Today, the White House released a legislative proposal aimed at enhancing cybersecurity by authorizing new information sharing between the private sector and the government. The White House proposal contains some privacy protections not present in the Cyber Intelligence and Sharing Act (CISPA), legislation passed in the House just prior to the Snowden revelations and reintroduced last week. However, the White House proposal has significant problems regarding law enforcement’s use of Internet users’ information.
“Strong cybersecurity and enhanced coordination between the private sector and government to tackle cyber crimes is essential to protecting our country,” said Harley Geiger, CDT Senior Counsel.
“The White House proposal protects the rights of Internet users more than CISPA in several respects, such as requiring companies to take steps to protect users’ privacy before sharing their communications with the government,” Geiger added. “However, the White House proposal allows companies to share user information with the Department of Homeland Security regardless of any privacy law, and allows Homeland to share that information with other law enforcement agencies for purposes unrelated to cybersecurity.”
“The White House proposal relies heavily on privacy guidelines that are currently unwritten. What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs,” Geiger concluded.
Based on CDT’s review, the White House proposal would:
- Allow companies and government agencies to share any information related to cybersecurity threats, regardless of any other law, with other companies and a cybersecurity center headed by the Department of Homeland Security;
- Continue to allow companies to share information related to cybersecurity threats directly with other federal agencies, such as NSA or FBI, as they can do today under existing law, but companies would not have any additional liability protection if they do so;
- Require companies to take unspecified “reasonable” steps to strip information that would identify a specific person before sharing the information, but only for individuals “reasonably believed to be unrelated to the cyber threat”;
- Require government agencies to create unspecified procedures to anonymize and safeguard information shared with the cybersecurity center; and
- Allow law enforcement to use information shared for cybersecurity purposes to also respond to any “computer crime,” threats of death or bodily harm, any serious threat to a minor, and conspiracy charges for those offenses.