By Adam Eisgrau
Director, ALA Office of Government Relations
Cross-posted from District Dispatch
It’s baaaaa-aaaack! S. 754, the often and aptly tagged “zombie” Cybersecurity Information Sharing Act of 2015 (CISA) reemerged this month in the Senate in new and, to be fair, somewhat improved guise. Massive opposition by a broad coalition of companies and civil society groups, including ALA, kept an even worse version from a vote this summer. But make no mistake; the bill in its current form is still being (mis)advertised by its sponsors as a means of preventing serious cyber-attacks like those perpetrated recently against the Office of Personnel Management, the Pentagon’s non-classified email system and Sony (among many other businesses).
CISA remains dangerously overbroad in key respects. It continues to pose a serious threat to personal privacy by allowing the internet, phone, financial services, credit bureaus and other institutions that hold your personal information to voluntarily “share” that data with federal security agencies if they believe they see indicators of a cyber-attack. The Department of Homeland Security (DHS) would serve as an initial “portal” for this data which they’d then be obligated to (over)share with many other arms of government at multiple levels, including the Department of Defense (DoD), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and state law enforcement agencies.
ALA and many of its coalition partners support key amendments by Senator Patrick Leahy (D-VT) to protect the Freedom of Information Act (No. 2587) and Senator Al Franken (D-MN) to narrow key definitions of terms like “cyberthreat” to better protect privacy (No. 2612).
Even if they are adopted, ALA urges every member of the Senate to vote “NO” if and when the CISA “Manager’s Amendment” to S. 754 reaches the floor.
Of special concern to libraries is a provision of the bill that, while narrowed in the Manager’s Amendment, could still expose library and municipal networks to disruption at the hands of defensive “countermeasures” taken by a company or government office that believes itself to be under cyber-attack.
In addition, with thanks for these points to the Open Technology Institute, ALA also strongly opposes S. 754. Even as amended, the version of CISA that the Senate will vote on in a matter of days is still fatally flawed because of:
- Weak requirements for companies to remove personally identifiable information: The most important improvement the Senate can make to CISA during the amendment and debate process is to enhance the front-end protections for communications content and personally identifiable information (PII) by strengthening the requirement to remove that sensitive and unnecessary information. Strengthening this requirement would reduce all other privacy and civil liberties concerns, since there would be less PII to be mishandled or misused by the government or by companies. Because of how broadly CISA defines the term “cyber threat indicator,” the information that is shared could include a tremendous amount of unnecessary personal information. A chart outlining some of the types of “cyber threat indicators” that could be shared that could reveal the most personal information, is available here.
- Vague definitions of “cybersecurity threat” and “cyber threat indicator”: CISA’s definition for cybersecurity threat is the lynchpin for all of the authorities it creates. Entities may monitor their systems, share cyber threat indicators, and deploy defensive measures, in order to protect against a cybersecurity threat. However, CISA’s definition of cybersecurity threat includes any perceived threat, regardless of whether the action or event would be reasonably likely to cause harm. This definition is so broad that CISA could lead to significant over-sharing, which would undermine security objectives by forcing responders to sift through large quantities of unnecessary information, such as information concerning false positives. Additionally, CISA’s definition for cyber threat indicator includes some vague categories related to potential harms and “other attributes” that could lead to companies sharing unnecessary or inactionable content or PII. Thus, CISA’s broad definitions of “cybersecurity threat” and “cyber threat indicator,” and the resulting excessive sharing of useless information could significantly undermine its effectiveness because it could slow down or distract security experts as they try to identify and respond to legitimate threats.
- Authorization to share acquired information with any federal entity, including the NSA: Domestic cybersecurity and information sharing should be controlled by a civilian federal agency. Authorizing sharing with any federal entity enables companies to share information directly with military and intelligence agencies like the DoD, NSA and CIA, which undermines civilian control.
- Unclear authorization for DHS and all other federal entities to delay dissemination of cyber threat indicators to apply privacy guidelines and remove unnecessary PII: While the Manager’s Amendment allows for some delay in dissemination of threat information, delay is only permissible if all appropriate federal entities, including DoD and the Director of National Intelligence consent to the means and purpose of the delay. This undermines civilian control, and does not make clear that DHS has the authority to delay dissemination of cyber threat indicators to other entities in order to apply the privacy guidelines and to remove improperly shared or unnecessary personal information.
