Senate cyber bill can’t win over privacy advocates

Almost none of the privacy concerns about a major Senate Intelligence Committee cyber bill were addressed during the measure’s recent markup, privacy advocates told The Hill Wednesday.

“The thing that stuck out to me most was how disappointed I was at the amendments,” said Robyn Greene, policy counsel for New America Foundation’s Open Technology Institute.

The bill, known as the Cybersecurity Information Sharing Act (CISA), would give companies legal liability protections when sharing cyber threat data with the government.

CISA’s proponents — including major industry groups like the U.S. Chamber of Commerce and Financial Services Roundtable — argue the heightened exchange of data will bolster the nation’s cyber defenses, which have been repeatedly and increasingly breached in the last year. The bill has been a top priority for many government officials as well.

{mosads}But privacy advocates, the White House and several Senate Democrat had expressed fears that a draft of the measure would enable the National Security Agency (NSA) to collect more sensitive data on Americans.

Intelligence Committee leaders proclaimed they had fixed many of these issues with 12 privacy-related amendments adopted during a markup last week, when the bill passed out of committee by a 14-1 vote.

“The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill,” said Ranking Member Dianne Feinstein (D-Calif.) in a Wednesday statement.

Privacy groups anxiously awaited the final text to see if they agreed. After the bill was filed late Tuesday, disappointed advocates started weighing in.

“Some of the changes are significant and go some distance toward responding to the concerns we and other have raised,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “However, at the end of the day, the bill still authorizes companies in the private sector to share information about their users’ communications directly with the NSA.”

“This is still a fundamentally flawed bill,” added Drew Mitnick, policy counsel at digital rights advocate Access Now.

Privacy advocates focused on several areas of concern: the bill is too lax about sharing data within the government; it expands government authority to use that data; and it is not aggressive enough in requiring companies to remove personal data before sharing it with the government.

A major sticking point as lawmakers have debated cyber info-sharing bills is which agencies should receive cyber data from private firms.

A bipartisan consensus has developed that the Department of Homeland Security (DHS), as a civilian agency, should be in charge of the public-private data exchange.

The Intelligence panel agreed. CISA encourages companies to go through DHS. Firms can only share directly with intelligence agencies in a non-electronic fashion.

But the bill still enables instantaneous sharing within the government once it gets in through the DHS, privacy advocates argued.

CISA fails to “cement control” for DHS over the public-private info-sharing program, Greene said.

It makes the agency “a door to the rest of the government,” she added. “It creates a situation in which the NSA is receiving every threat indicator.”

Armed with that information, privacy advocates think CISA empowers the government to use it in too many contexts.

“These are fairly vast uses,” Mitnick said.

During the markup, several people noted the committee added additional situations in which the cyber data could be used.

CISA’s draft language already allowed for cyber threat data to be used for counterterrorism purposes, such as stopping the imminent use of a weapon of mass destruction or terrorist act.

In markup, lawmakers tacked on a provision authorizing agencies to use the data to help thwart imminent threat of “serious economic harm.”

“The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity,” Nojeim added.

The bill’s backers — including Feinstein and Intelligence Committee Chairman Richard Burr (R-N.C.) — disputed these points.

“The government may only use shared data for cybersecurity purposes,” Burr said.

Feinstein also defended the bill’s provisions requiring companies to scrub personal data before sharing with the government.

Privacy advocates maintained Wednesday that the directives are inadequate because they fail to create an “affirmative duty for companies to actually determine what information is private or not,” Mitnick said.

“There has been misinformation about this bill, so let me be clear,” Feinstein said. “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks.”

The committee also added an amendment directing federal agencies to scrub known personal information before sharing data within the government.

Even before CISA’s final text was released, privacy advocates were skeptical the bill would be satisfactory.

Sen. Ron Wyden (D-Ore.), a staunch civil-liberties proponent, voted against the measure last Thursday, calling it a “surveillance bill” in all but name.

Whether this opposition hurts the bill’s chances is unclear.

The White House has yet to weigh in, as have Senate Democrats like Tom Carper of Delaware and Patrick Leahy of Vermont. All expressed opposition to the bill’s discussion draft and could help quash CISA.

Carper, the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, is backing his own cyber info-sharing measure, a version of a White House proposal, that is more friendly to privacy advocates.

If CISA fails, it’s expected lawmakers will try to combine the Intelligence panel’s bill with a version of Carper’s offering.