There is no second opinion that civil liberties and national security requirements must be reconciled. World over countries are finding it very difficult to reconcile civil liberties with national security and law enforcement requirements. It is high time for countries to respect and accept human rights protection in cyberspace.
As on date, India has failed to maintain this delicate balance. For instance, there is no parliamentary oversight of intelligence agencies in India. Similarly, projects like Aadhaar are not supported by any legislation at all. The cyber security, data security and civil liberties implications of Aadhaar project and biometric collection by UIDAI in India are well known and even the illegality of Aadhaar project has been questioned in many Indian courts.
Although cyber crimes and cyber attacks have increased in India yet companies and banks in India are not reporting cyber attacks, cyber crimes and cyber frauds. Faced with a serious situation, Indian government is planning a legislation mandating strict cyber security disclosure norms in India.
In United States, proposed laws like cyber intelligence sharing and protection act (CISPA), computer fraud and abuse act 2013, preventing real online threats to economic creativity and theft of intellectual property act of 2011 (PIPA), stop online piracy act (SOPA), have also been proposed. No doubt there are circumstances where a better and constitutionally sound version of these laws may be desirable in US.
The cyber intelligence sharing and protection act (CISPA) is a controversial United States proposed legislation that has faced stiff resistance from civil liberty activists of US. CISPA, if passed, would allow sharing of sensitive information by network service providers (NSPs) with the law enforcement and intelligence agencies without much procedural safeguards and judicial scrutiny.
The proposed legislation would have seriously civil liberties violation implications especially those affecting the privacy rights of US citizens. In the past, the White House threatened to veto the CISPA if Congress approves it in its current form. Through a statement of administration policy on cyber intelligence sharing and protection act (CISPA), the Obama administration said CISPA treats domestic cyber security as an intelligence activity whereas it should be a civilian one.
CISPA was reintroduced to the US House in February 2013 that would allow the exchange of electronic information between Internet service providers and US government possible. The White House has threatened to veto the cyber security law, CISPA, once again citing privacy concerns.
The White House Memo says that both government and private companies need cyber threat information to allow them to identify, prevent, and respond to malicious activity that can disrupt networks and could potentially damage critical infrastructure. The Administration believes that carefully updating laws to facilitate cyber security information sharing is one of several legislative changes essential to protect individuals’ privacy and improve the Nation’s cyber security.
While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
The Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.
The Administration remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cyber security data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately.
The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres, while recognising that the Nation’s cyber security requires shared responsibility from individual users, private sector network owners and operators, and the appropriate collaboration of civilian, law enforcement, and national security entities in government.
The Administration agrees with the need to clarify the application of existing laws to remove legal barriers to the private sector sharing appropriate, well-defined, cyber security information. Further, the Administration supports incentivising industry to share appropriate cyber security information by providing the private sector with targeted liability protections.
Even if there is no clear intent to do harm, the law should not immunise a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals.
In addition to updating information sharing statutes, the Congress should incorporate privacy and civil liberties safeguards into all aspects of cyber security and enact legislation that: (1) strengthens the Nation’s critical infrastructure’s cyber security by promoting the establishment and adoption of standards for critical infrastructure; (2) updates laws guiding Federal agency network security; (3) gives law enforcement the tools to fight crime in the digital age; and (4) creates a National Data Breach Reporting requirement.