Cybersecurity Privacy Practical Implications

Concerning Privacy and Cybersecurity Policy

Latest News

  • Massive Government Data Breach Even Worse than Reported: A Congressional hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially reported that the personal information of 4 million government employees was obtained, but news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in Congress and the Senate in support of stronger security measures to protect personal data. (Jun. 25, 2015)
  • Senate Rejects User Surveillance Proposal: The Senate has rejected an amendment to the National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt) urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States. (Jun. 17, 2015)
  • Massive Breach Impacts Millions of Government Employees: The Office of Personnel Management has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although 432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has urged the White House and Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. (Jun. 10, 2015)
  • EPIC, Coalition to President: No Encryption Backdoors: EPIC and a coalition of civil society organizations and security experts urged President Obama to reject a proposal to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the "Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a letter to a UN Rapporteur. (May. 20, 2015)
  • Senate Committee Approves Cyber Surveillance Bill: In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity. (Mar. 14, 2015)
  • Executive Order Calls for More Cybersecurity Info "Sharing": President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54, which revealed the NSA's role in domestic cyber security. (Feb. 13, 2015)
  • President Obama Announces New Cybersecurity Initiatives: Today the President announced several cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity. (Jan. 13, 2015)
  • Senate Cybersecurity Information Sharing Bill Proposed: Senators Dianne Feinstein and Saxby Chambliss have proposed the Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see EPIC: Cybersecurity. (Jun. 20, 2014)
  • EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity: After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority). (Jun. 6, 2014)
  • New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air: New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity. (May. 12, 2014)


Cybersecurity encompasses an array of challenges in protecting digital information and the systems it depends upon to effect communication. The interconnected world of computers forms the Internet, which offers new challenges for nations because regional or national borders do not control the flow of information as it is currently managed. The Internet, in the most basic sense, works like any other remote addressing system: a telephone number corresponds to a particular device, and a home or building address corresponds to a particular geographic location. The Internet's addressing system is called the Internet Protocol (IP).

Each computer network and computing device designed to communicate over the Internet must have a unique address to send or receive messages. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the task of managing these addresses so that each unique Internet device (computer, cell phone, personal digital device) has a unique IP number designation. This Internet addressing system translates these numbers into World Wide Web addresses best known by the extensions .com, .edu, .net, and .org. This addressing system makes it very easy for people to find the people and Web addresses they are seeking. IP registration information or WHOIS data on Internet address holders is a source of contention between privacy/free speech/human rights advocates and law enforcement and commercial and government interests.


What Privacy Rights May be Involved with Cybersecurity?

Privacy interest in cybersecurity involves establishing protocols and effective oversight regarding when, why, and how government agencies may gain access to personal information that is collected, retained, used, or shared. U.S. businesses and government share responsibility for the insecurity of consumer online personal information. There is no single federal minimum standard for data protection that enforces fair information practices (FIPs). Fair information practices regulate and enforce consumer privacy rights regarding data collection, retention, use, and sharing of personal information. The federal approach has focused not on the protection of personal information, but on the purpose of the information collection.

The history of U.S. government agencies conducting sanctioned and unsanctioned surveillance of domestic communication by colluding with telecommunications and wire communication companies is well known (James Bamford, The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization (1983)). Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. Fundamentally, control of society is, in large part, about the ability of government to control communications.

One key challenge facing digital communications users is that this medium suits those inclined to spy unlike any other form of surveillance because the intruder can hide the fact that a communication has been compromised. The National Security Agency is no amateur at delving into personal communications that are secured by law or design from snooping.

Cybersecurity Interests

Consumer Cybersecurity Interest

Online consumers have been victimized by cyber-threats in the form of spyware; malicious computer viruses, worms, or malware; and fraud or abusive sales tactics that lure consumers to invest in bogus products or services. Online consumers routinely fall victim to identity theft, as well as spam, phishing or pharming attacks.

Consumers are also facing the challenge of determining which products or services to trust to provide goods and services as advertised.

Political Advocacy and Academic Cybersecurity Interest

For individuals and organizations that rely on the Internet for research, access to information, collaboration, political participation, fundraising, coalition building, campaigns, advocacy, organized dissent, political speech, watchdog actions against government and businesses, freedom of expression, dissemination of information or for outreach to constituencies, cybersecurity matters a great deal.

Threats posed to political activity include deceptive campaign tactics that deface Websites, target donations for theft, mount denial of service attacks on Websites, or send messages that are deceptive or misleading regarding the rules for voter participation on election day. If responses to cyber-attacks deny advocates access to the Internet and/or advanced communications networks, this would deny them the means to engage in a wide range of activities, including election protection efforts during public elections, mobilizing supporters for public protests, educating consumers, or empowering constituencies to know and understand policy that affects their lives. Academics and researchers must have a trustworthy and reliable means of exchanging ideas, participating in discussions, and collaborating on projects that advance their areas of research interest.

