Next Round in Cybersecurity Battle: The Senate

Two weeks ago, the House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). But thanks to internet activism and advocacy by organizations like the ACLU and the Electronic Frontier Foundation, 168 Congressmen voted “no,” including 28 Republicans, the House Democratic leadership, and a chunk of members who sit on the Intelligence and Homeland Security Committees.

What happens next? CISPA never had much of a chance in the Senate, but after the Obama Administration’s veto threat, and resounding bipartisan “no’”vote in the House, it won’t be going anywhere any time soon. The Senate will likely take up its own cybersecurity bill, S. 2105, the Cyber Security Act of 2012 (CSA), in June. The CSA is over two hundred pages long and deals with many cyber issues that are civil liberties neutral. But the CSA would also unnecessarily threaten our privacy.

While it is better than CISPA, the CSA similarly creates an exception to every privacy law on the books so that companies that hold our sensitive personal information can share it with the government, including possibly the military. Title VII of the bill governs information sharing. Here’s what you should know about it:

• What Information Can Be Shared: “Notwithstanding any provision of law,” meaning without regard to any existing privacy law, “cyber threat indicators” can be shared, just as with CISPA, but in this case only if companies make “reasonable efforts” to remove information that can be used to identify specific people unrelated to the cybersecurity threat. That restriction is of course a positive step, but standing alone, it is not enough.

• Who Can It Be Shared With: Information can be shared with government “exchanges,” which will be appointed by the Department of Homeland Security. The CSA does not require these exchanges to be in civilian agencies and therefore would permit the NSA or other military agencies to become direct repositories for broad swaths of American internet information. Information can also be shared with other companies.

• How Can the Information Be Used: The government can use the information for cybersecurity, but can also distribute it and use it for law enforcement purposes totally unrelated to cybersecurity. Further minimization procedures will be promulgated by DHS and approved by the Attorney General. Companies can use the information they receive from each other or the government for cybersecurity purposes.

• Oversight and Accountability: Privacy officers from various government agencies will write an annual report to Congress, but it need not be made public. The Privacy and Civil Liberties Oversight Board will do a report – that is, if the Board, which does not currently have any members, is ever constituted. The bill contains generic directives for heads of agencies to enforce the rules and report violations to the Justice Department.

While the legislation isn’t as bad as CISPA, because of its problems the ACLU and 33 other organizations from across the political spectrum have demanded changes to the bill, including eliminating the possibility of the NSA or other military agency directly collecting information on Americans’ internet use. You can contact your Senators here to tell them to oppose any bill that contains such an authority.