Encouraging news: both the ACLU and EFF say proposed amendments to the cybersecurity bill, S. 2105, address privacy concerns.
Michelle Richardson of the ACLU writes that the proposed changes would:
- Ensure that companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency. The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the internet.
- Ensure that information shared under the program be “reasonably necessary” to describe a cybersecurity threat.
- Restrict the government’s use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats.
- Require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it.
- Allow individuals to sue the government if it intentionally or willfully violates the law.
- Ensuring that only civilian agencies—not the National Security Agency—are in charge of our nation’s cybersecurity systems.
- Ensuring data isn’t shared with law enforcement except in very specific, limited circumstances.
- Ensuring that data collected through cybersecurity programs can’t be used to prosecute other, unrelated crimes.
- Carve-outs for free speech and terms of service violations. The new privacy package makes it clear that Constitutionally-protected free speech and terms of service violations won’t constitute a “cybersecurity threat.”
Both organizations note that there are still remaining concerns that advocates will want to see addressed, but it does sound like there’s been some important progress.