Skip to story The U.S. Capitol building in Washington, DC. Bill Clark/Getty Images
Congress is hellbent on passing a cybersecurity bill that can stop the wave of hacker breaches hitting American corporations. And they’re not letting the protests of a few dozen privacy and civil liberties organizations get in their way.
On Wednesday the House of Representatives voted 307-116 to pass the Protecting Cyber Networks Act, a bill designed to allow more fluid sharing of cybersecurity threat data between corporations and government agencies. That new system for sharing information is designed to act as a real-time immune system against hacker attacks, allowing companies to warn one another via government intermediaries about the tools and techniques of advanced hackers. But privacy critics say it also threatens to open up a new backchannel for surveillance of American citizens, in some cases granting the same companies legal immunity to share their users’ private data with government agencies that include the NSA.
“PCNA would significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” reads a letter signed earlier this week by 55 civil liberties groups and security experts that includes the American Civil Liberties Union, the Electronic Frontier Foundation, the Freedom of the Press Foundation, Human Rights Watch and many others.
“The revelations of the past two years concerning the intelligence community’s abuses of surveillance authorities and the scope of its collection and use of individuals’ information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous,” the letter continues. “[PCNA] fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”
Specifically, PCNA’s data-sharing privileges let companies give data to government agencies—including the NSA—that might otherwise have violated the Electronic Communications Privacy Act or the Wiretap Act, both of which restrict the sharing of users’ private data with the government. And PCNA doesn’t even restrict the use of that shared information to cybersecurity purposes; its text also allows the information to be used for investigating any potential threat of “bodily harm or death,” opening its application to the surveillance of run-of-the-mill violent crimes like robbery and carjacking.
“This is little more than a backdoor for general purpose surveillance.”
Congressman Adam Schiff, who led the advocacy for the bill on the House floor, argued in a statement to reporters that PCNA in fact supports privacy by protecting Americans from future hacker breaches. “We do this while recognizing the huge and growing threat cyber hacking and cyber espionage poses to our privacy, as well as to our financial wellbeing and our jobs,” he writes.
“In the process of drafting this bill, protecting privacy was at the forefront throughout, and we consulted extensively with privacy and civil liberties groups, incorporating their suggestions in many cases. This is a strong bill that protects privacy, and one that I expect will get even better as the process goes forward—we expect to see large bipartisan support on the Floor.”
Here’s a video of Schiff’s statement on the House floor:
PCNA does include some significant privacy safeguards, such as a requirement that companies scrub “unrelated” data of personally identifying information before sending it to the government, and that the government agencies pass it through another filter to delete such data after receiving it.
But those protections still don’t go far enough, says Robyn Greene, policy counsel for the Open Technology Institute. Any information considered a “threat indicator” could still legally be sent to the government—even, for instance, IP address innocent victims of botnets used in distributed denial of service attacks against corporate websites. No further amendments that might have added new privacy restrictions to the bill were considered before the House’s vote Wednesday. “I’m very disappointed that the house has passed an information sharing bill that does so much to threaten Americans’ privacy and civil liberties, and no real effort was made to address the problems the bill still had,” says Greene. “The rules committee has excluded amendments that would have resolved privacy concerns…This is little more than a backdoor for general purpose surveillance.”
In a surprise move yesterday, the White House also publicly backed PCNA and its Senate counterpart, the Cybersecurity Information Sharing Act in a statement to press. That’s a reversal of its threat to veto a similar Cybersecurity Information Sharing and Protection Act in 2013 over privacy concerns, a decision that all but killed the earlier attempt at cybersecurity data sharing legislation. Since then, however, a string of high-profile breaches seems to have swayed President Obama’s thinking, from the cybercriminal breaches of Target and health insurer Anthem that spilled millions of users’ data, to the devastating hack of Sony Pictures Entertainment, which the FBI has claimed was perpetrated as an intimidation tactic by the North Korean government to prevent the release of its Kim Jong-un assassination comedy the Interview.
If the White House’s support stands, it now leaves only an upcoming Senate vote sometime later this month on the Senate’s CISA as the deciding factor as to whether it and PCNA are combined to become law.
But privacy advocates haven’t given up on a presidential veto. A new website called StopCyberspying.com launched by the internet freedom group Access, along with the EFF, the ACLU and others, includes a petition to the President to reconsider a veto for PCNA, CISA and any other bill that threatens to widen internet surveillance.
OTI’s Greene says she’s still banking on a change of heart from Obama, too. “We’re hopeful that the administration would veto any bill that doesn’t address these issues,” she says. “To sign a bill that resembles CISA or PCNA would represent the administration doing a complete 180 on its commitment to protect Americans’ privacy.”