Botched cybersecurity bill in Congress would allow more snooping
Americans concerned about protecting their personal information online — and that should be all of us — ought to know that Congress is trying to approve a new framework for invading everyone’s privacy.
The Cybersecurity Information Sharing Act passed out of the Senate Intelligence Committee, 14-1. Sen. Ron Wyden, an Oregon Democrat, was the lone dissenter. Missouri Republican Sen. Roy Blunt was among the “yes” votes.
The act’s intent is noble, but its execution is flawed. It aims to increase the flow of information between private companies and government about data vulnerabilities. With better information, companies and the government could better respond to threats.
Dig into the details, however, and what is ostensibly a security bill proves to be as much about surveillance. The bill contains almost no privacy protections to ensure that all of the personal data flying around is handled responsibly. The federal government could access Americans’ email, financial records, personal photographs and other digital information without oversight.
The bill does not require corporations to share people’s information, but they’d have no real incentive not to. After all, the government has them covered. Corporations are not people in this case. The bill protects corporate privacy if not individual privacy.
The Cybersecurity Information Sharing Act is so broadly written that it encourages information sharing whenever there is something that “may result” in a security breach. That could be just about anything the government suggests, real or imagined.
Perhaps worst of all is what the bill does not contain.
Wyden asked the Intelligence Committee to amend it to forbid government agencies from mandating back doors in hardware and software. Law enforcement wants to be able to access everything, even if you encrypt it or put it behind a password. It wants a loophole in security that only it can use in every computer, smartphone and other device.
America must balance privacy demands against security demands. There is plenty of room for honest disagreement where they intersect, but government-mandated security holes are far outside the gray area.
Weaknesses in digital security rarely remain secret for long. Hackers and other miscreants identify back doors and exploit them for their own nefarious ends. Typically hackers search for flaws in the code that no one knows about. In this case, their job will be far easier because they know the flaws are there at Uncle Sam’s insistence.
It’s not even clear that the government can be trusted to use back doors responsibly. Reports of data abuse by the National Security Agency are still fresh. Then there are stories of individual law enforcement officers or politicos looking to use proprietary data for their own personal or prurient ends.
Wyden isn’t alone in his concerns about surveillance and back doors. Silicon Valley and lawmakers from both major parties have aligned with him, but they face an uphill struggle.
Scholars often note that America’s legal system has a hard time keeping up with rapidly changing technology. This act has the opposite feel. Lawmakers rush to appear to be doing something about data breaches and online security without thinking through all the implications of their bill.
This story was originally published April 12, 2015 at 10:00 AM with the headline "Botched cybersecurity bill in Congress would allow more snooping."