Last night Speaker of the House Paul Ryan submitted a 2,000-page omnibus bill, which includes the full text of the Cybersecurity Information Sharing Act of 2015 (CISA), which the Senate passed in October.
CISA, in reality is a government surveillance bill, which makes it easier for private sector companies to share user information with the government. It removes all user privacy and liability protections in the name of “cybersecurity,” turning Internet companies into “defacto surveillance” conglomerates.
Wired Magazine says “CISA Gets an F+ for security and an A for spying.”
Wired highlights the false claims Senate Intelligence Committee chairman Sen. Richard Burr made after the committee passed CISA by a vote of 14 to 1. Burr argued CISA “successfully balanced security and privacy. The bill protects Internet users’ personal information and allows new avenues for companies and federal agencies to coordinate responses to cyberattacks.”
But, a coalition opposing CISA, Wired reports claims it does the opposite:
CISA goes far beyond [cybersecurity], and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force.
“The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans—including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles.”
Evan Greer, campaign director for Fight the Future, which has directed a multi-faceted campaign against the bill, also says:
It’s a disingenuous attempt to quietly expand the U.S. government’s surveillance programs. It’s clear this bill was never intended to prevent cyber attacks.”
According to TechDirt.com, the bill strips out all privacy protections, allowing the government to abuse and ignore the Fourth Amendment, turning “CISA into a full on surveillance bill.” Personal information would be freely shared with the National Security Agency (NSA) and the Department of Defense and much more. TechDirt.com writes that CISA:
- Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn’t necessarily wonderful, it’s a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
- Directly removes the restrictions on using this information for “surveillance” activities. You can’t get much more direct than that, right?
- Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We’ve just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won’t make use of CISA too?
- Removes the requirement to “scrub” personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first — where DHS would be in charge of this “scrub”. The “scrub” process was a bit exaggerated in the first place, but it was at least something of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the “discretion” of whichever agency gets the information.
The Omnibus Bill has not yet passed Congress, but if it does the President is likely to sign.
In addition to CISA the Omnibus Bill contains language to continue funding the importation of refugees.
This article was first published on December 17, 2015.