Wednesday, the House Homeland Security Subcommittee on Cybersecurity passed a bill that will permit greater information sharing for cybersecurity efforts. Called the PRECISE Act, the bill as reported out of the subcommittee, will create an exception to privacy laws so that companies who hold Internet use information (like your browsing history or IP address) can share it in the name of protecting cybersecurity. This would be facilitated by a new public-private entity created to receive, process and distribute the data back out to companies and government agencies who would theoretically use it to protect their own networks.
For background, Congress and the administration have made increased information sharing a cornerstone of efforts to address cybersecurity threats. They claim that current anti-trust laws and privacy laws like the Electronic Communications and Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) don’t allow companies to share data relevant to threats from hackers, foreign governments and terrorists. But without the proper safeguards in place, there is a substantial risk that any new cybersecurity law could allow a flood of private and sensitive Internet use data to flow from corporations to the government. (We shared our concerns with the administration’s information sharing proposal with you last fall, and wrote in December to House Intelligence Committee leaders about a flawed proposal they are considering.)
Although the PRECISE Act is still flawed, it satisfies two important privacy principles. First, the bill ensures that the National Security Agency (NSA) doesn’t become the head of domestic cybersecurity efforts. It is absolutely critical that private industry or a civilian government agency lead these efforts — it would be wildly inappropriate for a military agency to collect information about US citizens on US soil, and given the NSA’s history of warrantless wiretapping, even leaving that possibility open should be a non-starter.
Second, the bill defines the information that companies can share specifically as the technical data necessary to understand and respond to a cyber-threat, and it requires that companies make an effort to strip out information that can be used to identify people unrelated to the threat. Other cybersecurity proposals have refused to define what can be shared or require that personal identifying information of innocent people be stripped out before the data is passed along to the government, permitting Internet use records, emails and more to be given to the government, almost without limit.
Earlier this week, FBI Director Robert Mueller said that cybersecurity threats will soon eclipse terrorism as the greatest threat to America. Read that again. We now have fair warning where the government will likely turn next to expand its extraordinary electronic surveillance powers. It’s going to take some work to make sure that Congress doesn’t pass a new cyber-PATRIOT Act and we’ll be needing your help. Check back here for more info.