The Competitive Enterprise Institute, TechFreedom and a coalition of free-market groups issued an open letter to Members of Congress, urging them to consider amendments to the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. The NCPAA intends to increase cybersecurity by facilitating greater sharing of potential cyber threats by private companies with each other and with government. But it also raises real privacy concerns, because the Cyber Threat Indicators (CTIs) that may be shared could include private information such as email content or Internet usage history.
“Congress must ensure that agencies can’t strongarm companies into sharing information involuntarily, and that agencies can be held liable for recklessly misusing private data they might receive. And agencies should be barred from using such information for regulatory purposes or for unrelated criminal prosecutions,” said Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute. “Finally, the existing bill’s blanket immunity for ‘defensive measures’ could encourage unauthorized access to protected computers, potentially endangering innocent bystanders caught in the middle of cyberattacks.”
The letter proposes eight amendments:
- Include a 3-year sunset, a proposal that was defeated in markup before the House Committee on Homeland Security;
- Improve reporting requirements so that, as Congress considers re-authorizing the bill, it has an accurate sense of how often private data are shared under the bill;
- Enhance agency accountability by ensuring that, if government agencies willfully disregard the bill’s privacy safeguards, injured parties have legal recourse;
- Suppress unlawfully obtained evidence from use in criminal cases;
- Preserve common law remedies beyond enforcement of contracts and terms of service by which companies promise not to share personal information;
- Bar any regulatory coercion of information-sharing, whether through formal rulemaking or other means;
- More thoroughly bar use of CTIs “for regulatory purposes” by clarifying that this includes enforcement action and merger review as well as traditional rulemaking; and
- Clarify the language authorizing defensive measures to ensure that the bill does not authorize or encourage collection of private information from innocent third parties whose systems might be used in botnet attacks.