The Volokh Conspiracy
The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I'll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn't entirely clear.
I. The Existing Provider and Computer Trespasser Exceptions
First, some context. The statutory surveillance laws, which generally consist of the Wiretap Act, the Pen Register statute and the Stored Communications Act, generally prohibit Internet surveillance subject to certain exceptions. Each of the laws has what is known as the provider exception. The provider exception allows telecommunications providers to conduct surveillance on their networks, and if necessary to disclose user communications, when it is "a necessary incident . . . to the protection of the rights or property of the provider of that service."
The idea for the provider exception first arose in the 1960s, when the telephone company would listen in on fraudulent calls made by blue box users in order to identify the callers. Courts held that the phone company has a right to listen in on user calls to protect its network from unlawful use. Importantly, the provider's right is limited to reasonable monitoring and disclosure. The provider can only listen in and disclose when it's really necessary to protect the network from the misuse.
For example, back in the days of fraudulent blue box use, the phone company could listen to the beginning of a fraudulent call to determine the identity of the caller and could hand over that information to the police. However, the phone company couldn't listen to or hand over the entire call. In effect, there is a tailoring rule under the provider exception. The provider can only monitor and disclose communications to protect its network, and it can only take steps necessary to protect its network.
There are very few judicial precedents on how these concepts apply to Internet monitoring. The provider exception was made statutory in 1968, and it was extended to the Internet in 1986. But Congress chose not to have a statutory suppression remedy for violations in the Internet context, which means that we don't get cases on how the provider exception would apply to monitoring Internet communications. It has generally been understood that in the Internet context, every network operator is a "provider" with respect to that chunk of the network. From there, we can analogize to the telephone cases where there is a suppression remedy and therefore cases. But how the provider exception applies to the Internet has remained pretty murky.
In part because of this murkiness, Congress enacted the computer trespasser exception in 2001. The trespasser exception allows network operators to consent to government monitoring of hackers inside their systems when the government is acting as part of an ongoing investigation. The idea is that the provider exception only allows monitoring for the provider's purposes, and that providers who lack the ability or interest to monitor hackers inside their networks may nonetheless be willing to consent to others monitoring those hackers. So 18 U.S.C. § 2511(2)(i) allows the government to monitor hacker communications inside a victim's network when the victim allows it and the government actor "has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant" to an ongoing investigation. It's a pretty limited exception, as it only authorizes monitoring of the hacker's own communications with the consent of the network operator.
II. The Cybersecurity Act of 2015
Now consider the new Cybersecurity Act, which was signed into law last Friday. Absent changes, it will stay in effect for 10 years: It sunsets on Sept. 30, 2025, according to § 111(a). Section 104 of the act is the key section on Internet surveillance. It is titled "Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats," and it permits network operators to take three kinds of steps "for cybersecurity purposes." First, network operators can monitor; second, they can operate defensive measures; and third, they can share information with others. The first two of these powers can be outsourced, too. With "written consent," a network operator can allow another entity to monitor its network and operate defensive measures on its behalf.
Importantly, each of these privileges is granted "notwithstanding any other provision of law," which is a phrase that at least in theory means that it trumps any other law that might get in the way. The law also supersedes any countervailing state law under an express preemption section, § 108(k). This means that § 104 grants network operators a legal privilege to monitor, operate defensive measures and share information in ways that may go beyond the more limited principles of the provider exception and computer trespasser exception and any related state laws.
But how far beyond? Let's take a closer look at each of the three new authorities.
III. Authority to Monitor
Start with the authority to monitor in § 104(a), which creates a privilege to "monitor" your own "information system" (or, with written consent, someone else's information system) for "cybersecurity purposes." There are a lot of defined terms here:
- "monitor" means "to acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system;"
- "information system" means "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;"
- "cybersecurity purpose" means "the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability;"
- "cybersecurity threat" in turn means "an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system." However, it does not include "any action that solely involves a violation of a consumer term of service or a consumer licensing agreement."
- Finally, "security vulnerability" means "any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control."
What does this do? First off, it broadly allows a network operator to conduct surveillance of his own network if done with the subjective purpose of protecting the network from hacking, denial of service attacks and other security vulnerabilities. Notably, unlike the provider exception and computer trespasser exception, there is no explicit tailoring requirement. The monitoring doesn't need to be reasonable or limited or only collect hacker communications. Instead, the key limit is a subjective one: The goal of the monitoring has to be to protect the network from misuse.
This naturally prompts the question of how broadly to construe "cybersecurity purposes." The problem is one that also exists under the provider exception. If the network operator is running the network but is also an employee of the company, are the relevant "rights and property" to be protected only the proper functioning of the network, or are they the interests of the company more broadly? This issue is unresolved in the provider exception context. In the context of the traditional provider exception, we just don't have the cases to say.
Does the Cyber Act provide more answers? A few things stand out. First, as I read the language, the right to monitor appears to extend to "cybersecurity purposes" generally, not just for the protection of the network operator's own interests. And relatedly, the right to monitor includes scanning and acquiring data that is merely transiting the system, which means that the network operator can monitor (or have someone else monitor) for cybersecurity purposes even if the operator isn't worried about his own part of the network being the victim. Note the difference between this and the provider exception. The provider exception is about protecting the provider's own network. If I'm reading the language here correctly, this is a broader legal privilege to monitor for cybersecurity threats.
