CDT: Cybersecurity bills raise major civil liberties concerns

A group of cybersecurity bills that the U.S. Congress may soon vote on contain serious privacy and civil liberties flaws, with some of the bills allowing private companies to share a wide range of their customers’ online communications with government agencies, the Center for Democracy and Technology said.

The U.S. House of Representatives could vote later this month on two bills focused on encouraging private companies and the government to share cyberthreat information with each other, even though there are major civil liberties concerns with one of the bills and some outstanding questions about the second, CDT officials said during a press briefing Wednesday.

The Senate may vote on information-sharing legislation in May, CDT officials said. CDT raised concerns about four information-sharing bills, all of which would provide legal protections for private companies that share cyberthreat information with government agencies.

“[If] you look at most of these bills closely, you’ll see that there are extraordinarily complex civil liberties problems in virtually every one of these bills,” said Leslie Harris, CDT’s president and CEO.

The Electronic Frontier Foundation has similar criticisms of the cybersecurity bills. Most of the information-sharing bills before Congress don’t clearly define what a cybersecurity threat is, thus allowing broad information sharing between private companies and the government for ill-defined purposes, the EFF said.

The first House bill, the Cyber Intelligence Sharing and Protection Act, allows private companies to share broad information about cyberthreats with government agencies, with no requirement to strip out personal information, said Greg Nojeim, CDT’s senior counsel. The bill, sponsored by Representative Mike Rogers, a Michigan Republican, would allow U.S. agencies to use the information shared by private companies for other national security and law enforcement purposes, in addition to cybersecurity, he said.

The Rogers bill may also allow private companies to take broad countermeasures against attacks, potentially including counterattacks, Nojeim said. The information-sharing bills “trump all privacy laws” in their permission for companies to share information with government agencies, he said.

The Rogers bill contains no privacy oversight, the EFF said. “The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for ‘cybersecurity purposes,'” the EFF said in a blog post. “Just invoking ‘cybersecurity threats’ is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law.”

The Rogers bill has broad support in the House, however, with 106 co-sponsors. Several companies, including AT&T, Microsoft, Facebook, Intel and IBM, have also voiced support. The bill “provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers,” Christopher Padilla, IBM’s vice president of governmental programs, wrote in a November letter to Rogers.

CDT officials raised similar concerns about the Secure IT Act, a bill sponsored by eight Republican senators, including Senator John McCain of Arizona. The McCain bill requires some federal IT contractors to share broad cybersecurity information with the government, CDT said.

A spokesman for McCain disagreed with CDT’s analysis. The Secure IT Act’s sponsors are open to changes to the bill, the spokesman said. “The Secure IT Act does not authorize any new government monitoring or surveillance and only authorizes the sharing of what is narrowly defined as ‘cyber threat information,'” the spokesman said in an email.

A spokesman for Rogers wasn’t immediately available for comment.

With bipartisan support for cybersecurity legislation, there’s a growing pressure in Congress to move forward with a handful of bills, CDT’s Harris said. Leaders in the House have designated the week of April 23 as cybersecurity week, with votes on the Rogers bill and the Precise Act, another information-sharing bill with fewer civil liberties concerns, she said.

CDT also raised some concerns about the Precise Act, an information-sharing bill sponsored by Representative Dan Lungren, a California Republican, and the Cybersecurity Act, sponsored by Senator Joe Lieberman, a Connecticut Independent.

The Lungren bill more narrowly defines what information can be shared between private companies and the government than the Rogers bill, CDT said. But the bill raises concerns because it allows Internet service providers to monitor their subscribers’ communications, and it may allow companies to deploy broad countermeasures against cyberattacks, CDT said.

The Lieberman bill also allows ISPs to monitor subscriber communications, and it allows companies to modify or block traffic to protect against “any action” that could compromise their IT systems, CDT said.