Congress Working in the Dark on Cybersecurity Bill

With a sweeping cybersecurity “information sharing” bill expected to become law early next year, passed in haste and against the strong opposition of the privacy and civil liberties community, the ACLU filed a lawsuit today to uncover what that legislation will actually authorize.

Last month, the Senate passed the Cybersecurity Information Sharing Act (CISA), a bill that allows companies to share user data with government agencies who, the government claims, are better positioned to defend the companies against hackers. In practice, CISA would be a new surveillance authority, permitting private companies to monitor and share with the government sensitive information about their users and customers, “notwithstanding any other provision of law.” As a result, we and others, including major tech companies, have opposed CISA on the basis of the bill’s plain text. But the privacy intrusions that CISA authorizes on its face may pale in comparison to what the bill allows when read in conjunction with a still-secret opinion from the Justice Department’s Office of Legal Counsel (OLC).

For the last four years, Senator Ron Wyden has been asking the OLC to withdraw and declassify an opinion it authored in 2003 interpreting “common commercial service agreements.” Senator Wyden has warned that the OLC’s opinion on “common commercial service agreements” is "inconsistent with the public’s understanding of the law" and is directly relevant to the congressional debate on CISA and cybersecurity legislation more broadly. And Senator Wyden has suggested that the executive branch has relied on the OLC opinion in the past and cautioned that it could rely on this secret interpretation in the future. Yet members of Congress remain unaware of how the OLC’s opinion would influence the meaning and implementation of the proposed cybersecurity legislation.

In March, the ACLU filed a Freedom of Information Act request seeking release of the opinion on “common commercial service agreements,” but the OLC denied the request and the Justice Department did not respond to our appeal. Today, the ACLU filed a lawsuit seeking to compel the OLC to release the opinion.

The OLC provides the executive branch with legal advice, helping the executive branch understand the limits on its authority imposed by statute, the constitution, and international law. These opinions are effectively binding on the executive branch. Not all of OLC’s advice is secret; some of it is mundane. But around the time the opinion on “common commercial service agreements” was written, the OLC was busy drafting secret interpretations of the law that authorized warrantless wiretapping, concluded that detainees at Guantanamo Bay lacked a constitutional right to habeas corpus, and sanctioned torture. This timing, coupled with Senator Wyden’s repeated warnings, suggests we have good reason to be concerned about this particular OLC opinion.

The last time Senator Wyden warned that the executive branch had adopted a troubling and secret interpretation of law, he turned out to be referring to one of the most sweeping surveillance programs ever directed at Americans—the NSA’s bulk collection of call records under Section 215 of the Patriot Act. Once Congress and the American public learned of that unlawful and secret interpretation, Congress put an end to it.

The American people are entitled to understand the real meaning of our laws. Indeed, the Freedom of Information Act was enacted to discourage agencies from developing bodies of secret law. Fortunately, CISA isn’t law yet. Congress still has to attempt to reconcile the somewhat different versions of the bill passed by the House and Senate, and it may not do so until January. Before our lawmakers expand the government’s surveillance authority under the guise of cybersecurity legislation, shouldn’t we—and the legislators themselves—know what the real consequences will be?

Stay Informed