- The Washington Times - Thursday, April 11, 2013

Opponents of a bill to let private companies share cybersecurity information with the federal government vowed Thursday to continue their fight, saying the proposed law would lead to broader government monitoring of the Internet.

The American Civil Liberties Union opposes the bill because “Companies can still share personal information with each other or the government [and] military agencies like the NSA are still allowed to collect American Internet information,” ACLU legislative attorney Michelle Richardson said.

The House Permanent Select Committee on Intelligence approved the bill 18-2 at a closed-door markup Wednesday, after adopting amendments designed to assuage fears that the proposal would allow broad government monitoring of domestic electronic communications and scoop up the private data of Americans for analysis by the National Security Agency.

The bill now is expected on the House floor as early as next week, according to congressional staff.

“This is not a surveillance bill,” said Rep. Mike Rogers, Michigan Republican and committee chairman. “This bill does not allow the NSA or any government agency to plug into domestic networks and listen in.”

During the two-hour-plus meeting, the committee rejected two amendments supported by Internet civil liberties advocates and proposed by the two Democrats who ended up voting against the bill — Reps. Adam B. Schiff of California and Janice D. Schakowsky of Illinois.

The Schiff amendment would have required companies sharing cybersecurity information — for instance, samples of network traffic data in real time — to make “reasonable efforts (which may include automated processes)” to strip out the personally identifiable or private data of individuals “unrelated to a cyberthreat.”

Mr. Schiff expressed disappointment that his amendment was voted down.

“It is not too much to ask that companies make sure they aren’t sending private information about their customers, their clients and their employees to intelligence agencies, along with genuine cybersecurity information,” he said in a statement.

The Software and Information Industry Association, which represents the big companies that make software, games and other digital content, opposed the amendment.

Personal or private data “may be intertwined with cybersecurity information in ways that make it hard to remove. That was our concern,” said David LeDuc, head of public policy for the association.

Mr. LeDuc offered as an example data tracing a hacker’s route into a compromised network, which might include his impersonating or taking over the machine of a person at the company to get access to the system. That trace data might contain names and passwords belonging to innocent third parties, Mr. LeDuc said.

Committee staffers said lawmakers had adopted a different amendment, one that would require the government to strip out personal data.

The amended bill would “require government to establish procedures to minimize the [cybersecurity threat] information they receive of any” personally identifying information, said Rep. C.A. Dutch Ruppersberger of Maryland, the committee’s ranking Democrat. His district includes NSA’s headquarters at Fort Meade.

He and Mr. Rogers spoke with reporters on a conference call this week ahead of the closed-door session.

Story Continues →