School house lock: How the U.S. government proposes to “protect” your data

Last week, Congress introduced a new, rights-abusing piece of cybersecurity legislation, the Cybersecurity Information Sharing Act (CISA), drafted by Senators Feinstein (D-CA) and Chambliss (R-GA).

The Senate bill is a challenger to the House’s much maligned Cyber Information Sharing and Protection Act (CISPA) authored by Representative Mike Rogers (R-GA). CISPA passed the House and awaits a vote in the Senate, although President Obama has promised to veto the legislation. The terms of both bills create new, unaccountable surveillance programs under the auspices of protecting so-called U.S. critical infrastructure, while neither offers real protection for internet users.

Transparency/fail

Of particular concern to Access is that both bills fail to incorporate necessary elements of transparency and public accountability, and have decreased protections for whistleblowers. CISPA and CISA also provide comprehensive immunity for companies that share data improperly (but in good faith), and exempt all such sharing from disclosure or Freedom of Information Act requests. This is extraordinarily concerning, as civil society groups often use FOIA requests to investigate how programs are actually used, and then utilize that information to file suit against organizations that betray the public trust. This process is necessary to secure the digital rights of users and provides an important avenue for users to seek redress when their rights are violated. Furthermore, while both bills require a review with an eye to privacy and civil liberties violations, the resulting reports are provided only to specified congressional committees; there is no requirement that these reports be made public or released in an unclassified form.

Persons unknown

Each bill mandates the collection of user data from companies, but imposes different requirements for stripping out private information. CISPA (the House legislation) stipulates that the government take “reasonable efforts to limit the impact on privacy,” although “reasonable efforts” isn’t defined in the bill. CISA instructs companies to “remove any information…that is known to be personal information of or identifying a United States person, not directly related to a cybersecurity threat,” which would effectively require companies to gather information on internet users to attempt to determine citizenship. However, in most cases a company won’t be able to make this kind of determination, so most users wouldn’t receive any privacy protections under this bill.

Either way, the provision amounts to a very weak privacy protection that is unfairly discriminatory against non-U.S. citizens, in contravention of international law and the International Principles on the Application of Human Rights to Communications Surveillance.

Who can retain and use user information

As currently written, CISPA sends cybersecurity information directly to the intelligence community through the Director of National Intelligence. By way of contrast, CISA requires that the Department of Homeland Security (DHS) receive and store the information. However, CISA also requires cyber threat information to be sent simultaneously to several other agencies, including the Department of Defense and the National Security Agency. As such, DHS acts more as a cybersecurity portal for the intelligence community than a coordinator.

Accordingly, the effect of both bills is identical: the flow of large amounts of information, including personal information, directly into the hands of the U.S. intelligence community.

CISA also grants local law enforcement the ability to request information from private entities. Technically, law enforcement is required to seek written consent; however, CISA permits agencies to obtain that documentation after initiating action if they feel they are presented with immediate cause.

All your data are belong to CISA

Once the federal government receives user information, CISPA allows indefinite retention to ensure the confidentiality of information systems and to safeguard them from unauthorized access, excluding terms of service (TOS) violations. Under CISA, the government can retain data that may have an adverse impact on the confidentiality or security of information, including terms of service violations.

By including TOS violations, CISA allows anyone who accidentally logs into someone else’s Facebook account to be labelled a cyber threat to “critical infrastructure,” which enables the government to request both users’ information. Moreover, that information can be retained for future prosecution under the Computer Fraud and Abuse Act and/or the Espionage Act. The Obama Administration has increasingly used the Espionage Act to prosecute whistleblowers for revealing unlawful or inappropriate government activity, making the inclusion of this provision particularly egregious and ripe for abuse.

Real cybersecurity reform is needed

Ultimately, cybersecurity cannot be achieved through a greater information dragnet. These bills are being touted as necessary to thwart cyber threats – but most cyber attacks are the result of human error, such as clicking on a fake email link or registering at a compromised website. Requiring users to relinquish ever more personal information is not the solution. Instead, Access supports implementation of robust data security practices, such as those found in the Data Security Action Plan (DSAP).

Real cybersecurity solutions should focus on the types of security practices found in DSAP, user education and training, and funding of and research into meaningful information assurance practices. CISA and CISPA lag behind the cyber environment users live in, increase surveillance, and strip important protections for whistleblowers.

Access calls on Congress to discontinue efforts to mine personal information of users, and focus on real cybersecurity reform.