by Adam Eisgrau
Managing Director, ALA Office of Government Relations
Cross-posted from District Dispatch
Loyal District Dispatch readers know that, literally for years, ALA and a strong coalition of groups and companies from across the political spectrum have been fighting privacy-unfriendly “cybersecurity,” aka “information” sharing, legislation most recently unveiled as the Cybersecurity Information Sharing Act (S. 754). CISA was meant merely to incentivize companies like internet service providers to share hints of “cyber-threats” with the government by shielding them from liability for doing so. The bill has been consistently and rightly criticized, however, for seriously compromising all of our personal privacy and for creating de facto new surveillance programs for the NSA and FBI. (Already heard enough? Click here to take action.)
Until very recently, those serious defects and strong grassroots efforts by ALA and many others kept CISA and its legislative predecessors from passing. In recent weeks, however, the Chairs of the powerful House and Senate Committees on Intelligence and Homeland Security secretly negotiated a compromise version of their several “information sharing” bills that the White House signaled it could approve if passed.
Late last night, that language — now as bad or worse than it’s ever been from a privacy perspective – was slipped as a “rider” by Speaker of the House Paul Ryan into the 2000+ page “omnibus” spending bill that Congress must pass to avoid a government shutdown. A vote on the omnibus is slated to take place Thursday just before Congress leaves town for the holidays.
Librarians and other civil liberties organizations may lose this fight, but we needn’t and shouldn’t go quietly! Join ALA President Sari Feldman in protesting this undemocratic deal.
The odds are long and time is tight, so Tweets are sweet. Please, click here to send one to your Member of Congress. It’s already set to ask him or her to tell Speaker Ryan that middle-of-the-night deals that give the NSA new surveillance tools have no place in the omnibus, and that it’s not too late for the Speaker to #StopCISA .
Your voice matters. Get mad and get LOUD, right now!
This week, the House Judiciary Committee held a hearing on reforming the Electronic Communications Privacy Act (ECPA). The ECPA is a federal law that controls how the government can access private communication records that are being stored by an online service provider (i.e. in the cloud). The reason for this hearing is that there is a bill currently pending that would change the ECPA to require a warrant before any government entity could gather this information. In the Senate, it’s the Electronic Communications Privacy Act Amendments Act and in the House it’s the Email Privacy Act.
Currently, there is a ruling from the Sixth Circuit that effectively does this: Warshak v. United States decided that email privacy is protected by the Fourth Amendment. This has caused most service providers to require the government to provide a warrant before they release any information. However, this ruling has not been codified into law and could be overturned by subsequent judicial proceedings.
By and large, this is seen as a way for civil agencies (primarily the Securities and Exchange Commission) to expand their power and access to information. Because they are civil agencies, they lack the power to issue warrants, and they have been looking for a new way to access this information through a new prerogative. Via the Electronic Frontier Foundation:
“The SEC testified that currently it does not use administrative subpoenas to obtain communications content from online service providers, and instead seeks emails directly from individuals. Yet the agency wants to be able to obtain not only older communications content from third parties, but also messages that are 180 days old or newer, which is authority that civil agencies currently do not have in any form—a point that Rep. Sensenbrenner (R-WI) made.”
The good news in all of this is that there are over 300 co-sponsors of this bill in the House (the most of any bill currently before Congress according to the ALA Washington Office), so it is likely to pass when and if it comes to a vote. However, as with all legislation, it isn’t over until it’s over, so interested parties are encouraged to contact their Senator and Representative. Via the District Dispatch:
Where H.R. 699 (and its Senate companion, S. 356) goes from here — and more to the point when — is unclear. Strong further advocacy by librarians, in harness with our many coalition partners, may well be what it takes to “spring” HR. 699 from the Committee in which it’s been mired for years but from which, this week, it may just have begun to emerge.
This may seem like a minor piece of technology change that has very little to do with libraries, but the right of an individual to maintain their privacy in all the environments of the modern world is a key part of intellectual freedom. Librarians need to stand for advances and laws that help codify these rights and that help protect individuals from warrantless searches. No civil government agency should have the right to trawl through any user’s online records without a warrant in the same way that they should not be allowed to search a person’s home or office without a warrant. Libraries should proactively stand for user privacy whenever they can, and the steps that Congress are making on this bill in limiting civil power to conduct warrantless searches is a step in the right direction.
Whenever any person has their privacy violated, this has a chilling effect on that person’s future expression of free speech and thought. In an increasingly technology driven world, more and more people (myself included) are keeping their personal thoughts on their digital devices under the assumption that, much like their locked desk drawers, these arenas are their own domains. The idea that a civil government agency could violate that privacy at any moment without a warrant or any probable cause is repugnant to the idea of intellectual freedom. ALA’s own Interpretation of the Library Bill of Rights as it relates to Privacy holds in high regard the right of all library users to maintain their privacy no matter what information or materials they are seeking. I believe that if we advocate for such a right inside our buildings (when users are using our networks to access their cloud-based digital files, for example), then we must advocate for that right to extend beyond the library’s doors.