Business Cybersecurity Interest

Large and small companies have cyber-threats within and outside of their control such as data breaches, theft of company secrets, spying, attacks on computer networks, and damage to critical systems. Many companies are considering the challenges of cybersecurity and looking to new business applications such as cloud computing to secure data. However, cloud computing has enormous security and privacy risks relating to dependence on untrustworthy or unevaluated third parties.

New business and government services such as electronic health records and development and updating of critical infrastructure such as the Smart Grid each offer new cybersecurity privacy challenges for consumers.

National Security Cybersecurity Interest

The cyber-threats to any nation can range from disruption of an agency's networks or information services to the public to cyber-warfare. Depending on the agency, type of cyber-attack, its scope, duration, and effectiveness, the consequences for the online and offline operation of local, federal, or state government components can range from annoying delays in communications to serious damage to infrastructure threatening life or property.

Cyber-attacks or incidents that threaten the command and control structure of the national government or its assets including national defense, emergency response, and economic systems are of growing concern. The digital infrastructure of the nation must be treated as a strategic national asset. The new mission is to deter, detect, and defend against disruptions and attacks of all descriptions.



Cyberspace is global, but the freedoms that are protected by constitutional rights, human rights norms, and legal institutions are defined by treaty or geography. Cybersecurity may be defined by governments, but will have a lasting impact on many rights and civil liberties enjoyed by free people throughout the world who engage in cyber-communications. Freedom of expression, freedom of association, economic opportunity, and political discourse may be redefined by the course the United States charts for cybersecurity.

Decisions about how to define cybersecurity and who will define it may affect Internet anonymous speech, freedom of expression, free speech, and access to information. Those who have worked on Network Neutrality understand what manipulation of communications over the Internet might mean. However, in the realm of federal cybersecurity, transparency and oversight might not be part of the process.

The Obama Administration has engaged agencies of the federal government, large corporations, technology companies, technologists, legal scholars, and policy experts in the deliberative process related to establishing policy to secure cyberspace.

Cyberspace Policy Review

On May 29, 2009, President Barack Obama announced the Administration's plan to address the growing issue of digital information insecurity. The Administration engaged multiple participants to develop this plan.

Much of the nation's critical infrastructure is connected in some way to computer networks. Addressing digital communication system vulnerabilities touches on important privacy and security questions that must be answered. The President began this discussion on cybersecurity by stating:

It is now clear that this cyber-threat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we are not as prepared as we should be as a government or as a country. In recent years some progress has been made at the federal level, but just as we failed in the past to invest in our physical infrastructure, our roads, our bridges, and rails, we failed to invest in the security of our digital infrastructure. No single official oversees cybersecurity policy across the federal government and no single agency has the responsibility or authority to match the scope and scale of the challenge...

The Obama Administration is challenging federal government agencies, large technology companies, corporate America, academics and digital media users to join efforts to secure the Internet and telecommunications systems from every form of cyber-threat or menace.

The goal of the Administration is to pursue a new aggressive and comprehensive approach to cybersecurity that would address all forms of cyber-based threats. The category of threats will include those faced by consumers, corporations, critical infrastructure, and networked local, state, and federal government agencies. Internet or networked computer based communications have moved beyond an option to a necessary tool for a highly interconnected world. The Internet has fundamentally changed the social, cultural, business, political, and educational experiences of people.

The Cyberspace Policy Review set out 10 near-term actions. According to the Cybersecurity Factsheet, the Administration has completed or will soon complete all of those items:

