Congress Snuck a Massive Surveillance Expansion Into the Omnibus Budget

At the heart of the measure is expansion of the feds' ability to access data without a warrant.


Light Brigading/Flickr

This holiday season, Congress quietly gifted a major expansion in digital surveillance to the intelligence community by ratifying a version of the controversial Cybersecurity Information Sharing Act (CISA). This information-sharing legislation has been widely decried by privacy activists, computer scientists, and technology companies for empowering government agents to access massive new datasets under the guise of "cybersecurity." But it wasn't enough for Congress to pass a standalone version of the bill that the Senate approved in October. Instead, our esteemed legislators snuck this big lump of security-state coal into the major omnibus budget bill that Obama signed into law December 18.

Like the much-maligned PATRIOT Act before it, CISA is the most recent incarnation of a bad idea that Congress has been hung up on for years now. First proposed in 2011 as the Cyber Intelligence Sharing and Protection Act (CISPA), the "information-sharing" policies at the heart of these measures are a not-so-subtle pretext for expanding the feds' ability to access data without a warrant. The government's line goes like this: Information systems in the U.S. are subject to constant and evolving cyberthreats, but organizations are unable to learn from each other's experiences because sharing information about cyberattacks may expose themselves to lawsuits from customers whose data has been revealed. If intelligence agencies had access to this data, then they could swiftly and efficiently inform the relevant organizations about impending risks, allowing them to better defend themselves. 

But the holes in this line of thinking are evident. Numerous information-sharing initiatives already exist within the private sector and federal government. Government agencies have been unable to adequately inform even their own offices about known cyberthreats, so it is extremely unlikely that they will become magically more efficient when tasked with informing the nation as a whole. And computer-security experts dispute that inadequate information-sharing is a core impediment to improving the nation's cybersecurity. Meanwhile, some of the biggest CISA supporters actively attack the sort of strong encryption techniques that computer scientists advocate to actually improve cybersecurity.

CISA is not a cybersecurity bill at all, really, but a deceptive surveillance measure that will make us less secure.

The version of CISA that made it into the passed omnibus bill was even worse than the standalone versions that were so controversial in the past. It explicitly authorizes agencies to use data gathered under the guise of "cybersecurity" to prosecute individuals for unrelated crimes involving things like terrorism and intellectual-property violations. And the final text was stripped of the few privacy clauses won by civil liberties-minded legislators, such as a requirement that corporations and agencies do their best to scrub and anonymize the shared data. The final version contains no such meager measures.

What's worse, we will have no way of knowing whether our data has been shared by corporations or federal agencies because such information is immune from FOIA requests. And even if we could, we would lack any legal recourse against parties who improperly share our data.

Then there's the new data portal that CISA creates. The Department of Homeland Security (DHS) is authorized to share information gathered through CISA with intelligence agencies like the FBI and the National Security Agency (NSA), provided that it first scrubs the data of any "personally identifiable information" such as names, addresses, or financial information. But CISA also authorizes the president to create a separate data portal for intelligence agencies if the DHS system is "flawed"—which, given the DHS's history of subpar data management, is very likely to occur.

Many have compared the scale of expanded surveillance that CISA authorizes with the controversial PATRIOT Act of the post-9/11 period. Just as 9/11 terrorists were used to falsely justify bulk metadata collection, today's hackers are used to falsely justify bulk cyberthreat sharing. And as with the PATRIOT Act, legislators were given almost no time to read the hairy details before voting a new digital security state into law. Rep. Justin Amash (R-Mich.) reports that a handful of legislators drafted the final CISA text behind closed doors just hours before the vote with little to no real debate.

But say what you will about the PATRIOT Act—at least Congress was forthright about the expansion of surveillance and curtailment of civil liberties that it would entail. In the case of CISA, legislators snuck in a massive expansion of surveillance as a footnote to a major spending bill. While legislators who voted for the PATRIOT Act were at least aware of the magnitude of the changes that they authorized, it's likely that many in Congress were unaware of the CISA provisions in the omnibus bill at all, much less understood the new digital spying regime that they covertly create.

With the covert inclusion of a massive surveillance expansion in a major budget deal, we have reached a new loathsome normal. Government power is now so innocuous that not only do legislators feel comfortable stooping to these sordid tactics, they actually get away with it.

NEXT: Silencing Students: The 8 Most Loathsome Campus Censors of 2015

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

    1. Fuck off, slaver.

  1. Congress Snuck …

    There was no sneaking involved. They did it in the full light of day, with a smirk on their lips and a ‘because fuck you, that’s why’ in their hearts.

    1. That’s part of what is so frightening about the way things are done these days. The signal-to-noise ratio of media/internet information (to say nothing of the added distractions of everyday life) is so overwhelmingly flooded with irrelevant distractions that politicians can openly make naked power grabs like CISA without even hiding it. Few will notice, fewer will take the time to understand the implications, and the even smaller subset of people who raise the alarm will be drowned out by porn, cat videos, and biased hackery.

    2. Omnibus bills are bullshit. If you have let the government get so large that it is impossible to pay for it by individually funding each department, then you need to shut some shit down. Also this piggy backing unrelated legislation on the backs of other legislation (particularly massive must pass omnibus funding bills) need to die yesterday. You cannot possibly fairly represent a constituency’s interests is you can have conflicting and unrelated issues on the same bills.

  2. Not surprised. When there was NO bipartisan battle over this, and Obama even liked it, we should have know there was a Trojan in the program.

    It is approaching time for a revolution…in the historical sense.

    Sue me.

    Arrest me.

    Monitor me.

    Go ahead.

    WE are watching you also.

  3. “The hardest thing to explain is the glaringly evident, which everyone has decided not to see.”
    -Ayn Rand
    “When most of the public is slurping from a welfare trough, it is hard to make them care about much of anything.”

  4. Its like being exempt from the liability of hitting someone with your car, as long as you were willing to let somebody else drive it once in a while.

Please to post comments

Comments are closed.