March 24, 2015
Washington, DC - This afternoon, the House Permanent Select Committee on Intelligence introduced its cybersecurity information sharing bill called the “Protecting Cyber Networks Act.” Like, the Cybersecurity Information Sharing Act (CISA), its counterpart from the Senate Select Committee on Intelligence, the Protecting Cyber Networks Act fails to protect privacy, could undermine Internet security, and would do more to increase cyber-surveillance than to enhance cybersecurity.
This bill draws largely upon CISA, which OTI strongly opposed (see our analysis here), along with a coalition of 47 other privacy advocates and security experts.
The “Protecting Cyber Networks Act”:
· Authorizes companies to share excessive amounts of information with one another and with the government;
· Fails to effectively require companies to remove unnecessary personal information before sharing anything with the government;
· Authorizes the federal government to use information it receives under this bill for purposes far outside the scope of identifying and investigating cybersecurity threats, including investigations into and garden-variety violent crimes, regardless of whether that crime is imminent;
· Authorizes state and local law enforcement to use information it receives to investigate and prosecute any felony.
· Requires the government agency that receives information from companies to automatically and indiscriminately share everything it receives with military and intelligence agencies, including the National Security Agency and the Office of the Director of National Intelligence;
· Authorizes companies to monitor any of the activities and communications of their users to identify threats to any system anywhere;
· Provides sweeping liability protections for companies that undermine what limited privacy requirements the bill sets forth, and offer customers who are harmed by companies’ negligent monitoring or sharing of their information no recourse to redress the harm; and
· Authorizes companies to act as vigilantes by deploying defensive measures, also commonly known as countermeasures. While the authorization to deploy defensive measures is narrower than it is in CISA, it could still have unintentional destructive effects on innocent bystanders’ computer networks, or devices connected to their networks.
The House Permanent Select Committee on Intelligence is expected to consider and approve the Protecting Cyber Networks Act on Thursday, March 26, 2015.
“Like CISA, the Protecting Cyber Networks Act will significantly increase cyber-surveillance, and it may even undermine cybersecurity rather than enhance it,” said Robyn Greene, Policy Counsel at New America’s Open Technology Institute. “The House Intelligence Committee’s bill will open the digital floodgates, letting massive amounts of Americans’ personal information flow to the NSA and other intelligence agencies, without even the court oversight that other surveillance authorities are subject to. That information could then be used to investigate a vast array of garden-variety violent crimes that have nothing to do with cybersecurity.”
“It’s unbelievable that the Congressional committees charged with overseeing our intelligence agencies are working to further empower the NSA with dangerously overbroad information sharing legislation, rather than acting to rein in the NSA mass surveillance programs that were revealed nearly two years ago,” Greene continued. “Supporters of the Senate and House Intelligence Committees’ cybersecurity information sharing bills should expect fierce and vocal opposition from privacy advocates and security experts, especially if it gets a vote before strong surveillance reforms are enacted.”