Senate cyber bill can't win over privacy advocates

Almost none of the privacy concerns about a major Senate Intelligence Committee cyber bill were addressed during the measure’s recent markup, privacy advocates told The Hill Wednesday.

“The thing that stuck out to me most was how disappointed I was at the amendments,” said Robyn Greene, policy counsel for New America Foundation's Open Technology Institute.

The bill, known as the Cybersecurity Information Sharing Act (CISA), would give companies legal liability protections when sharing cyber threat data with the government.

CISA’s proponents — including major industry groups like the U.S. Chamber of Commerce and Financial Services Roundtable — argue the heightened exchange of data will bolster the nation’s cyber defenses, which have been repeatedly and increasingly breached in the last year. The bill has been a top priority for many government officials as well.

But privacy advocates, the White House and several Senate Democrats had expressed fears that a draft of the measure would enable the National Security Agency (NSA) to collect more sensitive data on Americans.

Intelligence Committee leaders proclaimed they had fixed many of these issues with 12 privacy-related amendments adopted during a markup last week, when the bill passed out of committee by a 14-1 vote.

“The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill,” said Ranking Member Dianne Feinstein (D-Calif.) in a Wednesday statement.

Privacy groups anxiously awaited the final text to see if they agreed. After the bill was filed late Tuesday, disappointed advocates started weighing in.

“Some of the changes are significant and go some distance toward responding to the concerns we and others have raised,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” added Drew Mitnick, policy counsel at digital rights advocate Access Now.

Privacy advocates focused on several areas of concern: the bill is too lax about sharing data within the government; it expands government authority to use that data; and it is not aggressive enough in requiring companies to remove personal data before sharing it with the government.

A major sticking point as lawmakers have debated cyber info-sharing bills is which agencies should receive cyber data from private firms.

A bipartisan consensus has developed that the Department of Homeland Security (DHS), as a civilian agency, should be in charge of the public-private data exchange.

The Intelligence panel agreed. CISA encourages companies to go through DHS. Firms can only share directly with intelligence agencies in a non-electronic fashion.

But the bill still enables instantaneous sharing within the government once it gets in through the DHS, privacy advocates argued.

CISA fails to “cement control” for DHS over the public-private info-sharing program, Greene said.

It makes the agency “a door to the rest of the government,” she added. “It creates a situation in which the NSA is receiving every threat indicator.”

Privacy advocates think CISA empowers the government, once armed with that information, to use it in too many contexts.

“These are fairly vast uses,” Mitnick said.

Several people noted that, during the markup, the committee added further situations in which the cyber data could be used.

CISA’s draft language already allowed for cyber threat data to be used for counterterrorism purposes, such as stopping the imminent use of a weapon of mass destruction or terrorist act.

In markup, lawmakers tacked on a provision authorizing agencies to use the data to help thwart an imminent threat of “serious economic harm.”

“The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity,” Nojeim added.

The bill’s backers — including Feinstein and Intelligence Committee Chairman Richard Burr (R-N.C.) — disputed these points.

“The government may only use shared data for cybersecurity purposes,” Burr said.

Feinstein also defended the bill’s provisions requiring companies to scrub personal data before sharing with the government.

Privacy advocates maintained Wednesday that the directives are inadequate because they fail to create an “affirmative duty for companies to actually determine what information is private or not,” Mitnick said.

“There has been misinformation about this bill, so let me be clear,” Feinstein said. “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks.”

The committee also added an amendment directing federal agencies to scrub known personal information before sharing data within the government.

Even before CISA’s final text was released, privacy advocates were skeptical the bill would be satisfactory.

Sen. Ron Wyden (D-Ore.), a staunch civil-liberties proponent, voted against the measure last Thursday, calling it a “surveillance bill” in all but name.

Whether this opposition hurts the bill’s chances is unclear.

The White House has yet to weigh in, as have Senate Democrats like Tom Carper of Delaware and Patrick Leahy of Vermont. All expressed opposition to the bill’s discussion draft and could help quash CISA.

Carper, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, is backing his own cyber info-sharing measure, a version of a White House proposal, that is more friendly to privacy advocates.

If CISA fails, it’s expected lawmakers will try to combine the Intelligence panel’s bill with a version of Carper’s offering.