Cybersecurity Legislation And Constitutional Rights: The Constitution Project

 The Constitution Project, a constitutional rights watchdog, recently posted a report titled Recommendations For The Implementation Of A Comprehensive And Constitutional Cybersecurity Policy.  The Constitution Project's Liberty and Security Committee wrote the report (which was dated Jan. 27th, 2012).  The report takes an in-depth look at constitutional privacy concerns with upcoming cybersecurity legislation.

A quick roadmap: the committee first analyzed the government's current information-monitoring setup for government systems.  In that analysis, the committee looked at possible 4th amendment violations.  The committee then applied that 4th amendment analysis to pending cybersecurity proposals and the concept of information-sharing in general.  The committee concluded that any cybersecurity proposal must have accompanying privacy safeguards to protect constitutional rights.  

Background

As a bit of background, the most important thing to know about cybersecurity legislation is the phrase "information-sharing."  Information-sharing is the buzzword consistent across all of the cybersecurity proposals (and there have been a number of them).  Information-sharing generally refers to the idea of the public and private sectors sharing cyber-threat information with each other.  The expectation is that by sharing cyberattack threat information, both the public and private sector can better stop on-going cyberattacks.  The proposals differ on how they would facilitate that information-sharing (some advocate for a national clearinghouse, some for closer public-private partnerships), but the baseline idea is the same.  

Considering that information-sharing is the focus of nearly all cybersecurity proposals, the committee is worried about the privacy ramifications of allowing the government to monitor information shared by the private sector.  Specifically, the committee believes that information sharing has the potential to violate individual's civil liberties and privacy rights.    

The US Government's Current Setup

To illustrate this concern, the committee looked at how the federal government currently monitors its own computer systems.  For example, the federal government uses a computer program called Einstein to monitor data on its computer networks.  Einstein basically combs through e-mails on government systems, gathers information, detects anomalies and intrusions, and attempts to block intrusions.  If Einstein flags a certain e-mail as suspicious, a component of DHS keeps a copy of that e-mail.  DHS could potentially access the content of that e-mail. 

In effect, this presents a 4th amendment question.  Does the government's use of Einstein constitute an unreasonable search and seizure?  In reaching an answer, we have to consider whether there is a reasonable expectation of privacy for government workers and private parties that communicate with government workers. 

Now, it's not groundbreaking that the federal government monitors its computer systems.  Most of us would expect that.  In fact, the committee explains that federal employees are aware of Einstein (or are more generally aware that electronic communications on government networks are monitored).  Government employees are informed that their communications may be monitored when they log-in to their work-stations; in order to log-in, the goverment employee must consent to that monitoring.  As such, the committee finds that  federal employees do not have a reasonable expectation of privacy in their electronic communications on government networks, and therefore, the Einstein technology probably does not violate the 4th amendment.

But hold the phone.  What about private parties that communicate with federal government employees over a federal network?  Of course, private entities send e-mails to government accounts.  Those e-mails fall under Einstein's gaze.  Do private entities have a reasonable expectation of privacy here?  The committee argued that they probably do.  Unlike their government counterparts, private entities don't consent to Einstein surveillance.  Private entities may not even be aware of Einstein's surveillance.  As such, private entities still have a reasonable expectation of privacy, so DHS reading their e-mails could constitute a violation of the 4th amendment.  

This concern with private entity communication monitoring lead the committee to the crux of its argument: the third-party doctrine.  The third party-doctrine is sort of a loophole to the reasonable expectation of privacy concept.  The jist of the doctrine is that by turning over communications to a third-party, an individual loses their 4th amendment protection.  According to the committee, the government has used the third-party doctrine as a justification of Einstein's interception, copying, and monitoring of e-mail content between private entities and the government on government systems.   In effect, by sending an e-mail to a government account, the private party has turned over that information.  "Information passed between private individuals and federal agency employees ceases to be private when it reaches its recipient."

Cybersecurity Legislation

Ok, but how is any of this relevant to cybersecurity legislation?  Well, consider that buzzword of all the various cybersecurity proposals: information-sharing.  Specifically, information-sharing between the private and public sector.  The committee was concerned that the new focus on information-sharing may violate individuals civil liberties.  Individuals like you and I routinely communicate to third-parties like banks, brokerage accounts, electric companies, etc.  These same third-parties are the critical infrastructure that cybersecurity legislation seeks to protect.  When we submit that information, the third-party doctrine could remove our reasonable expectation of privacy.  If cybersecurity legislation is going to facilitate more information sharing between the government and third-parties, then we have some serious privacy concerns. 

Looking back at Einstein, we see that the government has previously argued that private entities lose their reasonable expectation of privacy when communicating with the government.  Would individuals lose their reasonable expectation of privacy under these new information-sharing arrangements?  The committee is concerned they could. 

Safeguards  

So how do we solve the problem?  The committee believes that "critical safeguards [must] be incorporated into current and future government cybersecurity programs to ensure protection for fundamental constitutional rights."  The committee suggested the following safeguards:

• "Any federal agency developing new or expanded cybersecurity programs should develop a Privacy Impact Assessment"

• When passing cybersecurity legislation, Congress should provide key privacy metrics based on existing federal privacy laws

• The private sector should monitor private networks to the greatest extent possible

• "All cybersecurity programs relying on partnerships between the government and the private sector should include specific procedures to limit the sharing of citizen's personal information between the private sector and government actors"

• All sensitive personal information should be anonymized

Conclusion

The committee believes that the passage of cybersecurity legislation will raise several constitutional rights questions.  In looking at the federal government's current information monitoring structure, we can see that the third-party doctrine might justify government surveillance of private communications over government networks.  In the context of cybersecurity legislation, information-sharing arragnements might result in privacy violations.  The committee concluded that the third party doctrine "should not provide a justification for the federal government to monitor private communications over private networks without judicial oversight." 

***

This was an incredibly deep article; my summary can't fully do it justice.  Moreover, there were a lot of suggestions for safeguards that I didn't mention.  Again, check out the source article Recommendations For The Implementation Of A Comprehensive And Constitutional Cybersecurity Policy by the Constitution Project.  Definitely an interesting article, and highlights all of the privacy concerns swirling around cybersecurity legislation.