Campaign for Liberty has joined a broad-based coalition in support of H.R. 4350, Representative Justin Amash's (MI-03) legislation repealing the Cybersecurity Information Sharing Act (CISA). CISA, which does little or nothing to protect our cybersecurity but does a lot to take away our privacy, was buried in last year's Omnibus spending bill.
The version of CISA included in the Ominbus is actually worse than the versions that passed the House and Senate as standalone bills last year. As I wrote at the time of the debate over the Omnibus:
As you can see from this chart prepared by the Open Technology Institute, almost every aspect of the new version of CISA is worse than the alternatives. Perhaps the worst aspect of this bill is that the changes make it clear that this bill has nothing to do with cyber security and everything to do with spying on us. As Techdirt reports:
The latest version of CISA that they're looking to put into the omnibus:
Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn't necessarily wonderful, it's a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
Directly removes the restrictions on using this information for "surveillance" activities. You can't get much more direct than that, right?
Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We've just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won't make use of CISA too?
Removes the requirement to "scrub" personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first -- where DHS would be in charge of this "scrub". The "scrub" process was a bit exaggerated in the first place, but it was at leastsomething of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the "discretion" of whichever agency gets the information. Guess how that's going to go?
In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they've dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it's a very broad surveillance bill that can be widely used and abused by all parts of the government.
Campaign for Liberty members who want to rein in the surveillance state should call their representative and tell them to cosponsor H.R. 4350.
Here and below is the coalition letter Campaign for Liberty cosigned in support of H.R. 4350:
On behalf of civil liberties and government accountability organizations from across the political spectrum, we encourage you to support H.R. 4350, introduced by Reps. Justin Amash, R-Mich., and John Conyers, D-Mich.
This bipartisan bill would repeal the Cybersecurity Act of 2015, secretly negotiated provisions that were hastily incorporated into the omnibus appropriations bill enacted late last year. As we and others have stated consistently, these provisions are unlikely to increase the government’s ability to detect, intercept and thwart cyber attacks, yet they institute broad and undefined data-collection capabilities that are certain to undermine government accountability and further erode privacy protections.
Questions of cybersecurity and privacy should be debated openly in a manner that allows legislators and the public to criticize and participate. These questions should not be obscured by backroom deals that exclude critical perspectives and due process, and that many security experts have argued could result in worse security problems and worse privacy violations than before.
The Cybersecurity Act of 2015 included provisions unacceptable to the technology community, privacy and open-government advocates, as well as ordinary Americans, including:
- A new avenue through which the government will receive personally identifiable information and communications content, expanding surveillance on innocent Americans;
- Immunity from liability for companies that unnecessarily share private user information with the government and other companies;
- No reasonable limits on the type of information that can be shared, such as individuals’ personal online communications;
- Authorization for law enforcement and the intelligence community to use this information for purposes unrelated to cybersecurity, including the investigation and prosecution of unrelated crimes.
- An exemption to the Freedom of Information Act, and preemption of state and local laws on disclosure that seriously undermine government accountability and transparency.
Measures to strengthen cybersecurity should not come at the expense of exposing law-abiding Americans’ private information to government surveillance. Additionally, it should not be necessary to extend law-enforcement authorizations to non-cybersecurity purposes.
We call on Congress to repeal these unnecessary provisions and start a new conversation about the right way to address real cybersecurity threats, without undermining the privacy and security of all Americans and the accountability of government.
R Street Institute
American Civil Liberties Union
American Library Association
Campaign for Liberty
Center for Democracy and Technology
Defending Dissent Foundation
Fight For The Future
Free Press Action Fund
Government Accountability Project
Open Technology Institute
Open the Government
Restore the Fourth
Tags: Campaign for Liberty, Justin Amash, CISA