[Cryptography] Opponents launch 11th-hour campaign to veto CISA bill

Henry Baker hbaker1 at pipeline.com
Tue Dec 15 13:10:20 EST 2015 

FYI -- "it's a surveillance bill by another name." -- Senator Ron Wyden

Go to the following web site; they will connect you to a number of people at the White House who are getting irritated by so many calls!

https://www.obamadecides.org/

-----
https://www.techdirt.com/articles/20151215/06470133083/congress-drops-all-pretense-quietly-turns-cisa-into-full-surveillance-bill.shtml

Congress Drops All Pretense: Quietly Turns CISA Into A Full On Surveillance Bill

by Mike Masnick

Tue, Dec 15th 2015 9:28am

Remember CISA?  The "Cybersecurity Information Sharing Act"?  It's getting much much worse as Congress and the administration look to ram it through -- and in the process, removing any pretense that it's not a surveillance bill.

https://www.techdirt.com/blog/?tag=cisa

As you may recall, Congress and the White House have been pushing for a "cybersecurity" bill for a few years now, that has never actually been a cybersecurity bill.  Senator Ron Wyden was one of the only people in Congress willing to stand up and directly say what it was: "it's a surveillance bill by another name."  And, by now, you should know that when Senator Wyden says that there's a secret interpretation of a bill that will increase surveillance and is at odds with the public's understanding of a bill, you should know to listen.  He's said so in the past and has been right... multiple times.

https://www.wyden.senate.gov/news/press-releases/wyden-cybersecurity-bill-lacks-privacy-protections-doesnt-secure-networks

https://www.techdirt.com/articles/20151207/17063433015/final-text-cisa-apparently-removed-what-little-privacy-protections-had-been-there.shtml

Either way, a version of CISA passed the House a while back, with at least some elements of privacy protection included.  Then, a few months ago it passed the Senate in a much weaker state.  The two different versions need to be reconciled, and it's been worked on.  However, as we noted recently, the intelligence community has basically taken over the process and more or less stripped out what few privacy protections there were.

And, the latest is that it's getting worse.  Not only is Congress looking to include it in the end of year omnibus bill -- basically a "must pass" bill -- to make sure it gets passed, but it's clearly dropping all pretense that CISA isn't about surveillance.  Here's what we're hearing from people involved in the latest negotiations.  The latest version of CISA that they're looking to put into the omnibus:

1. Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS.  While DHS isn't necessarily wonderful, it's a lot better than NSA.  And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.

2. Directly removes the restrictions on using this information for "surveillance" activities.  You can't get much more direct than that, right?

3. Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well.  Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused.  We've just seen how the DEA has regularly abused its powers to collect info.  You think agencies like the DEA and others won't make use of CISA too?

https://www.techdirt.com/articles/20151214/08492533071/dea-loses-big-drug-case-thanks-to-illegal-wiretap-warrants-prosecutor-calls-procedural-errors.shtml

4. Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information.  This was the key point that everyone kept making about why the information should go to DHS first -- where DHS would be in charge of this "scrub".  The "scrub" process was a bit exaggerated in the first place, but it was at least something of a privacy protection.  However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information.  Guess how that's going to go? 

In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they've dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it's a very broad surveillance bill that can be widely used and abused by all parts of the government.

There is still some hesitation by some as to whether or not this bill belongs in the omnibus bill, or if it should go through the regular process, with a debate and a full vote on this entirely new and different version of CISA.  So, now would be a good time to speak out, letting your elected officials and the White House know that (1) CISA should not be in the omnibus and (2) that we don't need another surveillance bill.

In the meantime, if Congress were actually serious about cybersecurity, they'd be ramping up the acceptance and use of encryption, rather than trying to undermine it.

-----------------
http://thehill.com/policy/cybersecurity/263174-opponents-launch-11th-hour-campaign-to-kill-cyber-bill

Opponents launch 11th-hour campaign to kill cyber bill
 
By Cory Bennett - 12/14/15 03:54 PM EST

Privacy advocates have launched a last-ditch campaign to block a major piece of cybersecurity legislation that could soon be added to an expected omnibus spending deal.

The bill would encourage companies to share more data on hackers with the government.

Fight for the Future, which has been leading a coalition of digital rights and civil liberties groups opposing the measure, on Monday launched an online petition urging the White House to veto the final legislation.  The group also included a widget that allows people to call the White House to express their opposition.

https://www.obamadecides.org/

Privacy advocates have long argued that the legislation would allow the intelligence community to collect more private data on Americans.  Technologists and numerous technology companies have expressed similar concerns.

But many industry groups, lawmakers and even the White House counter that the bill is the necessary first step in the fight against hackers.  Privacy provisions in the measure will ensure personal data is not shared throughout the government, they say.

"Now is when we'll find out whether President Obama really cares about the Internet and freedom of speech, or whether he's happy to roll over and allow technologically illiterate members of Congress break the Internet in the name of cybersecurity," said Evan Greer, campaign director at Fight for the Future.

Lawmakers are on the cusp of having a final text ready and hope to have the bill on President Obama's desk before the year's end.

http://thehill.com/policy/cybersecurity/262985-week-ahead-congress-poised-to-finish-cyber-bill

Negotiators have been working since the Senate passed its Intelligence Committee-originated bill in October, six months after the House passed two complementary bills: one from the Intelligence panel, another from Homeland Security.

On Monday, privacy advocates said that lawmakers had decided to attach the bill to an omnibus spending bill that is expected as soon as Monday.  Most observers believe the tactic gives the cyber bill its best shot of getting through Congress in 2015, as only a handful of legislative days remain before the upcoming recess.

But several people with direct knowledge of the talks cautioned that no final decision had been made.

Multiple lawmakers have expressed opposition to the strategy, arguing that the final cyber text should get a standalone vote in both chambers.  Their resistance threatens to kill the omnibus strategy.

If the cyber bill does roll through Congress, Fight for the Future called on the White House to reject the measure.

Throughout the final negotiation process, digital rights groups have warned that lawmakers were omitting the most stringent privacy clauses, a claim the bill's backers reject.

http://thehill.com/policy/cybersecurity/262713-cyber-bill-deal-looms-as-negotiators-finalize-privacy-language

http://thehill.com/policy/cybersecurity/262864-house-leadership-reviewing-cyber-compromise

"This administration promised to veto any information sharing bill that did not adequately protect Internet users' privacy, and the final version of this bill doesn't even come close," Greer said.  "It's time for President Obama to deliver on his word."

More information about the cryptography mailing list