A push by the White House and Congress to enable the private sector to share cybersecurity information with the government runs the risk of violating individual privacy, warns a Jan. 27 report from The Constitution Project.

The Washington, D.C.-based think tank argues that without specific safeguard to protect personally identifiable information, a legal doctrine governing the use of data access by third parties could be used to create in effect a mass federal wiretapping program.

The legal principle in question, the third party doctrine, holds that individuals do not have the right of privacy over information voluntarily turned over to a third party, even if in doing so they assume that the third party will not further distribute that information.

The federal government uses the third party doctrine to justify monitoring of Internet traffic between private individuals and federal employees transmitted over federal networks in a Homeland Security Department effort known as Einstein. The Justice Department office of legal counsel says, the paper notes, that a sender of emails loses the reasonable expectation of privacy over the contents of the message since the recipient has the right to forward it elsewhere.

Because proposed cybersecurity legislation by the White House and members of Congress calls on private sector industries such as banking, medicine and air travel to share cybersecurity information with the government, the government could end up monitoring communications sent across private networks, too, the paper says.  

The White House cybersecurity proposal unveiled in 2011 specifically would authorize Internet service providers to lawfully turn over to DHS information, including the contents of communications, regarding cybersecurity threats - but DHS would be able to further redistribute that information to law enforcement if the contents contain information about any crime, whether cyber-related or not.

"The fact that an individual may have consented to the copying and automatic screening of his or her communications for malicious signatures does not necessarily mean that the individual has also consented to having that information stored for human review or transferred to federal or local law enforcement," the paper says.

The third party doctrine should not be so broadly applied, the paper says, stating that some U.S. courts--including the Supreme Court--have sought to eliminate or heavily restrict it.

"Many of our day-to-day activities necessarily involve sharing digital information with third parties; unwavering adherence to the third-party doctrine in its current form would render the Fourth Amendment's privacy protections ineffective," it says.

For more:
- download the paper, "Recommendations for the Implementation Of A Comprehensive and Constitutional Cybersecurity Policy" (.pdf)

Related Articles:
House Cybersecurity Task Force suggests incentives, info-sharing 
Cyber crime losses exaggerated, say researchers 
Privacy concerns over House Intelligence cybersecurity info sharing bill