Data Protection Tips for Proposed US Cybersecurity Laws

Proposed cybersecurity legislation is making business owners nervous – with good reason. These tips will help you be prepared no matter what US Congress does.

Is Washington waging a war on security technology? In April, U.S. Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) introduced what became a highly controversial bill that -- if it were enacted into law -- would require companies to hand over their users' data in "intelligible" form in response to a court order, effectively outlawing any strong encryption the provider itself cannot break.

Before long, the bill was widely thought to be as good as dead in the water because of strong public opposition. That may be an overstatement. Despite a lack of support from their Senate colleagues, Burr and Feinstein have urged "patience" on Senate-watchers where the bill is concerned.

Proposed Cybersecurity Legislation

Meanwhile, Beltway insiders have reportedly indicated that there is substantial reluctance to go to battle against the technology industry in a presidential election year. Indeed, a separate measure drafted by Senators Burr and John McCain (R-Ariz.) that would have made it easier for federal law enforcement to obtain private persons' electronic communications records without the bother of a court order or other due-process safeguard was defeated late last month -- albeit narrowly.

With the Burr-Feinstein legislation on life support for now, an alternative bill -- introduced in both houses of Congress, by Senator Mark Warner (D-Va.) and Representative Michael McCaul (R-Tex.) respectively -- has emerged as a possible compromise. The Digital Security Commission Act of 2016 is hailed by proponents as a far less "hasty" measure than the heavy-handed Burr-Feinstein bill.

The McCaul-Warner legislation would merely establish a commission -- made up of 16 people from across the public and private sectors -- to study the question of further encryption-related legislation and issue reports. Critics are skeptical, however, that the bill can produce a meaningful compromise.

Meanwhile, the FBI has been pushing for more electronic search-and-seizure leeway for quite some time. FBI Director James Comey has said that his top priority is to obtain the legal power necessary to be able to collect personal electronic communications data without obtaining a court order.

With all of this political posturing, cybersecurity- and privacy-minded companies should bear these three tips in mind to proactively keep their data safe -- regardless of which way the winds blow in Washington.

Look to California's Actions on Data Privacy

Are you considering founding a new company or relocating your current operations? Recent California legislation could potentially protect your company from law enforcement demands that you break your own encryption or reverse-engineer your own products -- provided your company is located within the state.

On January 1, a California state law took effect banning the sale or use, for advertising purposes, of voice data collected in that state via smart televisions or devices that connect to televisions (such as set-top boxes, DVRs and video-game consoles). The law further bans any voice-recognition feature on a smart TV from operating "without prominently informing ... the user" (or, during installation, the user's designee). These measures resulted from lawsuits related to the alleged collection and improper use of consumer data by Vizio smart TVs.

More pertinently, however, a separate clause in the law protects California businesses from being compelled to modify their devices to assist law enforcement or other investigators. Undoubtedly this is a move to protect Silicon Valley and other California tech companies in the wake of the recent Apple-FBI encryption scuffle after December's terror attack in San Bernardino. 

Whether that part of the law will stand up against federal preemption is another story, but the California tech sector -- and those considering a move to California -- can at least take heart in knowing that their state government legally stands behind them when it comes to law enforcement-compelled reverse engineering and encryption breaking.

Business owners may want to encourage their own state legislatures to adopt similar measures. At the very least, you will want to keep informed about your own state's legislative efforts involving cybersecurity and data protection.

Consider a Warrant Canary

Certain types of federal law enforcement demands -- National Security Letters, FISA court orders and the like -- are usually accompanied by a gag order that prevents the recipient from confirming or denying receipt of the demand (or, for that matter, the existence of the gag order itself). If the FBI gets its way, the federal government will enjoy even broader powers to issue such demands and bar speech about them.

The theory behind a warrant canary remains legally untested, but it goes like this: on a regular schedule, tell your users, your customers and the public that you have not received any of the demands that normally come with a gag order. Then, when and if you do become subject to one, you simply stop. Your silence (and the removal or alteration of the corresponding notice -- the "canary" -- on your website or in other communications) is at once compliant and tells the world at large, with a wink and a nod, that Uncle Sam has his hand over your mouth. For the signal to mean anything the canary has to be dated, published on a fixed schedule and, ideally, cryptographically signed, so that readers can tell a deliberately withdrawn canary from a merely stale or tampered page.

Understand the risks of relying on this legal theory, and be prepared to pay for a lawyer if the day ever comes when you have to kill your canary and face a government challenge in court. Still, the warrant canary bears consideration. (It has even picked up traction with the ACLU and the EFF.)
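One way to make the canary's signal machine-checkable, as an added example that is not part of the article (the statement layout, the dates and the sample wording are all assumptions constructed for this illustration): a small Python monitor that a reader, or the publisher's own operations team, runs on a schedule against the published statement. Signature verification is assumed to happen before the text reaches the parser.

```python
"""Warrant-canary monitor: an added example, not code from the article.

It implements the freshness and completeness checks a third party (or the
publisher's own staff) would run against a canary statement. The statement
format below is an assumption for this example; real canaries are usually
also PGP-signed, and signature verification is assumed to happen before the
text reaches parse_canary().
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

AS_OF_RE = re.compile(r"^Canary statement as of:\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)
DUE_RE = re.compile(r"^Next statement due by:\s*(\d{4}-\d{2}-\d{2})\s*$", re.M)


@dataclass(frozen=True)
class Canary:
    as_of: date                 # date the statement was issued
    due_by: date                # date by which a fresh statement is promised
    assertions: FrozenSet[str]  # the "we have not received ..." lines


def parse_canary(text: str) -> Canary:
    """Parse the assumed canary format; raise ValueError if it is malformed."""
    as_of_m, due_m = AS_OF_RE.search(text), DUE_RE.search(text)
    if not as_of_m or not due_m:
        raise ValueError("missing 'as of' or 'due by' header")
    as_of = date.fromisoformat(as_of_m.group(1))
    due_by = date.fromisoformat(due_m.group(1))
    if due_by <= as_of:
        raise ValueError("due date must be after the statement date")
    assertions = frozenset(
        line[2:].strip() for line in text.splitlines() if line.startswith("- ")
    )
    if not assertions:
        raise ValueError("no assertion lines found")
    return Canary(as_of, due_by, assertions)


def check_canary(previous: Canary, current_text: Optional[str], today: date) -> List[str]:
    """Compare the freshly fetched statement against the last known-good one.

    Returns a list of warnings; an empty list means the canary is alive and
    intact. A missing, stale, rolled-back or narrowed canary is exactly the
    signal the scheme is designed to carry, so each case is reported
    separately rather than collapsed into one boolean.
    """
    if current_text is None:
        return ["canary missing: statement could not be retrieved"]
    try:
        current = parse_canary(current_text)
    except ValueError as exc:
        return [f"canary unparseable: {exc}"]

    warnings: List[str] = []
    if current.as_of < previous.as_of:
        warnings.append(
            f"canary rolled back: now dated {current.as_of}, previously {previous.as_of}"
        )
    if today > current.due_by:
        warnings.append(
            f"canary stale: fresh statement was due by {current.due_by}, today is {today}"
        )
    for dropped in sorted(previous.assertions - current.assertions):
        warnings.append(f"assertion dropped: {dropped}")
    return warnings


# Constructed sample statements (not real canaries) used to exercise the checks.
PREVIOUS_CANARY = """\
Canary statement as of: 2016-04-01
Next statement due by: 2016-07-01
- We have not received any National Security Letters.
- We have not received any FISA court orders.
- We have not been required to modify our products to assist an investigation.
"""

# A healthy follow-up: same assertions, dates moved forward one cycle.
CURRENT_CANARY_OK = PREVIOUS_CANARY.replace("2016-04-01", "2016-06-01").replace(
    "2016-07-01", "2016-09-01"
)

# Same dates as the healthy statement, but the FISA line has quietly vanished.
CURRENT_CANARY_NARROWED = "\n".join(
    line for line in CURRENT_CANARY_OK.splitlines() if "FISA" not in line
) + "\n"


def demo() -> dict:
    """Run the monitor over the constructed samples; returns the warnings per case."""
    previous = parse_canary(PREVIOUS_CANARY)
    return {
        "healthy": check_canary(previous, CURRENT_CANARY_OK, date(2016, 6, 15)),
        "stale": check_canary(previous, CURRENT_CANARY_OK, date(2016, 9, 2)),
        "narrowed": check_canary(previous, CURRENT_CANARY_NARROWED, date(2016, 6, 15)),
        "missing": check_canary(previous, None, date(2016, 6, 15)),
    }


if __name__ == "__main__":
    for case, warnings in demo().items():
        print(case, "->", warnings or ["ok"])
```

The design point is in the four separate outcomes: a canary that only says "no requests" with no date cannot distinguish a deliberate withdrawal from neglect, so the statement promises a next-publication date and the monitor treats a missed date as a signal in its own right. Quietly dropping one line while keeping the page up is the subtlest way to kill a canary, which is why the monitor diffs the set of assertions against the last known-good copy instead of just checking that the page still exists.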

Use Dark Web for Good, Not Evil

While the vast majority of content on the Dark Web reportedly involves illegal, quasi-legal or otherwise unsavory activity, it also serves legitimate purposes such as protecting whistleblowers.

In a recent "Ask Me Anything" session on Reddit, warrant-canary activist Nicholas Merrill noted that any organization can easily set up a Dark Web version of its website as a Tor onion service (a "hidden service"), reachable with Tor Browser.

Mainstream services and websites, including Facebook and ProPublica, already have their own "hidden" Dark Web presences. (ProPublica even offers instructions on how to browse its site using Tor.)

"It would be a great thing if Reddit would set up a hidden-service version of their website," Merrill observed. Merrill also urged individual users to use Tor Browser for all of their web browsing so as to maintain their anonymity, whether or not they visit onion sites.

"There is nothing stopping you from accessing [a regular website like] Reddit using The Tor Project's Tor Browser and maintaining the anonymity of your IP address and geolocation," Merrill told Redditors. "In fact, it would relieve Reddit of some of the burden of protecting you if you would do so."
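As an added illustration of what Merrill describes (not part of the article, and not Merrill's, Facebook's or ProPublica's own configuration), this is the minimal torrc fragment that publishes an existing web server as a version 3 onion service. The directory path and the backend port are assumptions; adjust them to your deployment.

```text
# torrc fragment (assumed path and port; adjust to your deployment)
HiddenServiceDir /var/lib/tor/example_site/
HiddenServiceVersion 3
# Expose port 80 on the onion address and forward it to the web server,
# which must listen on loopback only.
HiddenServicePort 80 127.0.0.1:8080
```

After Tor is restarted it writes the service's .onion address to the file hostname inside HiddenServiceDir and the long-term key to hs_ed25519_secret_key; that key is the identity of the service, so back it up and keep it private. The practitioner's caveats: bind the backend web server to 127.0.0.1 only, since a server that also listens on a public interface gives away its real address, and strip identifying headers and error pages. For a mainstream site that merely wants to offer an onion mirror of a public service, as Facebook and ProPublica do, hiding the server's location is not the goal, and the Onion-Location HTTP header lets Tor Browser offer visitors the mirror automatically.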

SecurityPlanet
