President Bush today signed a homeland security bill that could have far-reaching implications for computer security and Internet privacy.
The homeland security bill includes a provision that shields Internet service providers (ISPs) from customer lawsuits if providers share private subscriber information with law enforcement authorities.
Another addition makes it easier for law enforcement to trace the location and identity of an Internet user suspected of posing an "imminent threat to national security interests" or perpetrating attacks on "protected computers" -- a term that encompasses both government computers and any system used in "interstate commerce or communication."
Proponents of the changes -- including Senate Judiciary Committee top Republican Orrin Hatch (Utah) -- said the provisions will provide greater flexibility for law enforcement and help protect key systems against cyberattacks.
Privacy advocates, however, said the new language is a back-door attempt to give the Bush administration the enhanced surveillance powers it failed to win in the USA Patriot Act. That law, enacted in the wake of the 2001 terrorist attacks, increased the capability of intelligence agencies to eavesdrop on personal conversations.
"One of the best protections [under current law] is that communications providers can't simply become agents of the federal government and hand over customer information," said Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center, in a recent interview. "These provisions weaken those protections."
Another controversial provision added to the homeland security bill allows companies to share information with the government about electronic vulnerabilities -- without having to worry that such disclosures would be publicized.
The measure exempts cybersecurity disclosures from the Freedom of Information Act (FOIA), the law that allows citizens to obtain non-classified information from the government. It also makes it a criminal offense for any government employee to publicize vulnerabilities revealed by companies to government agencies.
American Civil Liberties Union Legislative Counsel Tim Edgar said that the FOIA exemption could prevent the public from learning about online threats.
"The problem with the bill is that it creates an unnecessary preemption to FOIA for businesses that could undermine national security rather than enhancing it," Edgar said.
Harris Miller, president of the Information Technology Association of America, said the technology industry supports the exemption.
"This is going to remove one of the huge impediments to companies being willing to share extremely sensitive information with the government, and will be an important step forward in government and industry efforts to fight cyberterrorism," he said.
Miller also said that a FOIA exemption without enforcement measures would be ineffective. "Without meaningful disincentives against government employees overriding the law, there is nothing to keep employees from just ignoring the restrictions," he said.
Other new language in the homeland security bill increases penalties for a range of computer crimes, including the possibility of life in prison for hackers whose actions result in "serious bodily injury" or death.
The bill also establishes law enforcement and corrections technology centers to develop investigative technologies to fight cybercrime. These cybersecurity components were added the same week that Congress approved legislation that would triple federal funding for computer security research.
In addition, the legislation includes a proposal passed by the Senate this year to establish an information technology equivalent of the National Guard.
The "NET Guard" measure -- introduced by Sen. Ron Wyden (D-Ore.) -- organizes a volunteer force of federal, state, local and private programmers and engineers which could be called upon in an emergency to help restore communications networks and other vital systems.
Congress sent the legislation to the White House along with several other technology-related bills. One creates a specific Internet domain for children, another is designed to keep small Webcasters in business and a third tries to jump-start federal e-government initiatives.