Today, Access and a coalition of digital rights groups, companies, and security experts submitted a letter to U.S. President Obama urging him to pledge to veto the Cybersecurity Information Sharing Act (CISA), and any other bill that includes similar provisions that would hurt our basic right to privacy.
CISA would allow private companies to share user data, including information about your private online communications, with government agencies, including the NSA and CIA, under the guise of improving cybersecurity. Access previously highlighted this and many other flaws with the first draft of CISA, and many of these concerns still exist in the version of CISA that passed the Senate Select Committee on Intelligence last week.
In the most recent draft of the bill, user information would still flow straight from private companies, through the Department of Homeland Security, and on to military organizations, such as the National Security Agency (NSA). In our letter, we condemn the militarization of basic internet usage and make it clear that any information-sharing bill must place a civilian organization in charge of information management.
To alleviate privacy concerns, amendments were introduced during the bill’s mark-up in Committee that require the government to follow the Fair Information Practice Principles established by the National Institute of Standards and Technology (NIST) and to establish data retention and personal information protection guidelines set by the Attorney General. However, these standards are open to secret interpretation by the government. For instance, the government has previously interpreted the plain text of a different statute to find that information on all phone calls across the U.S. is “relevant” to any given national security investigation. Moreover, CISA fails to require that all guidelines be made public, leaving the government free to abuse them secretly and with no accountability.
Compounding these threats, CISA contains exemptions from basic transparency mechanisms, such as the Freedom of Information Act, which prevent public oversight of government practices. By legislating secrecy, CISA strips users of basic protections against government misuse of personal information.
To solve these issues, the coalition letter specifies six characteristics of comprehensive cybersecurity legislation which both enhance and secure the privacy and civil liberties of users:
1. Create incentives and processes to improve digital security, including resolving known vulnerabilities in a timely fashion, making systems more resilient, and improving security architecture by design.
2. Empower a civilian federal agency to perform the government’s information assurance functions. The agency should not have a conflicting mission that would compromise its information assurance tasks.
3. Ensure that all administrative agencies that collect or handle personal information, including the White House, have on staff a Chief Information Officer, a Chief Privacy Officer, and a Chief Technology Officer with clearly published contact information. These officers should be responsible for establishing and publishing a responsible disclosure policy and process for vulnerability reporting.
4. Provide resources to educate users, companies, and other actors on cybersecurity threats and best practices for avoidance and mitigation.
5. Foster greater international dialogue on the communication of cyber conflict red lines.
6. Establish strong transparency obligations that give as much access as possible to both governmental oversight bodies and the public.
The letter also explains that cybersecurity legislation should avoid certain traps, such as providing inadequate protections for privacy or civil liberties. Access believes that any bill that focuses exclusively on information sharing without additional measures to increase communications security is inherently incomplete. We will continue to oppose any proposed law or regulation that fails to adequately protect the security of all users.