Privacy advocates blast ‘surveillance bill in disguise’ after CISA tucked into spending deal

Under the cover of a late-night session of Congress, House Speaker Paul Ryan announced a new version of the “omnibus” federal government funding bill that includes a version of the Cybersecurity Information Sharing Act, outraging privacy advocates.

The new version combines three bills, two passed by the House, and one – the Cybersecurity Information Sharing Act (CISA) – that had already passed the Senate by a vote of 74 to 21.

A long-standing critic of government overreach in surveillance, Senator Ron Wyden (D-Oregon), who voted against the Senate bill, issued a statement on Wednesday stating that it was a “bad bill when it passed” and “worse bill today.”

“Americans deserve policies that protect both their security and their liberty. This bill fails on both counts,” said Wyden, adding that “cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections.”

Under the latest version, the bill creates the ability for the president to set up “portals” for agencies like the FBI and the Office of the Director of National Intelligence so that companies can hand information about potential threats directly to law enforcement and intelligence agencies instead of the Department of Homeland Security. It allows for more data sharing between the public and private sector while shielding companies from liability.

It also changes the criteria for when information shared for cybersecurity reasons can be used in law enforcement investigations. Previously, the backchannel use of data could only occur in cases of “imminent threats,” while the new bill requires just a “specific threat.”

The Electronic Frontier Foundation has strongly opposed cybersecurity bills over the past five years. In a statement, it said they did nothing to address the real problems the government faces, “like computer data breaches that are caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”

Other advocacy groups, such as Fight for the Future, have previously referred to the bill as “a surveillance bill in disguise.”

The group’s campaign director, Evan Greer, called it “a disingenuous attempt to quietly expand the U.S. government’s surveillance programs.”

“Congress has failed the Internet once again,” she added, “now it’s up to President Obama to prove that his administration actually cares about the Internet. If he does he has no choice but to veto this blatant attack on Internet security, corporate accountability, and free speech.”

The bills were opposed not just by privacy advocates, but also civil society organizations, computer security experts, and many Silicon Valley companies. In April, a coalition of 55 civil groups and security experts signed an open letter opposing an earlier version of CISA.

The Department of Homeland Security itself warned in July that the bill could overwhelm the agency with data of “dubious value,” while at the same time “sweep[ing] away privacy protections.”

The EFF also said the CISA bill has no place in the federal budget package, a point shared by the Open Technology Institute (OTI).

“They’re kind of pulling a Patriot Act,” Robyn Greene, policy counsel of OTI, told Wired. “They’ve got this bill that’s kicked around for years and had been too controversial to pass, so they’ve seen an opportunity to push it through without debate. And they’re taking that opportunity.”