obama_cybersecurity2
TechTank

Privacy and cybersecurity get political legs

Cameron F. Kerry

When I joined the Obama administration five years ago, I set out with like-minded colleagues at the Commerce Department to tackle key issues for the digital economy and protect the ecology of the Internet. At the top of the agenda were cybersecurity and consumer privacy.

These efforts were empowered by the White House and bore fruit with the 2012 privacy blueprint that articulated the Consumer Privacy Bill of Rights and with the 2014 National Institute of Standards and Technology (NIST) Cybersecurity Framework. Even so, these policy initiatives played supporting roles outside the spotlight.

Seeing cybersecurity and privacy take center stage in recent months has been a striking turn. A week ago, I joined some 800 government and industry leaders mixed with Stanford students at the White House Summit on Cybersecurity and Consumer Protection, where President Obama signed an executive order to improve cyber threat information-sharing. He and other members of his administration renewed calls for legislation to encourage such sharing by providing liability protection and guarding how personal information is shared; and corporate executives made up an amen chorus for use of the National Institute of Standards and Technology (NIST) to manage cyber risk.

The president has addressed cybersecurity and privacy issues frequently. At the Federal Trade Commission, he announced a package of measures on protecting student data, nationwide data breach notification, and consumer privacy legislation. The next day, he went to the National Cybersecurity Communications Integration Center to announce information-sharing legislation and plans for the Cybersecurity Summit. A day later in Iowa he returned to these subjects as part of a speech on promoting broadband.

In 2012, the rollout of the Consumer Privacy Bill of Rights was delayed because it was a candidate for inclusion in the State of the Union speech. In an election year that was about explaining what the president had done to help people recover from the Great Recession, it was a long shot candidate and ultimately was not in the speech. But this year, President Obama wove privacy and cybersecurity into discussions about national security and urged Congress “to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information.”

Congress also has embraced these issues. The last days of the 113th Congress saw the surprise passage of four bills on cybersecurity addressing responsibilities of federal agencies, which President Obama promptly signed. The 114th Congress has picked up where its predecessor left off, with members introducing several bills and several committees scheduling early hearings on cybersecurity and privacy. Everyone wants in:

  • The House Energy and Commerce Committee (data breach legislation on January 27)
  • Senate Homeland Security and Governmental Affairs (information sharing on January 27); House Science (cyber threats January 27)
  • Senate Commerce, Science and Transportation Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security (data breach notification on February 5)
  • House Education and the Workforce (student privacy on February 15); House Homeland Security (a series of hearings on information sharing).

Notably, the full Senate Commerce Committee took a thoughtful look at the Internet of things, a contrast to two years ago when I mentioned the Internet of things in a meeting with a congressional leader on technology issues and was greeted with a blank look and response, “What’s the Internet of things?”

A number of factors have sparked this heightened interest in these issues. As both parties seek to show they can govern and bridge partisan divides, they have discovered that privacy and cybersecurity are issues on which they can find common ground. President Obama’s recent speeches on these issues have all stressed bipartisanship. As he put it at the Stanford summit: “This should not be an ideological issue. And that’s one thing I want to emphasize: This is not a Democratic issue, or a Republican issue. This is not a liberal or conservative issue. Everybody is online, and everybody is vulnerable.”

In this vein, the Stanford gathering was billed as a summit on cybersecurity and consumer protection. One of its two plenary panels addressed “consumer oriented business and organizations.” Likewise, the January 12 announcement at the FTC was billed as “safeguarding American consumers and families.” As the economy moves beyond the Great Recession, more people are able to look to other issues and to the jobs of the future.

A recent Pew Research study showed a high level of consumer anxiety about these issues. It found that a majority of adults “feel that their privacy is being challenged along such core dimensions as the security of their personal information and their ability to retain confidentiality.” These dimensions include especially the ability to control information about them and how it is used.

These concerns have been magnified by the Snowden disclosures and the high-visibility attack on Sony Pictures. The Pew study found that “news stories about the revelations continue to register widely among the public” and that the erosion of confidence in common communications challenges is greatest among Americans aware of government surveillance. Outside the United States, the reaction to the Snowden disclosures has been profound, resulting in competitive losses to American businesses overseas. Policies to address privacy and security respond to these sentiments and to what has become a crisis of trust.

