
@indexzero
Created March 8, 2012 06:29
Open Letter to Congress: Response to S.2105

Open Letter to Congress

Response to S.2105: To enhance the security and resiliency of the cyber and communications infrastructure of the United States.

I urge you to oppose John McCain's new cybersecurity legislation.

I come to this conclusion having read the important provisions of the Bill (for reference: http://www.gpo.gov/fdsys/pkg/BILLS-112s2105pcs/pdf/BILLS-112s2105pcs.pdf), specifically:

Title VII - Information Sharing

Violation of the Fourth Amendment

As with much security-focused legislation that has passed in the United States in the last ~11 years, both government and private entities are given broad, sweeping powers to violate (in the opinion of this citizen) the Fourth Amendment of the Constitution, which states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The important language here (which one could interpret as purposefully broad) is "papers, and effects." Is not the information which a private citizen chooses to put into the custody of private entities such as Google, Facebook, Apple, and Microsoft one of our "effects"?

Lack of Proper Oversight

For background to these arguments please consider:

  • Section 701. "monitor information systems of the entity and information that is stored on, processed by, or transiting the information systems for cybersecurity threats"
  • Section 702. "any private entity may disclose lawfully obtained cybersecurity threat indicators to any other private entity."
  • Nowhere in this bill is the ability of private entities to store private information used in "monitoring of information systems" defined, thus in clear violation of many privacy laws.

Granted, the above are to be interpreted so as to not violate "any other provision of law," but they still give broad, sweeping powers to private entities to monitor and store sensitive information of private citizens with no congressional oversight whatsoever. The only proviso that this bill provides is that:

The Secretary, in consultation with the Director of National Intelligence, the Attorney General, and the Secretary of Defense, shall establish— (1) a process for designating appropriate Federal entities (such as 1 or more Federal cybersecurity centers) and non-Federal entities as cybersecurity exchanges;

Director of National Intelligence, the Attorney General, and the Secretary of Defense? No Congressional oversight? It seems to me that the choice of what Federal agencies end up controlling these "cybersecurity centers" would have a direct impact on Interstate Commerce. Isn't that your job, Senators?

The bill of course goes on to grant amnesty to any person or entity who is involved in the collection of such "cybersecurity threat indicators," which is so broad and sweeping it almost certainly incentivizes bad behavior:

IN GENERAL. —No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, based on— (1) the cybersecurity monitoring activities authorized by paragraphs (1) and (2) of section 701;

What are you thinking?

I really do not mean this to be condescending and trite, but what are you thinking? All we the citizens see is the end product. How did we get here? Who was involved? Why does this type of bill continue to be introduced onto the floor(s) of the House and the Senate?

I say this because: We want to help. When I say we I mean the Technology sector in this country. Many companies (my own included) cannot afford to pay for lobbyists and frankly shouldn't have to. Send out your aides, get the CTOs of this country on the phone. I'm sure they'd be happy to talk to you.
