Congress just made it easier for the NSA and FBI to get your private information.
Tucked into Congress’ 2,000-page spending bill passed today was a controversial cyber-surveillance rider. This provision, which was strongly opposed by the ACLU, is yet another iteration of the Cybersecurity Information Sharing Act, which we have repeatedly criticized as a surveillance bill that would have done nothing to stop cyber breaches, such as the Anthem or OPM hack. In an apparent flip-flop, the Obama administration appears to support inclusion of the rider — despite its opposition to similar proposals in the past.
Here is what the bill means for your privacy:
Companies can now share your private information with the government, preempting all other privacy laws.
The bill allows companies to share “cyber threat indicators” with DHS, the FBI, and other federal agencies. “Cyber threat indicators” are broadly defined and could include private information, such as your IP address (indicating location), email attachments, other personal identifying information, even your private communications. By default, there is no requirement that companies strip all personally identifying information before sharing this information with the government. Though there are several laws on the books that prevent companies from sharing certain types of private information, these laws are explicitly preempted by the provisions.
Companies will face no liability for sharing your personal information with DHS — even if there are negative consequences.
Companies face no liability — even when bad things happen — for information that is shared with DHS or potentially other agencies designated by the president (which could include the FBI). So, consumers have little opportunity for redress in cases where their private information is shared without consent or even notice.
Given that the liability provisions amount to a virtual blank check for companies that decide to share private consumer information with the government, it is no surprise that some business groups, such as the U.S. Chamber of Commerce, strongly supported the cyber-surveillance provisions.
Any information shared also goes to the NSA and FBI.
Any information that is provided to agencies will be automatically sent to law enforcement and intelligence agencies, such as the NSA and FBI. By default, there is no requirement that all personal identifying information be stripped before these agencies get this information.
Private information shared can be used to prosecute you for crimes that have nothing to do with cybersecurity.
The bill allows the FBI and other agencies to use information they receive to investigate and to prosecute crimes that have nothing to do with cybersecurity. Under the bill, this information can be used for crimes relating to protection of trade secrets, fraud and identity theft, or the Espionage Act, which has been used to target whistleblowers.
So, what can you do to protect yourself?
Companies are free to decide whether to participate in these new “cyber sharing” programs. They can choose to put their consumers’ privacy and liberty first — and keep private information truly private.
That is exactly what consumers should demand. And, if companies aren’t willing to make this commitment, we should take our information elsewhere.