Constitution Project: Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy
The Constitution Project has released a new report, “Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy” (Project pdf; archive pdf), calling on Congress to include strong privacy protections in any cybersecurity legislation it adopts. The report is “endorsed by legal and policy experts (including former federal judges and prosecutors, retired military and intelligence officers, and law school professors) from across the ideological spectrum,” according to a press release.
From the report’s introduction:
It is important that our nation develop and operate cybersecurity programs and policies to reduce or eliminate these vulnerabilities. These programs, however, pose a potential threat to Americans’ privacy rights and civil liberties. As proposals have arisen that would enable the federal government to move toward monitoring all information transferred over private networks, individuals face the risk of being subjected to the equivalent of a perpetual “wiretap” on their private communications and web browsing behavior. Moreover, the debate regarding cybersecurity has been hampered by excessive secrecy surrounding the true nature and scope of the threat and the best mechanisms for protecting against it.
The report details items that could substantially affect individual privacy rights and civil liberties: cybersecurity programs such as Einstein (a Bush-era pilot program, continued under Obama, that seeks to have private telecommunications companies route the Internet traffic of civilian government agencies through hardware and software that would search for and block malicious code), and legislation such as S. 413, the Cybersecurity and Internet Freedom Act of 2011, which would allow the executive branch to use a “kill switch” to limit Internet traffic in an emergency.
The report also lists recommendations on how to protect privacy rights and civil liberties in cybersecurity programs, including:
- Any data shared between the government and the private sector should have “sensitive personally identifiable information (PII) from Americans removed and sanitized.”
- Any cybersecurity legislation, regulation, or agency directive regarding information sharing should require (1) strict time limits for data retention, (2) data anonymization whenever possible, and (3) policies to decrease the risk of inadvertent or improper disclosure of PII.
- Congress should require that content obtained by the federal government through the cybersecurity program only be used as necessary to prevent cyber-attacks and protect networks. Content should not be shared with law enforcement or relied upon as evidence of a non-cybercrime, unless the content was a necessary component of data flagged as a possible cybersecurity threat.
- Independent oversight of the U.S. cybersecurity program should be established to ensure that Americans’ privacy rights and civil liberties are protected. In particular, the Privacy and Civil Liberties Oversight Board should be fully established.
- Congress should require periodic mandatory audits by the Inspectors General of all agencies involved in maintaining cybersecurity in the United States. These reports should include a discussion of the types and amount of information being shared with the federal government and how the information is used.