WASHINGTON D.C. — A coalition of free-market groups issued an open letter to Members of Congress, urging them to consider amendments to the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. That bill is intended to increase cyber security by facilitating greater sharing of cyber threat indicators (CTIs) by private companies with each other and with government, and by government with private companies that may face attack. But it also raises real privacy concerns because CTIs could include private information like email content or Internet usage history.

“We should all be more skeptical about Congress’s ability to design complex legal regimes around cyber security,” said Berin Szoka, President of TechFreedom. “It’s critical that Congress sunset this bill and require better reporting, especially about how much private information might be shared along with true cyber threat indicators. It’s unlikely that Congress will strike exactly the right balance between privacy and security the first time around, and so it should assume the bill will need to be modified based on how it actually works in practice.”

“Congress must ensure that agencies can’t strong-arm companies into sharing information involuntarily, and that agencies can be held liable for recklessly misusing private data they might receive. And agencies should be barred from using such information for regulatory purposes or for unrelated criminal prosecutions,” said Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute. “Finally, the existing bill’s blanket immunity for ‘defensive measures’ could encourage unauthorized access to protected computers, potentially endangering innocent bystanders caught in the middle of cyberattacks.”

The letter proposes eight amendments:

  1. Include a 3-year sunset — or, failing that, a 5-year sunset, a proposal that was defeated in markup before the House Committee on Homeland Security;
  2. Improve reporting requirements so that, as Congress considers re-authorizing the bill, it has an accurate sense of how often private data are shared under the bill as cyber threat indicators (CTIs);
  3. Enhance agency accountability by ensuring that, if government agencies willfully disregard the bill’s privacy safeguards, injured parties have legal recourse;
  4. Suppress evidence unlawfully obtained as CTIs from use in criminal cases;
  5. Preserve common law remedies beyond enforcement of contracts and terms of service by which companies promise not to share personal information;
  6. Bar any regulatory coercion of information-sharing, whether through formal rulemaking or other means;
  7. More thoroughly bar use of CTIs “for regulatory purposes” by clarifying that this includes enforcement action and merger review as well as traditional rulemaking; and
  8. Clarify language authorizing defensive measures to ensure that the bill does not authorize and encourage collection of private information from innocent third parties whose systems might be used in botnet attacks.

We can be reached for comment at media@techfreedom.org.