Cybersecurity bills are normally looked at as being terrible for privacy. But a new one being considered by the Senate has a bonus—it's still bad for privacy, but it could also kill whatever is left of net neutrality.
Portions of the cybersecurity bill that the Senate is considering, which is modeled on CISPA, could be construed to subvert net neutrality, according to a coalition of civil liberties groups.
The bill, championed by Senate Intelligence Chair Dianne Feinstein, is called the Cybersecurity Information Sharing Act of 2014 and, as we wrote when it was initially introduced by Feinstein earlier this month, looks to be every bit as bad as the Cybersecurity Information and Sharing Protection Act bill the internet has already rallied against twice.
In a letter to Feinstein, a coalition of 22 civil liberties groups just called CISA a disaster for the internet that would "facilitate a vast flow of private communications data to the NSA" and could infringe on net neutrality policy.
The groups—which including the American Civil Liberties Union, Center for Democracy and Technology, Electronic Frontier Foundation, and Demand Progress—note that the last time the Senate considered a cybersecurity bill, back in 2012, specific protections were written in to protect the free and open internet.
The Cybersecurity Act of 2012—the last cybersecurity bill considered by the Senate—had a clause that said nothing in the bill could be "construed to authorize or limit liability for actions that would violate the regulations adopted by the Federal Communications Commission on preserving the open Internet, or any successor regulations thereto, nor to modify or alter the obligations of private entities under such regulations."
CISA has no such clause. The group notes that terms popular throughout CISA, such as "cybersecurity threat" and "countermeasure" are poorly defined and could be used by service providers to harm the free and open internet.
"The July 2012 bill also contained provisions clarifying that nothing in the Act, including overbroad application of the terms 'cybersecurity threat' and 'countermeasure,' could be construed to modify or alter any Open Internet rules adopted by the Federal Communications Commission," the group wrote. "Net neutrality is a complex topic and policy on this matter should not be set by cybersecurity legislation."
Beyond that, the group notes that CISA's overly broad terminology would make it much easier for the NSA and local police departments to conduct surveillance.
"CISA ignores [the NSA] revelations," the groups wrote. "Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA. CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cybersecurity legislation the Senate last considered."
Among the group's concerns with CISA are the fact that "cyber threat" information from CISA would be funneled from the Department of Homeland Security, a civilian agency, to the Department of Defense (and NSA), a military one.
As we mentioned in our earlier coverage, the bill would also create the possibility of "backdoor wiretaps" by local police, who could request that companies give them information that pertains to any crime, even if a person is only tangentially related to a cybersecurity concern. An example of someone being related to a "cyber threat" can be as simple as receiving a spam email, according to Amie Stepanovich, a lawyer with the civil liberties group Access, who is not listed on Thursday's letter.
The bill has not yet been considered by Feinstein's committee, but the Senator indicated in a press release earlier this month that it is planning to do so soon.