On The Front Lines

Rutherford Institute Joins with Broad Coalition to Call on Congress to Adopt Constitutional Cybersecurity Policy with Privacy Protections

WASHINGTON, D.C. — The Rutherford Institute has joined with a coalition of national organizations to call on Congress to include strong privacy protections in any cybersecurity legislation it adopts. The groups issued a comprehensive report prepared by The Constitution Project’s (TCP) Liberty and Security Committee on which John W. Whitehead, President of The Rutherford Institute, serves. While acknowledging the importance of protecting government and private computer networks against cyber-attacks, the report states that any cybersecurity program adopted by the federal government must have clear legal safeguards to prevent unrestricted access by government officials to individuals’ private information when searching network communications for harmful material. Specifically, the coalition called for inclusion of strict use requirements, so that data would only be shared with law enforcement or other government agencies if there were probable cause of criminal activity.

The report is available online at http://www.constitutionproject.org/pdf/TCPCybersecurityReport.pdf.

“It is critical that Congress strike a balance between securing our modern infrastructure and protecting the private content that Americans need to transmit electronically in this day and age,” said Whitehead. “This report provides some critical guidelines for charting this new territory.”

Reportedly, more than 50 cybersecurity bills were introduced into Congress last year, many of which could permit all online communications with banks, hospitals, airlines, and other critical private industries—including personal, private communications accessed or sent across those industry networks—to be shared with the federal government “as a matter of course.” Without proper access, storage and use restrictions built into cybersecurity programs, government agents could have the ability to review personal information and the content of private communications, and Americans would be subject to “the equivalent of a perpetual ‘wiretap’ on their private communications and web browsing behavior.”

The coalition report, endorsed by legal and policy experts from across the ideological spectrum, contains 17 specific recommendations to protect Americans’ privacy rights and civil liberties. Some of the key recommendations include: Any data shared between the government and the private sector should have “sensitive personally identifiable information (PII) from Americans removed and sanitized”; Any cybersecurity legislation, regulation, or agency directive regarding information sharing should require (1) strict time limits for data retention, (2) data anonymization whenever possible, and (3) policies to decrease the risk of inadvertent or improper disclosure of PII; Congress should require that content obtained by the federal government through the cybersecurity program only be used as necessary to prevent cyber-attacks and protect networks. Content should not be shared with law enforcement or relied upon as evidence of a non-cybercrime, unless the content was a necessary component of data flagged as a possible cybersecurity threat; Independent oversight of the U.S. cybersecurity program should be established to ensure that Americans' privacy rights and civil liberties are protected. In particular, the Privacy and Civil Liberties Oversight Board should be fully established; and Congress should require periodic mandatory audits by the Inspectors General of all agencies involved in maintaining cybersecurity in the United States.