This landscape provides fertile ground for Congress and the White House to move forward on a variety of proposals. Below are some thoughts about some specific cybersecurity and privacy proposals that may move forward.

Data Breach

Establishing a single national standard for notifying customers and regulators of data breaches has broad support. For example, Chairman Rep. Marsha Blackburn (R-Tenn.) and Ranking Member Rep. Peter Welch (D-Vt.) of the Communications and Internet Subcommittee of the House Energy and Commerce Committee have announced they are planning a data breach bill together. Data breach was part of the administration’s 2011 cybersecurity legislation, and this year the administration has proposed a stand-alone notification bill. Sen. Thomas Carper (D-DE) has introduced a bill that shares much in common with the administration proposal. With 47 states and the District of Columbia having adopted data breach laws, having a consistent national standard is a logical and incremental step.

There are two key hurdles. One is the scope of preemption: preempting varying state laws makes federal breach legislation attractive to business, but state attorneys general and privacy advocates see this as weakening enforcement. These concerns can be met in part by authorizing states to enforce the federal law. The other major issue is the standard for notification–the threshold for notifying regulators and affected consumers—and how specifically the time for notification is spelled out. The majority of states trigger notice based on a risk of harm and provide a flexible time such as “expediently” or “without unreasonable delay.” The White House bill follows similar lines but generally would require notice to the Federal Trade Commission within 30 days.

Information-sharing

The idea that cybersecurity defense requires better sharing among companies and between the private and public sectors has wide support in principle. Information sharing is the most direct legislative response to threats like the Sony hack and has generated the most rhetoric about bipartisan cooperation (as evidenced by the number of hearings in the listing above). Intelligence committees in both houses are circulating draft bills. But information sharing also faces higher political hurdles than data breach notification. Recall that when the House passed Cyber Intelligence and Protection Act (CISPA) in 2013, the White House threatened a veto.

Author

Key questions are what liability protection companies receive for sharing information with the government, and what limitations are placed on the use of personal information shared with other companies or the government. Companies should not incur increased risk of liability by virtue of disclosing information (the equivalent of use immunity in the criminal law context), but some proposals are so broad they could make it possible to gain a shield against liability by disclosing (the equivalent of transaction immunity). With regard to use limitations, there is a clear need to use information that may help to attribute cyber exploits or prosecute perpetrators for crimes such as computer fraud or theft of intellectual property. The more difficult questions come as the list of potential crimes or other uses expands beyond what is directly related to detecting or responding to a cyber intrusion. There is also an issue as to how broad the NSA’s role should be in domestic cybersecurity.

The questions about government access to information and the NSA’s role that sank CISPA loom larger in the post-Snowden era. For example, the Center for Democracy and Technology (CDT) has staked out a position in opposition to the administration’s current proposal, which resembles what CDT sought in 2013. This sends a signal that the spectrum of support for strong privacy protections will be broad. There is a strong drive to get this done, but what is in the details and what committees and sponsors are involved will make a difference.

Surveillance reform

A debate about the boundaries of government surveillance and civil liberty, simmering since adoption of the USA PATRIOT Act in 2001, has boiled over in the wake of the Snowden disclosures. The debate has produced some interesting coalitions cutting across both parties, with libertarians and tech-oriented members squaring with defenders of intelligence and law enforcement practices.

Perhaps the least complex issue is updating the Electronic Communications Privacy Act of 1986 (ECPA) to require a warrant for stored electronic communications. The existing law allowing government access to these communications was enacted long before cloud computing and storage at the gigabyte and terabyte level, when opened emails were downloaded or deleted rather than stored online. A bill introduced by Senators Pat Leahy (D-Vt.) and Mike Lee (R-Utah) was reported unanimously by the Senate Judiciary Committee in 2012, and its House equivalent garnered 260 signatures in 2014. The legislation has not advanced or won unqualified support from the Obama administration because the Securities and Exchange Commission, along with other administrative enforcement agencies that lack the power to issue warrants, want to preserve their authority to use subpoenas for emails and other electronic records. It is now overdue. It is hard to rationalize why the same email stored in an Outlook account on a PC is protected by a warrant standard but available by subpoena when it’s stored in a Gmail account.

