Cybersecurity

Ominous Cybersharing Legislation Finds a Seat on the Omnibus

CISA is alive and appears to have the White House's support.

|

Maybe don't purchase a pressure cooker as a Christmas present for the foreseeable future.
Dave Bredeson | Dreamstime.com

Lodged toward the bottom of the 2000-plus page, $1.1 trillion omnibus spending bill is the Cybersecurity Act of 2015 (it starts on page 1,728 here if you're feeling like a masochist). This is what has come of the Cybersecurity Information Sharing Act (CISA), the controversial (in tech quarters where people are paying attention anyway) legislation that encourages private businesses to share customer data with the federal government in exchange for liability from lawsuits in the case of data breaches, all under the guise of fighting cybercrime.

The controversy is that this alleged cybersecurity legislation actually appears to be a new form of authorization for surveillance. Experts say it won't actually improve cybersecurity at all (partly because the federal government has a poor reputation for handling such data), and major tech companies like Apple, Google, and Twitter oppose it.

But here it is, being shoved into a "must pass" bill, escorted in by new Majority Leader Paul Ryan (R-Wisc.). Evan Greer, campaign director of Fight for the Future, an activist group fighting the passage of CISA-style privacy-threatening Internet regulations, has a dim view of the legislation.

"There's been a bunch of negative changes to the bill over the last couple of weeks," Greer says. "It went from something that was supposed to be a cybersecurity bill and has become a surveillance bill. It has even become a mass incarceration bill. … They'll be able to investigate, prosecute and jail people for a wide variety of offenses that having nothing to do with cybersecurity and terrorism."

I noted last week the problems with some of the privacy components being stripped out. What privacy advocates want is for the Department of Homeland Security (DHS) to handle making sure identifiable information gets redacted from information before it gets disseminated to organizations like the NSA. Why does it matter? Greer explained that the DHS, as a "civilian" organization has stricter rules about protecting private information than the NSA. Here's how TechDirt describes the weakening of the already weak CISA privacy protections:

  1. Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn't necessarily wonderful, it's a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
  2. Directly removes the restrictions on using this information for "surveillance" activities. You can't get much more direct than that, right?
  3. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We've just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won't make use of CISA too?
  4. Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first—where DHS would be in charge of this "scrub". The "scrub" process was a bit exaggerated in the first place, but it was at leastsomething of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information. Guess how that's going to go?

A handful of privacy-oriented legislators from both parties, Rep. Justin Amash (R-Mich.), Rep. Zoe Lofgren (D-Calif.), Rep. Jared Polis (D-Colo.) and Rep. Ted Poe (R-Texas), sent a letter to other legislators expressing concerns about privacy protections being stripped out.

In response, Rep. Adam Schiff (D-Calif.) a supporter of CISA, sent out a letter decrying some of the privacy fears as myths. Of course, since the 2,000-page Omnibus just dropped late last night, legislators and lawyers are going to have to go through the bill with a fine-tooth comb and try to figure out what actual privacy protections are real and what is simply smoke and mirrors.

Despite the White House's threats of vetoing predecessors to CISA, new information seems to show the Obama administration wanting to use CISA for other forms of law enforcement besides cybersecurity and wants to make sure the NSA and Department of Defense may still have access to the information from private companies through other agreements outside CISA. The memo (read here, courtesy of Dustin Volz of Reuters) says at one point, "The final bill should track the Administration's proposal and allow for limited, specific law enforcement use of cyber threat information for non-cybersecurity purposes."

That concept did indeed make it into the final draft of the bill included in the omnibus. Here's a list of the non-cybersecurity, non-terrorism-related purposes the government would be able to use the information they gather from the Cybersecurity Act of 2015:

  • Any "specific" threat of serious bodily harm or serious economic harm. This includes terrorist acts but is not specific only to terrorism.
  • Investigating, preventing, or prosecuting any specific threat to a minor, including "sexual exploitation" and threats to physical safety.
  • Investigating some types of fraud and identity theft.
  • Investigating offenses related to espionage.
  • Investigating offenses related to protections of trade secrets.

Those are some pretty big loopholes in using the information domestically to track Americans for reasons that have absolutely nothing to do with fighting terrorism.

Stay tuned to see what happens as the omnibus bill gets more attention for the rest of the week.

NEXT: Why are gun rights supporters worried about bans on so-called assault weapons?

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. “There’s been a bunch of negative changes to the bill over the last couple of weeks,” Greer says. “It went from something that was supposed to be a cybersecurity bill and has become a surveillance bill

    Riiiiiight. Next thing you’re going to tell me is that a big pile of free government money attracts corruption.

  2. Statists gonna state.

  3. legislation that encourages private businesses to share customer data with the federal government in exchange for liability from lawsuits in the case of data breaches, all under the guise of fighting cybercrime

    So, if a company is negligent and my private information is stolen by nefarious third parties, it can make sure I have no redress by first giving that information away to a nefarious third party.

    That…makes sense.

