Next week is "Cyber Week" in the House, and two deeply flawed bills are heading to the floor that would further undermine the privacy of every American’s data. These bills are intended to address the very real problem of companies having their databases hacked and their information stolen, but fail to adequately ensure that your personal information is protected when companies send information about these cyber attacks to the government.
Hackers are a real menace, stealing sensitive business files and millions of Americans’ passwords, financial records, and other sensitive data. The proponents of these bills argue that they will facilitate communication between companies that suffer these attacks and the government agencies that fight back against these often state-sponsored and well-funded cyber criminals. The two House bills that are supposed to accomplish this are the National Cybersecurity Protection Advancement Act (H.R. 1731) and the Protecting Cyber Networks Act (H.R. 1560).
In a letter to Congress, several dozen cybersecurity experts laid out their major concerns with both bills, as well as with the Senate’s similar proposal, the Cybersecurity Information Sharing Act (CISA). The biggest issue they raise is that the bills allow the government to collect far more data than would actually be needed to investigate the source of these online attacks, including the private user information stored in these companies’ databases. That information is then shared with the National Security Agency (NSA), which means this information sharing bill starts to look more like a surveillance bill.
In order to ensure the privacy of this sensitive data, the cybersecurity experts recommended that at the bare minimum the companies sharing this information should be required to scrub all personally identifying information (PII), and that the data’s use be restricted to "securing systems". Unfortunately, neither bill fully guarantees the removal of this PII, and both would allow the government to share the cyber threat data across multiple agencies, including potentially the NSA.
Both bills also appear to allow this cyber threat information to be used to investigate crimes other than cyber attacks, which raises due process concerns in addition to privacy concerns.
A large number of civil liberties and digital privacy groups have also expressed major concerns about these bills. Hopefully Congress will hear their concerns and amend the bills to protect Americans’ privacy. H.R. 1731, in particular, could be made acceptable with a few amendments. FreedomWorks has signed a coalition letter that suggests edits that would need to be made to the National Cybersecurity Protection Advancement Act in order for the bill to be acceptable.
UPDATE: FreedomWorks has signed onto a coalition letter in opposition to H.R. 1560, the Protecting Cyber Networks Act, urging representatives to vote against this dangerously invasive bill.