybersecurity.