Earlier this week the White House released a legislative proposal aimed at enhancing cybersecurity by authorizing new information sharing between the private sector and the government. The White House proposal contains important privacy protections not present in CISPA and CISA – bills which ignored the public outcry for reform of NSA surveillance over Americans. However, the White House proposal relies heavily on privacy guidelines and use restrictions that are currently unwritten, leaving unanswered questions about their effectiveness.
White House Proposal Stands Above CISPA on NSA Sharing, But By an Inch or a Mile?
The White House proposal would require companies to take reasonable steps to filter out information related to innocent persons before sharing it for cybersecurity purposes. This front-end protection is a critical distinction from CISPA, the House bill passed just prior to the Snowden disclosures. The White House proposal also requires federal agencies to establish privacy procedures for the disclosure, receipt, use, and retention of information shared for cybersecurity.
The White House proposal also takes a key step forward from CISPA in requiring application of privacy guidelines before sharing with agencies outside the Department of Homeland Security (DHS) – including the NSA – can occur. This is an another important distinction from CISPA, which permits real-time sharing of communications with NSA. Required application of privacy protections in favor of real-time or automatic sharing within government should be a foundation for cybersecurity proposals in Congress.
However, these privacy protections – destruction of irrelevant information, anonymizing information retained, and penalties for privacy violations – have yet to be developed by DHS and other federal agencies. The White House’s proposal does not elaborate on what specific privacy policies and procedures must be established, nor does the proposal set a timeline for their implementation. What these procedures ultimately require and when they are enacted will determine whether the information sharing system is protective of privacy, or whether it is essentially a backdoor wiretap.
This is disappointing because it means, in practice, the White House proposal could be an inch or a mile from CISPA in protecting Americans’ communications. Greater clarity and guarantees of privacy protection are needed before any information sharing should begin. New cybersecurity policy should not force Internet users to choose between being hacked by cyber criminals and being snooped on by NSA.
Funneling Americans’ shared communications to NSA, as CISPA would permit, is not only problematic for privacy, it also appears unnecessary for security. During a House Intelligence Committee hearing on cybersecurity last November, NSA Director Mike Rogers stated that in the context of network defense, “This is not what we want to see. I don’t want to see people’s personal data,” and that including such information in cyber threats shared “would be a negative for us. It will lead to a slower sharing of information.”
Other Provisions Offer Improvements, But Serious Questions Remain
The White House proposal allows law enforcement to use information shared for cybersecurity for other purposes. Specifically, law enforcement can use shared information for investigation and prosecution of 1) computer crimes, 2) threats of death or serious bodily harm, 3) serious threats to minors, or 4) conspiracy charges for those offenses. This is a strong improvement over the White House’s 2011 proposal. However, there are still significant issues that should be addressed. “Computer crime” is undefined, there is no requirement that the threat of bodily harm be imminent, and the inclusion of conspiracy could implicate innocuous online communications. Further, the restrictions on law enforcement use must also be established through unwritten procedures with no timeline for enactment. As with the privacy procedures, the law enforcement use restrictions ought to be in place before information sharing begins.
While the White House proposal requires companies to take “reasonable efforts” to remove PII before sharing it with the government, it is unclear whether this protection applies broadly enough. The proposal only requires companies to take any steps to strip PII of individuals “reasonably believed to be unrelated to the cyber threat.” This could leave victims and individuals whose computers are co-opted to spread attacks – who are certainly “related” to the threat – unprotected. Legislation should require reasonable efforts to strip out irrelevant PII of all individuals other than perpetrators of a cyber attack.
The White House proposal is considerably more privacy protective than other major cybersecurity legislation in play, such as CISPA and CISA. Still, more can and must be done if we are to develop policy on cybersecurity that ensures Internet users online activities are safe, secure, and private.