Senate Passes Cybersecurity Bill With Huge Privacy Flaws – A Backdoor to Surveillance

Thu, 10/29/2015 - by Andy Greenberg and Yael Grauer
This article originally appeared on Wired

For months, privacy advocates have asked Congress to kill or reform the Cybersecurity Information Sharing Act, a bill that they say hides new government surveillance mechanisms in the guise of security protections. Now the Senate has shot down a series of attempts to change the legislation’s most controversial measures, and then passed it with those privacy-invasive features fully intact.

On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law. CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, which could then pass it on to other agencies like the FBI and NSA, who would in theory use it to defend the target company and others facing similar attacks. That landslide vote was no doubt fueled in part by a year of massive hacks that hit targets including the health insurer Anthem, Sony, and the Office of Personnel Management.

But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”

The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”

Before passing the bill Tuesday afternoon, Senators first voted on a series of amendments that sought to reform the bill’s privacy protections. They ultimately rejected all of them. One of those now-tossed amendments put forward by Senator Al Franken would have narrowed the definition of “cybersecurity threat” and “threat indicators” covered by the bill. Franken’s amendment lost by a vote of 35 to 60. Another amendment from Senator Ron Wyden required companies to remove personal data from those cyber threat “indicators” before sharing them unless that personal information is necessary to describe or identify the threat. It lost by a vote of 41 to 60.

CISA’s supporters argue that critics’ privacy concerns are misunderstandings. Senate Intelligence Committee chair Richard Burr last week released a list of “myths” about CISA, including its enabling of surveillance. The statement points out that CISA’s corporate information sharing is voluntary, and that companies are required to strip out personally identifiable information from any data before sharing.

“I still say today to those folks in this institution and outside this institution that are concerned with privacy, I think [Senator Dianne Feinstein] and I have bent over backwards to accommodate concerns,” Burr said on the Senate floor Tuesday morning. “Some concerns still exist. We don’t believe they’re necessarily accurate, and only by utilizing this system will we understand if we’ve been deficient anywhere.”

But privacy advocates have countered this argument about CISA’s voluntary nature by pointing out that companies could be required to participate in its data collection to receive help from the government, creating strong incentives to share data. “Not to comply might actually harm their corporate interests and put their customers at risk,” wrote Amie Stepanovich of the digital civil liberties group Access Now in an op-ed for WIRED. “A world where a company is forced to betray its users in order to protect them is backward indeed.”

And when it comes to removing users’ personal information from data before sharing it, the latest form of CISA is less privacy-protective than even the version of the bill known as the Protecting Cyber Networks Act that passed the House Intelligence Committee in March. That version of the legislation required that companies not share information that they “reasonably believe” to contain information that personally identifies users. But the same protection in the Senate bill stipulates that companies not give up information that they “know at the time of sharing” to contain that sensitive information. That lower bar means companies who don’t fully examine data they share could nonetheless pass it on to the government and plead ignorance of any users’ personal information it contains.

CISA still faces some hurdles to becoming law. Congressional leaders will need to resolve remaining differences between the bills passed in the Senate and the House. The Open Technology Institute’s Robyn Greene argues that the relatively close votes that rejected privacy-protecting amendments like Wyden’s and Franken’s show that there could still be strong debate over the details of the bill in that process. She points to the 41 votes in favor of Wyden’s amendment as a sign that the bill could even be filibustered to delay its ultimate passing into law. “There’s power in that and leverage to negotiate that Americans’ privacy is better protected,” Greene says. “There are Senators who will take a stand on this, and won’t accept a bill that doesn’t adequately safeguard privacy.”

President Obama could also still veto CISA, though that’s unlikely: The White House endorsed the bill in August, an about-face from an earlier attempt at cybersecurity information sharing legislation known as CISPA that the White House shut down with a veto threat in 2013.

CISA has faced opposition from the security community, which has largely objected to claims that information-sharing effectively stops cyberattacks. Tech firms also oppose the bill, arguing it will diminish their users’ trust in sharing private information with companies. Apple, Reddit, Twitter, the Business Software Alliance, the Computer and Communications Industry Association, and other tech firms have all publicly opposed the bill. And a coalition of 55 civil liberties groups and security experts all signed onto an open letter opposing the bill in April. Even the Department of Homeland Security itself has warned in a July letter that the bill could flood the agency with information of “dubious value” at the same time as it “sweep[s] away privacy protections.”

None of that was enough to sway the Senate against CISA. “You had computer security researchers against this bill, much of Silicon Valley against this bill, privacy advocates and civil society groups against this bill,” says the EFF’s Jaycox. “Our biggest takeaway is disappointment.”

Originally published by Wired
