Privacy Critics Go 0-2 With Congress' Cybersecurity Bills


Over the last month, privacy advocates have slammed the Cybersecurity Information Sharing Act, arguing that it's surveillance legislation hidden in a security bill's clothing. But those protests didn't stop a Senate committee from passing the bill by a vote of 14-1. And now they haven't stopped the House's intelligence committee from following in the Senate's surveillance-friendly footsteps.

On Thursday the House Intelligence Committee passed the Protecting Cyber Networks Act (PCNA), a near-mirror image of the cybersecurity data-sharing bill known as CISA that the Senate intelligence committee passed two weeks ago. The Protecting Cyber Networks Act, like CISA, would create new legal authorizations for companies to share cybersecurity threat information with government agencies, who would then be able to share that attack data with potential targets to help protect them. But critics say the two bills also create dangerous channels by which private companies could share users' sensitive information with agencies like the NSA.

Despite seeming attempts at privacy improvements, critics say the House version of the bill is in most major respects just as problematic as the Senate version. "You have pretty much non-existent privacy protections, along with new powers to spy on and monitor users...all while being provided broad immunity," says Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation who has closely followed both House and Senate bills. "It creates a perfect storm for sharing personal information with intelligence agencies."

Both pieces of legislation, says Open Technology Institute policy counsel Robyn Greene, would create new loopholes for private companies to share users' data with intelligence agencies including the NSA and the Office of the Director of National Intelligence, giving companies the leeway to ignore laws like the Privacy Act of 1974 and the Electronic Communication Privacy Act of 1986. And both bills also allow the government to use that data for more than cyberattack protection, including investigating violent crimes like robbery and carjacking.

In some ways, Greene says, the House bill is actually more amenable to surveillance. While both bills allow the government to collect data that could represent a "threat of bodily harm or death," the House's bill doesn't require that threat to be "imminent." "That means they can use this to investigate a lot of crimes that may not even be happening imminently or threatening anyone’s life," says Greene. "It creates a situation in which state and local law enforcement can collect this information and mine it to develop evidence of these threats."

In a statement following the vote, House intelligence committee chairman David Nunes defended the bill, writing that it will "help defend U.S. networks against a wide array of cybercriminals who are becoming more active and more threatening every day. It’s a bipartisan approach with strong privacy protections that will have a deep impact on this growing problem. In light of the urgency of the situation, I encourage House members to support this bill."

As Nunes' statement hints, the House committee did seem to respond to earlier privacy criticisms of the Senate's CISA bill, adding a section explicitly titled "Prohibition of Surveillance." That section states that nothing in the bill "shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a person for surveillance."

But that prohibition doesn't actually offer concrete privacy protections, says the American Civil Liberties Union legislative counsel Gabe Rottman. And there's nothing in the bill to stop private companies' data that's shared with the Department of Homeland Security from being passed on to the NSA or other intelligence agencies. "Just because you say it can’t be used for surveillance doesn’t mean it can’t be used for surveillance by another name," he warns. "Unfortunately the underlying mechanism whereby sensitive personal information shared with the government flows to military and intelligence agencies is still there."

One real improvement in the House bill compared with CISA, says OTI's Greene, is a new provision that requires companies to strip out any information that could identify users unrelated to a cybersecurity threat before passing the information on to the government. In the Senate's CISA, by contrast, that requirement has a major loophole: it extends only to data the company "knows at the time of sharing" to be the sensitive, personal info of innocent users. But in the House's bill, that protection has been amended to prevent the sharing of any data a company "reasonably believes" to contain personally identifying information. That's a much wider protection for users' data because even if companies haven't proven that data is personally identifying---but merely believe it to be so---they're prevented from sharing it with the government.

But even so, Greene points out that any personally identifying information related to a cyber threat---and the bill defines those threats very broadly---would still be fair game. "If I’m one of a million victims of a botnet, and an internet service provider is sending the government all the 'threat indicators' associated with that botnet, that could include information about every one of those victims," she says. "That personal information, once shared with the government, isn’t just used for identifying the source of the threat. It can also be used to investigate a myriad of crimes that have nothing to do with cybersecurity."

Both the House and Senate versions of the cybersecurity bill are expected to reach votes on the House and Senate floors by late April. It's not yet clear what odds the bills face in either of those larger legislative bodies or whether they can avoid a veto from President Obama. In 2013, after all, Obama threatened to veto the Cybersecurity Intelligence Sharing and Protection Act (CISPA), an earlier, ultimately failed attempt at cybersecurity data-sharing legislation. In that instance, the Obama administration argued that the bill hadn't done enough to protect Internet users' personal information. “Citizens have a right to know that corporations will be held accountable---and not granted immunity---for failing to safeguard personal information adequately,” a White House statement read at the time.

If the privacy community's criticisms are any measure, Congress's latest attempts at cybersecurity data-sharing legislation aren't faring much better.