OmniCISA Pits DHS Against the FCC and FTC on User Privacy

Publication Type: Other Writing
Publication Date: December 15, 2015

On Friday, Congress will vote on a mutated version of security threat sharing legislation that had previously passed through the House and Senate. These earlier versions would have permitted private companies to share with the federal government categories of data related to computer security threat signatures. Companies that did so would also receive legal immunity from liability under the Electronic Communications Privacy Act (ECPA) and other privacy laws. Today’s language, renamed the Cybersecurity Act of 2015 (Division N of the omnibus budget bill), mostly assembles the worst parts of the earlier bills to threaten privacy even further.

We have about two days to figure out what this so-called Cybersecurity Act (OmniCISA) means for consumer privacy in the US. That unfortunate timing is thanks to Speaker Paul Ryan’s decision to include language announced at 2am this morning as part of a must-pass spending bill scheduled for a vote Friday.

Tom Wheeler, Chair of the Federal Communications Commission (FCC), and Edith Ramirez, Chair of the Federal Trade Commission (FTC), might want to call on Speaker Ryan to pull the OmniCISA language from the spending bill and allow more time for debate. That’s because the bill as written appears to interfere with both agencies’ authority to issue privacy rules that would protect Americans from spying by the entities that have the most comprehensive access to our private data: our Internet Service Providers (ISPs). Here’s why.

OmniCISA says that:

Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor—

(A) an information system of such private entity; …

(D) information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.

This language means that, regardless of what rules the FCC or FTC have now or will have in the future, private companies including ISPs can monitor their systems and access information that flows over those systems for “cybersecurity purposes.”

Earlier this year, the FCC issued an Open Internet Order that classified Internet broadband service as a Title II service for network neutrality reasons. Subsequently, in May, the FCC announced that its Open Internet Order “applies the core customer privacy protections of Section 222 of the Communications Act” — which requires that providers “shall only use, disclose, or permit access to individually identifiable customer proprietary network information” in the provision of services. Experts anticipate that the agency will conduct a rulemaking to set more explicit privacy rules to protect Americans and to give providers more guidance.

Read the full post at Just Security