Another important question is whether the act allows monitoring to catch theft of information from the network. Say you're at a company that has valuable trade secrets. You want to make sure that your employees aren't sending those trade secrets to others, so you want to watch your employees on the network pretty closely. Before the Cybersecurity Act, you needed to be pretty careful about doing that monitoring legally. You probably needed the consent of your employees to be monitored. But after the act, is that monitoring permitted? If an employee transmits trade secrets over the network, it seems plausible to say that, yes, it is. Transmitting trade secrets is an "unauthorized effort to adversely impact the . . . confidentiality . . . of . . . information" on the network. If so, a network operator can monitor to try to stop it.
If that reading is correct, the Cyber Act may give network operators broad monitoring powers on their own networks to catch not only hackers but also insiders trying to take information from the network.
Two points of caution. First, there's a lot of uncertainty in the language. The text describing what operators can monitor reflects a struggle with the same problem that Congress had enacting the Computer Fraud and Abuse Act (and, relatedly, the computer trespasser exception): Just how do you describe the unauthorized conduct that a cybersecurity law might target for surveillance? Instead of using "unauthorized access," the Cyber Act refers to "an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system," and expressly excludes "any action that solely involves a violation of a consumer term of service or a consumer licensing agreement." It's a long definition, but at bottom it hinges on the same word, authorization, as does the CFAA. Will courts have a clearer understanding of what counts as an "unauthorized effort" than of what counts as "access without authorization"?
Second, it's worth noting that courts have sometimes struggled to interpret the phrase "notwithstanding any other law." On its face, it seems to say that it trumps any other law that might get in the way. But courts haven't always interpreted it literally. Note this discussion from the Congressional Research Service:
Congress sometimes underscores statutory directives by requiring that they be undertaken "notwithstanding any other provision of law." This phrase seldom aids interpretation. It is the statutory equivalent of a parent telling a child "I'm serious," or "I really mean it." Despite the admonition, courts and administrators still must determine what the underlying directive means. And, ordinarily, there will still be other provisions of law that apply; the trick is to determine which ones. Courts have recognized these difficulties. One court, for example, ruled that a directive to proceed with offering and awarding of timber sale contracts "notwithstanding any other provision of law" meant only "notwithstanding any provision of environmental law," and did not relieve the Forest Service from complying with federal contracting law requirements governing such matters as non-discrimination, small business setasides, and export restrictions. "We have repeatedly held that the phrase 'notwithstanding any other law' is not always construed literally . . . and does not require the agency to disregard all otherwise applicable laws." In the few instances in which the "notwithstanding" phrase may be marginally helpful to interpretation, it still must play second fiddle to a clear and unambiguous statement of the underlying directive, and it is not as helpful as spelling out which other laws are to be disregarded.
Given that case law, it's not entirely clear how broadly to interpret the apparent monitoring privilege enacted by the Cyber Act.
IV. Authority to Use Defensive Measures
Let's turn next to the authorization to use defensive measures in Section 104(b). This provides the legal privilege "to operate a defensive measure" on your own "information system" (or, with written consent, someone else's information system) for "cybersecurity purposes," "in order to protect the rights or property" of the network owner. This introduces one new defined term: a defensive measure. Here's the definition:
- "defensive measure" means "an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability." However, it does not include "a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system."
This strikes me as largely a retread of the existing provider exception. Note the same language, "to protect the rights or property" of the network owner. It's arguably broader than the existing provider exception, in that it allows steps that "mitigate" the threat in addition to merely steps that observe or disclose the threat. But the mitigation is presumably limited to the threat itself, as harming the information system itself is not allowed under this provision.
V. Authority to Share Data
The last of the three authorities is granted in § 104(c), which permits sharing of data, both outgoing (sharing what the entity has with others) and incoming (receiving data from others). Let's focus on the outgoing disclosure of data that the entity has. A network operator may, "for a cybersecurity purpose," share "a cyber threat indicator or defensive measure" with others. The operator can do this only after first removing, either manually or by "a technical capability," "any information not directly related to a cybersecurity threat" that the operator "knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual."
The new term "cyber threat indicator" is defined as "information that is necessary to describe or identify" any of the following items or any combination of them:
- "malicious reconnaissance," defined as "a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat" and which here includes "anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;"
- "a method of defeating a security control or exploitation of a security vulnerability;"
- "a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;"
- "a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;"
- "malicious cyber command and control," which is defined as "a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system;"
- "the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;" [or]
- "any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law."
This section expands on the provider exception because the disclosure does not need to be for the protection of the operator's own network. As I read the language, a network operator can disclose "a cyber threat indicator or defensive measure" to help the cybersecurity of others rather than just to protect his own network. Again, it's the subjective intent that matters: The disclosure has to be for a "cybersecurity purpose." There is also the requirement of scrubbing known personal data beforehand.
In short, it seems to me that the new Cyber Act substantially broadens the powers of network operators to monitor and disclose beyond the existing provider exception and trespasser exception. The new language focuses mostly on the purpose of the monitoring and disclosure, with relatively little in place about the scope of monitoring or disclosure (although there is a requirement of scrubbing personal data if known). And it seems to allow monitoring for cybersecurity purposes generally, including outsourcing of that role to others, instead of limiting the exception to monitoring to protect the provider's own network. With that said, there is a lot that is unclear, especially with regard to what counts as a "cybersecurity purpose."
For more on the Cybersecurity Act, see Jennifer Granick's post noting that this language would trump possibly forthcoming federal regulatory efforts and state privacy laws.