In 2012, the US Congress considered cybersecurity legislation that is expected to resurface in 2013. ARL and other library and civil liberties groups expressed serious privacy concerns with the bills considered in 2012.
As of February 11, 2013, House Intelligence Committee Chairman Mike Rogers (R-MI) and ranking member Rep. Dutch Ruppersberger (D-MD) are planning to re-introduce the Cyber Intelligence Sharing and Protection Act (CISPA) on February 13. On February 14, the committee will hold a hearing to discuss cyber threats facing the US. Also, the Obama administration is expected to issue a cybersecurity executive order sometime after the February 12 State of the Union address.
Cyber Intelligence Sharing and Protection Act of 2011 (CISPA)
On April 26, 2012, the US House of Representatives passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA). ARL joined with over 30 privacy-related organizations in a letter to Congress noting serious concerns with provisions in the legislation. The organizations stated that “this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, which could then use the information without meaningful oversight for purposes unrelated to cybersecurity.”
ARL also joined with 40 members of the FOIA community in identifying significant flaws in the legislation. In that letter, the signatories stated, “in the interest of encouraging private companies to share cybersecurity threat information, the bill unwisely and unnecessarily cuts off all public access to cyber threat information before the public and Congress have the chance to understand the types of information that are withheld under the bill. Much of the sensitive information private companies are likely to share with the government is already protected from disclosure under the FOIA. Other information that may be shared could be critical for the public to ensure its safety. Any effort to expand the authority of the federal government to withhold information from the public should begin with careful consideration, including public hearings, by the House Oversight and Government Reform Committee, which has jurisdiction over FOIA.”
On April 25, the White House issued a Statement of Administration Policy on CISPA. The two-page policy statement begins:
The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure. The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive. Moreover, information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats. Accordingly, the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form...
The statement describes flaws in the legislation and concludes, "if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill."
Cyber Security Act of 2012 and SECURE IT Act
The leading cybersecurity bill in the US Senate in 2012, the Cyber Security Act of 2012 (S. 3414), sponsored by Senators Joe Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV), Dianne Feinstein (D-CA), and Tom Carper (D-DE), encountered a significant defeat on August 2, 2012, when the bill failed to gain 60 votes for a key procedural vote. Amendments included in a July 19 version of the bill addressed some of the most important privacy concerns expressed by the library community and allied civil liberties groups, and ARL joined a series of letters to encourage the retention of these improvements as well as adoption of more protections for issues ranging from Freedom of Information Act requests to warrantless spying on e-mail. As amended, the bill was a significant improvement over the cybersecurity bill that has moved in the House of Representatives, known as CISPA. The Lieberman-Collins bill has the support of the White House, as well, but opposition from Senate Republicans and the Chamber of Commerce seems to have been decisive in its defeat. The Senate will not take the bill up again until 2013.
The core concerns with respect to the Cyber Security Act, as well as the related SECURE IT Act (S. 2151), include:
- Unprecedented limits to Freedom of Information Act requests prevent reasonable access to information about the operation of cybersecurity programs.
- Key terms are poorly or broadly defined, giving service providers excessive power to monitor and control users.
- Existing privacy laws are summarily bypassed, removing all protection for users so long as a service provider can claim that a cybersecurity threat or concern was involved.
- Military agencies, including the National Security Agency (NSA), are given too much potential power to monitor domestic civilian communications.
- Information collected pursuant to these cybersecurity purposes can be used for other purposes, including criminal investigations, giving a strong incentive for abuse.
For more details, see:
- Full text of S. 3414 (PDF)
- New York Times story on the bill’s demise (Aug. 2, 2012)
- ACLU blog post about the privacy changes (July 19, 2012)
- Center for Democracy and Technology statement on the privacy changes (July 19, 2012)
- Letter from ARL, OpenTheGovernment, et al., May 14, 2012
- Letter from ARL, Constitution Project, et al., May 10, 2012 (PDF)
- Analysis by Center for Democracy and Technology, March 28, 2012 (PDF)