Senate Passes Cybersecurity Bill With Huge Privacy Flaws – A Backdoor to Surveillance

Thu, 10/29/2015 - by Andy Greenberg and Yael Grauer
This article originally appeared on Wired

For months, privacy advocates have asked Congress to kill or reform the Cybersecurity Information Sharing Act, a bill that they say hides new government surveillance mechanisms in the guise of security protections. Now the Senate has shot down a series of attempts to change the legislation’s most controversial measures, and then passed it with those privacy-invasive features fully intact.

On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law. CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, which could then pass it on to other agencies like the FBI and NSA, which would in theory use it to defend the target company and others facing similar attacks. That landslide vote was no doubt fueled in part by a year of massive hacks that hit targets including the health insurer Anthem, Sony, and the Office of Personnel Management.

But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”

The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”

Before passing the bill Tuesday afternoon, Senators first voted on a series of amendments that sought to reform the bill’s privacy protections. They ultimately rejected all of them. One of those now-tossed amendments put forward by Senator Al Franken would have narrowed the definition of “cybersecurity threat” and “threat indicators” covered by the bill. Franken’s amendment lost by a vote of 35 to 60. Another amendment from Senator Ron Wyden required companies to remove personal data from those cyber threat “indicators” before sharing them unless that personal information is necessary to describe or identify the threat. It lost by a vote of 41 to 60.

CISA’s supporters argue that critics’ privacy concerns are misunderstandings. Senate Intelligence Committee chair Richard Burr last week released a list of “myths” about CISA, including its enabling of surveillance. The statement points out that CISA’s corporate information sharing is voluntary, and that companies are required to strip out personally identifiable information from any data before sharing.

“I still say today to those folks in this institution and outside this institution that are concerned with privacy, I think [Senator Dianne Feinstein] and I have bent over backwards to accommodate concerns,” Burr said on the Senate floor Tuesday morning. “Some concerns still exist. We don’t believe they’re necessarily accurate, and only by utilizing this system will we understand if we’ve been deficient anywhere.”

But privacy advocates have countered this argument about CISA’s voluntary nature by pointing out that companies could be required to participate in its data collection to receive help from the government, creating strong incentives to share data. “Not to comply might actually harm their corporate interests and put their customers at risk,” wrote Amie Stepanovich of the digital civil liberties group Access Now in an op-ed for WIRED. “A world where a company is forced to betray its users in order to protect them is backward indeed.”

And when it comes to removing users’ personal information from data before sharing it, the latest form of CISA is less privacy-protective than even the version of the bill known as the Protecting Cyber Networks Act that passed the House Intelligence Committee in March. That version of the legislation required that companies not share information that they “reasonably believe” to contain information that personally identifies users. But the same protection in the Senate bill stipulates that companies not give up information that they “know at the time of sharing” to contain that sensitive information. That lower bar means companies that don’t fully examine data they share could nonetheless pass it on to the government and plead ignorance of any users’ personal information it contains.

CISA still faces some hurdles to becoming law. Congressional leaders will need to resolve remaining differences between the bills passed in the Senate and the House. The Open Technology Institute’s Robyn Greene argues that the relatively close votes that rejected privacy-protecting amendments like Wyden’s and Franken’s show that there could still be strong debate over the details of the bill in that process. She points to the 41 votes in favor of Wyden’s amendment as a sign that the bill could even be filibustered to delay its ultimate passing into law. “There’s power in that and leverage to negotiate that Americans’ privacy is better protected,” Greene says. “There are Senators who will take a stand on this, and won’t accept a bill that doesn’t adequately safeguard privacy.”

President Obama could also still veto CISA, though that’s unlikely: The White House endorsed the bill in August, an about-face from an earlier attempt at cybersecurity information sharing legislation known as CISPA that the White House shut down with a veto threat in 2013.

CISA has faced opposition from the security community, which has largely objected to claims that information-sharing effectively stops cyberattacks. Tech firms also oppose the bill, arguing it will diminish their users’ trust in sharing private information with companies. Apple, Reddit, Twitter, the Business Software Alliance, the Computer and Communications Industry Association, and other tech firms have all publicly opposed the bill. And a coalition of 55 civil liberties groups and security experts all signed onto an open letter opposing the bill in April. Even the Department of Homeland Security itself has warned in a July letter that the bill could flood the agency with information of “dubious value” at the same time as it “sweep[s] away privacy protections.”

None of that was enough to sway the Senate against CISA. “You had computer security researchers against this bill, much of Silicon Valley against this bill, privacy advocates and civil society groups against this bill,” says the EFF’s Jaycox. “Our biggest takeaway is disappointment.”

Originally published by Wired
