The House Just Passed a Major Expansion of Government Surveillance in the Guise of Cybersecurity
And it must be stopped in the Senate.
In what can only be described as a travesty for responsible, transparent lawmaking, the House of Representatives just a Frankenstein monster of a 鈥溾 bill that will massively expand government surveillance authorities if it鈥檚 not defeated in the Senate.
And, to rub salt in the wound, House leadership used arcane procedural tricks to block privacy-protective amendments and to privilege the version of the bill preferred by the House intelligence committee, which is more privacy invasive than the version passed by the Committee on Homeland Security.[*]
The bill that passed would, if adopted by the Senate, create a new and secretive cybersecurity spy agency, broadly authorize the sharing of personal information with the NSA, and allow its use in ways that look a lot like the surveillance programs revealed over the past two years.
The House鈥檚 draft will now go to the Senate, which has an even worse bill waiting in the wings. Just as the privacy and civil liberties community is engaged in a battle to reform the Patriot Act or allow it to expire, we are being forced to simultaneously jump start our efforts against a major new surveillance offensive鈥攖hese so-called 鈥渃ybersecurity鈥 bills that will do little to better protect our computers, but will give the government vast new authority to spy on us without any reason to think we鈥檝e done anything wrong.
Now, calling these bills 鈥渟urveillance鈥 authorities is a serious charge. To understand why it鈥檚 warranted takes a bit of explanation.
First, it鈥檚 important to understand what we mean by 鈥渋nformation sharing.鈥 Right now, private companies have broad authority to share cyber threat information both among themselves and with the government. They also have the authority to monitor their own computers for hacking or data theft. There are, however, important privacy protections in existing laws like the Electronic Communications Privacy Act (鈥淓CPA鈥) that limit the sharing of sensitive, personally identifiable information absent an exception, of which there are several.
The House bill cuts through all of those existing privacy protections. It says 鈥渘otwithstanding any law,鈥 companies can share 鈥渃yber鈥 information among themselves and with the government, and be virtually immune from lawsuit or criminal exposure in doing so. In other words, 鈥渋nformation sharing鈥 is a bit of a misnomer; it鈥檚 more accurate to call it a sweeping new exception to all existing privacy laws.
The House bill does require a company to review and remove anything that it reasonably believes at the time of sharing to be personal and not directly related to the cyber threat. But that鈥檚 weaker protection than it sounds because it doesn鈥檛 restrict sharing to only the information necessary to address the cyber threat. In other words, as long as the company has an argument that the information is plausibly 鈥渄irectly鈥 related to the threat, it can share with impunity, even if there鈥檚 no reason for the government to have it.
But, the 鈥渟urveillance鈥 piece of the bill really happens at the next step: what the government can do with personal information shared by companies once it鈥檚 disseminated. The House Intelligence bill will require that, once all the information not stripped is shared with the government, it all flows automatically to the military, including the NSA and the Office of the Director of National Intelligence (which then can/will share with the CIA, presumably).
Once there, the information can be used for purposes far removed from cybersecurity. The House Intelligence bill would permit federal, state, and local law enforcement agencies to use the information for a wide array of non-cybercrimes, including violations of the Espionage Act, which has been deployed by the Obama administration to aggressively prosecute national security whistleblowers and investigate reporters like James Risen, who was almost forced to disclose his source for a story in which the CIA screwed up and gave Iran information that could lead to a nuclear weapon.
Our colleagues at the , the , and the have exhaustively catalogued the serious civil liberties, privacy, and open government issues with the House bills that were voted on today. We鈥檝e also signed a with transparency and media law groups in strong opposition to the House intelligence bill for, among other things, allowing use in Espionage Act cases.
Now the fight turns to the Senate. And, unless the privacy and civil liberties communities really go all out, things are bleak. This is, after all, where Majority Leader Mitch McConnell (R-KY), despite the two-year drumbeat of revelations of mass surveillance of individuals suspected of no wrongdoing, has introduced a bill to reauthorize the Patriot Act, without any privacy protections, until 2020. Unless the community hits the bricks鈥攁s we did over CISPA in 2013鈥攚e will lose.
There鈥檚 lots we can and should be doing to improve cybersecurity, including encouraging the use of encryption, facilitating information sharing among private sector entities, and safeguarding critical infrastructure. What we shouldn鈥檛 be doing, however, is passing a bill that gives even more personal information on innocent individuals to the NSA and allowing that information to be mined for purposes unrelated to protecting against hackers. That鈥檚 exactly what these bills do, and it鈥檚 entirely fair to call them what they are: new surveillance powers.
[*] There鈥檚 a bit of legislative arcana to unpack here. Today, the House passed the version of the bill proposed by the House Committee on Homeland Security. Yesterday, it passed the House Intelligence Committee draft, which is worse for privacy. Next comes 鈥渆ngrossment,鈥漺here the House clerk finalizes the draft that goes over for Senate considerationby mashing the two bills together without change to any of the substantive provisions. This means that, for instance, the broader use authorizations in the House Intelligence Committee bill will co-exist alongside the narrower authorizations in the Homeland Security bill.
Practically, and especially if the Senate passes a bill that looks more like the House intelligence committee bill, this gives the House intelligence committee bill a significant advantage in whatever process the two chambers decide on to reconcile differences between their respective bills. In other words, even though the House passed two competing bills, the House intelligence committee bill is more likely to survive intact in negotiations with the Senate. Most of the more privacy protective provisions in the other bill are likely to drop off.
This is particularly concerning given that the Homeland Security bill passed with broader support than the House intelligence committee bill (307 to 116 versus 355 to 63). While we oppose both bills, the fact that the House intelligence committee bill has effectively become the base bill to reconcile with the Senate is, indeed, salt in the wound.