Blog

Cybersecurity vote nears, while military creeps online

12:30pm | 27 November 2012 | by Peter Micek, English

A flurry of activity in US Congress and the Oval Office could alter the privacy rights and cybersecurity of users in the US and abroad for decades to come. It also presents an opportunity to limit the military’s growing reach over cyberspace. 

This Thursday, Nov. 29, the Senate Judiciary Committee could vote on amendments to HR 2471 that would give law enforcement and intelligence agencies more surveillance power. Senator Leahy, Chair of the Judiciary Committee, originally proposed amendments in May 2011 as a way to update privacy rights online. However, it appears law enforcement lobbyists influenced a redrawing of the lines toward greater warrantless access. Leahy quickly clarified his position on Nov. 20, after criticism came from both the ACLU and the conservative FreedomWorks, whose petition platform has been used to send more than 7500 emails to congress, as well as from CDT and the Digital Due Process Coalition.

According to CNET, “Leahy's proposal would have allowed over 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant.” Those agencies currently lack explicit subpoena or warrant authority to access online communications. Leahy has withdrawn support for this amendment, but there remains a possibility that the Committee’s Ranking Member Sen. Chuck Grassley could introduce these harmful reforms for Thursday’s vote.

Leahy actually authored the 25-year-old Electronic Communications Privacy Act (ECPA), which the amendments would supplant. Passed in 1986, ECPA laid initial ground rules for privacy in the electronic age, setting arbitrary limits on government access to personal data like email and other stored communications. While ECPA provided significant protections for a while, the law has not kept pace with advances in technology; Leahy himself has admitted ECPA’s shortcomings, such as allowing government access to emails 180 days old without a warrant.

Access has supported attempts to update ECPA, including Rep. Logren’s “ECPA 2.0” bill, with its requirement of a warrant to access private communications data and location information. Indeed, users deserve up-to-date legislation giving them assurance that their expectations of privacy in email will be met in courts.

Access participated in the development of the Draft International Principles on Surveillance and Human Rights and other international fora, which aim to provide a strong framework for governments who are “failing to develop legal frameworks to adequately protect communications privacy, particularly in light of modern innovations in surveillance laws and techniques.” The Principles are open for comment until the end of the year (read more about it here).

Cyber information ‘sharing’

This month, the Senate narrowly defeated a proposal on cybersecurity information “sharing” championed by outgoing Sen. Joseph Lieberman. Its failure increases the likelihood of an executive order from President Obama to facilitate the transfer of cybersecurity threat data, such as online attack signatures and methods, between private companies, law enforcement and intelligence agencies.

The military actually pioneered the information transfer programs now considered by lawmakers for civilian use. Lieberman’s bill, like the defeated CISPA last summer, would have expanded a program the Department of Defense began last year to facilitate information sharing along its supply chain. Find that initiative, the Defense Industrial Base (DIB) Cyber Security / Information Assurance (CS/IA) Program, described here, and its operational arm here. That program has since transferred to the Department of Homeland Security, with an eye toward expanding to 200 companies. Reports suggest around 65 companies currently participate in CS/IA (see also this report by the Wiley Rein law office). A related program has not fared so well. The Defense Enhanced Cybersecurity Services (DECS) program lets critical infrastructure providers pay their ISPs more to receive information on cyber threats from the government. Its membership has shrunk from 17 to 6 companies.

The cyber sharing bills respond to the widespread calls to protect the nation’s “critical infrastructure,” major utilities like water reservoirs, power stations, and transportation systems, who are often under private management. However, any data sharing program requires civilian oversight; built-in privacy and due process protections; assurances that participation is purely voluntary; and measures to hold companies accountable for sharing our personal data, as Access stated last spring. The information shared must only be used for cybersecurity purposes, rather than to open the door for law enforcement’s widespread surveillance of citizens and prosecutions for unrelated crimes.

Cyberattacks and defense

Meanwhile, the militarization of cyberspace is being formalized. News reports show Obama has already signed a secret directive giving the military a green light to combat cyberterror more aggressively. The directive makes a new distinction between defensive, internal network security measures, and offensive “cyber-operations” beyond the government’s own networks.

On the international level, last month, some 60 nations met at the Budapest Conference on Cyberspace to discuss cybersecurity issues. According to Access Policy Director Jochai Ben-Avie, who attended and spoke at the Conference, cyber information sharing and public-private partnerships were major themes. The UN Office on Drugs and Crime (UNODC) has also recently released a paper titled, “The use of the Internet for terrorist purposes,” to aid governments investigating and prosecuting terrorist cases involving the internet.

Access welcomes any attempt to better define the military’s role in cybersecurity and to clarify constraints to its activities online. Given that cyberspace is an interconnected ecosystem, it is likely that military actions would affect legitimate and peaceful expression. For this reason, among others, civilian oversight, due process, transparency, and accountability mechanisms must be in place to ensure governments uphold their duty to protect human rights online, especially when dealing with cyber threats.

Users can visit Vanishing Rights to voice their support for privacy online. Around the world and across the various arms of the US government, we're seeing a lot of activity aimed at improving cybersecurity, but often with unintended consequences detrimental to user rights. Access firmly believes that user privacy should not, and need not, be sacrificed for increased cybersecurity. Rather, implementation of security measures like anonymization, end-to-end encryption, data minimization practices, and respect for digital due process -- along with the civilian oversight and transparency reporting described above -- are ways for governments and corporations to ensure protection for both user rights and cybersecurity.