UPDATE 12/18/2015: Congress passed the Cybersecurity Act of 2015 as part of the Omnibus spending bill, which the President signed into law today. The final version of the bill allows companies to share our personal information with the federal government, including the FBI and NSA, without adequate privacy protections.
A small group of members of Congress and staff have been meeting in secret to hammer out a compromise between three bills–two passed by the House and one by the Senate, and all three opposed by civil liberties and privacy advocates–which they sent to the White House to finalize earlier this week.
Unfortunately, the bill sent to the White House is a Frankenstein creation of some of the worst bits of the three bills, without necessary privacy protections (see our letter below for specifics).
Presumably, the White House will send a proposal back to Congress, and that will be stuck into the must-pass (or the government will shut down) omnibus spending bill.
But BORDC/DDF and 16 other civil liberties organizations from across the political spectrum issued a letter yesterday to the White House and Congress urging lawmakers to oppose the final “conferenced” version of this dangerous cyber bill that experts say will dramatically expand government surveillance while failing to make us safer from cyber attacks.
Click here to view the letter and complete list of signers as a PDF.
“The final version of this bill is an insult to the public and puts all of us in greater danger of cyber attacks and government surveillance,” said Evan Greer, campaign director of Fight for the Future, who organized the letter. “This was already a fundamentally flawed piece of legislation, and now even the meager privacy protections it provided have been gutted, exposing it for what it really is: a bill to dramatically expand abusive government spying.”
December 9, 2015
Dear President Barack Obama and Members of Congress,
The undersigned organizations urge you to oppose the newly negotiated “conference” legislation that purports to resolve differences between H.R. 1560, which includes both the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), and the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754). The current version of these bills is the result of secret negotiations between the House and Senate intelligence committees at the expense of critical expert input from the House Committee on Homeland Security, and it loses any advantages and improvements in the Homeland Security Committee’s own cybersecurity bill, the NCPAA.
Many organizations and companies opposed CISA in its earlier form because they believed it would damage Americans’ privacy without improving security. Civil liberties organizations’ concerns are well known. Companies share many of the same concerns. But companies also work hard to earn users’ trust when it comes to privacy. Without that trust, business suffers. Instead of addressing these concerns with the existing bills, the current proposal would build a government regime that makes it impossible for companies to guarantee the protection of customers’ civil liberties and privacy, while also failing to meaningfully improve cybersecurity.
Specifically, the text just negotiated is publicly reported to include the following gravely flawed changes to the passed bills. These changes would render it an unacceptably compromised piece of legislation that will be both unhelpful for cybersecurity and dangerous to Americans’ civil liberties. Specifically, it threatens to:
- Create a loophole that would allow the President to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing;
- Reduce privacy protections for Americans’ personal information;
- Overexpand the term “cyber threat” to facilitate the prosecution of crimes unrelated to cybersecurity;
- Expand already broad liability protection for information disclosure;
- Preempt state, local or tribal disclosure laws on any cyberthreat information shared by or with a State, tribal, or local government; and
- Eliminate a directive to ensure data integrity.
Moreover, these modifications worsen bills that already contained fundamental flaws. These bills, in particular CISA, would already:
- Dramatically expand the amount of sensitive information held by government agencies with dismal records on data security;
- Undermine civilian agency leadership of cybersecurity efforts;
- Institute blind, automatic transfer of personal information to intelligence agencies, including the National Security Agency, that would be authorized to use the information for non-cybersecurity purposes;
- Allow private entities to transfer irrelevant and sensitive personally identifiable information to the government without accountability;
- Allow companies and other entities to use “defensive measures” to protect “information systems,” which could unintentionally harm systems and computers of innocent parties; and
- Provide unnecessarily expansive liability protections to companies, thereby undermining customer trust and limiting judicial remedies for those whose rights are violated.
Because it fails to resolve these weaknesses originally present within the three bills and makes new and alarming changes to them, we strongly object to the intelligence committee’s latest iteration of “cybersecurity” legislation and the undemocratic process that produced it.
Please join us in rejecting these new, troubling flaws and insisting that any version of cybersecurity legislation brought to the floor of either chamber draws heavily upon NCPAA and the expertise and extensive input of the House Committee on Homeland Security.
Advocacy for Principled Action in Government
American Library Association
Bill of Rights Defense Committee
Campaign for Liberty
Defending Dissent Foundation
Fight for the Future
Free Press Action Fund
Restore the Fourth