As part of an expanding cybersecurity program, it has been revealed that the Department of Justice quietly gave some Internet service providers immunity from violations of wiretapping laws, allowing them to intercept communications in the name of protecting critical infrastructure.
The immunity was granted in so-called 2511 letters, a reference to Section 2511 of the wiretapping law, which makes it illegal to intercept communications without a warrant or consent from the user. An industry representative told CNET that the 2511 letters provide legal immunity from being prosecuted for violating this law.
“The documents concern a collaboration between the Defense Department, the Department of Homeland Security and private companies to allow government monitoring of private Internet networks,” EPIC stated on its website of the documents obtained through a Freedom of Information Act Request. “Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other ‘critical infrastructure’ industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation.”
The Enhanced Cybersecurity Services program, previously called the Joint Cybersecurity Services Pilot, was expanded by President Barack Obama’s executive order issued in February 2013. Here’s how the program works:
ECS is a voluntary information sharing program that assists critical infrastructure owners and operators as they improve the protection of their systems from unauthorized access, exploitation, or data exfiltration. DHS works with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS develops indicators based on this information and shares them with qualified Commercial Service Providers (CSPs), thus enabling them to better protect their customers who are critical infrastructure entities. ECS augments, but does not replace, an entity’s existing cybersecurity capabilities.
The ECS program does not involve government monitoring of private networks or communications. Under the ECS program, information relating to threats and malware activities detected by the CSPs is not directly shared between the critical infrastructure CSP customers and the government. However, when a CSP customer voluntarily agrees, the CSP may share limited and anonymized information with ECS. See the Privacy Impact Assessment below for more details.
With the immunity given to ISPs — CNET says AT&T and CenturyLink are the only two named participants but others are in the process of joining — EPIC’s Executive Director Marc Rotenberg said it is “helping private companies evade federal wiretap laws.”
“Alarm bells should be going off,” Rotenberg told CNET.
“These agencies are clearly seeking authority to receive a large amount of information, including personal information, from private Internet networks,” EPIC staff attorney Amie Stepanovich said, according to CNET.
Rotenberg also noted that under the executive order expanding cybersecurity measures to critical infrastructure, what constitutes “critical” could be open to interpretation.
“I could make a case for the criticality of several meat packing plants in Kansas. The disruption of the meat rendering facilities in Kansas would be very disruptive to the meat-eating habits of Americans,” Rotenberg said.
Read more of CNET’s story here.