April 13 2012
Cybersecurity bills in Congress threaten citizen privacy
The 62-page consumer privacy report released in February by the Obama White House drafts a framework for addressing data collection on online users by private companies. Yet the administration is turning a blind eye to its own data collection standards. The Obama administration has made great efforts to decrease the amount of privacy that citizens deserve.
Now there’s an attack on citizen privacy coming from Congress in the form of two bills aimed at protecting infrastructure against terrorist attacks. The Electronic Frontier Foundation writes that Rep. Mike Rogers’ Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) and Sen. John McCain’s SECURE IT Act do the opposite of what the bills’ names suggest—instead of protecting privacy, these bills allow unprecedented access to private citizens’ data:
“These ‘cybersecurity’ bills would give companies a free pass to monitor and collect communications, including huge amounts of personal data like your text messages and emails. Companies could ship that data wholesale to the government or anyone else provided they claim it was for ‘cybersecurity purposes.’”
CISPA in the House of Representatives is a complicated bill littered with jargon. What is striking is the first clause of the bill, titled “Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector,” which claims that the intelligence community will be encouraged to share intelligence with private-sector entities. It also surprisingly claims that any information related to security threats will be exempt from disclosure and considered “proprietary information,” meaning that it will belong to a private company and not be disclosed under the Freedom of Information Act or other open government laws. This means that the federal government will potentially be able to claim that there is a cyber security threat and use this information against a person or group, but not have to disclose what this information is.
This is a threat to civil liberties. If used in that capacity, citizens would be denied their right to know what charges are being brought against them.
The Senate SECURE IT Act is similar to the Obama administration’s “consumer bill of rights” in that it claims it wants to encourage voluntary action on the part of private-sector companies. Why legislation is necessary to encourage voluntary actions is unclear. What is clear is that once Congress claims the right to tell private companies what to do with regard to cybersecurity threats, it can claim the right to tell them what to do in other cases. In a vein similar to the weakness of the aforementioned CISPA:
“The Secure IT Act, promoted as a measure to counter cyber attacks, would allow the NSA to collect the internet records of people who are not suspected of doing anything wrong. This unprecedented and broadly worded bill clears the way for internet providers, wireless carriers, and websites to share your personal information with military spy agencies.”
Additionally, the lack of transparency in the processes outlined would make citizens vulnerable to accusations without justification; security can hardly be maintained when one can be accused of wrongdoing and not be presented with the evidence for the accusations.
Both of these bills have provisions that would severely lessen the security that citizens enjoy online. In addition, the existing PATRIOT Act already contains provisions that allow secret courts to provide justification for surveillance of private citizens without having to disclose the reason, and that allow the approval of warrants for electronic monitoring of individuals “for whatever reason.” These bills are one more strike against civil liberties.
So what is the solution? It is possible to draft legislation that accounts for security threats but that allows for transparency in the process and gives options for innocent people to protect themselves against unjustified probing.