March 26, 2015
Washington, DC - This morning, the House Permanent Select Committee on Intelligence unanimously approved its cybersecurity information sharing bill called the “Protecting Cyber Networks Act (PCNA).” The Committee failed to make significant changes that were necessary to better protect Americans’ privacy, and to ensure that the broad info-sharing authorized under the bill would not become a backdoor for government surveillance. The Committee somewhat narrowed the bill’s broad authorization for private actors to deploy defensive countermeasures against computer intruders, but that provision is still broad enough that the measures it would authorize could actually undermine Internet security rather than enhance it. The bill also strengthened the requirement to remove personal information, though it would still allow companies to share some unnecessary personal information with the government, which could then use all personal information it receives for a myriad of criminal investigations that have nothing to do with cybersecurity.
The PCNA draws largely upon the Cybersecurity Information Sharing Act (CISA), which OTI, along with a coalition of 47 other privacy advocates and security experts, strongly opposes (see our analysis here).
The “Protecting Cyber Networks Act”:
Authorizes companies to share excessive amounts of information with one another and with the government;
Strengthens the requirement to remove personal information, but still fails to effectively require companies to remove all unnecessary personal information before sharing anything with the government;
Requires the government agency that receives information from companies to automatically and indiscriminately share everything it receives with military and intelligence agencies, including the National Security Agency, the Central Intelligence Agency, and the Office of the Director of National Intelligence;
Authorizes the federal government to use information it receives under this bill for purposes far outside the scope of identifying and investigating cybersecurity threats, including investigations into and garden-variety violent crimes, regardless of whether that crime is imminent;
Authorizes state and local law enforcement to use information it receives to investigate and prosecute threats of death or serious bodily injury, regardless of whether that threat is imminent;
Authorizes companies to monitor all of the activities and communications of all of their users to identify threats to any system anywhere;
Provides sweeping liability protections for companies that undermine what limited privacy requirements the bill sets forth, and offers customers who are harmed by companies’ negligent monitoring or sharing of their information no recourse to redress the harm; and
Authorizes companies to act as vigilantes by deploying vaguely-defined defensive countermeasures. While the authorization to deploy defensive measures is narrower than it is in CISA, it could still have unintentional destructive effects on innocent bystanders’ computer networks, or devices connected to their networks.
A redline of the Committee-approved bill is available here.
The House of Representatives is expected to vote on the Protecting Cyber Networks Act in April.
“The Protecting Cyber Networks Act would explicitly undermine every rule that is currently in place to protect Americans’ Internet privacy, and replaces them with dangerously weak protections. It would massively increase companies’ monitoring of our online communications and activities, and give them a nearly blank check to share that information with the government. Once all of that information is in the NSA and FBI’s hands, it could be used in investigations that have absolutely nothing to do with cybersecurity,” said Robyn Greene, Policy Counsel at New America’s Open Technology Institute. “This bill is a cyber-surveillance bill at least as much as it is a cybersecurity bill, and it is written so broadly that it could wind up making the Internet less safe. Instead of authorizing companies to funnel even more of Americans’ information to the NSA, Congress should be figuring out how to reform the surveillance authorities that currently allow the NSA to vacuum up every American’s phone records.”