CISA text released: Cyber bill revisions fail to impress privacy campaigners

Reuters / Kacper Pempel
Senate lawmakers say the updated language in its Cyber Information Sharing Act will protect the nation’s computer networks against attacks, but privacy advocates say they aren’t satisfied with CISA's supposed safe-guards.

The Senate Intelligence Committee unveiled the 52-page proposal on Tuesday this week in an announcement that touts the bill as an improvement to cyber security in the United States through enhanced sharing of threat information between private entities and the federal government.

On the heels of several unsuccessful attempts in recent years to pass similar cyber-sharing bills, and recent major hacks, such as the assault against Sony Picture Entertainment in November, the latest offering could well be accepted by lawmakers.

“This legislation protects the privacy rights of Americans while also minimizing our vulnerability to cyber-attacks,” Senator Richard Burr (R-North Carolina), the committee chair, said in a statement on Wednesday announcing the bill.

READ MORE:'Privacy killer': Senate panel quitely passes CISA 'cybersecurity' bill amid fresh surveillance fears

The bill was approved by the panel last Friday through a 14-1 vote, RT reported at the time. The legislation is now waiting for consideration from the full Senate, perhaps as soon as April, according to the National Journal. As House lawmakers hammer out a companion bill and prepare a bi-partisan effort of their own, critics are again warning that more should be done to ensure any legislation contains protections to safeguard computer users from federal overreach and eavesdropping.

A dozen privacy-related amendments were tacked on to the latest bill during mark-up last week, according to Senator Dianne Feinstein (D-California), the ranking member of the Intelligence Committee. She says those additions “address many of the concerns that had been raised in regard to earlier drafts of the bill.”

Critics say that previous attempts at enshrining cyber-sharing legislation in law risked placed too much personal data in the hands of government. Feinstein acknowledged in a statement on Wednesday: “One lesson we learned from previous information sharing bills is that we need strong privacy provisions.”

But just as with past efforts to advance cyber-sharing bills through Congress, the Senate committee’s latest draft is fast drawing the ire of critics.

“Some of the changes are significant and go some distance toward responding to the concerns we and other have raised,” Greg Nojeim, a senior counsel at the Center for Democracy & Technology in Washington, DC, told the Hill this week. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” Drew Mitnick, a policy counsel at DC-based digital rights organization Access Now, added to the Hill. Robyn Greene, a policy attorney for New America Foundation's Open Technology Institute, said her biggest take-away from reading the proposal “was how disappointed I was at the amendments.”

The latest wave of concern comes days after Senator Ron Wyden, the lone “nay” vote during the Intelligence Committee’s 14-1 vote to advance the bill last week, called the proposal “a surveillance bill by another name.”

“There has been misinformation about this bill, so let me be clear,” Feinstein responded when the committee finally made the bill’s language public this week. “The goal of the bill is for companies and the government to voluntarily share information about cyber security threats—NOT personal information—in order to better defend against attacks.”

According to a statement published on the Intelligence Committee’s website, “There is no surveillance authority in this bill,” contrary to claims from critics.

“Sharing is purely voluntary and companies can only share cyber-threat information,” the clarification continued. “The government cannot use this information for broad foreign intelligence or counterintelligence purposes, or even for counterterrorism purposes in general. It can only use this cyber threat information for terrorism purposes in the event of an imminent terrorist act. The definition of cyber threat indicator was written to prevent the government from receiving information outside of cyber threats.”

Amendments to the latest proposal also call for establishing guidelines specific to privacy and civil liberties’ concerns regarding the receipt, retention, use and dissemination of cyber threat indicators.

In the House of Representative, Homeland Security Committee Chairman Michael McCaul (R-Texas) said on Tuesday this week that he plans to introduce a bill of his own similar to the one now before the Senate. The controversial Cyber Intelligence Sharing and Protection Act, or CISPA, was re-introduced in the House back in January by the bill’s original co-author, Rep. Dutch Ruppersberger (D-Maryland), after the Sony hack.

“The reason I’m putting bill [sic] in now is I want to keep the momentum going on what’s happening out there in the world,” Ruppersberger told the Hill at the time.