Though Flawed, The Homeland Security Committee’s Cybersecurity Bill Protects Privacy Better Than Other Information Sharing Bills

This week, the
House of Representatives will vote on two bills that would authorize companies
to share information about cyber threats with the government and with one
another. Yesterday, over the strong
opposition of New America’s Open Technology Institute, along with dozens
of other organizations and security
experts, it passed the Intelligence Committee’s Protecting Cyber Networks
Act (PCNA,
H.R. 1560). Today, it will vote on the Homeland Security Committee’s
National Cybersecurity Protection Advancement Act of 2015 (NCPAA,
H.R. 1731). Though some serious concerns remain, and we oppose both bills, when
it comes to protecting privacy, the NCPAA is superior to the PCNA.

Under the NCPAA,
companies would be authorized to share so-called “cyber threat indicators” with
the government. Compared to the PCNA, the NCPAA would do a better job of
protecting personal information from being shared with the government by more
narrowly defining the term “cyber threat indicators” and thereby more narrowly
limiting the scope of information to be disclosed.

Once the
government receives information under the NCPAA, it would be permitted to use
it only for cybersecurity purposes. Unlike under PCNA, law enforcement agencies
could not use the information to investigate crimes that have nothing to do
with cybersecurity. This limitation is critically important to ensuring that
this cybersecurity bill doesn’t become a backdoor for general-purpose
cyber-surveillance.

The NCPAA is
also an upgrade over the PCNA because it effectively cements civilian control
over domestic cybersecurity. It does not include a requirement that DHS
automatically disseminate all of the information it receives to the National
Security Agency (NSA).

The PCNA fails to protect privacy on all of these counts, and this week,
OTI joined a coalition of 55 civil society groups, security experts, and
academics in a letter voicing our strong opposition.

First, its
definition for cyber threat indicator is broader than the definition in the
NCPAA, so companies would be able to share more personal information with the
government.

Even worse, the
PCNA would authorize the government to use any of the information it receives
to prevent, investigate, and prosecute a vast array of crimes the have nothing
to do with cybersecurity. Those crimes
range the gamut from terrorism to carjacking and arson to garden-variety
violent crimes. These excessive use authorizations not only seriously threaten
Americans’ privacy, they also make the PCNA as much a cyber-surveillance bill as
it is a cybersecurity bill.

Finally, the PCNA
would undermine civilian control of cybersecurity information sharing because
it would require the government to automatically disseminate to the NSA every
indicator companies share with it. This would vastly increase the NSA’s access
to Americans’ personal information.

Neither bill is
perfect. They both take the over-broad approach of authorizing information
sharing “notwithstanding any other provision of law.” They could also harm
privacy by authorizing companies to engage in blanket monitoring of their users’
activities, so long as it is for cybersecurity purposes. Finally, both
authorize companies to deploy defensive measures, previously referred to as countermeasures,
which would otherwise be illegal under current anti-hacking statutes like the
Computer Fraud and Abuse Act. These measures could harm innocent third parties
and may actually undermine Internet security rather than enhance it.

Those serious concerns
aside, the NCPAA is still better than the PCNA when it comes to protecting
Americans’ privacy and establishing effective civilian control over a new
cybersecurity information sharing regime. However, we oppose both bills, as
well as the other cybersecurity information sharing bills currently on the
table.