    1. WHY YU NO TRSUT TEH GUBBERMENT

      1. Why, it’s something we do together! I just can’t figure out why we keep deciding to screw ourselves over.

      2. I do. Oh, I do.

        1. Well, besides trusting it to pick the worst, most authoritarian option in any given situation…

          1. Apparently we should trust it to end the private market in cyber security insurance too…

  4. Those are some pretty big loopholes in using the information domestically to track Americans for reasons that have absolutely nothing to do with fighting terrorism

    LIBERTARIAN MOMENT!!!

  5. Whack-a-mole.

  6. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well.

    So, kind of a staging pre-warrant area for your personal data.

  7. To echo a sentiment expressed by Justin Amash last night –

    If the CISA portion of this bill is so important and uncontroversial, surely it could be removed and voted on separately rather than shoved in the middle of a massive Omnibus bill.

    1. But, we have to pass it to see what’s in it!

  8. In response, Rep. Adam Schiff (D-Calif.) a supporter of CISA, sent out a letter decrying some of the privacy fears as myths.

    Well I know who I wouldn’t be voting for if I were in his district.

  9. “Lodged toward the bottom of the 2000-plus page, $1.1 trillion omnibus spending bill….”

    Didn’t the Republicans once promise that they would no longer offer these type of monstrosities?

    1. This is the last time. They promise, it’s just sometimes we make them so angry, but they will try to be better.

    2. Two words. John Boehner. Oh no wait, Paul Ryan.

      1. I am straining, as all are, to see the difference, thus far…

    3. The GOP promised they would not offer up these types of monstrosities while the Dems were in control of Congress. The Dems aren’t in control of Congress, are they? Next time the Dems take control of Congress, just you watch – the GOP will keep their promise and not offer up this sort of monstrosity.

    4. Reagan said “Next year I won’t sign a deficit spending bill.”
      Of course he either forgot or was fibbing.

  10. Despite the White House’s threats of vetoing predecessors to CISA, new information seems to show the Obama administration wanting to use CISA for other forms of law enforcement besides cybersecurity and wants to make sure the NSA and Department of Defense may still have access to the information from private companies through other agreements outside CISA.

    I just realized why it would be good to have a Republican back in the white house. It’ll make half the country care about this shit again.

  11. legislators and lawyers are going to have to go through the bill with a fine-tooth comb and try to figure out what actual privacy protections are real

    How about something like (still thinking about it) this approach?

    Assign one drafter or sponsor of the bill to each section. This person “takes full responsibility” for the section, and must publicize in simple written English its meaning. Subsequently, if the courts find “against” the section or the explanation, the explainer’s pension is zeroed.

    1. The explainer can opt to keep a portion of his or her pension if he or she is able to defeat a hungry grizzly bear in unarmed combat.

      1. Question: Debbie Wasserwan Schutlz vs. a hungry grizzly bear. Who wins?

        1. She slings her hair in his direction and the bear is blinded by all the grease in his eyes. At that point, she starts talking in that voice and bear commits suicide. Obviously Dirty Durbie winz!

        2. The bear eats Schultz, then dies when her toxin sacs break open during digestion. Winners: all Americans, and anyone who hates bears?

          1. Ding ding ding! Citizen X nailed that softball outta the park!

            Take your pick of our fabulous prizes Citizen X: A dinner date with DWS or a Mishima commemorative seppuku blade and instruction manual.

        3. I would like to go back and rescind my prior mocking of the kid who wrote a piece whining about why we aren’t doing more to protect wild animals from want, suffering and misery.

          I am for his argument now that I realize people want to make Debbie Wasserman Schultz fight animals.

    2. Needs more blood watering trees.

      1. THAT IS TURRIRST TALK

    3. That’d work perfectly if the legislators weren’t also the people selecting the people in the courts.

    4. the explainer’s pension is zeroed wood chipped.

  12. hi ive been lurking here since i read about woodchippers. i figure ive paid my dues. I just want to be able to type retard again anyway.

    1. Again? Splain yerself, amigo.

      1. He wanted to be able to type retard yesterday, too.

      2. I feel afair amount of shame over my self censoring. my low point was a few years ago. A Chicago Blackhawks fan site threatened to BANHAMMER me (their words) if I didnt change my language. I caved. This is a guy who in 1993 blew off a university administrative hearing after one of my classmates complained i called a weekend assignment gay. how far ive fallen. How they’ve worn me down

    2. Dude, that is microaggression against the developmentally delayed.

      1. Wasn’t retard an old PC term for idiot? Now the PC isn’t PC enough for the PC police?

        I’ll never keep up with all this.

  13. That concept did indeed make it into the final draft of the bill included in the omnibus. Here’s a list of the non-cybersecurity, non-terrorism-related purposes the government would be able to use the information they gather from the Cybersecurity Act of 2015:

    Any “specific” threat of serious bodily harm or serious economic harm. This includes terrorist acts but is not specific only to terrorism.

