Senate cyber bill can't win over privacy advocates

Senate cyber bill can't win over privacy advocates
© Greg Nash

Almost none of the privacy concerns about a major Senate Intelligence Committee cyber bill were addressed during the measure’s recent markup, privacy advocates told The Hill Wednesday.

“The thing that stuck out to me most was how disappointed I was at the amendments,” said Robyn Greene, policy counsel for New America Foundation's Open Technology Institute.

The bill, known as the Cybersecurity Information Sharing Act (CISA), would give companies legal liability protections when sharing cyber threat data with the government.

CISA’s proponents — including major industry groups like the U.S. Chamber of Commerce and Financial Services Roundtable — argue the heightened exchange of data will bolster the nation’s cyber defenses, which have been repeatedly and increasingly breached in the last year. The bill has been a top priority for many government officials as well.

But privacy advocates, the White House and several Senate Democrat had expressed fears that a draft of the measure would enable the National Security Agency (NSA) to collect more sensitive data on Americans.

Intelligence Committee leaders proclaimed they had fixed many of these issues with 12 privacy-related amendments adopted during a markup last week, when the bill passed out of committee by a 14-1 vote.

“The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill,” said Ranking Member Dianne FeinsteinDianne Emiel FeinsteinFeinstein, Harris call for probe of ICE after employee resigns Jeh Johnson: Media focused on 'Access Hollywood' tape instead of Russian meddling ahead of election What’s genius for Obama is scandal when it comes to Trump MORE (D-Calif.) in a Wednesday statement.

Privacy groups anxiously awaited the final text to see if they agreed. After the bill was filed late Tuesday, disappointed advocates started weighing in.

“Some of the changes are significant and go some distance toward responding to the concerns we and other have raised,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” added Drew Mitnick, policy counsel at digital rights advocate Access Now.

Privacy advocates focused on several areas of concern: the bill is too lax about sharing data within the government; it expands government authority to use that data; and it is not aggressive enough in requiring companies to remove personal data before sharing it with the government.

A major sticking point as lawmakers have debated cyber info-sharing bills is which agencies should receive cyber data from private firms.

A bipartisan consensus has developed that the Department of Homeland Security (DHS), as a civilian agency, should be in charge of the public-private data exchange.

The Intelligence panel agreed. CISA encourages companies to go through DHS. Firms can only share directly with intelligence agencies in a non-electronic fashion.

But the bill still enables instantaneous sharing within the government once it gets in through the DHS, privacy advocates argued.

CISA fails to “cement control” for DHS over the public-private info-sharing program, Greene said.

It makes the agency “a door to the rest of the government,” she added. “It creates a situation in which the NSA is receiving every threat indicator.”

Armed with that information, privacy advocates think CISA empowers the government to use it in too many contexts.

“These are fairly vast uses,” Mitnick said.

During the markup, several people noted the committee added additional situations in which the cyber data could be used.

CISA’s draft language already allowed for cyber threat data to be used for counterterrorism purposes, such as stopping the imminent use of a weapon of mass destruction or terrorist act.

In markup, lawmakers tacked on a provision authorizing agencies to use the data to help thwart imminent threat of “serious economic harm.”

“The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity,” Nojeim added.

The bill’s backers — including Feinstein and Intelligence Committee Chairman Richard BurrRichard Mauze BurrOvernight Cybersecurity: House Intel votes to release Russia report | House lawmakers demand Zuckerberg testify | Senators unveil updated election cyber bill Senators introduced revised version of election cyber bill Overnight Cybersecurity: Zuckerberg breaks silence on Cambridge Analytica | Senators grill DHS chief on election security | Omnibus to include election cyber funds | Bill would create 'bug bounty' for State MORE (R-N.C.) — disputed these points.

“The government may only use shared data for cybersecurity purposes,” Burr said.

Feinstein also defended the bill’s provisions requiring companies to scrub personal data before sharing with the government.

Privacy advocates maintained Wednesday that the directives are inadequate because they fail to create an “affirmative duty for companies to actually determine what information is private or not,” Mitnick said.

“There has been misinformation about this bill, so let me be clear,” Feinstein said. “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks.”

The committee also added an amendment directing federal agencies to scrub known personal information before sharing data within the government.

Even before CISA’s final text was released, privacy advocates were skeptical the bill would be satisfactory.

Sen. Ron WydenRonald (Ron) Lee WydenOvernight Finance: Stocks bleed as Trump seeks new tariffs on China | House passes .3T omnibus | Senate delay could risk shutdown | All eyes on Rand Paul | Omnibus winners and losers Trump will delay steel tariffs for EU, others Overnight Cybersecurity: Zuckerberg breaks silence on Cambridge Analytica | Senators grill DHS chief on election security | Omnibus to include election cyber funds | Bill would create 'bug bounty' for State MORE (D-Ore.), a staunch civil-liberties proponent, voted against the measure last Thursday, calling it a “surveillance bill” in all but name.

Whether this opposition hurts the bill’s chances is unclear.

The White House has yet to weigh in, as have Senate Democrats like Tom CarperThomas (Tom) Richard CarperWarren turns focus to Kushner’s loans Overnight Energy: Dems probe EPA security contract | GAO expands inquiry into EPA advisory boards | Dems want more time to comment on drilling plan Overnight Regulation: Senate takes first step to passing Dodd-Frank rollback | House passes bill requiring frequent reviews of financial regs | Conservatives want new checks on IRS rules MORE of Delaware and Patrick LeahyPatrick Joseph LeahyMcCabe oversaw criminal probe into Sessions over testimony on Russian contacts: report Graham calls for Senate Judiciary hearing on McCabe firing McCabe firing roils Washington MORE of Vermont. All expressed opposition to the bill’s discussion draft and could help quash CISA.

Carper, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, is backing his own cyber info-sharing measure, a version of a White House proposal, that is more friendly to privacy advocates.

If CISA fails, it’s expected lawmakers will try to combine the Intelligence panel’s bill with a version of Carper’s offering.