April 27, 2016 11:06 AM
This week, the U.S. House of Representatives will vote on the Email Privacy Act (H.R. 699) sponsored by Rep. Kevin Yoder (R-Kan.). The Competitive Enterprise Institute strongly supports this legislation, which would amend the 1986 Electronic Communications Privacy Act (ECPA) to require that the government obtain a warrant, based on a showing of probable cause, to compel a cloud computing provider to divulge the contents of a user’s private electronic communications. The Email Privacy Act enjoys strong bipartisan support, with well over 300 House cosponsors—a majority of House Republicans and Democrats.
Yesterday, CEI joined dozens of public interest groups, companies, and activists in a coalition letter urging members of Congress to vote for H.R. 699. Reforming ECPA isn’t a new priority for CEI. We first urged Congress to rewrite the statute in written testimony to the House and Senate Judiciary Committees in 2010.
Existing law doesn’t adequately protect Americans from warrantless searches of their private data stored with cloud and mobile providers. Congress must make clear that law enforcement cannot access users’ private information—such as stored emails and backup files—without showing probable cause or even notifying users that the government has accessed their private data. The Email Privacy Act would protect Americans’ privacy by making clear that the Fourth Amendment to the Constitution, which protects the “right of the people to be secure … against unreasonable searches and seizures,” applies in the digital world.
March 10, 2016 5:03 PM
Today, the Federal Communications Commission (FCC) unveiled a proposal to regulate how broadband providers may collect and use their customers’ information. These rules, which the FCC’s five commissioners will vote on later this month, mark the agency’s first major attempt to expand its power over the Internet since its controversial February 2015 decision to reinterpret federal law as authorizing the Commission to regulate Internet service providers as public utilities. That move, which FCC Chairman Tom Wheeler justified as necessary to protect so-called “net neutrality,” came after the Obama administration intervened in the FCC’s rulemaking process to insist the agency adopt a heavy-handed approach to Internet regulation.
According to the agency, the new rules will give consumers the “tools they need to make informed choices about how and whether their data is used and shared by their broadband providers.” But since 1986, when Congress passed the Electronic Communications Privacy Act, it’s been illegal for a service provider to “intercept” any “electronic communication”—including Internet traffic—without first obtaining “prior consent” from “one of the parties to the communication.” In other words, your broadband provider can’t monitor your Internet traffic without your consent, except in very limited circumstances (for example, when a court orders interception of your traffic, or your provider needs to monitor it for cybersecurity purposes).
December 15, 2015 6:42 PM
Later this week, the House is slated to vote on a $1.1 trillion “omnibus” spending bill to fund the federal government through next fall. Naturally, the legislation will likely contain numerous riders and add-ons that address issues unrelated to appropriations, ranging from oil exports to compensation for 9/11 victims. But one potential addition to the lengthy omnibus bill is extremely troubling: according to several reports, House leaders are considering adding cybersecurity information sharing to the package. Rushing a cybersecurity bill through Congress before the holidays is premature, especially given how little we know about the details of a potential cyber addition to the omnibus.
Congress has been busy with cybersecurity legislation this year. In October, the Senate passed the Cybersecurity Information Sharing Act, known as CISA. Earlier, in April, two cybersecurity bills passed the House—the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA). Each of these bills aims to tackle legal barriers that limit how companies can share what they learn about cyber attacks with other businesses or government agencies. But these three bills differ in certain key respects, so the two houses of Congress will need to reconcile these differences before sending any legislation to President Obama’s desk.
November 12, 2015 4:43 PM
The behemoth Consumer Financial Protection Bureau (CFPB) played a big role in Tuesday night’s GOP presidential debate on Fox Business, both during the commercials and in the candidate’s answers.
A new ad by American Action Network that made its debut during commercial break correctly linked the CFPB—created by the Dodd-Frank so-called financial reform act rammed through Congress in 2010—to denial of mortgages and car loans due to the CFPB’s costly and paternalistic rules that hit Main Street bank and credit unions. The candidates critical of Dodd-Frank dinged those same policies, but often without naming the CFPB.
Carly Fiorina called out the CFPB directly and for another disturbing policy. She pointed out that the CFPB is an entity with “no congressional oversight that is digging through hundreds of millions of your credit records.”
The “digging” refers to CFPB’s massive database of mortgage and credit card info that rivals that of the National Security Agency in both size and intrusiveness. As former House Speaker Newt Gingrich wrote recently in The Wall Street Journal, “Every month the CFPB … gathers data on 22 million mortgages, 5.5 million student loans, two million bank accounts with overdraft fees, and hundreds of thousands of auto sales, credit scores and deposit advance loans.” My Competitive Enterprise Institute colleague Iain Murray and I have been writing about the troublesome database and its threat to privacy since the CFPB created it more than two years ago.
November 4, 2015 4:43 PM
Most Americans own a smartphone and use cloud computing services such as Gmail, Dropbox, and Facebook. Increasingly, we store sensitive data on our devices and in the cloud—but is it safe?