Look for an action alert very soon with all the details you’ll need to help stop CISA now. Thanks!
by Helen Adams, Member, and Michael Robinson, Chair
IFC Privacy Subcommittee
The Collier School District in Florida now allows parents and guardians to see the titles of books their children (and wards) check out from the district’s school libraries. Collier County’s “Parent Portal” is being offered as a means of heading off book challenges in the district, with the thought that parents themselves can police the books their children are reading, rather than asking the school to remove the book from the school library.
Although Florida’s library confidentiality statute does not bar schools from providing parents a student’s library records, it does not mean that it is ethical or appropriate for libraries to provide parents with the technological means to check their children’s circulation records and their reading choices. Established through case law, students have a First Amendment right to receive information in school libraries. Whether they exercise that right is dependent on whether they feel that their use of resources will be kept confidential. The district’s action will certainly chill some students’ use of resources that may be controversial and/or on sensitive topics. Instead of checking out some books, students will read the books in the library (hiding them somewhere on the shelves), have a friend check them out, or simply “borrow them” without benefit of checkout.
Do parents need to check the reading choices of their children? Younger elementary children often have difficulty managing the books they have checked out of the school library, so this means of confirming the number of books and when they are due may be useful to parents. However, the information can also be easily obtained by calling or emailing the school librarian. Is parental tracking of middle school students’ personal reading choices necessary? Tweens are beginning to explore new ideas including their sexual orientation and other sensitive topics. High school students are also in the process of maturing, establishing some personal independence, and preparing for life after high school. Why should they fear that their parents may surreptitiously check on what they are reading?
Instead, schools should encourage parents to talk to their children or young adults face-to-face or look at the physical books. Parents have the right (and responsibility) to guide their children’s reading – which does not mean spying on their child, but instead talking about the ideas in the books, discussing reading choices in relation to family values, and recommending books.
As librarians, we follow the Code of Ethics of the American Library Association that states in Article III, “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” It is incumbent on librarians to oppose practices that violate our ethics, especially those that concern the intellectual freedom of our patrons even if they are minors. There is a delicate balancing act between the rights of minors and the rights of parents. The Collier County “Parent Portal” shifts the balance too much toward the rights of parents and endangers the ability of students to read and think in an environment free from surveillance. It is a bad practice that the library profession must strongly advocate against before it becomes a precedent.
If the “Parental Portal” practice goes unchallenged, not only is students’ privacy substantially decreased, but also another opportunity for parent and child interaction about books, reading, and libraries will be lost. Students will grow up thinking surveillance of their reading and research topics is expected or the norm. In a time when privacy and confidentiality of personal data is endangered, it is important for school librarians to challenge this use of technology to diminish students’ privacy. Just because we can give parents remote access to students’ school library records does not mean it is the right thing to do.
Learn more about students’ and minors’ privacy by visiting the Students’ and Minors’ Privacy Resource Page.
Helen Adams is a former school librarian in Wisconsin and currently an online instructor for the School Library and Information Technologies program at Mansfield University in Pennsylvania. She is the author of Protecting Intellectual Freedom and Privacy in Your School Library.
Mike Robinson is an associate professor and head of systems for the Consortium Library at the University of Alaska – Anchorage. Mike has worked with technology in libraries for most of his career and has a strong interest in online privacy as a cornerstone of intellectual freedom. He is currently the Chair of the Intellectual Freedom Committee of the Alaska Library Association.
crossposted from the ALA Washington Office
The FBI and its powerful backers in Congress have been pushing relentlessly for years for access to all of our electronic communications, even the ones we think we’ve protected. They want to require by law that any encryption technology and software we might use to protect our privacy be deliberately built to give all of law enforcement easy access to your otherwise secure phone calls, email, texts and other electronic communications. Cybersecurity experts around the globe repeatedly have said that such “back doors” can’t be secured and would be irresistible lures to spies and criminals of all kinds. Mandating them, the experts say, is a horrible idea. They’re right.
President Obama can end the immediate threat of Congress mandating “back doors” by making a single public statement opposing them. With a single mouse click, YOU can respectfully demand that he do exactly that by signing this “We the People” petition NOW.
“SaveCrypto.org,” a new national campaign to get hundreds of thousands of signatures on this petition, has just been co-launched by ALA and many other leading civil liberties organizations. Together, we can bolt the back door against intrusive government surveillance.
Please, add your name to the SaveCrypto petition to the President now . . . and pass it on!