A broad coalition of privacy, civil liberties and open government groups joined TCP in sounding the alarm against new cybersecurity legislation proposed in the Senate, saying it omits many of the civil liberties protections that previous versions of the bill incorporated. The Cybersecurity Information Sharing Act, authored by Senate Intelligence Committee Chair Dianne Feinstein (D-Calif.) and ranking member Saxby Chambliss (R-Ga.), would create a “gaping loophole in existing privacy law,” the groups wrote in a June 26 letter to Senate leaders.
The authors of the legislation say its purpose is to allow the government and private sector to share more information about attacks on computer networks. But the groups expressed concern that the bill would allow the government to approach private companies, ask for “voluntary” cooperation in sharing sensitive information, including communications content, and then use that information in a wide variety of law enforcement investigations without ever seeking court approval. Moreover, the provision requiring companies to strip out personally identifiable information before sharing data with the government only requires them to do so if the information is not “directly related” to a cybersecurity threat, very broadly defined, and only if the companies “know” the information belongs to or identifies a “U.S. person,” information that many entities will simply not possess.
This danger of a potential end-run around the Fourth Amendment and other crucial privacy protections, such as the Foreign Intelligence Surveillance Act and the Electronic Communications Privacy Act, is compounded by the potentially broad immunity conferred on companies sharing data “in accordance” with the act, and the additional absolute defense when sharing occurs in violation of the act but in “good faith” reliance on the mistaken belief that the sharing is lawful, the groups wrote.
The new bill also allows broad sharing of the information received by the civilian Department of Homeland Security with the military and intelligence agencies, including with the National Security Agency. “This new flow of private communications information to NSA is deeply troubling given the past year’s revelations of overbroad NSA surveillance,” many of the same groups warned in a second letter also delivered to lawmakers on June 26.
TCP’s January 2012 report, Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy, analyzes the civil liberties risks posed by cybersecurity information sharing programs, and describes a series of recommendations to protect against these threats to constitutional freedoms.