As the widespread criticism of the SOPA/PIPA debacle began to subside with the indefinite shelving of the proposal, Congress continues to consider alternative methods for increasing cybersecurity that damage online privacy. The current draft of the Cybersecurity Information Sharing Act of 2012 attempts to create ‘cybersecurity exchanges’ through which federal agencies and private entities could share confidential information without being subject to laws protecting individual privacy. Jim Harper from the Cato Institute explains his reading of the bill:
Reading over the draft, I was struck by sweeping language purporting to create “affirmative authority to monitor and defend against cybersecurity threats.” To understand the strangeness of these words, we must start at the beginning:
We live in a free country where all that is not forbidden is allowed. There is no need in such a country for “affirmative” authority to act. So what does this section do as it purports to permit private and governmental entities to monitor their information systems, operate active defenses, and such? It sweeps aside nearly all other laws controlling them.
“Consistent with the Constitution of the United States and notwithstanding any other provision of law,” it says (emphasis added), entities may act to preserve the security of their systems. This means that the only law controlling their actions would be the Constitution.
It’s nice that the Constitution would apply, but the obligations in the Privacy Act of 1974 would not. The Electronic Communications Privacy Act would be void. Even the requirements of the E-Government Act of 2002, such as privacy impact assessments, would be swept aside.
The Constitution doesn’t constrain private actors, of course. This language would immunize them from liability under any and all regulation and under state or common law. Private actors would not be subject to suit for breaching contractual promises of confidentiality. They would not be liable for violating the privacy torts. Anything goes so long as one can make a claim to defending “information systems,” a term that refers to anything having to do with computers.
As Harper points out, the open-ended wording of this bill offers little protection for online privacy and essentially allows the government to act in ‘good faith’, without any significant limitations or mechanisms for accountability. This proposal is no better than SOPA or PIPA, which, if passed, would have enabled the government to shut down any websites containing links to online piracy websites where people could download illegal copies of music and movies.
As many have noted, there are good reasons for increased cybersecurity measures, such as safeguarding the nation’s water and power systems, which experts have warned are already susceptible to cyber attacks from hackers. Fears over cyber attacks on systems such as air traffic controllers certainly provide adequate reason for concern. However, improvements in these areas of cybersecurity may be accomplished without creating venues for unregulated sharing of personal information between federal and private entities. Even if preventing the establishment of these ‘cybersecurity exchanges’ increases susceptibility to cyber attacks, that alone is not sufficient grounds for restricting Americans’ liberties under the First and Fourth Amendments protecting free expression and individual privacy.
The bill was introduced into Congress today and is supported by top members of the Senate Commerce, Intelligence, and Homeland Security Committees, among other members of Congress.