This week: U.S. Congress tees up five cyber-surveillance proposals


A recent barrage of proposed cybersecurity bills in the U.S. Congress may appear to be about protecting digital information. One bill even uses the terms “security” 91 times and “threat” nearly 150 times. But this language obscures an important fact: These bills create brand new privacy-invasive surveillance powers. Every single one of these proposals would reward companies that send user information to the government, including the NSA and FBI, without adequately protecting user privacy. Congress may vote on at least two of the bills as early as this week.

To protect your rights and stop these dangerous cyber-surveillance bills, Access and our  allies have launched StopCyberSpying.com, giving you the chance to speak out and urge President Obama to veto these bills. Previously, Obama threatened to veto similar legislation called the Cyber Intelligence Sharing and Protection Act (CISPA). He presented three minimum requirements for cybersecurity legislation: (1) it must “carefully safeguard” privacy and civil liberties, (2) it must preserve the respective roles of civilian and intelligence agencies, and (3) liability protections must be “targeted.” All five of  the current proposals fail to meet these requirements. They also fail in several other ways, including failing to provide adequate transparency and safeguard the integrity of our communications systems.

Here is the current status of these five proposals (we know these acronyms and committee names are confusing. Hang in there — this is important.):

These bills allow companies to “share” just about any type of information, including personal information such as your computer’s IP address and email content. As technologists explain in a letter to leaders in Congress, much of this information is of little use to cybersecurity, and sharing it may even pose a threat to network security.

The bills would also increase the role of intelligence agencies in cybersecurity efforts, opening new avenues for government surveillance. In each case, the agency receiving the information is either encouraged or required to share it with other agencies. Most of the bills designate an office in the civilian Department of Homeland Security to act as the government portal. The PCNA further diminishes civilian leadership by placing leadership in an office of the head of U.S. intelligence. In addition, some of these bills allow agencies to use information ostensibly collected for cybersecurity to investigate a wide  array of crimes, many of which are unrelated to security.

Since these bills include extensive liability protections, they ensure that companies could send user information to the government with impunity — even if they would otherwise have violated other privacy protections. The CTSA, for example, provides companies absolute civil and criminal protection for even willfully harming users’ privacy.

Finally, these bills threaten network security. The three bills most likely to pass, CISA, the NCPA, and the PCNA, create new risks to security, allowing companies to take damaging “defensive measures.” In response, malicious hackers may try to disguise their identities so that damage would be misdirected to the wrong networks.

President Obama has issued clear guidance and criteria for cybersecurity legislation. Based on his own standards, each of these bills fail. Now we must step forward to ensure that the President acts to protect our privacy and network security. Join us by taking action now at StopCyberSpying.com.

Update, 4/22/2015: Access has now joined with allies in calling on Congress to reject CISA and the PCNA. Read the letter calling for a rejection of CISA here and the letters calling for a rejection of the PCNA here and here.