On December 17, more than 50 advocacy organizations and cybersecurity experts joined The Constitution Project in sending a letter to members of Congress opposing inclusion of the Cybersecurity Act of 2015 in a must-pass omnibus spending package Congress will consider before its Christmas recess.
The Cybersecurity Act of 2015 would significantly increase access to personal online information by the National Security Agency and the FBI, and authorize the federal government to use that information for purposes totally unrelated to cybersecurity. It also fails to provide “strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government,” the letter said.
The new language would permit companies to share vaguely defined “cyber threat indicators” with the government without first stripping out personally identifiable information unrelated to the threat, thereby posing a “threat to privacy, as well as to data security, as hackers and nation-state actors often seek out and steal personally identifiable information when they breach company and government networks,” the group wrote.
The legislation would also allow law enforcement to use cyber threat indicators to investigate and prosecute crimes and activities that have nothing to do with cybersecurity. These expanded use authorizations “undermine traditional due process protections, and turn it into a cyber-surveillance bill rather than a cybersecurity bill,” the letter said. TCP raised constitutional concerns about expanded use authorizations in its 2012 report on cybersecurity.
Members of Congress should have the opportunity to debate and vote on these “highly controversial” issues separately from the funding measure, the group said. Organizations signing the letter along with TCP include Access Now, American Civil Liberties Union, American Library Association, Center for Democracy and Technology, Electronic Frontier Foundation, FreedomWorks, New America’s Open Technology Institute, OpenTheGovernment.org, Restore the Fourth, and R Street.
The omnibus also includes other damaging and unnecessary policy riders. For example, it folds in the annual intelligence authorization bill, which includes a provision that strips the Privacy and Civil Liberties Oversight Board’s authority to access the information it needs to do its job. TCP earlier led a coalition of civil liberties and open government advocates in urging Congress to resist efforts to hamstring PCLOB’s ability to conduct its business.
The PCLOB — an independent agency within the executive branch that was established by Congress in response to recommendations by the 9/11 Commission — is charged with ensuring that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties. By statute, the PCLOB was empowered to access all relevant executive agency records, reports, audits, reviews, documents, papers, recommendations, and any other relevant materials, including classified information. Not anymore — the omnibus allows agencies to withhold from the PCLOB any information “regarding” covert action, and in so doing jeopardizes effective oversight of U.S. counterterrorism programs at a time when it is needed most.