Ominous Cybersharing Legislation Finds a Seat on the Omnibus

Lodged toward the bottom of the 2000-plus page, $1.1 trillion omnibus spending bill is the Cybersecurity Act of 2015 (it starts on page 1,728 here if you’re feeling like a masochist). This is what has come of the Cybersecurity Information Sharing Act (CISA), the controversial (in tech quarters where people are paying attention anyway) legislation that encourages private businesses to share customer data with the federal government in exchange for liability from lawsuits in the case of data breaches, all under the guise of fighting cybercrime.

The controversy is that this alleged cybersecurity legislation actually appears to be a new form of authorization for surveillance. Experts say it won’t actually improve cybersecurity at all (partly because the federal government has a poor reputation for handling such data), and major tech companies like Apple, Google, and Twitter oppose it.

But here it is, being shoved into a “must pass” bill, escorted in by new Majority Leader Paul Ryan (R-Wisc.). Evan Greer, campaign director of Fight for the Future, an activist group fighting the passage of CISA-style privacy-threatening Internet regulations, has a dim view of the legislation.

“There’s been a bunch of negative changes to the bill over the last couple of weeks,” Greer says. “It went from something that was supposed to be a cybersecurity bill and has become a surveillance bill. It has even become a mass incarceration bill. … They’ll be able to investigate, prosecute and jail people for a wide variety of offenses that having nothing to do with cybersecurity and terrorism.”

I noted last week the problems with some of the privacy components being stripped out. What privacy advocates want is for the Department of Homeland Security (DHS) to handle making sure identifiable information gets redacted from information before it gets disseminated to organizations like the NSA. Why does it matter? Greer explained that the DHS, as a “civilian” organization has stricter rules about protecting private information than the NSA. Here’s how TechDirt describes the weakening of the already weak CISA privacy protections:

1. Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn’t necessarily wonderful, it’s a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
2. Directly removes the restrictions on using this information for ”surveillance” activities. You can’t get much more direct than that, right?
3. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We’ve just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won’t make use of CISA too?
4. Removes the requirement to ”scrub” personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first — where DHS would be in charge of this “scrub”. The “scrub” process was a bit exaggerated in the first place, but it was at leastsomething of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the “discretion” of whichever agency gets the information. Guess how that’s going to go?

A handful of privacy-oriented legislators from both parties, Rep. Justin Amash (R-Mich.), Rep. Zoe Lofgren (D-Calif.), Rep. Jared Polis (D-Colo.) and Rep. Ted Poe (R-Texas), sent a letter to other legislators expressing concerns about privacy protections being stripped out.

In response, Rep. Adam Schiff (D-Calif.) a supporter of CISA, sent out a letter decrying some of the privacy fears as myths. Of course, since the 2,000-page Omnibus just dropped late last night, legislators and lawyers are going to have to go through the bill with a fine-tooth comb and try to figure out what actual privacy protections are real and what is simply smoke and mirrors.

Despite the White House’s threats of vetoing predecessors to CISA, new information seems to show the Obama administration wanting to use CISA for other forms of law enforcement besides cybersecurity and wants to make sure the NSA and Department of Defense may still have access to the information from private companies through other agreements outside CISA. The memo (read here, courtesy of Dustin Volz of Reuters) says at one point, “The final bill should track the Administration’s proposal and allow for limited, specific law enforcement use of cyber threat information for non-cybersecurity purposes.”

That concept did indeed make it into the final draft of the bill included in the omnibus. Here’s a list of the non-cybersecurity, non-terrorism-related purposes the government would be able to use the information they gather from the Cybersecurity Act of 2015:

• Any “specific” threat of serious bodily harm or serious economic harm. This includes terrorist acts but is not specific only to terrorism.
• Investigating, preventing, or prosecuting any specific threat to a minor, including “sexual exploitation” and threats to physical safety.
• Investigating some types of fraud and identity theft.
• Investigating offenses related to espionage.
• Investigating offenses related to protections of trade secrets.

Those are some pretty big loopholes in using the information domestically to track Americans for reasons that have absolutely nothing to do with fighting terrorism.

Stay tuned to see what happens as the omnibus bill gets more attention for the rest of the week.