Surveillance Bill Slipped Into Federal Spending Budget

The controversial Cybersecurity Information Sharing Act (CISA) has been wrapped in crucial legislation handling much of the federal government's funding.

Larry Loeb, Blogger, Informationweek

December 18, 2015


In a late-night session of Congress this week, Speaker of the House Paul Ryan (R-WI) announced an omnibus spending bill needed to prevent a government shutdown. However, buried in the 2,000-page document is the full text of the controversial Cybersecurity Information Sharing Act of 2015, which passed the Senate in October.

CISA has been widely criticized since it was first proposed in 2014. Senator Ron Wyden (D-OR) has called it "a surveillance bill by another name."

While the bill makes it easier for private sector companies to share user information with the government and other companies, it also removes privacy and liability protections in the name of better cybersecurity.

Critics like Wyden, along with other privacy advocates and many major tech companies, say removing those protections would turn Internet backbone companies into de facto surveillance organs. These companies would have no reason or incentive to preserve user privacy.

The omnibus version of the bill is even more invasive than previous versions. It removes the prohibition on information-sharing with the NSA, which means that information can be shared directly with the NSA (and US Department of Defense) without having to first go through the Department of Homeland Security, according to a report on TechDirt. 

The report also notes that the new version removes the restrictions on using information for surveillance activities, gets rid of the limitations that required the government to use information only for cybersecurity purposes, and ditches the requirement to scrub personal information unrelated to a cybersecurity threat before sharing that information.

The Electronic Frontier Foundation issued a statement on the cybersecurity bill added to the Congressional year-end budget package, saying that it is "a combination of three bad cybersecurity bills passed by Congress this year: two pieces of legislation in the House," and CISA.

The EFF added:

"The bills are also opposed by other privacy advocates, civil society organizations, computer security experts, and many Silicon Valley companies as the bills ignore the fact that companies and security experts can already share the much-needed technical information to stop computer security threats. Maybe more importantly, the bills do not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links."

In short, the EFF says that CISA will do nothing to ameliorate the true causes of cyberattacks, and that it merely serves as a way for the government to monitor the activities of users.

The House Intelligence Community has said that the claims being made against CISA are inaccurate. While surveillance is not directly listed as a use of the bill, the information gathered through CISA can be used to investigate a variety of crimes, such as "a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction."


About the Author(s)

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
