As you may know, there are three cybersecurity information sharing bills pending before Congress right now. These bills would weaken privacy laws and enable surveillance at a time when we need stronger privacy protections. These are surveillance bills, not security bills.
Every one of the bills is an end run around privacy laws in the name of improving security information sharing with the Department of Homeland Security (DHS). The bills define “cyber threat indicators” in a confusing manner that could include server logs, the contents of emails, damage estimates, and more. This kind of private data is not what is generally needed to secure systems. Nevertheless, the bills say that private entities will be immune from liability for sharing this information with DHS (and other parts of government) “notwithstanding” any privacy laws.
Surveillance reform advocates are trying to stop these bills. There is a lot of support in Congress and from the White House. So, to succeed, we need your help and we need it now. We expect the bills to come to a vote mid-April.
As a security expert, would you be willing to sign a letter helping to educate Congress about what kind of information experts actually share to further cybersecurity and secure systems from future attack? By helping Congress understand what information is useful in security, we can stop a bill that would needlessly waive privacy.
Please let me know if you can sign on by no later than 8pm ET Sunday, April 12. Email to jennifer at law.stanford.edu your name, title and affiliation. We plan to use your titles and affiliations for information purposes only, not to indicate that your employer is also signing the letter. For example, my signature would be Jennifer Stisa Granick, Director of Civil Liberties, Stanford Center for Internet and Society* and the asterick text would say “*Titles and affiliations are for information purposes only.” If you want to sign but don’t want to include your title or affiliation, or don’t have one, please indicate so, and we will respect your wishes.
My plan is to circulate the letter to the sponsors of the bills and to the rest of Congress on Monday, April 13.
Please feel free to email me or set up a call with me if you have any questions about the bills or the letter.
Once again, I can be reached at jennifer at law.stanford.edu
Finally, please do forward this request to anyone you think might be knowledgeable about security information sharing, and interested in sighing the letter.
For more information on these laws, you can read here:
Jennifer Granick—The Right Way to Share Information and Improve Cybersecurity: http://justsecurity.org/21498/share-information-improve-cybersecurity/
OTI—VERSION 2.0 OF THE SENATE INTELLIGENCE COMMITTEE’S CYBER INFORMATION SHARING ACT IS CYBER-SURVEILLANCE, NOT CYBERSECURITY:http://www.newamerica.org/oti/version-20-of-the-senate-intelligence-committees-cyber-information-sharing-act-is-cyber-surveillance-not-cybersecurity/
CDT—Analysis of Cybersecurity Information Sharing Act of 2014: https://cdt.org/insight/analysis-of-feinstein-chambliss-cybersecurity-information-sharing-act-of-2014/
Thank you for your time, attention, and assistance in this important matter.