As Predicted, Congress Turned CISA Into A Clear Surveillance Bill… And Put It Into The 'Must Pass' Gov't Funding Bill
from the but-of-course dept
Yesterday we warned that Congress was quietly looking to do two horrible things: (1) strip all pretense from the “cybersecurity” information sharing bills and turn them into full-on surveillance bills and (2) then shove it into the “must pass” omnibus bill which is supposed to be about funding the government and nothing more. And… it looks like our warning was almost entirely accurate, as the bill has been released and within its over 2000 pages, it includes CISA and has been stripped of many of the key privacy protections (if you want to find it, it’s buried on page 1728), while expanding how the information can be shared and used. In part, due to concerns raised yesterday, a few of the absolutely worst ideas didn’t make it into the final bill, but it’s still bad (and clearly worse than what had previously been voted on, which was already bad!).
The bill is due for a vote tomorrow and so right now would be the time to call your elected officials and let them know that this is a serious problem. The EFF has spoken out about how problematic this is, as have a group of free market think tanks.
There is some opposition within Congress to this. We’ve seen a “Dear Colleague” letter sent around by a set of four members of Congress (two from each party) — Reps. Zoe Lofgren, Justin Amash, Jared Polis and Ted Poe — opposing this move, but chances are that most members of Congress actually have no idea that this is happening, which is why you should be calling today to let them know how problematic this is.
The House Intelligence Community counters that the claims being made against CISA are inaccurate, but they’re being incredibly misleading. While the reports yesterday indicated that the bill would directly allow its use in “surveillance,” the list of approved uses was changed slightly to effectively hide this fact. Specifically it says that the information via CISA can be used to investigate a variety of crimes — and doesn’t say “surveillance.” But, obviously, surveillance isn’t a “crime” that the government will be investigating. It’s just the method that the government will use to investigate crimes… which is now allowed under CISA. In earlier versions, the information was only to be used for “cybersecurity.” But now that list has been expanded to cover a wide variety of crimes: “a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction.”
And how are those things going to be stopped? By ramping up surveillance, of course.
Also, yesterday we noted that the proposed change would “remove” the privacy scrub requirements. The final bill didn’t completely do that, but basically changed the standard to pretend that it’s in there. Rather than demanding a full privacy scrub, the bill lets the Attorney General determine if DHS is doing a reasonable job with its privacy scrub. The same Attorney General who will now be using this same information to investigate all sorts of “criminal” activity. Guess what incentive the Attorney General has to make sure that privacy scrub is legit?
Finally, the revised bill tries to hide the fact that the NSA will get access to this data with some super crafty language. Section 105(c) of the bill notes that the President can designate any other agency to set up a portal to receive information, but explicitly says that cannot be the Defense Department or the NSA. That sounds good, but it is a total red herring. This is only about who runs the portal, not about who gets the information. So, DHS can still share the info with others and the President could still designate, say, the FBI to get a portal… or the Director of National Intelligence (which oversees the NSA). However, CISA’s supporters are pointing to this section as “proof” that it won’t be used by the NSA.
Considering how much debate and concern there was over this bill, and the fact that basically all the major companies in Silicon Valley have come out against it — and I still can’t find a single computer security expert who thinks that this is needed for increasing our security, it’s pretty obvious that this is not a cybersecurity bill. It’s a surveillance bill that has no business being added to the omnibus bill.