Senate cyber bill can't win over privacy advocates

Senate cyber bill can't win over privacy advocates
© Greg Nash

Almost none of the privacy concerns about a major Senate Intelligence Committee cyber bill were addressed during the measure’s recent markup, privacy advocates told The Hill Wednesday.

“The thing that stuck out to me most was how disappointed I was at the amendments,” said Robyn Greene, policy counsel for New America Foundation's Open Technology Institute.

The bill, known as the Cybersecurity Information Sharing Act (CISA), would give companies legal liability protections when sharing cyber threat data with the government.

CISA’s proponents — including major industry groups like the U.S. Chamber of Commerce and Financial Services Roundtable — argue the heightened exchange of data will bolster the nation’s cyber defenses, which have been repeatedly and increasingly breached in the last year. The bill has been a top priority for many government officials as well.

ADVERTISEMENT

But privacy advocates, the White House and several Senate Democrat had expressed fears that a draft of the measure would enable the National Security Agency (NSA) to collect more sensitive data on Americans.

Intelligence Committee leaders proclaimed they had fixed many of these issues with 12 privacy-related amendments adopted during a markup last week, when the bill passed out of committee by a 14-1 vote.

“The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill,” said Ranking Member Dianne FeinsteinDianne Emiel FeinsteinNearly 140 Democrats urge EPA to 'promptly' allow California to set its own vehicle pollution standards Biden signs bill to bolster crime victims fund Stripping opportunity from DC's children MORE (D-Calif.) in a Wednesday statement.

Privacy groups anxiously awaited the final text to see if they agreed. After the bill was filed late Tuesday, disappointed advocates started weighing in.

“Some of the changes are significant and go some distance toward responding to the concerns we and other have raised,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” added Drew Mitnick, policy counsel at digital rights advocate Access Now.

Privacy advocates focused on several areas of concern: the bill is too lax about sharing data within the government; it expands government authority to use that data; and it is not aggressive enough in requiring companies to remove personal data before sharing it with the government.

A major sticking point as lawmakers have debated cyber info-sharing bills is which agencies should receive cyber data from private firms.

A bipartisan consensus has developed that the Department of Homeland Security (DHS), as a civilian agency, should be in charge of the public-private data exchange.

The Intelligence panel agreed. CISA encourages companies to go through DHS. Firms can only share directly with intelligence agencies in a non-electronic fashion.

But the bill still enables instantaneous sharing within the government once it gets in through the DHS, privacy advocates argued.

CISA fails to “cement control” for DHS over the public-private info-sharing program, Greene said.

It makes the agency “a door to the rest of the government,” she added. “It creates a situation in which the NSA is receiving every threat indicator.”

Armed with that information, privacy advocates think CISA empowers the government to use it in too many contexts.

“These are fairly vast uses,” Mitnick said.

During the markup, several people noted the committee added additional situations in which the cyber data could be used.

CISA’s draft language already allowed for cyber threat data to be used for counterterrorism purposes, such as stopping the imminent use of a weapon of mass destruction or terrorist act.

In markup, lawmakers tacked on a provision authorizing agencies to use the data to help thwart imminent threat of “serious economic harm.”

“The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity,” Nojeim added.

The bill’s backers — including Feinstein and Intelligence Committee Chairman Richard BurrRichard Mauze BurrSenate starts infrastructure debate amid 11th-hour drama The Hill's Morning Report - Presented by Facebook - A huge win for Biden, centrist senators The 17 Republicans who voted to advance the Senate infrastructure bill MORE (R-N.C.) — disputed these points.

“The government may only use shared data for cybersecurity purposes,” Burr said.

Feinstein also defended the bill’s provisions requiring companies to scrub personal data before sharing with the government.

Privacy advocates maintained Wednesday that the directives are inadequate because they fail to create an “affirmative duty for companies to actually determine what information is private or not,” Mitnick said.

“There has been misinformation about this bill, so let me be clear,” Feinstein said. “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks.”

The committee also added an amendment directing federal agencies to scrub known personal information before sharing data within the government.

Even before CISA’s final text was released, privacy advocates were skeptical the bill would be satisfactory.

Sen. Ron WydenRonald (Ron) Lee WydenUp next in the culture wars: Adding women to the draft Democrats warn shrinking Biden's spending plan could backfire Democrats release data showing increase in 'mega-IRA' accounts MORE (D-Ore.), a staunch civil-liberties proponent, voted against the measure last Thursday, calling it a “surveillance bill” in all but name.

Whether this opposition hurts the bill’s chances is unclear.

The White House has yet to weigh in, as have Senate Democrats like Tom CarperThomas (Tom) Richard CarperBiden's bipartisan deal faces Senate gauntlet Top Democrat: 'A lot of spin' coming from White House on infrastructure Bipartisan framework remains mostly consistent on climate MORE of Delaware and Patrick LeahyPatrick Joseph LeahyThe Hill's Morning Report - Presented by Facebook - Biden sets new vaccine mandate as COVID-19 cases surge House clears .1 billion Capitol security bill, sending to Biden Senate passes .1 billion Capitol security bill MORE of Vermont. All expressed opposition to the bill’s discussion draft and could help quash CISA.

Carper, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, is backing his own cyber info-sharing measure, a version of a White House proposal, that is more friendly to privacy advocates.

If CISA fails, it’s expected lawmakers will try to combine the Intelligence panel’s bill with a version of Carper’s offering.