Privacy advocates, a majority of the House of Representatives, leading senators from both parties, and the Department of Justice all agree that electronic communications privacy law passed in 1986 is woefully out of date, and must be updated in order to protect communications privacy in the century of big data, smartphones, and the Internet of Things. Basically everyone agrees that the Electronic Communications Privacy Act of 1986, known as ECPA, needs a major overhaul. There are numerous proposals before congress that would strengthen and modernize the law—including provisions even the surveillance-hungry DOJ has endorsed. That’s why it is confusing to see congress attempting to rush through a so-called ‘cybersecurity’ bill that would blow a massive hole in the core of ECPA.
The Cybersecurity Information Sharing Act (“CISA”), which cleared the Senate Intelligence Committee in a 14 to 1 vote earlier this month, would do two fundamentally dangerous things. First, it would allow corporations to share private user information with intelligence agencies, in bulk and pursuant to no established legal or criminal justice process. The law would trump ECPA, which prevents companies from sharing subscriber information—including IP addresses, phone numbers, credit card information, and more—with the government unless the sharing is related to a specific criminal investigation, pending court approval, or emergency. Second, CISA would grant corporations that share user data with the government immunity from lawsuits filed by angry consumers.
In other words, CISA would gut the very privacy law that congress is on the brink of strengthening, and ensure that litigation-wary companies don’t hesitate to share our private information with the Department of Homeland Security, even in bulk form. Once DHS gets its hands on this data, it would automatically share it with the NSA, the Department of Defense, and the Office of the Director of National Intelligence. These agencies could use the information in a variety of ways that have nothing to do with cybersecurity, including in some criminal investigations.
Civil liberties organizations including the ACLU and a wide array of technology experts signed a public letter to the head of the Senate Intelligence Committee last month, describing how the proposal "would significantly undermine privacy and civil liberties." In the letter, the advocates warn about how CISA creates "yet another loophole for law enforcement to conduct backdoor searches on Americans–including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause."
[CISA] permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force, including those that involve no threat of death or significant bodily harm, as well as for terrorism investigations, which have served as the basis for overbroad collection programs, and any alleged violations of various provisions of the Espionage Act.
What its advocates are touting as a ‘cybersecurity’ bill is actually, as Senator Ron Wyden says, "a surveillance bill by another name." If passed, CISA would become yet another avenue for intelligence and law enforcement agencies to spy on Americans without warrants or any form of judicial process. To add insult to injury, if passed in its current form, cybersecurity experts say the bill wouldn’t even do much to protect the country’s critical infrastructure from cyberattack.
Instead of making it easier for Google, AT&T, and Facebook to share massive quantities of private user information with the government, without worrying about pesky consumer rights lawsuits, congress should pump the brakes on CISA and get serious about finally moving ECPA reform over the finish line. The last thing we need is for congress to hand over yet more unaccountable, dragnet surveillance power to secretive and ineffective intelligence agencies—especially if it won’t do the public any good.