President Obama can put the kibosh on CISPA

by Joan McCarter

A year ago, the House of Representatives was poised to pass the Cyber Intelligence Sharing and Protection Act (CISPA). It was a dangerous bill, threatening to obliterate Internet users' privacy rights and, in fact, to trump every privacy law on the books. It would have let companies share users' private information, including the content of email and other communications without personal information being stripped out. And it would have given companies broad legal immunity to do that.

The White House issued a veto threat of that bill, on solid ground:

• "H.R. 3523 fails to provide authorities to ensure that the Nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards. <...>"
  
  
• "The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes. <...>"
  
  
• It would "inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life. <...>"
  
  
• And finally, it "effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. <...>"

- more -

http://www.dailykos.com/story/2013/03/19/1195331/-President-Obama-can-put-the-kibosh-on-CISPA

With CISPA, "It's all just a little bit of history repeating..."

By Robyn Greene

<...>

Leaders of the House Intel Committee reintroduced CISPA with the same privacy flaws as last year. While they suggested at its unveiling that they worked with the privacy community and addressed our concerns, they didn't. This is the same bill, with the same problems...Last year, citing many of our privacy concerns, President Obama threatened to veto CISPA, making clear that protecting privacy and civil liberties is a priority in any cybersecurity legislation he signs. Today the ACLU and 33 other organizations sent a letter to the president, urging him to do it again.

Last year, President Obama cautioned that CISPA would repeal "important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards," while failing to establish "requirements for both industry and Government to minimize and protect personally identifiable information." He warned that CISPA "does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes." And he objected to CISPA's overly broad liability protections that would make it virtually impossible for Americans to sue a company for improperly sharing our private information with the government or with another company.

Finally, President Obama echoed our serious concerns about the militarization of the cybersecurity mission – concerns that the House Homeland Security Committees also addressed at a hearing last week, before which the ACLU testified. In his veto threat, the president warned that CISPA "effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres." He also stated unequivocally that "The Administration believes that a civilian agency…must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information."

CISPA, as reintroduced, raises exactly the same concerns as it did when the president issued his veto threat. Sign our petition calling on President Obama to stand up for Americans' privacy and civil liberties once more, and re-issue his threat to veto CISPA.

http://www.aclu.org/blog/technology-and-liberty-national-security/cispa-its-all-just-little-bit-history-repeating

President Obama Shows No CISPA-like Invasion of Privacy Needed to Defend Critical Infrastructure

By Michelle Richardson

Last night the President signed an executive order (EO) aimed at ramping up the cybersecurity of critical infrastructure. Overwhelmingly, the EO focuses on privacy-neutral coordination between the government and the owners and operators of critical infrastructure (CI)—such as the banking, communication, power, and transportation sectors—which have long been regulated because of their fundamental role in the smooth operation of society. Now that these important entities are all connected to the internet, the administration insists that their cybersecurity be on par with their physical security.

There are two important information sharing advancements in the EO, and this time they are good for privacy. They do not include the many problems of legislation like the Cyber Intelligence and Sharing Protection Act (CISPA) because an executive order by definition cannot take away the privacy protections granted by current statutes. In other words, the EO cannot exempt companies from privacy statutes, or let the government collect new information. It can only act within its existing power to change policies and practices.

Two cheers for cybersecurity programs that can do something besides spy on Americans.

The first information sharing advancement greases the wheels of information from the government to the private sector. Section 4 lights a fire under agencies and directs them to share more information with companies—information they already have and can legally collect under current law. Information flowing in this direction is nowhere as near as problematic as the opposite direction. To the extent that corporate and congressional advocates claim that CISPA is needed for this purpose, the administration beat them to the punch. The EO directs the attorney general, the director of national intelligence and the secretary of homeland security to set up a system to get threat information to critical infrastructure owners and operators. They have four months to pull it together.

The second information sharing provision is a net positive for civil liberties. Section 5 directs the Department of Homeland Security, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Office of Management and Budget to evaluate current interagency information sharing. There is plenty of cyber information floating around the executive branch and across different agencies. There doesn't appear to be any publicly available regulation of how that information is protected for privacy purposes, and it may very well be that it is protected by a mish-mash of originating statutes that treat different types of information with varying protections. By holding the agencies accountable to the Fair Information Practice Principles (FIPPs)—transparency, choice, minimization and more—we may see a government-wide cybersecurity privacy regime evolve. To get it done right, PCLOB will need to be funded and staffed up, and advocacy will be needed to keep the agencies true to the FIPPs, but the President has now declared them the bellwether for cybersecurity information.

Overall, the EO is a win for privacy and civil liberties. It's a good reminder that while some are focused like a laser on turning our internet records over to the National Security Agency, there are a lot of other things that government can do to advance cybersecurity instead. Now it's up to all of us to make sure Congress follows the President's lead.

http://www.aclu.org/blog/national-security-technology-and-liberty/president-obama-shows-no-cispa-invasion-privacy-needed