Worried about the Lieberman-Collins Cybersecurity Act? You should be. As we've explained before, it poses serious threats to online rights. Here's a one-page handout you can use as a reference. It's great for sharing with friends, handing to Senate staffers, publishing online, or using as talking points when explaining the issue to someone for the first time. Download it here and please spread it around!
The Cybersecurity Act (S. 2105) Threatens Online Rights
The Cybersecurity Act (S. 2105), sponsored by Sen. Lieberman and Sen. Collins, compromises core American civil liberties in the name of detecting and thwarting network attacks. While Internet security is of the utmost importance, safeguarding our networks need not come at the expense of our online freedoms. That’s why civil liberties groups, security experts, and Internet users oppose this bill.
The Cybersecurity Act is fundamentally flawed and dangerous for online rights:
- The bill uses dangerously vague language to define "cybersecurity threat indicators" (information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.
- Data collected under the Cybersecurity Act can be shared with law enforcement for non-cybersecurity purposes if it “appears to relate to a crime” either past, present, or near future. This is overbroad and contrary to the spirit of our Constitution. Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same "future crime" flaw.
- If companies overstep their authority, violating the privacy of Internet users for non-cybersecurity purposes or oversharing sensitive data with the government, it will be very difficult for individuals to hold these companies accountable by taking them to court. The bill puts incredibly high burdens on the plaintiff in such a case to prove that a company was not monitoring for the purpose of detecting cybersecurity threats and did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or that they "knowingly" and "willfully" violated the restrictions of the law. Furthermore, the bill allows companies to bypass much of preexisting law designed to limit company disclosure of private communications – bedrock privacy law like the Wiretap Act and the Electronic Communications Privacy Act.
- The Cybersecurity Act would allow sensitive private communications to flow to the NSA, a U.S. military agency — contrary to a long held value that military agencies should not be engaged in collecting data on American citizens.
- This bill has been criticized by open government groups who rightly point out that the bill creates new exemptions to FOIA—making it that much harder for people to understand how much and what kind of data is being shared with the government and ensure that the government and companies do not abuse this authority.
There is much our country can and should do to safeguard our networks, but sacrificing the civil liberties of Internet users is neither desirable nor necessary for that goal. As a constituent and an Internet user concerned about my online rights, I urge my Senator to support privacy protective amendments and oppose the Cybersecurity Act.