On Friday, Congress will vote on a mutated version of security threat sharing legislation that had previously passed through the House and Senate. These earlier versions would have permitted private companies to share with the federal government categories of data related to computer security threat signatures. Companies that did so would also receive legal immunity from liability under the Electronic Communications Privacy Act (ECPA) and other privacy laws. Today’s language, renamed the Cybersecurity Act of 2015 (Division N of the omnibus budget bill), mostly assembles the worst parts of the earlier bills to threaten privacy even further.
We have about two days to figure out what this so-called Cybersecurity Act (OmniCISA) means for consumer privacy in the US. That unfortunate timing is thanks to Speaker Paul Ryan’s decision to include language announced at 2am this morning as part of a must-pass spending bill scheduled for a vote Friday.
Tom Wheeler, Chair of the Federal Communications Commission (FCC), and Edith Ramirez, Chair of the Federal Trade Commission (FTC) might want to call on Speaker Ryan to pull the OmniCISA language from the spending bill and allow more time for debate. That’s because the bill as written appears to interfere with both agencies’ authority to issue privacy rules that would protect Americans from spying by the entities that have the most comprehensive access to our private data, our Internet Service Providers (ISPs). Here’s why.
OmniCISA says that:
Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—
(A) an information system of such private entity; …
(D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for “cybersecurity purposes.”
Earlier this year, the FCC issued an Open Internet Order that classified Internet broadband service as a Title II service for network neutrality reasons. Subsequently, in May, the FCC announced that its Open Internet Order “applies the core customer privacy protections of Section 222 of the Communications Act” — which requires that providers “shall only use, disclose, or permit access to individually identifiable customer proprietary network information” in the provision of services. Experts anticipate that the agency will conduct a rulemaking to set more explicit privacy rules to protect Americans and to give providers more guidance.
Some fuss has been made about the turf war burbling up between the FCC and the Federal Trade Commission (FTC), which traditionally enforced consumer privacy rights prior to the Open Internet Order and reclassification. Last month, the two agencies announced a Memorandum of Understanding For Continued Cooperation on Consumer Protection Issues to detail how they would work together on this issue. The Memorandum makes clear that the agencies believe the FTC can protect consumer privacy by addressing non-common carrier activities engaged in by common carriers, even as the FCC regulates common carriers’ privacy practices.
It appears that OmniCISA is trying to stake out a category of ISP monitoring that the FCC and FTC can’t touch, regardless of its privacy impact on Americans.
This section of OmniCISA would not only interfere with future privacy regulations; it also limits the few privacy rules we currently have.
The Wiretap Act is a provision of law that conditions the ability of telephone companies and Internet Service Providers to monitor the private messages that flow over their networks. The Wiretap Act says that these wire and electronic communications service providers can “intercept, disclose, or use that communication in the normal course of … employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service” (emphasis added). Similarly, ECPA allows providers to access stored information, and then to voluntarily share it for the same reasons. This language allows providers to conduct some monitoring of their systems for security purposes — to keep the system up and running and to protect the provider.
But it appears OmniCISA would waive these provisions of the Wiretap Act and ECPA. Why do that except to expand that ability to monitor for broader “cybersecurity purposes” beyond the legal ability providers already have to intercept communications in order to protect service, rights, or property?
So this bill isn’t just about threat information sharing; it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.
The essence of CISA and OmniCISA is to allow private entities to give the federal government categories of data that could be called cyber threat information in exchange for legal immunity for sharing that information, even if it includes private personal information. I’ve written here that a good information sharing bill should be clear about what types of information we are talking about sharing in the name of enhanced security practices. Vulnerability information means software flaws, virus signatures, threat signatures and the like. Security experts agree that private data, the kind protected by ECPA and other privacy laws, is only rarely needed for such reports. Nevertheless, OmniCISA would allow for sharing personally identifiable information by default and gives companies that share liability protection even if there’s no need to share the private data.
I’ve also written (back in 2012!) that these “notwithstanding any other law” threat sharing bills will interfere with the ability of states, especially California and New York, to protect consumers and consumer privacy with statutes regulating the collection, use and disclosure of sensitive information. Such California laws include CalECPA, Shine the Light notifications, Smart Meter utility data protection, the Financial Information Privacy Act, the Reader Privacy Act, Security of Personal Information Law, and more.
Information sharing, generally a good thing, is nevertheless not going to make a huge cybersecurity difference. Security experts and a bipartisan coalition of privacy groups told Congress that we don’t need to waive communications privacy laws — as OmniCISA does — to promote sharing of threat signatures. So why are we sacrificing even more American privacy on this altar? It’s amazing that, given all we are learning about government surveillance, Congress will actually vote to expand the federal government’s capacity to obtain personal data from private companies without a court order.
Several civil liberties groups and individuals have written about their concerns with this bill and I share some of those links below.
- R Street: Don’t include CISA in omnibus
- Robyn Greene of New America’s Open Technology Institute on the politics and privacy substance of the bill: Omnibus Funding Bill Is a Privacy and Cybersecurity Failure
- Marcy Wheeler of Emptywheel on provisions that would cripple the tiny Privacy and Civil Liberties Oversight Board’s ability to explore whether US covert activities harm Americans’ rights: Shorter Devin Nunes: There Are Privacy-Violating Covert Counter-Terrorism Programs We’re Hiding
- Fight for the Future: BREAKING: CISA-like cyber surveillance added to must-pass “omnibus” budget bill, gutted of privacy protections