The single biggest issue that stalled progress on a cybersecurity bill in July is a technological no-brainer.
While lawmakers will continue to mull the bill when they return from August recess, and privacy advocates continue to push for language to remove personal data from a proposed information-sharing program, it turns out erasing personal data is as easy as a few keystrokes.
Four of the 22 amendments pending for debate offer proposals for protecting data points that could identify individuals. Critics say the bill in its current form does not do enough to protect personally identifiable information.
The amendments aim to negate fears of privacy breaches by mandating that personal information unrelated to potential cyber threats be removed before data is shared.
Practically, removing consumers’ personal information would actually be fairly simple for companies to do. What’s more, it wouldn’t compromise the bill’s purpose of sharing cyber threats with the government.
In most cases, removing the information comes down to taking an extra step of deleting it before sending it, according to Ross Schulman, senior policy counsel at Washington-based think tank New America Foundation’s Open Technology Institute.
“It’s literally as easy as opening it up in a text editor and just hitting the backspace key a bunch of times to remove some information that’s in there that doesn’t need to be in there to make that piece of threat indicator useful,” Schulman said in an interview.
“The majority of the time the personal information is not actually integral to understanding the threat and therefore can be scrubbed pretty easily,” he added.
The bill, S. 754, centers on the concept that sharing cyber information between the private sector and the government will strengthen defenses against cyber attacks. The bill would encourage companies to share cyber threat indicators with the government by giving those that do liability protection.
But the personal information amendments won’t necessarily sail through. Many believe that adding another bureaucratic layer by requiring personal information removal might discourage companies from participating, according to Schulman.
“If what you are really striving toward is encouraging people to share a lot of this sort of information, you want to make it as easy as possible,” he said. “So if you tell them you have to open up each thread and you have sanitized the information in there, there is this worry that that will disincentivize people from sharing.”
Additionally, some just might not want the added obligation of identifying and removing personal information.
The amendments leave room for the possibility that if bits of personal information are vital for threat assessment, then they don’t need to be removed. Schulman posits those cases would be rare. “Most of the time the threat indicator is going to be some sort of code, personal data just doesn’t enter into it,” he said.
Sen. Ron Wyden (D-Ore.), an outspoken critic of the bill, said just before the August recess that characterizing the proposed data sharing program as voluntary is problematic. “It is voluntary as it relates to the companies. The companies can make the decision whether to share information,” Wyden told reporters. “But it’s mandatory for the consumer, the consumer doesn’t have the right to give permission to the company to share the information, the company does that.”
Wyden is the author of one pending privacy amendment that would require companies to remove personal information to an “extent feasible.”
Sens. Christopher Coons and Thomas Carper, two Democrats from Delaware, have offered amendments prohibiting the Department of Homeland Security from sharing any personal information with other government agencies.
It’s not just Democrats pushing for clarity about shared information. Sen. Dean Heller (R-Nev.) has proposed an amendment that would obligate entities sharing data with the government to strip any personal information they believe could be unrelated.