What's All This Talk About the Gov't Snooping on Emails for Cybersecurity? Does It Affect Me?

(Image: Shutterstock.com)

On Thursday, Reuters put out a story headlined "US plan calls for more scanning of private Web traffic, email." Like the recent news of law enforcement calling upon the government to expand its ability to access emails and text messages for investigations, this story was sure to raise some questions as well.

What's this all about? 

What Reuters is reporting is a continuation of an executive order on cybersecurity that was signed last month. President Barack Obama announced his signing of the cybersecurity executive order and a new directive to enhance infrastructure security in his February State of the Union address. Both items were to facilitate better sharing of information regarding cyberattacks between the private sector maintaining critical systems and the government.

Is this new?

As we explain above, the executive order that is calling for more communication with the government about cyberattacks is not new. Legislation was introduced last year and re-introduced this year that would serve a similar purpose as well. Reuter's story delves into a plan that might help facilitate this type of communication:

The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure.

As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks.

How is the government planning to snoop on employee emails and Internet movements while respecting privacy?

Reuters reported that the Department of Homeland Security is planning on using telecoms and defense contractors with security clearances to process the communications of companies who choose to participate:

The telecom companies will not report back to the government on what they see, except in aggregate statistics, a senior DHS official said in an interview granted on condition he not be identified.

"That allows us to provide more sensitive information," the official said. "We will provide the information to the security service providers that they need to perform this function." Procedures are to be established within six months of the order.

What do privacy advocates have to say?

If the program is voluntary -- meaning private businesses would have to choose to participate in allowing their communications and online movements to be scanned in cybersecurity efforts -- are there even privacy concerns? Reuters reported senior staff attorney with the Electronic Frontier Foundation Lee Tien saying that the program could raise questions about other activities that companies monitoring on behalf of the government could be collecting information on:

One technique for examining email and other electronic packets en route, called deep packet inspection, has stirred controversy for years, and some cybersecurity providers said they would not be using that. In deep packet inspection, communication companies or others with network access can examine all the elements of a transmission, including the content of emails.

Read more about the privacy concerns some have with "deep packet inspection," which was proposed by the U.N. Telecommunications Union.

Does it really affect me?

Unlike the recent push by law enforcement to expand their access to private, online communications for investigations, this is directed toward private sector companies managing critical infrastructure. Reuters reported a DHS official saying the government is not planning a cybersecurity program like this with communication companies that serve the public at large.

If you worked for a company that maintains critical infrastructure that also decided to participate in the government's program to monitor cybersecurity, then yes, this could impact you in the sense that, according to the plan, online movements and communications at work could be monitored by a defense contractor. The statistics from such monitoring is what would be reported to the government.

A similar bill that was killed in congress last year but was reintroduced in February -- the Cyber Intelligence Sharing Protection Act (CISPA) that would facilitated sharing of information between the government and private sector regarding cyberattacks -- does have some privacy advocates concerned over how it would impact individuals. Privacy advocates have for the past year been expressing discontent over the bill and its vague definitions as to what information could be shared.

The Huffington Post reported one of the groups re-launching a campaign against CISPA saying in a statement Tuesday that it would "allow companies to share private user information with the government in ways that are currently illegal, and provide legal immunity to companies that share information for vaguely defined 'national security' purposes."

James Lewis, a senior fellow and director of technology policy at the Center for Strategic and International Studies, though said this sentiment is not how the bill would work:

Under the current legislation, the government and companies would not share with each other the content of private emails, he said. Instead, a machine would search Internet traffic for patterns of "ones and zeros" in computer code that would signal a potential cyberattack, Lewis said.

Read more about the plans being developed to spot cybersecurity issues in Reuters' report here.

--

Related:

• Read Obama's Latest Executive Order and Directive Regarding 'Infrastructure Security'
• Law Enforcement Wants Your Text Messages Stored for Investigations
• CISPA: How the New Cybersecurity Bill Isn't SOPA But Some Say It's Just as Bad
• Here's How Authorities Can Legally Spy on Your Digital Life (And Congress Could Make It Easier)

Featured image via Shutterstock.com.