In a preview of next Tuesday’s State of the Union address, President Obama spent this week rolling out a long list of new cybersecurity initiatives that includes legislation to protect consumers’ private data.
“As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business,” Obama said in a speech at the Federal Trade Commission on Monday.
The series of announcements comes after a year of high-profile data breaches at companies including JPMorgan Chase, Home Depot and Sony. There were 292 separate data breaches in 2014 alone, compared with 622 in 2013, according to the nonprofit Privacy Rights Clearinghouse.
The new proposals would require companies to notify users about data breaches within 30 days, criminalize selling stolen credit-card information outside the U.S., crack down on common hacking tools and create a Consumer Privacy Bill of Rights.
They would also expand the legal definition of unauthorized computer access and increase penalties under the Computer Fraud and Abuse Act (CFAA) — a law that has been used to bring charges in many controversial hacking cases, including the cases against Aaron Swartz and Andrew “Weev” Auernheimer.
According to Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, proposed changes to the CFAA could make cases like Auernheimer’s more commonplace by criminalizing any unauthorized access to computer data — even if the data’s owner leaves it unsecured.
“It introduces this idea that the computer owner can claim you knew you weren't supposed to access this information, and trigger the CFAA,” Jaycox explained.
While analysts who spoke with Al Jazeera America agree that mandatory breach notification is necessary, some are also concerned that the Administration’s proposal could override stronger state regulations and weaken the power of state attorneys general to go after companies that fail to disclose breaches in a timely manner.
However, the most controversial plank in the Administration’s new platform could be a proposal that would encourage private companies to share data about cyber threats with the Department of Homeland Security and, in the process, grant them immunity from any liability for sharing that data, which would likely include at least some private information about their users.
That has civil libertarians concerned about how data-sharing agreements could provide a backdoor for the government to collect and store data on Americans, especially after recent revelations about mass surveillance programs at the NSA, the FBI and the Drug Enforcement Agency that often involve corporate partnerships.
“I do think there are significant privacy implications,” said Roxana Geambasu, a computer scientist at Columbia University. “The way the data is being shared, and what can be done with that data, needs to be very, very highly regulated. If companies are going to be sharing data about attacks that inevitably has to include personal information.”
The White House has yet to release real details on several of its proposals. Analysts agreed that the language in final legislation — especially who enforces it — will largely determine how the Obama Administration’s new proposals affect both civil liberties and security.
“The real problem with these laws is that the devil is in the details. A one-paragraph summary could be good, but the details could be bad,” said Bruce Schneier, chief technology officer at Co3 Systems and a security expert. “And it could be because of a couple of words.”