Some efforts to share more information about cyberthreats could open a Pandora’s Box of privacy and civil rights concerns, civil liberties advocates said on Thursday.
As Congress looks to pass wide-ranging cybersecurity legislation this year, several bills include proposals for increasing the flow of information between government agencies and private companies.
If not implemented carefully, such measures could undermine privacy and other limits on government intrusion, the Center for Democracy and Technology’s Gregory Nojeim said at a Capitol Hill briefing for staffers.
Two issues are of particular concern, he said. The amount and type of information that is collected or shared needs to be narrowly limited, and that information needs to be used only for cybersecurity efforts, not for other, unrelated crimes. Nojeim praised a bill approved by a House Homeland Security subcommittee on Feb. 1 that creates a quasi-governmental organization to oversee information sharing and defines what information can be shared.
“There is widespread agreement that ISPs (internet service providers) and other operators of computer networks need clearer legal authority in order to be able to share with each other – and with the government – signatures and other information about suspected attacks on their networks,” Nojeim wrote in a summary of the legislation. “However, since we are talking about privately owned and operated networks that carry personal communications, any sharing of information must be carefully controlled.”
Another bill, approved by the House Intelligence Committee last year, allows for almost unlimited information sharing and could allow officials to use the information in other investigations, he said.
Nojeim said drafts of a third bill, expected to be introduced in the Senate any day, limit the kind of information that can be collected, but leave the door open for other uses.
American Civil Liberties Union legislative counsel Michelle Richardson said any legislation needs to explicitly give civilian law enforcement agencies authority over domestic cybersecurity efforts.
While the Defense Department and the National Security Agency boast significant cyber resources, it is “wholly inappropriate” for military agencies to gather information on Americans, she said.
Richardson also warned of “mini kill switches” that could give the government the authority to shut down or control parts of the Internet. Senate Homeland Security Chairman Joe Lieberman, I-Conn., says he won’t include a provision to give the president broad emergency authority over the Internet, but Richardson said more limited measures could still be included.