James Baker of the Justice Department recently testified to the Senate Judiciary Committee about ECPA reform, and in the process he touched on the provision of ECPA that prohibits ISPs from sharing subscriber data with the government in the absence of a court order. Mr. Baker hinted that this provision should perhaps be expanded to prohibit ISPs from sharing subscriber data with any third party in the absence of a court order:
A sixth potentially appropriate topic for legislation is the disclosure by service providers of customer information for commercial purposes. Under § 2702(c)(6) of ECPA, there are currently no explicit restrictions on a provider disclosing non-content information pertaining to a customer or subscriber “to any person other than a government entity.” This approach may be insufficiently protective of customer privacy. Congress could consider whether this rule strikes the appropriate balance between providers and customers.
This strikes me as a dangerous step from the point of view of cybersecurity. Let me give one example. In a distributed denial of service attack, infected consumer machines are instructed to send packets to a victim site, which is then overwhelmed by malicious traffic. An ISP can often tell which of their customers’ machines have been infected just by looking at the nature of the signals the machines are sending. If the ISP passes that information on to the victim site, the victim site or its service provider can shunt aside or drop signals from the infected computers as part of the target’s defenses.
Mr. Baker’s casual proposal to extend the ECPA bar on disclosure would seem to make such such defensive moves illegal in the absence of a court order. It seems to me that this would dramatically slow responses to denial of service attacks.
Am I missing something, or is the Justice Department just clueless? Orin Kerr, the batsignal is flashing!