Senator Dianne Feinstein says a new cyber security bill helps share information ‘through a purely voluntary process and with significant measures to protect private information.’ Did you volunteer your information? Photograph: KylaBorg / Flickr via Creative Commons
One of the most underrated benefits of Edward Snowden’s leaks was how they forced the US Congress to shelve the dangerous, privacy-destroying legislation– then known as Cispa – that so many politicians had been so eager to pass under the guise of “cybersecurity”. Now a version of the bill is back, and apparently its authors want to keep you in the dark about it for as long as possible.
Now it’s called the Cybersecurity Information Sharing Act (Cisa), and it is a nightmare for civil liberties. Indeed, it’s unclear how this kind of law would even improve cybersecurity. The bill was marked up and modified by the Senate intelligence committee in complete secrecy this week, and only afterward was the public allowed to see many of the provisions passed under its name.
Cisa is what Senator Dianne Feinstein, the bill’s chief backer and the chair of the committee, calls an “information-sharing” law that’s supposed to help the government and tech and telecom companies better hand information back and forth to the government about “cyberthreat” data, such as malware. But in reality, it is written so broadly it would allow companies to hand over huge swaths of your data – including emails and other communications records – to the government with no legal process whatsoever. It would hand intelligence agencies another legal authority to potentially secretly re-interpret and exploit in private to carry out even more surveillance on the American public and citizens around the world.
Under the new provisions, your data can get handed over by the tech companies and others to the Department of Homeland Security (not exactly acivil liberties haven itself), but then it can be passed along to the nation’s intelligence agencies … including the NSA. And even if you find out a company violated your privacy by handing over personal information it shouldn’t have, it would have immunity from lawsuits – as long as it acted in “good faith”. It could amount to what many are calling a “backdoor wiretap”, where your personal information could end up being used for all sorts of purposes that have nothing to do with cybersecurity.
But it’s not just privacy advocates who should be worried: transparency also takes a huge hit under this bill. Cisa would create a brand-new exception to the Freedom of Information Act (which is already riddled with holes), all the better to ensure everything in this particular process remains secret.
In typical intel-committee fashion, the Foia amendment wasn’t even made public until after it was passed by committee.
And despite the current administration’s unprecedented use of the Espionage Act to go after sources and whistleblowers, the intelligence committee apparently wants to give the government even more power to go after journalists’ sources, indicating in the bill that the government could use data obtained beyond anything to do with actual cybersecurity to go after anyone charged under the Espionage Act. That’s why the Sunshine in Government coalition sent a letter to the intelligence committee, calling on Senators to reject the bill as a clear danger to press freedom.
Given how much we’ve learned about the US government’s willingness to re-interpret the law in secret, these two secrecy provisions don’t exactly inspire confidence that Cisa won’t turn into yet another mass surveillance vehicle. This is why civil liberties groups are already mobilizing against it, imploring constituents to call their representatives before the bill gets any further. Last time Cispa came around the even the White House issued a veto threat based on privacy protections. But will they have the courage to do it again?
For tech companies, it’s unclear why they should trust the government on cybersecurity issues at this point. Tellingly, Google recently refused to share the code behind the now-infamous Heartbleed bug with the government before telling the public about it. The answer to why is probably linked to a New York Times story on the Snowden documents from last year that reported the NSA has, in the past, invited companies to share information with the goal to improve cybersecurity … only to turn around and use that information to weaken it.
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The NSA’sCommercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret NSA document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into internet security products.
No one doubts cybersecurity and the risk of criminals breaking into computer systems is a problem, but by using unprovable numbers and ridiculous fear-mongering catch-phrases like cyber-Pearl Harbor or cyber-Armegeddon, the government hopes it can approve extraordinary new powers for itself, and untold windfalls for the massive cybersecurity industrial complex. Yes, the networks at many companies have been compromised, but equating every low-level hacker or prankster with cyberwar has become a lesson in absurdity. As cybersecurity expert Peter Singer has pointed out, squirrels are a far bigger threat to take down power grids in the United States than foreign hackers.
The best thing the government could probably do for cybersecurity is get its own house in order, starting with upgrading its terribly old computer systems that, in some agencies, are running a version of Windows that’s so old, Microsoft doesn’t even update it for the public anymore. Many agency websites don’t use basic HTTPS encryption, others, like the FBI, don’t use other basic forms of encryption to protect their emails. Why does the NSA continue to stockpile software vulnerabilities that could be disclosed to companies like Microsoft to make all of us safe?
The fact of the matter is the Snowden leaks have done more for cybersecurity than any info-sharing bill ever could. The major tech companies have leapt forward and are now competing on who is more secure because of worries that the NSA, and other intelligence agencies for that matter, are snooping wherever they can. Certainly there is more to do, but eviscerating privacy rights in the process is not the solution.