Members of Congress have been meeting behind closed doors to hash out the final text of a major cyber-security bill that they hope to rush through a vote -- possibly before year end.
Privacy advocates and civil liberties groups, meanwhile, are making a last-ditch effort to derail the bill, which appears to leave out many clauses that would have protected the privacy of personal information and instead serves primarily to strengthen government surveillance capabilities.
House and Senate lawmakers have been holding unofficial meetings to merge three bills: the Senate Intelligence Committee's Cybersecurity Information Sharing Act (CISA), the House Intelligence Committee's Protecting Cyber Networks Act (PCNA), and the House Homeland Security Committee's National Cybersecurity Protection Advancement Act (NCPAA).
All three promote the sharing of information -- including things government has never had access to before, from credit card statements to prescription drug purchases to detailed financial and health records -- but NCPAA gives the most attention to concerns over the abuse of sensitive personal information.
Now "that measure might be the odd man out in the conference, since the two Intelligence committees have similar bills that are easier to combine," The Hill reports.
Instead, CISA -- a bill that privacy advocates, tech companies, security experts, and even the DHS (Department of Homeland Security) have denounced for being more about surveillance than security -- is expected to serve as the basis for a final version of the combined bill.
"We've just learned that the Intelligence Committees are trying to pull a fast one," Nathan White, senior legislative manager at digital rights advocate Access, said in a recent email to supporters. "They've been negotiating in secret and came up with a Frankenstein bill -- that has some of the worst parts from both the House and the Senate versions."
Specifically, while the NCPAA would require companies to pass their data to the DHS, a civilian agency with stricter privacy regulations than the NSA, privacy advocates fear a loophole in the merged bill would allow the president to remove the DHS as the lead government entity managing information sharing.
In other words, no sooner has a sliver of reform of NSA surveillance gone into effect, than a new direct pipeline to the NSA could be opened.
"We want DHS to be the lead civilian agency -- not the FBI, who can prosecute you; not the NSA, who can spy on you," said Homeland Security Committee Chairman Michael McCaul, a co-sponsor of NCPAA, at a breakfast hosted this week by the Christian Science Monitor. McCaul also voiced concern that privacy protections in his bill will be weakened.
But "several people tracking the negotiations believe McCaul is under significant pressure from House Speaker Paul Ryan and other congressional leaders to not oppose the compromise text," The Hill reports.
In addition to contention over privacy issues, another sticking point in the private negotiations is thought to be a CISA clause that "would require the DHS to assess the cyber security readiness at roughly 65 companies behind the nation's infrastructure, and develop a plan for preventing a 'catastrophic' cyber attack." In other words, a measure that's actually aimed at enhancing cyber security, rather than surveillance, is proving problematic.
Concern about the rising surveillance state is a bipartisan issue. Grassroots organizer FreedomWorks, whose work has been praised by Senators Rand Paul and Ted Cruz and cited by The Washington Post and New York Times for its effectiveness in rallying conservative activists, warns that "the majority of the input [for the merged cyber bill] appears to be coming more from the intelligence committees, and not from the people who would actually have oversight of the information sharing regime in the Homeland Security Committees."
A group of 19 civil liberties organizations from across the political spectrum sent a letter to the White House and members of Congress, urging them to oppose the conferenced version of the bill. The groups argue that the language in the bill is overly broad, and because companies are protected from legal liability for the data they share, they have no incentive to redact irrelevant personal information.
Specifically, opponents argue that the bill:
- expands the term "cyber threat" to facilitate the prosecution of crimes unrelated to cyber security
- dramatically expands the amount of sensitive information held by government agencies, which have dismal records on data security
- institutes automatic transfer of personal information to intelligence agencies, including the NSA, that would be authorized to use the information for non-cyber security purposes
- allows private companies to transfer irrelevant and sensitive personally identifiable information to the government without accountability
- allows companies to use "defensive measures" to protect "information systems," which could unintentionally harm computers of innocent parties
- subverts the Freedom of Information Act, meaning you aren't even entitled to find out what information is being shared about you or with whom.
Many of the bill's most vocal supporters are the very same people looking to undermine encryption. Senator Dianne Feinstein -- who we can thank for bringing us CISA -- vowed this week to lead the charge to force companies to decrypt data. "I'm going to seek legislation if nobody else is," she said during an FBI oversight hearing Wednesday.
Contrast that with Germany, which is beefing up its encryption and touting end-to-end encryption for everything. According to Germany-based email encryption service Tutanota, the Interior Minister of Germany last month signed a charter to strengthen confidential communication online. German politicians are committed to protecting their citizens' right to privacy, possibly because:
"25 years ago, the surveillance state GDR came to an end with the unification of Eastern and Western Germany. With it one of the most rigorous monitoring of the entire population came to an end. We as Germans have learned our lesson. We know how difficult it can be to live under total surveillance. We never want a system like this to monitor its own citizens 24/7 ever again."
Will Americans heed Germany's lessons from history?
"Don't let Congress fool you: cybersecurity bills aren't about 'information sharing,' they're about surveillance," the Electronic Frontier Foundation warns. The organization is urging people to tweet @RepMcCaul and ask him to stand up to House leaders.