As Predicted, Congress Turned CISA Into A Clear Surveillance Bill... And Put It Into The 'Must Pass' Gov't Funding Bill

from the but-of-course dept

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Yesterday we warned that Congress was quietly looking to do two horrible things: (1) strip all pretense from the "cybersecurity" information sharing bills and turn them into full-on surveillance bills and (2) then shove it into the "must pass" omnibus bill which isto be about funding the government and nothing more. And... it looks like our warning was almost entirely accurate, as the bill has been released and within its, it includes CISA and has been stripped of many of the key privacy protections (if you want to find it, it's buried on page 1728), while expanding how the information can be shared and used. In part, due to concerns raised yesterday, a few of the absolutely worst ideas didn't make it into the final bill, but it's still bad (and clearly worse than what had previously been voted on, which was already bad!).The bill is due for a voteand sowould be the time to call your elected officials and let them know that this is a serious problem. The EFF has spoken out about how problematic this is, as have a group of free market think tanks There isopposition within Congress to this. We've seen a "Dear Colleague" letter sent around by a set of four members of Congress (two from each party) -- Reps. Zoe Lofgren, Justin Amash, Jared Polis and Ted Poe -- opposing this move, but chances are thatmembers of Congress actually havethat this is happening, which is why you should be callingto let them know how problematic this is.The House Intelligence Community counters that the claims being made against CISA are inaccurate, but they're being incredibly misleading. While the reports yesterday indicated that the bill would directly allow its use in "surveillance," the list of approved uses was changed slightly to effectively hide this fact. Specifically it says that the information via CISA can be used to investigate a variety of crimes -- and doesn't say "surveillance." But, obviously, surveillance isn't a "crime" that the government will be investigating. It's justthat the government will use to investigate crimes... which is now allowed under CISA. In earlier versions, the information was only to be used for "cybersecurity." But now that list has been expanded to cover a wide variety of crimes: "a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction."And how are those things going to be stopped? By ramping up surveillance, of course.Also, yesterday we noted that the proposed change would "remove" the privacy scrub requirements. The final bill didn't completely do that, but basically changed the standard to pretend that it's in there. Rather than demanding a full privacy scrub, the bill lets the Attorney General determine if DHS is doing a reasonable job with its privacy scrub. The same Attorney General who will now be using this same information to investigate all sorts of "criminal" activity. Guess what incentive the Attorney General has to make sure that privacy scrub is legit?Finally, the revised bill tries to hide the fact that the NSA will get access to this data with some super crafty language. Section 105(c) of the bill notes that the President can designate any other agency to set up a portal to receive information, but explicitly says that cannot be the Defense Department or the NSA. Thatgood, but is there as a total red herring. This is only about who runs the portal, not about who gets the information. So, DHS can still share the info with othersthe President could still designate, say, the FBI to get a portal... or the Director of National Intelligence (which oversees the NSA). However, CISA's supporters are pointing to this sections as "proof" that it won't be used by the NSA.Considering how much debate and concern there was over this bill, and the fact that basically all the major companies in Silicon Valley have come out against it -- and I still can't find a single computer security expert who thinks that this is needed for increasing our security, it's pretty obvious that this is not a cybersecurity bill. It's a surveillance bill that has no business being added to the omnibus bill.

Filed Under: cisa, cybersecurity, dhs, nsa, omnibus, omnibus bill, surveillance