In the past decade the Senate and House of Representatives have attempted to address the ever-growing concerns surrounding cyber-attacks (i.e., independent computer-network attacks), and cyber-espionage (i.e., government funded network attacks) through a variety of legislation.[1] The majority of proposed legislation on this topic is targeted towards improving information sharing networks across both private and public sectors. Several executive orders have also been issued by President Obama to encourage and protect public-private information sharing systems.[2] However, in recent months a House cybersecurity bill (“CISA”) was recently passed in the Senate, with amendments, that has caused the public to fear their Privacy rights have been violated, often times citing to their Fourth Amendment protections.
The arguments waged against CISA are likely rooted in the fear that the government is overstepping its national security boundaries, which became inflamed in the wake of the popularized NSA surveillance on U.S. citizens.[3] This does not mean that CISA does not drastically expand the government’s ability to gather information, but the worries waged against the government might be misplaced.
The general purpose behind CISA is to promote both the private sector and the public sector’s protections against cyber-attacks and espionage by codifying a method for corporations and the government to engage one another to share any information pertaining to failed or successful hacks into the corporate servers.[4] This is a voluntary relationship entered into by the corporations, but it is not far-fetched to believe the private sector would be interested in entering into this public-private relationship. In Massachusetts and Colorado, there are organizations comprised solely of private corporations openly communicating with one another to help ensure the corporations’ servers are prepared for potential attacks.[5] Similarly, DHS has had their ISAO and ISAC initiatives operating for several years.[6] These initiatives are a voluntary collaboration of private corporations, in various industries, sharing information with one another and DHS regarding potential attacks on the corporations’ systems.[7]
The actions in MA and CO are very similar to the actions taken by DHS, with the exception that the government has no involvement with the former.
In terms of constitutional privacy rights, provided by the Fourth Amendment, the information CISA seeks to share is not dissimilar to that of both the MA/CO and DHS initiatives; however, it does appear to expand the types of information able to be shared marginally. One worry that is waged against the act is that these corporations might share information an individual shared with them. (e.g., addresses provided to the corporation by the individual/client) While the act does not explicitly enumerate the types of information to be shared, it is irrelevant when determining if a Constitutional right is being infringed upon, when looking at from the perspective of the individual.
The Third Party Doctrine established in common law, states that any information willing given to a corporation by an individual does not have any reasonable expectation of privacy associated with it.[8] Therefore, once the individual provided the corporation with their information, any Fourth Amendment claim against that information is lost. This doctrine is routinely used in enforcing by police officers when gathering information on a suspect by retrieving information from cell phone providers, specifically numbers the individual is calling, without a warrant.[9]
This is not to say that no privacy argument can be waged against corporations for sharing an individual’s information with the government, but any argument would have to rest on a statutory analysis of the Privacy Act, not the Constitution.
[1] See Cyber Threat Sharing Act of 2015, S. 456, 114th Cong. (2015); Protecting Cyber Networks Act of 2015, H.R. 1560, 114th Cong. (2015); National Cybersecurity Protection Advancement Act of 2015, H.R. 1731, 114th Cong. (2015); Cyber Intelligence Sharing and Protection Act of 2015, H.R. 234, 114th Cong. (2015).
[2] See Exec. Order No. 13,691 (encouraging public-private information sharing relationships); Exec. Order No. 13,636, 79 Fed. Reg. 50,891 (2013) (attempting to improve cybersecurity protective measure on critical infrastructure).
[3] Kristina Peterson, Congress Reins in NSA Spying Powers, Wall St. J., June 2, 2015 (reporting on how Congress addressed the NSA’s policy of collecting U.S. citizen telephone calls and text messages, which the NSA considered a part of their surveillance duties), http://www.wsj.com/articles/senate-passes-house-bill-overhauling-nsa-surveillance-program-1433277227.
[4] Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (2015).
[5] ACSC Fact Sheet, Advanced Cyber Security Center (Jan. 23, 2015) http://www.acscenter.org/about/acscfactsheet012315.pdf; WCX Concept, Western Cyber Exchange, http://www.wcyberx.org/#!wcx/cjg9.
[6] Information Sharing, Dep’t of Homeland Security, http://www.dhs.gov/topic/cybersecurity-information-sharing (last visited June 30, 2015).
[7] Id.
[8] Smith v. Maryland, 442 U.S. 735, 743–45 (1979) (holding “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties” and sharing this information with government actor’s does not violate constitutional rights).
[9] Id.