Senate cyber bill can't win over privacy advocates

Senate cyber bill can't win over privacy advocates
© Greg Nash

Almost none of the privacy concerns about a major Senate Intelligence Committee cyber bill were addressed during the measure’s recent markup, privacy advocates told The Hill Wednesday.

“The thing that stuck out to me most was how disappointed I was at the amendments,” said Robyn Greene, policy counsel for New America Foundation's Open Technology Institute.

The bill, known as the Cybersecurity Information Sharing Act (CISA), would give companies legal liability protections when sharing cyber threat data with the government.

CISA’s proponents — including major industry groups like the U.S. Chamber of Commerce and Financial Services Roundtable — argue the heightened exchange of data will bolster the nation’s cyber defenses, which have been repeatedly and increasingly breached in the last year. The bill has been a top priority for many government officials as well.

ADVERTISEMENT

But privacy advocates, the White House and several Senate Democrat had expressed fears that a draft of the measure would enable the National Security Agency (NSA) to collect more sensitive data on Americans.

Intelligence Committee leaders proclaimed they had fixed many of these issues with 12 privacy-related amendments adopted during a markup last week, when the bill passed out of committee by a 14-1 vote.

“The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill,” said Ranking Member Dianne FeinsteinDianne Emiel FeinsteinSenate confirms Rosen for No. 2 spot at DOJ Senate confirms controversial 9th Circuit pick without blue slips Graham warns of 5G security threat from China MORE (D-Calif.) in a Wednesday statement.

Privacy groups anxiously awaited the final text to see if they agreed. After the bill was filed late Tuesday, disappointed advocates started weighing in.

“Some of the changes are significant and go some distance toward responding to the concerns we and other have raised,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” added Drew Mitnick, policy counsel at digital rights advocate Access Now.

Privacy advocates focused on several areas of concern: the bill is too lax about sharing data within the government; it expands government authority to use that data; and it is not aggressive enough in requiring companies to remove personal data before sharing it with the government.

A major sticking point as lawmakers have debated cyber info-sharing bills is which agencies should receive cyber data from private firms.

A bipartisan consensus has developed that the Department of Homeland Security (DHS), as a civilian agency, should be in charge of the public-private data exchange.

The Intelligence panel agreed. CISA encourages companies to go through DHS. Firms can only share directly with intelligence agencies in a non-electronic fashion.

But the bill still enables instantaneous sharing within the government once it gets in through the DHS, privacy advocates argued.

CISA fails to “cement control” for DHS over the public-private info-sharing program, Greene said.

It makes the agency “a door to the rest of the government,” she added. “It creates a situation in which the NSA is receiving every threat indicator.”

Armed with that information, privacy advocates think CISA empowers the government to use it in too many contexts.

“These are fairly vast uses,” Mitnick said.

During the markup, several people noted the committee added additional situations in which the cyber data could be used.

CISA’s draft language already allowed for cyber threat data to be used for counterterrorism purposes, such as stopping the imminent use of a weapon of mass destruction or terrorist act.

In markup, lawmakers tacked on a provision authorizing agencies to use the data to help thwart imminent threat of “serious economic harm.”

“The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity,” Nojeim added.

The bill’s backers — including Feinstein and Intelligence Committee Chairman Richard BurrRichard Mauze BurrOvernight Defense: Congressional leaders receive classified briefing on Iran | Trump on war: 'I hope not' | Key Republican calls threats credible | Warren plan targets corporate influence at Pentagon Key Republican 'convinced' Iran threats are credible Congressional leaders receive classified Iran briefing MORE (R-N.C.) — disputed these points.

“The government may only use shared data for cybersecurity purposes,” Burr said.

Feinstein also defended the bill’s provisions requiring companies to scrub personal data before sharing with the government.

Privacy advocates maintained Wednesday that the directives are inadequate because they fail to create an “affirmative duty for companies to actually determine what information is private or not,” Mitnick said.

“There has been misinformation about this bill, so let me be clear,” Feinstein said. “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks.”

The committee also added an amendment directing federal agencies to scrub known personal information before sharing data within the government.

Even before CISA’s final text was released, privacy advocates were skeptical the bill would be satisfactory.

Sen. Ron WydenRonald (Ron) Lee WydenOregon man sentenced after threatening to chop off Dem senator's tongue House to vote on retirement bill next week Hillicon Valley: Trump signs order to protect US networks from Chinese tech | Huawei downplays order | Trump declines to join effort against online extremism | Facebook restricts livestreaming | FCC proposes new tool against robocalls MORE (D-Ore.), a staunch civil-liberties proponent, voted against the measure last Thursday, calling it a “surveillance bill” in all but name.

Whether this opposition hurts the bill’s chances is unclear.

The White House has yet to weigh in, as have Senate Democrats like Tom CarperThomas (Tom) Richard CarperOvernight Energy: EPA watchdog finds Pruitt spent 4K on 'excessive' travel | Agency defends Pruitt expenses | Lawmakers push EPA to recover money | Inslee proposes spending T for green jobs Lawmakers take EPA head to task for refusing to demand Pruitt repay travel expenses Dems request investigation of lobbyist-turned-EPA employee who met with former boss MORE of Delaware and Patrick LeahyPatrick Joseph LeahyOvernight Defense: Congressional leaders receive classified briefing on Iran | Trump on war: 'I hope not' | Key Republican calls threats credible | Warren plan targets corporate influence at Pentagon Key Republican 'convinced' Iran threats are credible Graham, Leahy request briefing on decision to yank personnel from Iraq MORE of Vermont. All expressed opposition to the bill’s discussion draft and could help quash CISA.

Carper, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, is backing his own cyber info-sharing measure, a version of a White House proposal, that is more friendly to privacy advocates.

If CISA fails, it’s expected lawmakers will try to combine the Intelligence panel’s bill with a version of Carper’s offering.