CISPA Redux: New Cybersurveillance Bill Passes House
— Op Cyber Privacy (@OpCyberPrivacy) April 23, 2015
If enacted the law would allow customer information from private companies to be shared with the government with minor to nonexistent restraints. Another bill making its way through the House – the National Cybersecurity Protection Advancement Act (NCPA) – will setup the Department of Homeland Security as the federal agency coordinating the information sharing. Not surprisingly, privacy and cybersecurity advocates are calling the bill a disaster and warning that it will do more harm than good. Before the passage of the bill a letter signed by 55 civil society organizations, security experts and academics, called on House members to vote no on PCNA citing major concerns that the bill would:
· Authorize companies to significantly expand monitoring of their users’ online activities, and permit sharing of vaguely defined “cyber threat indicators” without adequate privacy protections prior to sharing: This could result in the unnecessary scrutiny of innocent Internet users online activities, and sharing of their personal information, and information about that Internet use, including content of their online communications.
· Require federal entities to automatically disseminate to the NSA all cyber threat indicators they receive, including personal information about individuals: This requirement fails to effectively cement civilian control of domestic cybersecurity information sharing and could vastly and unnecessarily increase the NSA’s access to innocent users’ information.
· Authorize overbroad law enforcement uses that go far outside the scope of cybersecurity: Law enforcement would be allowed to use cyber threat indicators to investigate crimes and activities that have nothing to do with cybersecurity, such as robbery, arson, carjacking, or any threat of serious bodily injury or death, regardless of whether the harm is imminent. The use authorizations included in this bill undermine traditional due process protections, and turn PCNA into a cyber-surveillance bill rather than a cybersecurity bill; and
· Authorize companies to deploy invasive countermeasures, euphemistically called “defensive measures”: The authorization for deploying defensive measures is narrower than in other bills, however PCNA still authorizes an entity to deploy a defensive measure that gains unauthorized access to computer systems of innocent third parties who did not perpetrate the threat, an action that would otherwise violate the Computer Fraud and Abuse Act. It may also authorize defensive measures that unintentionally harm innocent third parties.
Much like the retroactive immunity for the telcom companies participating in President Bush’s unconstitutional domestic spying program, this bill will legalize some activity that is likely already happened. But with the legal barriers/liability gone it will be open season on internet users’ private information.
In one sense this bill deregulates the data market, now everyone is for sale.