As Predicted, Congress Turned CISA Into A Clear Surveillance Bill... And Put It Into The 'Must Pass' Gov't Funding Bill
from the but-of-course dept
The bill is due for a vote tomorrow and so right now would be the time to call your elected officials and let them know that this is a serious problem. The EFF has spoken out about how problematic this is, as have a group of free market think tanks.
There is some opposition within Congress to this. We've seen a "Dear Colleague" letter sent around by a set of four members of Congress (two from each party) -- Reps. Zoe Lofgren, Justin Amash, Jared Polis and Ted Poe -- opposing this move, but chances are that most members of Congress actually have no idea that this is happening, which is why you should be calling today to let them know how problematic this is.
The House Intelligence Community counters that the claims being made against CISA are inaccurate, but they're being incredibly misleading. While the reports yesterday indicated that the bill would directly allow its use in "surveillance," the list of approved uses was changed slightly to effectively hide this fact. Specifically, it says that the information shared via CISA can be used to investigate a variety of crimes -- and doesn't say "surveillance." But, obviously, surveillance isn't a "crime" that the government will be investigating. It's just the method that the government will use to investigate crimes... which is now allowed under CISA. In earlier versions, the information was only to be used for "cybersecurity." But now that list has been expanded to cover a wide variety of crimes: "a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction."
And how are those things going to be stopped? By ramping up surveillance, of course.
Also, yesterday we noted that the proposed change would "remove" the privacy scrub requirements. The final bill didn't completely do that, but basically changed the standard to pretend that it's in there. Rather than demanding a full privacy scrub, the bill lets the Attorney General determine if DHS is doing a reasonable job with its privacy scrub. The same Attorney General who will now be using this same information to investigate all sorts of "criminal" activity. Guess what incentive the Attorney General has to make sure that privacy scrub is legit?
Finally, the revised bill tries to hide the fact that the NSA will get access to this data with some super crafty language. Section 105(c) of the bill notes that the President can designate any other agency to set up a portal to receive information, but explicitly says that cannot be the Defense Department or the NSA. That sounds good, but it is there as a total red herring. This is only about who runs the portal, not about who gets the information. So, DHS can still share the info with others and the President could still designate, say, the FBI to get a portal... or the Director of National Intelligence (which oversees the NSA). However, CISA's supporters are pointing to this section as "proof" that it won't be used by the NSA.
Considering how much debate and concern there was over this bill, and the fact that basically all the major companies in Silicon Valley have come out against it -- and I still can't find a single computer security expert who thinks that this is needed for increasing our security -- it's pretty obvious that this is not a cybersecurity bill. It's a surveillance bill that has no business being added to the omnibus bill.