CDT: Cybersecurity bills raise major civil liberties concerns

Four bills before Congress would allow private companies to share cyberthreat information

A group of cybersecurity bills that the U.S. Congress may soon vote on contain serious privacy and civil liberties flaws, with some of the bills allowing private companies to share a wide range of their customers' online communications with government agencies, the Center for Democracy and Technology said.

The U.S. House of Representatives could vote later this month on two bills focused on encouraging private companies and the government to share cyberthreat information with each other, even though there are major civil liberties concerns with one of the bills and some outstanding questions about the second, CDT officials said during a press briefing Wednesday.

The Senate may vote on information-sharing legislation in May, CDT officials said. CDT raised concerns about four information-sharing bills, all of which would provide legal protections for private companies that share cyberthreat information with government agencies.

"[If] you look at most of these bills closely, you'll see that there are extraordinarily complex civil liberties problems in virtually every one of these bills," said Leslie Harris, CDT's president and CEO.

The Electronic Frontier Foundation has similar criticisms of the cybersecurity bills. Most of the information-sharing bills before Congress don't clearly define what a cybersecurity threat is, thus allowing broad information sharing between private companies and the government for ill-defined purposes, the EFF said.

The first House bill, the Cyber Intelligence Sharing and Protection Act, allows private companies to share broad information about cyberthreats with government agencies, with no requirement to strip out personal information, said Greg Nojeim, CDT's senior counsel. The bill, sponsored by Representative Mike Rogers, a Michigan Republican, would allow U.S. agencies to use the information shared by private companies for other national security and law enforcement purposes, in addition to cybersecurity, he said.

The Rogers bill may also allow private companies to take broad countermeasures against attacks, potentially including counterattacks, Nojeim said. The information-sharing bills "trump all privacy laws" in their permission for companies to share information with government agencies, he said.

The Rogers bill contains no privacy oversight, the EFF said. "The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for 'cybersecurity purposes,'" the EFF said in a blog post. "Just invoking 'cybersecurity threats' is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law."

The Rogers bill has broad support in the House, however, with 106 co-sponsors. Several companies, including AT&T, Microsoft, Facebook, Intel and IBM, have also voiced support. The bill "provides a solid framework and useful legal protections to permit the timely flow of actionable threat information in order for organizations to better protect themselves and customers," Christopher Padilla, IBM's vice president of governmental programs, wrote in a November letter to Rogers.

CDT officials raised similar concerns about the Secure IT Act, a bill sponsored by eight Republican senators, including Senator John McCain of Arizona. The McCain bill requires some federal IT contractors to share broad cybersecurity information with the government, CDT said.

Representatives of Rogers and McCain did not immediately return messages seeking comment on CDT's concerns.

With bipartisan support for cybersecurity legislation, there's growing pressure in Congress to move forward with a handful of bills, CDT's Harris said. Leaders in the House have designated the week of April 23 as cybersecurity week, with votes on the Rogers bill and the Precise Act, another information-sharing bill with fewer civil liberties concerns, she said.

CDT also raised some concerns about the Precise Act, an information-sharing bill sponsored by Representative Dan Lungren, a California Republican, and the Cybersecurity Act, sponsored by Senator Joe Lieberman, a Connecticut Independent.

The Lungren bill more narrowly defines what information can be shared between private companies and the government than the Rogers bill, CDT said. But the bill raises concerns because it allows Internet service providers to monitor their subscribers' communications, and it may allow companies to deploy broad countermeasures against cyberattacks, CDT said.

The Lieberman bill also allows ISPs to monitor subscriber communications, and it allows companies to modify or block traffic to protect against "any action" that could compromise their IT systems, CDT said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
