WASHINGTON, D.C. -- Sharon Bradford Franklin, senior policy counsel at The Constitution Project (TCP), offered the following comments on the reintroduction today of the Cyber Intelligence Sharing and Protection Act (CISPA) in the U.S. House of Representatives:
"The safeguards for privacy rights and civil liberties contained in this cybersecurity bill are woefully inadequate. If passed in its current form, it would allow companies that hold sensitive personal information to share it with the federal government, including with agencies that have a history of domestic spying, which could then potentially use the information for purposes totally unrelated to cybersecurity.
"While the goal of protecting our nation's networks from cyberattacks is a laudable one, Congress must also address the very real threat this legislation poses to Americans' privacy rights and civil liberties."
The purpose of the legislation is to promote public-private cooperation in providing cybersecurity. The bill would allow the government to provide otherwise potentially restricted information about cyberthreats to private sector companies, and would in turn facilitate private companies -- such as Facebook, Google or internet service providers -- sharing information about their networks, possibly including sensitive personal information or the content of emails, with federal authorities.
Franklin suggested the legislation should be amended to:
- Ensure that civilian agencies, and not military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command, are the recipients of cyber threat information submitted by private companies;
- Require that private companies make reasonable efforts to remove information that can be used to identify specific individuals before they are allowed to share private data with the government;
- Prohibit the government from using the private information shared with it for national security purposes unrelated to cybersecurity, and thereby ensure that this program does not expand beyond its stated cybersecurity purposes to become a means for the government to collect and use vast quantities of constitutionally protected personal information; and
- Require the government to develop policies and procedures to minimize the impact of the program on privacy and civil liberties.
Franklin noted that the bill introduced today is virtually identical to the Cyber Intelligence Sharing and Protection Act (H.R.3523) passed by the House in the last Congress. TCP joined a number of other privacy and civil liberties groups to oppose that legislation.
Yesterday, President Obama issued an executive order that directs federal agencies to work with the private sector to facilitate improved cybersecurity within the confines of existing federal laws. The president cannot override existing privacy laws with an executive order, and the order focuses on the provision of cybersecurity information from the government out to the private sector. In addition, the order explicitly requires federal agencies to develop privacy and civil liberties protections based upon the Fair Information Practice Principles (FIPPs), widely recognized guidance for robust privacy safeguards. As a result, the executive order poses far fewer threats to Americans' privacy rights than does CISPA, but Franklin said TCP would monitor its implementation.
TCP released its Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy in 2012.