In a flurry of preholiday activity, the 113th Congress enacted several dozen pieces of legislation during the final week of its lame duck session. While many of the bills represent routine or ceremonial legislation (including the Newborn Screening Saves Lives Reauthorization Act and a law declaring a section of Interstate Route 35 in Minnesota as the James L. Oberstar Memorial Highway), a few are generating interest—and in some cases, controversy—for their possible impact on privacy, information security, and other areas of interest to the information industry.
Intelligence Authorization Act for Fiscal Year 2015
Among the more controversial bills of late 2014 was the Intelligence Authorization Act for Fiscal Year 2015 (Public Law 113-293). It passed the Senate by a voice vote on Dec. 9 and was approved by the House of Representatives in a vote of 325 to 100 on Dec. 10. The president signed the bill into law—along with a number of other end-of-session bills—on Dec. 19. The primary purpose of the act is to provide appropriations for various intelligence agencies and activities. However, one section buried within the act is being claimed to expand government spying by authorizing the “acquisition, retention, and dissemination” of “any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication.”
Known as Section 309 of the act, and titled “Procedures for the Retention of Incidentally Acquired Communications,” it appears to apply to “any intelligence collection activity not otherwise authorized by court order, … subpoena, or similar legal process. …” The act requires intelligence agencies to adopt rules covering these activities and has limits on how long the information can be retained, but does not address any limitations on these activities. The section was added by the Senate just prior to its voice vote and was not specifically debated in the House.
In a brief skirmish prior to the House vote, Rep. Justin Amash (R-Mich.) sent a letter to his colleagues lambasting Section 309, describing it as “one of the most egregious sections of law I’ve encountered during my time as a representative: It grants the executive branch virtually unlimited access to the communications of every American.” In response, the United States House Permanent Select Committee on Intelligence issued a fact sheet on the act indicating that Amash’s assertion is a “myth” and that “Section 309 provides no authority to collect any communications whatsoever. Instead, Section 309 protects privacy rights by requiring the government to adopt procedures to destroy communications collected outside the United States after five years. …”
Legislative language is often very convoluted and nuanced. Reading the legislation, it appears that there may be some truth to both positions. The language about acquiring communications without consent or other authorization can be read as applying to activities that are already underway as part of various programs already in place. (Whether those programs are legal or meritorious are separate questions.) Or it could be read as placing no restrictions on additional communications-interception activities. Similarly, the 5-year retention rule is very specific, yet there are several exceptions to the rule, including one that allows for retention when a communication is “reasonably believed to constitute evidence of a crime.” Under the Constitution, gathering criminal evidence is subject to the Fourth Amendment’s prohibitions against unreasonable searches. However, intelligence gathering is generally not subject to those prohibitions. Information gathered for intelligence purposes, but used for criminal investigation purposes, may violate the subject’s constitutional rights.
Federal Information Security Modernization Act of 2014
Less controversial was the Federal Information Security Modernization Act of 2014 (Public Law 113-283), also enacted in the final days of the 113th Congress. This law will support increased coordination among federal agencies for protecting federal information sources from hacking and other cyberthreats. It provides for shared oversight of information security operations between the Office of Management and Budget and the Department of Homeland Security; increased support from the Director of National Intelligence and the National Institute of Standards and Technology; and improved sharing of intelligence about cyberthreats, vulnerabilities, and risk assessment. The law is being cited as “bringing federal agency information security into the new millennium.”
National Cybersecurity Protection Act of 2014/Cybersecurity Enhancement Act of 2014
Looking more broadly at information security, Congress also passed the related National Cybersecurity Protection Act of 2014 (Public Law 113-282) and the Cybersecurity Enhancement Act of 2014 (Public Law 113-274). The two laws are intended to provide for a more integrated government and private sector response to cyberthreats by the creation of a “national cybersecurity and communications integration center” within the Department of Homeland Security. This center will be an “interface for the … sharing of information related to cybersecurity risks, incidents, analysis, and warnings” for both federal and nonfederal entities and companies (National Cybersecurity Protection Act). In addition, the National Institute of Standards and Technology is directed to work with government and private sector entities to establish an “industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure …” (Cybersecurity Enhancement Act).
No Vote on FOIA
Unfortunately, some bills did not get a vote in the final, hectic days of the 113th Congress, including the proposed Freedom of Information Act (FOIA) Improvement Act of 2014. This legislation would have addressed a number of criticisms and loopholes of FOIA by reducing costs for requests, penalizing agencies for slow responses, closing loopholes, and providing that frequently requested information be posted on agency websites. While the bill passed the Senate and was expected to pass in the House, it never made it to the floor of that chamber. At least one source speculates that some last-minute pushback from the Department of Justice and other agencies stalled the vote to a point at which it never happened. (For more on FOIA, see POLITICO’s coverage of new bills introduced in Congress that “would place a presumption of openness in the FOIA statute and require agencies to justify withholding of information by showing a specific harm that is foreseeable from disclosure.”)
Congress has not been the only branch of government acting in ways that could impact the information industry. The Supreme Court is continuing its recent trend of increased attention to patent and copyright issues by scheduling a number of such cases for argument in upcoming months. One case includes a question about whether royalties being paid under a patent licensing agreement continue after the patent has expired. Another involves the level of copyright protection for software, which is considered critical since the Supreme Court restricted patent protection for software in a summer 2014 decision. The court’s decisions for these cases are expected in late spring or early summer.