Last week, Congress had less than 48 hours to read the 2,242 page, $1.1 trillion government spending bill. Few read it or know what’s in it, but they passed the bill anyway.
Tucked away in the bill is The Cybersecurity Information Sharing Act (CISA). It’s an act the people don’t want. Apple, Twitter, Reddit, Google, Facebook, 55 civil liberties organizations, security experts, and academics, and other organizations fought against CISA. It was defeated. But there it is, attached to a must pass spending bill.
Sen. Rand Paul voted against the bill. He told “The Cats Roundtable” on New York’s AM-970, “It was over a trillion dollars, it was all lumped together, 2,242 pages, nobody read it, so frankly my biggest complaint is that I have no idea what kind of things they stuck in the bill.”
CISA can be found on page 1,728.
Congress has been working on the bill for two months, but was given less than two days to read the final version before voting on it. Paul blamed both parties for voting for something that no one could possibly have read.
Speaker of the House Paul Ryan unveiled the latest version at 2 a.m., when it was likely no one would notice. It eliminated any chance of debate on CISA.
“These unacceptable surveillance provisions are a black mark on a worthy package that contains the biggest tax cut for working families in decades, an accomplishment I fought for in weeks of negotiations,” Sen. Ron Wyden said in a statement on his website. “Unfortunately, this misguided cyber legislation does little to protect Americans’ security and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers’ private data with only cursory review.”
If the spending bill did not pass, the government would have shut down. When Ryan added CISA to the spending bill it was changed before being attached.
“They took a bad bill, and they made it worse,” Robyn Greene, policy counsel for the Open Technology Institute told Wired. “They’ve got this bill that’s kicked around for years and had been too controversial to pass, so they’ve seen an opportunity to push it through without debate.”
Stanford’s Jennifer Granick said, “this bill isn’t just about threat information sharing, it’s about enabling ISP monitoring in ways beyond current law that have not been clearly defined or explained.”
In the version of CISA that was passed, the president can set up portals where companies can give information directly to federal agencies. Supporters of the bill say the NSA won’t get access to the data, saying Section 105(c) prevents it. That section only discusses who runs the portals, not who has access to the information.
“The earlier bill had only allowed that backchannel use of the data for law enforcement in cases of ‘imminent threats,’ while the new bill requires just a ‘specific threat,’ potentially allowing the search of the data for any specific terms regardless of timeliness,” Wired said.
According to Ars Technica, the CISA part of the spending package gives corporate America legal immunity when sharing consumers’ private data about hacks and digital breaches with the Department of Homeland Security (DHS). The DHS can then funnel that information to other agencies, including the NSA and FBI, which can use that information for surveillance purposes.
Rep. Zoe Lofgren, said in a statement, “I was unable to vote for the Omnibus spending bill today because it included an extraneous provision purported to facilitate cybersecurity information sharing that—in effect—will function as a surveillance tool.”
According to Wired, “CISA’s information-sharing channel, ostensibly created for responding quickly to hacks and breaches, could also provide a loophole in privacy laws that enabled intelligence and law enforcement surveillance without a warrant.”
Motherboard wrote that this version of CISA, “allows ‘cybersecurity threat’ information to be shared directly with the NSA and the department of defense, specifically removes a provision that banned the government from using the information for ‘surveillance’ activities, and allows the government to use the information it gleans to prosecute any type of criminal activity, not just ‘cyber’ crimes.
Finally, the new version does not require personal information unrelated to ‘cyber threats’ to be scrubbed before it’s shared with government agencies.”
I fought for nearly a decade to prevent CISA in all its iterations, but Congress doesn’t care what I think. The most basic function of Congress is to read and understand a bill before passing it. They didn’t do that. And now you and I are going to suffer for it.