CDT: Cybersecurity bills raise major civil liberties concerns

Four bills before Congress would allow private companies to share cyberthreat information

A group of cybersecurity bills that the U.S. Congress may soon vote on contain serious privacy and civil liberties flaws, with some of the bills allowing private companies to share a wide range of their customers' online communications with government agencies, the Center for Democracy and Technology said.

The U.S. House of Representatives could vote later this month on two bills focused on encouraging private companies and the government to share cyberthreat information with each other, even though there are major civil liberties concerns with one of the bills and some outstanding questions about the second, CDT officials said during a press briefing Wednesday.

The Senate may vote on information-sharing legislation in May, CDT officials said. CDT raised concerns about four information-sharing bills, all of which would provide legal protections for private companies that share cyberthreat information with government agencies.

"[If] you look at most of these bills closely, you'll see that there are extraordinarily complex civil liberties problems in virtually every one of these bills," said Leslie Harris, CDT's president and CEO.

The Electronic Frontier Foundation has similar criticisms of the cybersecurity bills. Most of the information-sharing bills before Congress don't clearly define what a cybersecurity threat is, thus allowing broad information sharing between private companies and the government for ill-defined purposes, the EFF said.

The first House bill, the Cyber Intelligence Sharing and Protection Act, allows private companies to share broad information about cyberthreats with government agencies, with no requirement to strip out personal information, said Greg Nojeim, CDT's senior counsel. The bill, sponsored by Representative Mike Rogers, a Michigan Republican, would allow U.S. agencies to use the information shared by private companies for other national security and law enforcement purposes, in addition to cybersecurity, he said.

The Rogers bill may also allow private companies to take broad countermeasures against attacks, potentially including counterattacks, Nojeim said. The information-sharing bills "trump all privacy laws" in their permission for companies to share information with government agencies, he said.

The Rogers bill contains no privacy oversight, the EFF said. "The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for 'cybersecurity purposes,'" the EFF said in a blog post. "Just invoking 'cybersecurity threats' is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law."

The Rogers bill has broad support in the House, however, with 106 co-sponsors. Several companies, including AT&T, Microsoft, Facebook, Intel and IBM, have also voiced support. The bill "provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers," Christopher Padilla, IBM's vice president of governmental programs, wrote in a November letter to Rogers.

CDT officials raised similar concerns about the Secure IT Act, a bill sponsored by eight Republican senators, including Senator John McCain of Arizona. The McCain bill requires some federal IT contractors to share broad cybersecurity information with the government, CDT said.

Representatives of Rogers and McCain did not immediately return messages seeking comment on CDT's concerns.

With bipartisan support for cybersecurity legislation, there's a growing pressure in Congress to move forward with a handful of bills, CDT's Harris said. Leaders in the House have designated the week of April 23 as cybersecurity week, with votes on the Rogers bill and the Precise Act, another information-sharing bill with fewer civil liberties concerns, she said.

CDT also raised some concerns about the Precise Act, an information-sharing bill sponsored by Representative Dan Lungren, a California Republican, and the Cybersecurity Act, sponsored by Senator Joe Lieberman, a Connecticut Independent.

The Lungren bill more narrowly defines what information can be shared between private companies and the government than the Rogers bill, CDT said. But the bill raises concerns because it allows Internet service providers to monitor their subscribers' communications, and it may allow companies to deploy broad countermeasures against cyberattacks, CDT said.

The Lieberman bill also allows ISPs to monitor subscriber communications, and it allows companies to modify or block traffic to protect against "any action" that could compromise their IT systems, CDT said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