On Tuesday, October 20, 2015, the Competitive Enterprise Institute held a briefing to discuss the current debate over data encryption. It was moderated by CEI Associate Director of Technology Studies Ryan Radia. Watch the video below:
October 26, 2015 9:13 PM
This week, the U.S. Senate will vote on the Cybersecurity Information Sharing Act. Also known as “CISA,” the bill aims to improve cybersecurity by making it easier for companies and the government to share information about potential cyber threats with each other. (The latest version of CISA is here; a package of amendments slated to be voted on is here.) But CISA suffers from a serious flaw that Senate lawmakers have repeatedly ignored: the bill doesn’t put agencies on the hook if they misuse information shared with them in the name of cybersecurity.
CISA’s basic premise—that information sharing can improve cybersecurity—makes sense, as I’ve long argued. Every day, big Internet companies deal with all kinds of cyber attacks, many of which target data that providers store on their customers’ behalf. Internet firms learn from the attacks they experience, and over time, they can improve the resiliency of their systems. Similarly, the more willing companies are to share information about cyber threats with federal agencies upon request, the better the government will be equipped to investigate and punish cyber criminals.
August 31, 2015 4:35 PM
On Friday, the U.S. Court of Appeals for the District of Columbia Circuit handed down its much-awaited ruling in Obama v. Klayman, one of several lawsuits challenging the legality of the NSA’s bulk collection of Americans’ telephone records. In 2013, the District Court for D.C. issued a preliminary injunction after it found the plaintiffs were “substantially likely” to show that the NSA was collecting their telephone records in violation of the Fourth Amendment to the U.S. Constitution. The D.C. Circuit disagreed with this conclusion, reversing the preliminary injunction and sending the case back to the lower court for further proceedings.
Although the D.C. Circuit’s decision in Klayman has major implications for future cases about government surveillance, it won’t immediately affect the NSA’s bulk collection program. When the District Court in D.C. granted the plaintiffs a preliminary injunction, the court decided to “stay” its preliminary injunction pending an appeal—meaning the NSA could continue its bulk collection while the lawsuit made its way through the federal courts. This process has taken longer than expected, with nearly two years elapsing since the preliminary injunction issued in December 2013.
August 27, 2015 1:26 PM
The Daily Beast’s Justin Glawe has written an article about a North Dakota law aimed at limiting law enforcement use of unmanned aircraft systems (UAS), or drones. He claims that the law was watered down by police interests and corporate lobbyists, and that the weakened protections now authorize law enforcement’s use of non-lethal UAS-mounted weapons:
With all the concern over the militarization of police in the past year, no one noticed that the state became the first in the union to allow police to equip drones with “less than lethal” weapons. House Bill 1328 wasn’t drafted that way, but then a lobbyist representing law enforcement—tight with a booming drone industry—got his hands on it.
The bill’s stated intent was to require police to obtain a search warrant from a judge in order to use a drone to search for criminal evidence. In fact, the original draft of Representative Rick Becker’s bill would have banned all weapons on police drones.
Then Bruce Burkett of the North Dakota Peace Officer’s Association was allowed by the state house committee to amend HB 1328 and limit the prohibition only to lethal weapons. “Less than lethal” weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore permitted on police drones.
Scary stuff, right? I certainly don’t want the police to have armed UAS—whether they be deployed with lethal or non-lethal weapons—and requiring warrants is a good first step. But based on a reading of the statute in question, it does not appear to do what Glawe and others claims it does.
August 5, 2015 12:59 PM
Today, the U.S. Senate is scheduled to vote on the Cybersecurity Information Sharing Act (CISA), which is a serious threat to civil liberties and privacy.
CEI’s Ryan Radia offered these thoughts:
CISA doesn’t provide any meaningful deterrent against government agencies using information they receive from companies in ways that exceed the uses authorized by the Act. Although CISA requires agencies to issue guidelines that are supposed to prevent the misuse of information shared under the Act, this is hardly reassuring. Agencies violate their own internal procedures and guidelines all the time with impunity, from the IRS to the State Department.
That’s why it’s critical that any cyber information sharing legislation include a provision that gives relief to individuals injured by governmental misuse of information shared by companies. In this Congress, and in the last two Congresses, the House passed cyber threat information sharing legislation that allowed injured parties to sue the government for damages (i.e., a waiver of sovereign immunity). Another approach to deterring misconduct, used in the Wiretap Act, would bar the government from using evidence in court that is derived from shared cyber threat information for purposes beyond those allowed by the bill. Either a waiver of sovereign immunity or a suppression remedy needs to be included in any bill that liberalizes information sharing, or else companies won’t be able to meaningfully ensure that the government doesn’t use information they share with it for impermissible purposes.
Read more on CISA:
April 21, 2015 11:29 AM
The Competitive Enterprise Institute, TechFreedom and a coalition of free-market groups issued an open letter to Members of Congress, urging them to consider amendments to the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. The NCPAA intends to increase cyber security by facilitating greater sharing of potential cyber threats by private companies with each other and with government. But it also raises real privacy concerns because potential Cyber Threat Indicators could include private information like email content or Internet usage history.
“Congress must ensure that agencies can’t strongarm companies into sharing information involuntarily, and that agencies can be held liable for recklessly misusing private data they might receive. And agencies should be barred from using such information for regulatory purposes or for unrelated criminal prosecutions,” said Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute. “Finally, the existing bill’s blanket immunity for ‘defensive measures’ could encourage unauthorized access to protected computers, potentially endangering innocent bystanders caught in the middle of cyberattacks.”
The letter proposes eight amendments: