Excellent analysis by the Electronic Frontier Foundation’s Jennifer Granick of the proposed Cybersecurity Act of 2009 that gives President Barack Obama and the Secretary of Commerce unprecedented new powers to regulate the Internet and ignore privacy laws while doing it.
Notes Granick:
“Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response.
“One proposed provision that gives the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds goes too far. Certainly there are times when a network owner must block harmful traffic, but the bill gives no guidance on when or how the President could responsibly pull the kill switch on privately-owned and operated networks.
“Furthermore, the bill contains a particularly dangerous provision that could cripple privacy and security in one fell swoop: ‘The Secretary of Commerce— shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…’
“In other words, the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations.
“Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does.”
And Granick points to another quite worrisome provision that I missed in my column last week:
“A privacy threat still in the cocoon is the provision mandating a study of the feasibility of an identity management and authentication program with just a nod to “appropriate civil liberties and privacy protections.” There’s reason to fear that this type of study is just a precursor to proposals to limit online anonymity.
“But anonymity isn’t inherently a security problem. What’s “secure” depends on the goals of the system. Do you need authentication, accountability, confidentiality, data integrity? Each goal suggests a different security architecture, some totally compatible with anonymity, privacy and civil liberties. In other words, no one “identity management and authentication program” is appropriate for all internet uses.”
Had the Internet and this proposed law been around at the time of the American founding, “The Federalist Papers” and much else in the way of public debate and discussion about the proposed U.S. Constitution might never have been published.
Great work by Granick. Let’s hope others on the Left are also paying attention and will start waving red flags about a very dangerous piece of legislation that is sponsored, oh by the way, by Sen. Jay Rockefeller, the West Virginia Democrat, and Sen. Olympia Snowe, the Maine Republican.
