The U.S. Congress is moving forward quickly with legislation that would encourage private companies to share cyberthreat information with government agencies, despite concerns that two leading bills weaken consumer privacy protections.
The House of Representatives Intelligence Committee voted Thursday to approve the Protecting Cyber Networks Act (PCNA), just two days after the bill was introduced.
The House bill "is a cybersurveillance bill at least as much as it is a cybersecurity bill, and it is written so broadly that it could wind up making the Internet less safe," Robyn Greene, policy counsel at the New America Foundation's Open Technology Institute [OTI], said by email.
The PCNA requires government agencies to "automatically and indiscriminately" share information they receive with military and intelligence agencies, OTI said in a critique of the bill. The bill would allow other agencies to pass cyberthreat information to the FBI and the National Security Agency, where "it could be used in investigations that have absolutely nothing to do with cybersecurity," Greene said.
While the PCNA limits what personal information businesses can share with government agencies, it doesn't require companies to remove all personal information, OTI added. The bill also authorizes companies to monitor all activities and communications of users as a way to identify threats, OTI said.
The House bill would "explicitly undermine every rule that is currently in place to protect Americans' Internet privacy, and replaces them with dangerously weak protections," Greene added. "It would massively increase companies' monitoring of our online communications and activities, and give them a nearly blank check to share that information with the government."
The action in the House follows a closed-session vote earlier this month by the Senate Intelligence Committee to approve a similar bill, the Cybersecurity Information Sharing Act [CISA]. The next stop for CISA is a vote in the full Senate, and for PCNA, a vote in the full House. PCNA could come to the House floor as soon as April.
CISA has drawn opposition from 48 security experts and privacy advocates, and the House cyberthreat information-sharing bill "draws largely" from it, Greene said.
Both bills would protect companies that share cyberthreat information with each other or with government agencies from consumer lawsuits. Proponents of the cyberthreat information-sharing bills, including many tech companies, argue that more sharing of cyberthreat information can help businesses better respond to attacks, but victims of cyberattacks need assurances that information sharing won't lead to legal problems.
House Intelligence Committee members defended the bill, saying it will help defend U.S. networks against cybercriminals. The bill has strong privacy protections, Representative Devin Nunes, a California Republican and committee chairman, said in a statement.
The bill "helps pave the way for the expeditious passage of cyber information sharing legislation that can help turn the tide against hackers, cybercriminals and malicious state actors, while safeguarding privacy and civil liberties at every step of the way," Representative Adam Schiff, a California Democrat, said in a statement.
The bill came after several months of negotiations that included privacy groups, Schiff said through a spokesman. The committee addressed the main concerns raised by privacy groups, he added. The bill requires companies to remove personal information before sharing information with the government and limits the way government can use the data, he said.
The bill also does not authorize offensive countermeasures against attackers, he noted, even though that would be permitted in other information-sharing proposals.
"Protecting privacy was at the forefront during the process of crafting this bill, and I'm pleased by the progress weve made," Schiff said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.