    So when can we expect indictments for all 535 members of congress, the US Treasury, and the litany of enforcement bureaus?

    1. Right after a mob of 50 million or so show up on the national mall with unnamed mulching devices?

    2. You think that “threat of serious economic harm” would mean they’re outlawing minimum wage hikes, but, no, it means they’re reauthorizing the Ex-Im Bank.

  14. Forget the loopholes, they’re authorizing themselves to look for criminal activity and we all know that means they gotta search everything. They’re listing all the things they’re (more or less) specifically looking for but it’s not going to limit in any way what they look at to find it. It’s the same reason they listen in on everybody’s phone conversations – they’re looking for terrorists and they’re authorized to listen in on terrorists, but the only way to know somebody’s not a terrorist is if they listen in on their phone conversations. So everybody gets covered by that same general warrant.

    I don’t see that this is any different than the cops showing up at your house wanting to search it and when you demand to see a search warrant having them tell you “Oh, we think your neighbor stole a TV set and hid it in your house so we don’t need a warrant because we’re investigating a crime your neighbor committed, not any crime committed by you. Oh, but if we do find any evidence of a crime you may have committed while we’re looking for that TV set your neighbor stole you can be sure we’ll be busting your ass.”

    1. They’re marching ahead at breakneck speed to make it possible for elected officials and unelected bureaucrats to be able to punish their enemies over any suspected illegal activity, which when everything is illegal and they have every single bit of data on ever individual in the country at their disposal with no constraint on getting or using it, will be all to easy. Libertarian moment.

    2. So everybody gets covered by that same general warrant.

      The fiction writer James Madison wrote a lovely short story about general warrants being verboten.

  15. The security state will not be stopped. Let’s suppose that against all odds, this law fails to pass or be signed into law. Well that may or may not be true of the next version of this law, and the enxt and the next and the next. Eventually whatever opposition there is, will be worn down and defeated before they even realize what happened. Such is the problem with legislatures. An arbitrary body making arbitrary proclamations will make arbitrary law. Statutory law needs to die.

    1. I think we actually need a constitutional amendment banning omnibus bills. The amendment should state that it is unlawful to even bring to the floor any bill which contains other bills or anything unrelated to the bill at all, or to amend it at any time later to include other bills or unrelated items. Anyone caught violating this rule shall be banned immediately from public office, forever. Also a limit on pages of bills would be great, say 10 pages.

      Until we start doing things like this, it will just keep getting worse. There is no transparency of government at all as it exists today.

      1. I think we actually need a constitutional amendment banning omnibus bills.

        Interestingly enough, the Confederate States of America, whose Constitution was almost a clone copy of the USA Constitution (except with more positive mentions of slavery) had a provision that banned what they used to call “log-rolling” by saying that every bill’s content must be succinctly and accurately described within it’s title. I’ll see if I can’t find the text of that.

        1. Interestingly enough, the Confederate States of America, whose Constitution was almost a clone copy of the USA Constitution (except with more positive mentions of slavery)

          You might be interested in this side-by-side comparison of the US and CS constitutions.

          1. I’m so interested in fact that I gleaned my quote from that page. Thanks though 🙂

      2. Here it is;
        Section 9 Subsection 20.

        Every law, or resolution having the force of law, shall relate to but one subject, and that shall be expressed in the title.

      3. Oddly enough, citizen’s initiatives in at least some states are specifically prohibited from including two or more issues. If the citizenry themselves want to put a bill before the committee of the whole they have to make it so that nobody can get stuck voting for a three-pack that includes two cans of peaches and one can of weasel shit just because they really like peaches. Legislators I’m guessing have no objection to weasel shit.

        1. Legislators I’m guessing have no objection to weasel shit.

          For one thing, it allows them to dodge responsibility for voting shitty laws into existence by saying “I had to vote for tyranny otherwise they were going to kill your grandma!”

      4. 41 states have single subject rule. https://en.wikipedia.org/wiki/Single-subject_rule

        Minnesota has in its constitution “No law shall embrace more than one subject, which shall be expressed in its title.”

      5. IL State Constitution:

        Bills, except bills for appropriations and for the
        codification, revision or rearrangement of laws, shall be
        confined to one subject. Appropriation bills shall be limited
        to the subject of appropriations.
        A bill expressly amending a law shall set forth
        completely the sections amended.

  16. Rubio trying to Hit Cruz on this shit has made me 100% hate Rubio (instead of 93%)

    So much so that I actually like that Cruz responds back with mostly bullshit Mexican Amnesty attacks immediately every time.

    Mr Rubio : you want to know every phone call I’ve made for the past 5 years ? Fuck you. Get a warrant. Then get a time machine, and go back 5 years ago and tell them to start recording numbers.

  17. “You have to wait till it passes before we find out what’s in it” -Ryan Pelosi 2016

  18. That’s impossible. Obama LOVES civil liberties and would never spy on his own people.

  19. Marxists and other totalitarians have infested the centralized government.

Please to post comments

Comments are closed.