Monday, July 21, 2014

Groups say information-sharing CISA bill would threaten individual privacy


A group of privacy organizations has written a letter to Congress saying that a newly released draft version of a bill, the Cybersecurity Information Sharing Act of 2014 (CISA), which aims to improve private and public sector sharing of cyber threat information, could pose a major risk to individuals' privacy.
The bill would threaten privacy by creating a free flow of threat information between the Department of Homeland Security and intelligence agencies including the National Security Agency (NSA), the letter states. There are not enough protections on how the government can use threat data obtained, according to the letter, which was written to bill authors Dianne Feinstein (D-CA), chair of the Senate Select Committee on Intelligence, Committee Vice Chairman Saxby Chambliss (R-GA), and other committee members.
There are also inadequate measures to protect personally identifiable information, according to the authors, who included dozens of privacy groups such as the Center for Democracy and Technology, the American Civil Liberties Union, and the Electronic Frontier Foundation.
“In the year since Edward Snowden revealed the existence of sweeping surveillance programs, authorized in secret and under classified and flawed legal reasoning, Americans have overwhelmingly asked for meaningful privacy reform and a roll back of the surveillance state created since passage of the Patriot Act. This bill would do exactly the opposite,” the letter states.
The bill could also allow federal agencies to use information for investigations and prosecutions without providing sufficient accountability. It would “allow the Federal Government to use information it receives for an unacceptably broad range of law enforcement purposes, including investigations and prosecutions under the Computer Fraud and Abuse Act and the Espionage Act. … Exemption from disclosure law may obstruct transparency regarding law enforcement use of such information.”
The CISA requires private sector entities to remove personal information about known U.S. citizens before threat indicators are shared. But this is “information that many entities will simply not possess.” Further, the bill does not require any effort by the government to remove personal information before threat information is shared.
The letter suggests a number of privacy-enhancing steps, including a requirement that relevant federal inspectors general issue reports describing what information is received, how it is used, who gets it and how it is treated to protect privacy.
Also requested: that the DHS maintain the authority to prevent sensitive information from being transmitted to the intelligence community and military without privacy protections. The authors also suggest restricting the use of information received to actual cybersecurity activities, the prosecution of cybercrimes, the protection of individuals from imminent threat of physical harm or death, and the protection of children from serious threats. The letter also advises allowing individuals harmed by inappropriate sharing to sue the government if it intentionally or willfully violates the law.
The bill ignores many of the privacy protections that were incorporated into a similar bill, the Cybersecurity Act of 2012, which did not pass the Senate, the letter states. The concerns raised in the letter are similar to those that arose over the Cyber Intelligence Sharing and Protection Act, which passed the House in 2012 but did not make it through the Senate.
The Senate Intelligence Committee has yet to give an exact date for a markup of the bill.
http://www.gsnmagazine.com/
