* Republican bill would give immunity for sharing data
* Shared data includes "network activity," possibly email
* ACLU calls McCain bill a "privacy nightmare"
By Joseph Menn
SAN FRANCISCO, March 6 A cybersecurity
bill introduced by Republican Senator John McCain could
dramatically expand the domestic reach of U.S. intelligence
agencies and potentially give them massive troves of emails,
civil liberties advocates said.
"This is a privacy nightmare that will eventually result in
the military substantially monitoring the domestic, civilian
Internet," said Michelle Richardson of the American Civil
Liberties Union.
Unlike the Democratic-led alternative supported by Majority
Leader Harry Reid, the McCain bill stresses voluntary
information sharing instead of regulation of critical industries
by the Department of Homeland Security. McCain's bill was
introduced last week.
But the types of information that could be shared are broad,
and the data would go to "cybersecurity centers" that
specifically include the National Security Agency's Threat
Operations Center and the U.S. Cyber Command Joint Operations
Center.
McCain spokesman Brian Rogers said such concerns were both
overblown and premature.
"Senator McCain's priority in crafting this bill has been to
make sure it strengthens our security while continuing to
safeguard the privacy of consumers," Rogers said. "He remains
open to addressing legitimate concerns as this process moves
forward."
The bill says private companies such as Internet service
providers could send the defense agencies evidence such as
"network activity or protocols known to be associated with a
malicious cyber actor or that may signify malicious intent."
Neither "network activity" nor "malicious intent" are
defined in the bill, and they could theoretically encompass
ordinary emails containing legal protest speech, the ACLU's
Richardson said.
"It does appear it includes a hole through which the NSA may
be able to drive a freight train," blogged Jerry Britto, a
senior research fellow at George Mason University's Mercatus
Center and an adjunct law professor at the university.
A staffer working on the bill who spoke on condition he not
be named said nothing in the legislation would allow sharing of
emails that did not pertain to attacks on information security
systems and that acts of civil disobedience would be off-limits.
As troubling to civil libertarians as the scope of the data
are the destination agencies and the lack of recourse. Companies
that tip off federal officials would be protected from lawsuits
and criminal charges over what they pass along.
"It is absolutely critical that if the government wants to
collect information, it go through a civilian agency," said the
ACLU's Richardson.
A Senate aide, speaking on condition of anonymity, said the
Senate is unlikely to pass either the McCain bill or the
Democratic version and that talks on a possible compromise could
begin in the coming weeks.
President Obama's proposed legislation, like the omnibus
bill Reid wants, would leave DHS in charge of cybersecurity. DHS
could ask for help from the NSA, but would be subject to closer
oversight than actions led by the NSA and other parts of the
Defense Department.
McCain last month said he wanted the NSA to be more
involved, and the agency is seen as having greater defensive and
offensive capability. Under his bill, which was co-authored by
seven other Republicans, the cybersecurity centers could use the
information they get to investigate crime and for "a national
security purpose."
A national security purpose "is about as broad as you could
be," said Jim Dempsey, vice president of the nonprofit Center
for Democracy & Technology, who also faulted other terms in the
bill.
"We thought this was an issue that was close to consensus
and close to a positive resolution, but seeing the direction
this Senate bill went in, I'm more pessimistic now. It runs a
real risk of dragging down the whole concept of information
sharing."
The NSA has powerful eavesdropping tools and is ordinarily
barred from turning them on U.S. persons not suspected of
working for foreign powers. A law that gave the major U.S.
telephone carriers immunity for past cooperation with the agency
permits greater surveillance with approval of a court that meets
in secret.
Richard Clarke, a former top counter-terrorism and
cybersecurity official in previous administrations, said that
putting the NSA in charge was nonsensical.
"NSA or Cyber Command can't be the face of the government
effort," Clarke said. "Why are we having this controversy?"
Former NSA and CIA director Michael Hayden also said the NSA
could use its capability under DHS leadership.
Though Reid has said he wants to bring the other bill to
floor for a debate and vote as soon as this month, he may not be
able to muster 60 votes to force the issue.
McCain's alternative is seen as a prelude to talks to see if
a consensus is possible.
"It is going to take some negotiation in the coming weeks,
but people are working around the clock," Richardson said.
A number of cybersecurity bills, generally with a narrower
focus, are also pending in the House of
Representatives .
(Editing by Eric Walsh)