Support for ECPA reform was building even before the Snowden disclosures. A number of other measures have come to the fore since. The most prominent among these is the USA Freedom Act, introduced in the House by Rep. James Sensenbrenner (R-Va.) and the Senate by Leahy. This bill would curtail the bulk collection of telephone records and adopt other reforms such as making FISA proceedings more adversarial. The USA FREEDOM Act passed the House last summer 303-121, with some libertarians defecting because of changes to accommodate surveillance, but the Senate version failed a cloture vote. Both sponsors have expressed their intention to reintroduce their bills.

There are two new bills in this space that are related to surveillance and law enforcement access to information. Senators Hatch (R-Utah), Coons (D-Del.), and Heller (R-Nev.) reintroduced the LEADS Act (Law Enforcement Access to Data Stored Abroad), which in addition to updating ECPA prevents law enforcement from obtaining data stored overseas if that access would violate the laws of the country where it is stored or is not associated with a U.S. person. This takes up the issue presented by Microsoft’s challenge to a federal warrant for data of an Irish citizen in a data center in Dublin. In addition, the report from the Director of National Intelligence on the anniversary of the president’s surveillance directive disclosed that the administration is working with Congress on legislation “to give citizens of designated countries the right to seek judicial redress for intentional or willful disclosures, and for refusal to grant access or to rectify any errors in the information.” This refers to giving citizens of the European Union and elsewhere the same right of action under the federal Privacy Act that U.S. citizens have, a measure vital to sustaining the U.S.-E.U. Safe Harbor Agreement that enables transatlantic flows of data despite differences in legal systems.

It is also conceivable that proposals crop up to update law enforcement ability to conduct intercepts of communications on emerging technologies to allay the concerns that FBI Director James Comey and Robert Mueller have raised about losing this capacity. The Obama administration never came to terms on such a proposal, but it could do so yet or Congress could step in with a legislative fix.

The bipartisan support for these various reforms in different libertarian and tech-oriented strains makes it hard to make predictions based on party lines or ideology. But there is one difference from the last Congress that is likely to change the landscape for surveillance reform: the FISA Amendments Act authority for the telephone metadata collection expires June 1. Some have suggested a scenario that authority to continue ongoing investigations could enable the Section 215 program to live on in perpetuity. But with the president having said that the existing program should end and Congress should update the law, it is unlikely the administration would continue wholesale collection unilaterally. This puts some pressure on supporters of surveillance to come to terms and makes possible a grand bargain that continues and even expands some surveillance authorities but gives up others.

Baseline privacy legislation

The 2012 White House privacy blueprint “urge[d] Congress to pass legislation adopting the Consumer Privacy Bill of Rights” by codifying the rights defined in the blueprint, and President Obama promised in the forward to “work with Congress to put [these principles] into law.” At the Stanford summit, President Obama reiterated his promise to produce a draft of legislation by the end of February. This will jumpstart a debate about giving businesses and consumers a set of baseline rules for privacy protection in growing areas not addressed by existing sectoral privacy regimes. I have a strong rooting interest in this proposal as a principal architect and a drafter of the legislation before leaving the administration in late 2013. I always believed that broad reforms like these take several sessions of Congress to pass. But I am mindful that 2016 is a presidential election year and that the only time Congress overrode, did so by overriding numerous vetoes by George H. W. Bush. was to pass the Cable Television Consumer Protection Act of 1992. The result made for good consumer politics late in an election year by regulating cable television rates. Addressing consumers’ anxieties about their data online is the kind of consumer-and-voter-friendly measure that could catch on in a big election year.

There are compelling policy and political reasons for Congress and the administration to pass legislation on privacy and security. They are essential enablers of trust in a digital and increasingly data-driven society and economy, vital to America’s brand and American brand names in a networked world. American technology has led the way in creating that world, and if America lets others lead in responding to challenges that technology has produced, we are apt not to like the response.