The Cybersecurity Act of 2012, or Lieberman-Collins Cybersecurity Act, like other Internet-related bills of the last few years, has produced its fair share of criticism and hyperbole from proponents and opponents alike. Its sponsors and supporters argue that it is essential for national security (what isn’t these days, really?), while opponents argue that it cedes too much power to the government over the Internet, and will create the legal architecture that will lead to a future Orwellian America.
In a certain sense, we already live in a Big Brother world, with a high degree of surveillance out on the streets and on our computers, and with the level of personal information we hand over to sites like Facebook, which mine our data and would gladly hand it over to the NSA, for instance, if it but asked. Digital doppelgangers exist in the electronic aether that describe in great detail our political ideology and activities, religious dogma or lack thereof, sexual tendencies (or curiosity), medical conditions, and our precise location, not to mention the specifics of our daily movements.
No one will dispute that, in this age of Stuxnet and Flame, other countries or rogue groups might well attempt to hack and disrupt America’s critical infrastructure, but that infrastructure can be defended without sacrificing the civil liberties of Internet users. Senator Ron Wyden (D-OR), one of the great champions of Internet freedom, opposes the legislation, which is headed for a Senate vote soon. As Wyden notes, CSA “subordinate(s) all existing privacy rules and constitutional principles to the poorly defined interest of ‘cybersecurity.’”
For instance, the language defining a “cybersecurity threat” is quite vague. “[A]ny action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system,” reads that portion of the bill. But, as EFF recently emphasized, it’s the “cybersecurity threat indicators” that might be the most troubling.
EFF cites one particular bit of language that can be interpreted quite broadly and creatively by private entities who will be able to hand over information to the government with immunity. In this provision, a cybersecurity threat indicator can be “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law.”
Under CSA, ISPs (Internet Service Providers) and online service providers like Facebook and Google can monitor and filter all information or traffic passing through their networks. With this broad definition, it’s possible that Facebook or Google could read emails or messages as per their duty in aiding the government in matters of national security.
One of the most troubling provisions in CSA has to be the fact that companies and the government are not required to disclose any cybersecurity threat indicator. In other words, neither Facebook nor the NSA has to disclose the how and the why of any monitoring of online users, how that data is being processed, and whether it was useful at all. This is meant to combat legitimate national security threats, but it puts users’ online privacy in the crossfire.
As if this were not enough, there are no protections in CSA to prevent companies from funneling user information to the NSA, as EFF warns. What’s troubling here is that the NSA is part of the Department of Defense and, like the CIA, it is not allowed to operate domestically. CSA subverts this in a profoundly disturbing way.
As CSA moves inexorably toward its Senate floor vote, head over to EFF to fully immerse yourself in the various troubling aspects of the bill. If you feel strongly opposed to CSA, email your Senator with EFF’s form. EFF has also produced a handout that condenses the problems with CSA into a few talking points.