The House Just Passed a Major Expansion of Government Surveillance in the Guise of Cybersecurity
And it must be stopped in the Senate.
In what can only be described as a travesty for responsible, transparent lawmaking, the House of Representatives just passed a Frankenstein monster of a “cybersecurity information sharing” bill that will massively expand government surveillance authorities if it’s not defeated in the Senate.
And, to rub salt in the wound, House leadership used arcane procedural tricks to block privacy-protective amendments and to privilege the version of the bill preferred by the House intelligence committee, which is more privacy invasive than the version passed by the Committee on Homeland Security.[*]
The bill that passed would, if adopted by the Senate, create a new and secretive cybersecurity spy agency, broadly authorize the sharing of personal information with the NSA, and allow its use in ways that look a lot like the surveillance programs revealed over the past two years.
The House’s draft will now go to the Senate, which has an even worse bill waiting in the wings. Just as the privacy and civil liberties community is engaged in a battle to reform the Patriot Act or allow it to expire, we are being forced to simultaneously jump start our efforts against a major new surveillance offensive—these so-called “cybersecurity” bills that will do little to better protect our computers, but will give the government vast new authority to spy on us without any reason to think we’ve done anything wrong.
Now, calling these bills “surveillance” authorities is a serious charge. To understand why it’s warranted takes a bit of explanation.
First, it’s important to understand what we mean by “information sharing.” Right now, private companies have broad authority to share cyber threat information both among themselves and with the government. They also have the authority to monitor their own computers for hacking or data theft. There are, however, important privacy protections in existing laws like the Electronic Communications Privacy Act (“ECPA”) that limit the sharing of sensitive, personally identifiable information absent an exception, of which there are several.
The House bill cuts through all of those existing privacy protections. It says “notwithstanding any law,” companies can share “cyber” information among themselves and with the government, and be virtually immune from lawsuit or criminal exposure in doing so. In other words, “information sharing” is a bit of a misnomer; it’s more accurate to call it a sweeping new exception to all existing privacy laws.
The House bill does require a company to review and remove anything that it reasonably believes at the time of sharing to be personal and not directly related to the cyber threat. But that’s weaker protection than it sounds because it doesn’t restrict sharing to only the information necessary to address the cyber threat. In other words, as long as the company has an argument that the information is plausibly “directly” related to the threat, it can share with impunity, even if there’s no reason for the government to have it.
But, the “surveillance” piece of the bill really happens at the next step: what the government can do with personal information shared by companies once it’s disseminated. The House Intelligence bill will require that, once all the information not stripped is shared with the government, it all flows automatically to the military, including the NSA and the Office of the Director of National Intelligence (which then can/will share with the CIA, presumably).
Once there, the information can be used for purposes far removed from cybersecurity. The House Intelligence bill would permit federal, state, and local law enforcement agencies to use the information for a wide array of non-cybercrimes, including violations of the Espionage Act, which has been deployed by the Obama administration to aggressively prosecute national security whistleblowers and investigate reporters like James Risen, who was almost forced to disclose his source for a story in which the CIA screwed up and gave Iran information that could lead to a nuclear weapon.
Our colleagues at the Open Technology Institute, the Center for Democracy and Technology, and the Electronic Frontier Foundation have exhaustively catalogued the serious civil liberties, privacy, and open government issues with the House bills that were voted on today. We’ve also signed a letter with transparency and media law groups in strong opposition to the House intelligence bill for, among other things, allowing use in Espionage Act cases.
Now the fight turns to the Senate. And, unless the privacy and civil liberties communities really go all out, things are bleak. This is, after all, where Majority Leader Mitch McConnell (R-KY), despite the two-year drumbeat of revelations of mass surveillance of individuals suspected of no wrongdoing, has introduced a bill to reauthorize the Patriot Act, without any privacy protections, until 2020. Unless the community hits the bricks—as we did over CISPA in 2013—we will lose.
There’s lots we can and should be doing to improve cybersecurity, including encouraging the use of encryption, facilitating information sharing among private sector entities, and safeguarding critical infrastructure. What we shouldn’t be doing, however, is passing a bill that gives even more personal information on innocent individuals to the NSA and allowing that information to be mined for purposes unrelated to protecting against hackers. That’s exactly what these bills do, and it’s entirely fair to call them what they are: new surveillance powers.
[*] There’s a bit of legislative arcana to unpack here. Today, the House passed the version of the bill proposed by the House Committee on Homeland Security. Yesterday, it passed the House Intelligence Committee draft, which is worse for privacy. Next comes “engrossment,”where the House clerk finalizes the draft that goes over for Senate considerationby mashing the two bills together without change to any of the substantive provisions. This means that, for instance, the broader use authorizations in the House Intelligence Committee bill will co-exist alongside the narrower authorizations in the Homeland Security bill.
Practically, and especially if the Senate passes a bill that looks more like the House intelligence committee bill, this gives the House intelligence committee bill a significant advantage in whatever process the two chambers decide on to reconcile differences between their respective bills. In other words, even though the House passed two competing bills, the House intelligence committee bill is more likely to survive intact in negotiations with the Senate. Most of the more privacy protective provisions in the other bill are likely to drop off.
This is particularly concerning given that the Homeland Security bill passed with broader support than the House intelligence committee bill (307 to 116 versus 355 to 63). While we oppose both bills, the fact that the House intelligence committee bill has effectively become the base bill to reconcile with the Senate is, indeed, salt in the wound.