General, Security

Congress Deals Two Blows to Internet Privacy

  • March a Bad Month for User Privacy
  • PCNA a Better Bill
  • Committee Chairman: Actually, it’s OK
  • Not all Bad News
  • Here’s the Catch
  • A Company that Cares About Privacy

March a Bad Month for User Privacy

During March, people who believe in an ordinary user’s fundamental right to data privacy came out swinging against the Senate’s Cybersecurity Information Sharing Act (CISA) – saying that despite the theme of protection suggested by the title, the actual purpose of the bill is to increase the American government’s ability to spy on its own citizens.

Those voices of dissent were unconvincing to members of a Senate committee, who voted 14-1 in its favor. Now a House committee has its own version of CISA. Called the Protecting Cyber Networks Act (PCNA), it passed on March 26.

At first glance, these bills seem security-focused. Like PCNA, CISA would allow firms to hand over any hacking details to the federal government, who could then disperse the information to other companies that might be affected. However, proponents argue that the two pieces of legislation make it more likely that for-profit organizations would hand over personal data on their customers to the NSA and other internal US spy groups.

PCNA a Better Bill

Although the House bill was ostensibly an improved rewriting of CISA, privacy analysts are not impressed with PCNA.

“You have pretty much non-existent privacy protections, along with new powers to spy on and monitor users,” explains Electronic Frontier Foundation legal advisor Mark Jaycox, “all while being provided broad immunity.”

According to Robyn Greene, legislative attorney for the Open Technology Institute, the law would make it easier for data to flow into the Office of the Director of National Intelligence and the NSA, disregarding civil rights outlined in the Privacy Act of 1974 and the Electronic Communication Privacy Act of 1986. CISA and PCNA additionally make it possible for federal agents to use the information they collect beyond its stated technological purposes to build cases against any violent offender.

To some extent, PCNA is friendlier to government spying. While each bill authorizes the transfer of information related to potential violence, the House version doesn’t necessitate urgency.

“That means they can use this to investigate a lot of crimes that may not even be happening imminently or threatening anyone’s life,” comments Greene, adding that it allows law enforcement – even at the state and local levels – to gather data using a wide net and look through it to find evidence that would allow them to predict crimes.

The basic argument of the bill itself, although it’s not how it’s been presented by lawmakers, is that privacy should be sacrificed in the name of protection from cyberattacks and bodily harm.

Committee Chairman: Actually, it’s OK

Congressman David Nunes, chairman of the intelligence committee, said that the bill will protect American IT systems against hackers, who are developing more sophisticated approaches all the time. He additionally argued that support for the bill was bipartisan and that its privacy safeguards were substantial.

The chairman’s mention of privacy is an indication that those who spoke out about the privacy failings of CISA were not completely unheard. Also, additional language was added to make it sound as if the legislation was anti-spying, stating that PCNA does not give unbridled permission to the NSA, Pentagon, or any other entity to spy on a particular individual.

However, disallowing the government from pinpointing specific people for surveillance is not a firm privacy guideline, according to ACLU lawyer Gabe Rottman. PCNA doesn’t include a rule that would make it unlawful for the Department of Homeland Security to forward information to various intelligence bureaus.

Regardless of the nod to privacy concerns, “Unfortunately the underlying mechanism whereby sensitive personal information shared with the government flows to military and intelligence agencies is still there,” says Rottman.

Not All Bad News

One element of PCNA is a step in the right direction, according to Greene. In that House bill, firms must remove all sensitive personal data that is irrelevant to hacking prior to transferring it to Homeland Security. CISA disallows companies from giving any private user details to the government that they “know” to contain identifying data on unrelated users, while PCNA disallows corporations from transferring anything they “reasonably believe” to include such information.

Although it is a minimal language change, PCNA’s use of the notion of reasonability instead of knowledge means that firms won’t be able to send as much sensitive data to the government.

Here’s the Catch

The problem is that sensitive details can be sent en masse if hacking occurs – and we all know that hacking is on the rise.

“If I’m one of a million victims of a botnet, and an internet service provider is sending the government all the ‘threat indicators’ associated with that botnet,” Greene says, “that could include information about every one of those victims.”

The two bills should reach the floors of Congress by the end of April.

A Company that Cares About Privacy

At Superb, we believe essentially in the privacy of our users’ data. That’s just one of the reason why our customers love us.

By Kent Roberts