Written by Mark M. Jaycox and Rainey Reitman
Senator Franken's New Amendment Would Strike Section 701 of the Cybersecurity Act of 2012, Removing Provisions that Permit Monitoring of Private Communications and Countermeasures.
As we noted last week, a new cybersecurity bill (S 3414) (PDF) was introduced with privacy protective measures championed by Senators Franken, Durbin, Wyden, Coons, Sanders, Akaka, and Blumenthal. The bill is a step in the right direction of protecting online rights, but still has major flaws that allow for nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets).
To address these concerns, Senator Franken is spearheading an amendment that would strike all of Section 701 (text below), the section of the bill which provides companies with the explicit right to monitor private user communications and engage in countermeasures. EFF is proud to support this amendment, though we continue to oppose the bill as a whole.
We’ve argued that the language of 701 is overly broad and could be interpreted by an overzealous ISP to let it block privacy-protective technologies like Tor. Companies have yet to answer why such excessive monitoring and use of countermeasures are needed when existing laws already allow some entities to protect their networks. And frankly, we don't want our online service providers turning into Digital Big Brothers.
We remain unconvinced that a cybersecurity bill is necessary at this time, and we're committed to fighting to ensure user privacy isn't sacrificed in the rush to pass a bill. While the most recent version of the bill has strong privacy protections, Section 701 continues to pose a real threat to the rights of users to communicate privately. We're glad that Sen. Franken is championing an amendment that tries to fix these serious flaws with the bill.
Please join us in calling on Washington to defend online privacy in the cybersecurity debates. Make your voice heard in Washington by contacting your Senators today.
SEC. 701. AFFIRMATIVE AUTHORITY TO MONITOR AND DEFEND AGAINST CYBERSECURITY THREATS.
(a) IN GENERAL.—Notwithstanding chapter 119, 121, or 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), and sections 222 and 705 of the Communications Act of 1934 (47 U.S.C. 222 and 605), any private entity may—
(1) monitor its information systems and information that is stored on, processed by, or transiting such information systems for—
(A) malicious reconnaissance;
(B) efforts to defeat a technical control or an operational control;
(C) technical vulnerabilities;
(D) efforts to cause a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a technical control or an operational control;
(E) malicious cyber command and control;
(F) information exfiltrated as a result of defeating a technical control or an operational control;
(G) any other attribute of a cybersecurity threat, if monitoring for such attribute is not otherwise prohibited by law; or
(H) any combination of subparagraphs (A) through (G);
(2) operate countermeasures on its information systems to protect its rights or property from cybersecurity threats;
(3) consent to another private entity monitoring or operating countermeasures on its information systems and information that is stored on, processed by, or transiting such information systems in accordance with this section;
(4) monitor a third party’s information systems and information that is stored on, processed by, or transiting such information systems for the information listed in subparagraphs (A) through (H) of paragraph (1), if—
(A) the third party provides express prior consent to such monitoring; and
(B) such monitoring would be lawful under paragraph (1) or under any other provision of law if the third party were to perform such monitoring of its own networks; and
(5) operate countermeasures on a third party’s information systems to protect the third party’s rights or property from cybersecurity threats, if—
(A) the third party provides express prior consent to such countermeasures; and
(B) operating such countermeasures would be lawful under paragraph (2) or under any other provision of law if the third party were to operate such countermeasures on its own information systems to protect its own rights or property.
(b) USE AND PROTECTION OF INFORMATION.—A private entity performing monitoring or operating countermeasures under subsection (a)—
(1) may use cybersecurity threat indicators ac- quired under this title, provided such use is solely for the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from cybersecurity threats or mitigating such threats;
(2) shall make reasonable efforts to safeguard communications, records, system traffic, or other information that may be used to identify specific per- sons acquired in the course of such monitoring from unauthorized access or acquisition;
(3) shall comply with any lawful restrictions placed on the use of cybersecurity threat indicators, including, if requested, the removal or destruction of information that can be used to identify specific per- sons from such indicators;
(4) may not use cybersecurity threat indicators to gain an unfair competitive advantage to the detriment of the entity that authorized such monitoring or operation of countermeasures; and
(5) may use information obtained under any other provision of law.