As the end of the 2017 legislative session approaches, the U.S. Congress still has a lot of work to do. Not only are the pressing issues of healthcare and immigration making headlines, there are also a number of high-stakes cybersecurity and privacy issues on the table. Congress should use the remaining time wisely, focusing on strengthening security while protecting human rights. To help out, we’ve prepared this legislative guide.
Addressing the SS7 security crisis
Signaling System 7 (SS7) is a technology that connects mobile phone networks around the world. In 2014, researchers demonstrated a vulnerability in SS7 that could be exploited to allow anyone near-omniscient monitoring abilities, including the ability to read text messages, track phone locations, and eavesdrop on unencrypted calls from anywhere in the world. The Mexican government recently purchased a spyware system based on this exploit for $5 million, and this year criminals in Germany used the exploit to steal money from bank accounts. Rep. Ted Lieu and Sen. Ron Wyden have called on the Federal Communications Commission and the Department of Homeland Security to take action, but cellular networks are still vulnerable. Congress should act now to address this problem.
Federal data breach notification
The massive Equifax hack put the personal data of 143 million people in jeopardy. Unfortunately it’s just the latest, largest data breach in a long pattern. Although 48 states (and D.C.) have laws requiring companies to notify people if certain data are compromised, Congress has continually failed to pass a federal standard. Partly because of this patchwork, the people harmed by breaches continue to go without notice for long periods of time.
In the wake of the Equifax hack, members of Congress have, among other things, reintroduced the Personal Data Notification and Protection Act to require notification of certain data breaches within 30 days. The bill is a step in the right direction for corporate accountability, but it could use some work; it only covers a narrowly defined range of people’s information and it also preempts state laws, so states could not impose stronger requirements. But Congress cannot afford to wait for another breach to act. It now appears that Equifax knew about the vulnerability for months before the major attack, and this bill would have held them accountable.
Vulnerabilities Equities Process
When the U.S. government discovers or is notified about a previously unknown software vulnerability, it is meant to follow the Vulnerabilities Equities Process (VEP) to decide whether to disclose it for patching or hold it for offensive purposes. The VEP was “reinvigorated” following the Heartbleed debacle, though the text was only made public in response to Freedom of Information Act litigation by the Electronic Frontier Foundation and the government is still mostly opaque about its application. The PATCH Act would create a review board to codify the VEP, establish a public disclosure policy, and periodically report on disclosures. Much more limited in scope, the proposed Intelligence Authorization Act would require a report to Congress (not the public) on the past three years of VEP activity, including exact numbers of vulnerabilities discovered and disclosed.
Reforming Section 702
Section 702 of the Foreign Intelligence Surveillance Act (FISA) is one of the most egregiously invasive legal authorities in the U.S. The law grants the National Security Agency (NSA) far-reaching authority to spy on digital communications, in secret, with scant judicial oversight. Section 702 provides legal authority for both the “PRISM” and “upstream” programs. It’s set to expire at the end of 2017.
The best thing Congress could do with Section 702 is to let it die. Unfortunately, President Trump and too many legislators support mass surveillance and are currently pushing not only for reauthorization, but permanency. Last December, Access Now called for reform of Section 702, and proposed a series of changes. By reforming Section 702, including codifying changes made this year based on a decision of the FISA Court, Congress can move closer to ensuring U.S. intelligence activities conform with human rights.
Two recently introduced bills (in the House and the Senate) would vastly increase border surveillance. Both fund biometric monitoring systems for all ports of exit in order to monitor and identify all non-U.S. persons. The Senate bill would also require collection of “iris scans and voice prints” from all non-U.S. citizens and mandate increased monitoring of visa applicants’ social media. Both bills would facilitate sharing of sensitive data with intelligence agencies like the NSA. These programs create new risks for all people impacted and undermine human rights. Along with other provisions, the bills represent an expensive, unnecessary, and Orwellian expansion of government authority.
“Backdoors” for law enforcement
In a recent speech, Deputy Attorney General Rosenstein said “the use of encrypted services pose a novel threat to public safety” and called for Congress to “preserve cybersecurity, without depriving law enforcement of the ability to lawfully access data.” He is singing an old tune: last year Senators Burr and Feinstein introduced a bill to provide this authority, despite experts’ near unanimous recommendations against it. Even if it were desirable to allow law enforcement to bypass strong encryption, there is no such thing as a backdoor that only the “good guys” can use. “Secure communication” with backdoors is not secure at all.
The Stop Enabling Sex Trafficking Act (SESTA), unfortunately, would not stop sex traffickers. Instead, it would weaken a law that’s been critical to protecting expression online by criminalizing any action by a service provider that “assists, supports, or facilitates a violation of federal sex trafficking laws.” This would require platforms to aggressively monitor all user content and create perverse incentives to remove non-criminal speech. The extra burden would make it broadly impractical for smaller companies to operate content-based platforms, creating new barriers for start-ups that would compete with large incumbents. As a result, SESTA would hinder innovation and increase censorship. Congress must stop it.
Securing the Internet of Things
The bi-partisan Internet of Things Cybersecurity Improvement Act would ensure that IoT devices purchased by the government meet minimum security standards. It would also amend current law to prevent criminal prosecution of researchers acting “in good faith” to find vulnerabilities in devices the government uses. The bill is not perfect. For example, the definition of internet-connected devices is vague and extends far beyond the internet of things. Additionally, it only protects researchers working with devices similar to those the government buys — not the actual devices they use. Often, device vulnerabilities only manifest when they are in the context of a particular system; allowing research on devices “in the wild” would produce more valuable results. Still, with some minor changes, Congress should press ahead to make this into law.
The International Computer Privacy Act (ICPA) is one of many proposals to update the Electronic Communications Privacy Act, or ECPA, which governs privacy protections for digital communications. In a major change, ICPA would base jurisdiction over communications data entirely on the nationality and location of the person whose data were sought, not where the information is physically stored. The bill would require law enforcement to get a warrant before accessing any communications by U.S. persons, a much-needed change. It would also change the process for U.S. law enforcement access to data of non-U.S. persons. While it would increase protections in some instances, it would undermine existing treaties that govern such access. Congress must update ECPA, but this is not the right vehicle to accomplish that goal. While jurisdiction should not depend solely on where data are stored, courts should not be able to access foreign data without an agreement based on reciprocity and mutuality.
U.S./U.K. data sharing
On the same subject, Congress may soon revisit a proposal to give other governments direct access to user data in the United States. The law is a response to pressure from the U.K. government and a seriously backlogged process for cross-border access to data. This is a noble goal, but one it overshoots by a mile/1.6 km. The proposal would be ineffective and fail to protect human rights. Under the law, the U.K. and others would be able to enter into agreements to allow issuance of surveillance orders directly to U.S. companies. There is no guarantee that such agreements would satisfy human rights standards, and no draft agreement has yet been made public. The current process is in urgent need of reform. But Congress should find a solution that honors human rights standards by design.