Einstein 3 Privacy Concerns Voiced
Senate Panel Asked: Will Personally Identifiable Info be Exposed?
Philip Reitinger, Department of Homeland Security deputy undersecretary for the National Protection and Programs Directorate, told the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security that DHS envisions deploying Einstein 3 as an intrusion prevention system.
Einstein 1 monitors network flow and Einstein 2 detects system intrusions.
"This more robust version of Einstein would provide the federal government with an improved early warning and an enhanced situational awareness; the ability to automatically detect malicious activity; and the capability to prevent malicious intrusions before harm is done," Reitinger said.
But Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might themselves contain personally identifiable information, threatening the privacy of law-abiding citizens.
"While Einstein 2 merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns," Nojeim testified.
Einstein 3 reportedly could operate within the networks of private telecommunications companies, and Nojeim wondered if the technology could analyze private-to-private communications. "If Einstein were to analyze private-to-private communications, that would likely be an interception under the electronic surveillance laws, requiring a court order," he said.
Reitinger assured the committee that DHS is attentive to protecting privacy rights and civil liberties in deploying Einstein. He said DHS has added layers of protection by creating an oversight and compliance officer position within the Office of the Assistant Secretary for Cybersecurity and Communications, whose primary function is the monitoring and oversight of the Einstein program. In addition, he said, DHS's chief privacy officer is a member of the Einstein development team and reviews all components of the Einstein system to determine which elements require a privacy impact assessment.
"The Privacy Office will continue to perform thorough privacy analysis and publish as much of the privacy analysis as possible, consistent with security classification," Reitinger said. "More broadly, the DHS Privacy Office provides privacy training and oversight to U.S.-CERT personnel and the operators of the Einstein system. The DHS Office for Civil Rights and Civil Liberties is participating in the design, planning and execution of the Einstein program, providing proactive advice on how enhanced cybersecurity efforts may be conducted in a manner consistent with civil rights and civil liberties."
The committee received further assurance from Associate Deputy Attorney General James Baker, who said that the Justice Department is providing legal guidance on Einstein to federal agencies. "We have analyzed the Einstein program and taken steps to ensure that our cybersecurity efforts not only rest on sound legal footing but also vigorously protect civil liberties and privacy."
Despite these assurances, Nojeim suggested the subcommittee consider legislation to require independent audits of Einstein 3 to ensure that no private-to-private communications are scrutinized, and require a report to Congress if they are.
"The government should monitor its own networks for intrusion, but account for the chill to free speech and the right to petition the government that invasive monitoring could cause," Nojeim said. "Intrusion detection programs such as Einstein should be made more transparent."