Civil libertarians slam McCain US cybersecurity bill
* Republican bill would give immunity for sharing data
* Shared data includes "network activity," possibly email
* ACLU calls McCain bill a "privacy nightmare"
By Joseph Menn
SAN FRANCISCO, March 6 (Reuters) - A cybersecurity bill introduced by Republican Senator John McCain could dramatically expand the domestic reach of U.S. intelligence agencies and potentially give them massive troves of emails, civil liberties advocates said.
"This is a privacy nightmare that will eventually result in the military substantially monitoring the domestic, civilian Internet," said Michelle Richardson of the American Civil Liberties Union.
Unlike the Democratic-led alternative supported by Majority Leader Harry Reid, the McCain bill stresses voluntary information sharing instead of regulation of critical industries by the Department of Homeland Security. McCain's bill was introduced last week.
But the types of information that could be shared are broad, and the data would go to "cybersecurity centers" that specifically include the National Security Agency's Threat Operations Center and the U.S. Cyber Command Joint Operations Center.
McCain spokesman Brian Rogers said such concerns were both overblown and premature.
"Senator McCain's priority in crafting this bill has been to make sure it strengthens our security while continuing to safeguard the privacy of consumers," Rogers said. "He remains open to addressing legitimate concerns as this process moves forward."
The bill says private companies such as Internet service providers could send the defense agencies evidence such as "network activity or protocols known to be associated with a malicious cyber actor or that may signify malicious intent."
Neither "network activity" nor "malicious intent" is defined in the bill, and they could theoretically encompass ordinary emails containing legal protest speech, the ACLU's Richardson said.
"It does appear it includes a hole through which the NSA may be able to drive a freight train," blogged Jerry Britto, a senior research fellow at George Mason University's Mercatus Center and an adjunct law professor at the university.
A staffer working on the bill who spoke on condition he not be named said nothing in the legislation would allow sharing of emails that did not pertain to attacks on information security systems and that acts of civil disobedience would be off-limits.
As troubling to civil libertarians as the scope of the data are the destination agencies and the lack of recourse. Companies that tip off federal officials would be protected from lawsuits and criminal charges over what they pass along.
"It is absolutely critical that if the government wants to collect information, it go through a civilian agency," said the ACLU's Richardson.
A Senate aide, speaking on condition of anonymity, said the Senate is unlikely to pass either the McCain bill or the Democratic version and that talks on a possible compromise could begin in the coming weeks.
President Obama's proposed legislation, like the omnibus bill Reid wants, would leave DHS in charge of cybersecurity. DHS could ask for help from the NSA, but would be subject to closer oversight than actions led by the NSA and other parts of the Defense Department.
McCain last month said he wanted the NSA to be more involved, and the agency is seen as having greater defensive and offensive capability. Under his bill, which was co-authored by seven other Republicans, the cybersecurity centers could use the information they get to investigate crime and for "a national security purpose."
A national security purpose "is about as broad as you could be," said Jim Dempsey, vice president of the nonprofit Center for Democracy & Technology, who also faulted other terms in the bill.
"We thought this was an issue that was close to consensus and close to a positive resolution, but seeing the direction this Senate bill went in, I'm more pessimistic now. It runs a real risk of dragging down the whole concept of information sharing."
The NSA has powerful eavesdropping tools and is ordinarily barred from turning them on U.S. persons not suspected of working for foreign powers. A law that gave the major U.S. telephone carriers immunity for past cooperation with the agency permits greater surveillance with approval of a court that meets in secret.
Richard Clarke, a former top counter-terrorism and cybersecurity official in previous administrations, said that putting the NSA in charge was nonsensical.
"NSA or Cyber Command can't be the face of the government effort," Clarke said. "Why are we having this controversy?" Former NSA and CIA director Michael Hayden also said the NSA could use its capability under DHS leadership.
Though Reid has said he wants to bring the other bill to the floor for a debate and vote as soon as this month, he may not be able to muster 60 votes to force the issue.
McCain's alternative is seen as a prelude to talks to see if a consensus is possible.
"It is going to take some negotiation in the coming weeks, but people are working around the clock," Richardson said.
A number of cybersecurity bills, generally with a narrower focus, are also pending in the House of Representatives. (Editing by Eric Walsh)