Advocacy for privacy in the digital realm can not be a place-based proposition because the digital world is literally everywhere. As such, advocates of intellectual freedom must advocate for a clear right to privacy in cloud-based storage from warrantless snooping by the government. As previously stated, this would seem to be such a small change; however, as the ALA Washington Office has pointed out in their District Dispatch article linked above, moving this bill has been an incredibly slow and laborious process.
John “Mack” Freeman is the Marketing and Programming Coordinator for the West Georgia Regional Library. He is a past recipient of the Freedom to Read Foundation’s Conable Scholarship, and a 2015 ALA Emerging Leader.
By Adam Eisgrau
Director, ALA Office of Government Relations
Cross-posted from District Dispatch
It’s baaaaa-aaaack! S. 754, the often and aptly tagged “zombie” Cybersecurity Information Sharing Act of 2015 (CISA) reemerged this month in the Senate in new and, to be fair, somewhat improved guise. Massive opposition by a broad coalition of companies and civil society groups, including ALA, kept an even worse version from a vote this summer. But make no mistake; the bill in its current form is still being (mis)advertised by its sponsors as a means of preventing serious cyber-attacks like those perpetrated recently against the Office of Personnel Management, the Pentagon’s non-classified email system and Sony (among many other businesses).
CISA remains dangerously overbroad in key respects. It continues to pose a serious threat to personal privacy by allowing the internet, phone, financial services, credit bureaus and other institutions that hold your personal information to voluntarily “share” that data with federal security agencies if they believe they see indicators of a cyber-attack. The Department of Homeland Security (DHS) would serve as an initial “portal” for this data which they’d then be obligated to (over)share with many other arms of government at multiple levels, including the Department of Defense (DoD), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and state law enforcement agencies.
ALA and many of its coalition partners support key amendments by Senator Patrick Leahy (D-VT) to protect the Freedom of Information Act (No. 2587) and Senator Al Franken (D-MN) to narrow key definitions of terms like “cyberthreat” to better protect privacy (No. 2612).
Even if they are adopted, ALA urges every member of the Senate to vote “NO” if and when the CISA “Manager’s Amendment” to S. 754 reaches the floor.
Of special concern to libraries is a provision of the bill that, while narrowed in the Manager’s Amend-ment, could still expose library and municipal networks to disruption at the hands of defensive “countermeasures” taken by a company or government office that believes itself to be under cyber-attack.
In addition, with thanks for these points to the Open Technology institute, ALA also strongly opposes S. 754. Even as amended, the version of CISA that the Senate will vote on in a matter of days is still fatally flawed because of:
- Weak requirements for companies to remove personally identifiable information: The most important improvement the Senate can make to CISA during the amendment and debate process is to enhance the front-end protections for communications content and personally identifiable information (PII) by strengthening the requirement to remove that sensitive and unnecessary information. Strengthening this requirement would reduce all other privacy and civil liberties concerns, since there would be less PII to be mishandled or misused by the government or by companies. Because of how broadly CISA defines the term “cyber threat indicator,” the information that is shared could include a tremendous amount of unnecessary personal information. A chart outlining some of the types of “cyber threat indicators” that could be shared that could reveal the most personal information, is available here.
- Vague definitions of “cybersecurity threat” and “cyber threat indicator”: CISA’s definition for cybersecurity threat is the lynchpin for all of the authorities it creates. Entities may monitor their systems, sharing cyber threat indicators, and deploy defensive measures, in order to protect against a cybersecurity threat. However, CISA’s definition of cybersecurity threat includes any perceived threat, regardless of whether the action or event would be reasonably likely to cause harm. This definition is so broad that CISA could lead to significant over-sharing, which would undermine security objectives by forcing responders to sift through large quantities of unnecessary information, such as information concerning false positives. Additionally, CISA’s definition for cyber threat indicator includes some vague categories related to potential harms and “other attributes” that could lead to companies sharing unnecessary or inactionable content or PII. Thus, CISA’s broad definitions of “cybersecurity threat” and “cyber threat indicator,” and the resulting excessive sharing of useless information could significantly undermine its effectiveness because it could slow down or distract security experts as they try to identify and respond to legitimate threats.
- Authorization to share acquired information with any federal entity, including the NSA: Domestic cybersecurity and information sharing should be controlled by a civilian federal agency. Authorizing sharing with any federal entity enables companies to share information directly with military and intelligence agencies like the DoD, NSA and CIA, which undermines civilian control.
- Unclear authorization for DHS and all other federal entities to delay dissemination of cyber threat indicators to apply privacy guidelines and
remove unnecessary PII: While the Manager’s Amendment allows for some delay in dissemination of threat information, delay is only permissible if all appropriate federal entities, including DoD and the Director of National Intelligence consent to the means and purpose of the delay. This undermines civilian control, and does not make clear that DHS has the authority to delay dissemination of cyber threat indicators to other entities in order to apply the privacy guidelines and to remove improperly shared or unnecessary personal information.
Look for an action alert very soon with all the details you’ll need to help stop CISA now. Thanks!