    1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. ◊ Complete. Howard A. Schmidt has been appointed as the Cybersecurity Coordinator.
    2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes. ◊ Complete. The direction and needs highlighted in the Cyberspace Policy Review and previous national cybersecurity strategy are still relevant, and we have updated that strategy on targeted cyber issues, such as identity management and international engagement.
    3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics. ◊ Complete. All senior executives and senior leadership have been informed that cybersecurity is one of the President's key management priorities for the Federal Government. We have established metrics through the CyberStats program, and we have also worked with the Office of Management and Budget (OMB) to update the Federal Information Security Management Act (FISMA) metrics by which departments and agencies are graded on their cybersecurity. Together, we are shifting the Federal Government's approach to cybersecurity from a static, paper-based certification and accreditation to a dynamic, relevant process based upon continuous monitoring and risk assessment.
    4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate. ◊ Complete. Our second Director for Privacy and Civil Liberties official joined us from the Federal Trade Commission in December 2010.
    5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. ◊ Complete. We have developed a formal interagency process as we continue to address policy and legal issues. As part of that process, we identified additional authorities that the executive branch needs to fulfill its mission, and we have requested those authorities as part of our legislative package.
    6. Initiate a national public awareness and education campaign to promote cybersecurity. ◊ Complete. We have created the National Initiative for Cybersecurity Education (NICE) with the dual goals of a cyber-savvy citizenry and a cyber-capable workforce, including raising awareness for consumers, enhancing cybersecurity education, and improving the structure, preparation, and training of the cybersecurity workforce. After the 2010 National Cyber Security Awareness Month, DHS launched a year-round national awareness campaign, which has held events around the country.
    7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. ◊ Complete. We have finished and will soon release the International Strategy for Cyberspace, which provides a unified foundation for the nation's international engagement on cyberspace issues.
    8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. ◊ Complete. The National Cyber Incident Response Plan (NCIRP) was developed and tested during a national cyber exercise, Cyber Storm III. It is now in the final stages of being updated, based upon our experience using the plan in different cyber exercises.
    9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. ◊ Complete. The White House Office of Science and Technology Policy has finalized a Cyber Research and Development Framework. Public release of the plan is expected to occur in May 2011.
    10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. ◊ Complete. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was released on April 15, 2011. The Department of Commerce will stand up a program office to coordinate the federal government and private sector in implementing this effort.

Legislative Proposals

The White House proposed cybersecurity legislation in May 2011. According to the White House, the proposed legislation will help safeguard personal data, help protect our national security by addressing threats to critical infrastructure, and help the government protect federal networks while at the same time creating stronger privacy and civil liberties protections. The Fact Sheet on the Proposal highlights the following features of the legislation:

  • National Data Breach Reporting
  • Penalties for Computer Criminals
  • Voluntary Government Assistance to Industry, States, and Local Governments
  • Voluntary Information Sharing with Industry, States, and Local Governments
  • Critical Infrastructure Cybersecurity Plans
  • Increase of Effort and Resources to Protect the Federal Network

On January 5, 2011, Representative Bennie Thompson (D-MS) sponsored H.R. 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. H.R. 174 "seeks to enhance DHS' cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively." (Source: Press Release). It was referred to the House Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has held several hearings on the issue of cybersecurity. On June 24, 2011, the subcommittee held a hearing entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." On April 15, 2011, the subcommittee held a hearing entitled "The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure." On March 16, 2011, the subcommittee held a hearing entitled "Examining the Cyber Threat to Critical Infrastructure and the American Economy."

National Strategy for Trusted Identities in Cyberspace (NSTIC)

One objective of the White House's Cyberspace Policy Review was to develop a national plan for a public secure Internet identification program:

"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."

Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a screenshot.)

EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:

  • A complete enumeration of the sources of the problems identified in the draft
  • A clear plan for privacy protection
  • A strategy for the protection of private communications by fair information practices
  • The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
  • The assurance that Internet users can continue to create, control, and own web content

EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.

On January 7, 2011, White House Cybersecurity Coordinator Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute of Standards and Technology (NIST), that would be responsible for a digital identity framework.

As described by Secretary Locke in his announcement, the new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974.) The digital identity program is also designed to be entirely voluntary for users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.

For the full NSTIC page, see EPIC: NSTIC.

International Strategy for Cyberspace

On May 16, 2011, the White House announced the International Strategy for Cyberspace (ISC). The ISC outlines the United States' approach to cyber issues. The ISC states the goal of a "future for cyberspace that is open, interoperable, secure, and reliable." Policy priorities include:

  • Promoting International Standards and Innovative, Open Markets
  • Protecting Our Networks: Enhancing Security, Reliability, and Resiliency
  • Internet Governance: Promoting Effective and Inclusive Structures
  • Internet Freedom: Supporting Fundamental Freedoms and Privacy

Department of Commerce's Cybersecurity Policy Framework

On June 8, 2011, the Department of Commerce announced a new policy framework for cybersecurity and businesses online. The Department of Commerce Green Paper proposes voluntary codes of conduct for companies that do business online but are not part of the critical infrastructure sector. The framework makes specific policy recommendations, including:

  • Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security Extensions (DNSSEC) on the domains that host key Web sites. DNSSEC lets resolvers verify that DNS responses are authentic, so that users reach the web addresses they request rather than being redirected by forged DNS answers.
  • Develop incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
  • Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
  • Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.

The Green Paper was the product of the Internet Policy Task Force. The Department of Commerce launched the Internet Policy Task Force in April 2010. The Department of Commerce is seeking public comment on the Green Paper.


EPIC Reports, FOIA and Testimony

Organizations Working on Cybersecurity

Papers and Articles

Cybersecurity Infrastructure Surveillance Laws

Cybersecurity Legislation in the 111th Congress

News Articles
