By: Brandon Bybee
When the Cybersecurity Information Sharing Act,[1] (CISA,) was on the floor of the Senate in October of 2015, significant pushback was exhibited by major corporations.[2] Despite those pushbacks the bill passed in the Senate on October the 27th.[3] It was then received in the House on the following day, where it has been held at the desk ever since.[4] If passed in the House and signed into law, the bill would have brought significant privacy concerns to information technology experts who had been following the proposed legislation.[5] Technically, the bill is still being held on the House desk for floor consideration, however it is unlikely that it ever leaves. This isn’t because the bill won’t pass, it’s because quietly, it already has.
On December 18, 2015, President Obama signed into law a $1.1 trillion funding bill,[6] that included provisions and amendments involving everything from oil exports to abortion policies.[7] These various provisions, or policy instructions, are commonly known on Capitol Hill as “riders.”[8] One of those riders, neatly tied in, among provisions regarding transportation and intelligence authorization, is Division N, The Cybersecurity Act of 2015.[9] The act combines the Senate enacted CISA passed in October with other cybersecurity acts passed in the House, but effectively, the CISA, which caused all the backlash, is now law.
So why are cyber experts up in arms about the act? According to Sam Theilman, “The bill would allow private industry to share user information with the Department of Homeland Security, which would be compelled to share it across “relevant government agencies”, presumably including the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).”[10] Days before the Appropriations Act was to be passed, Congressman Jared Polis addressed the implications of tying the CISA into the Appropriations Act[11], but the bill still slipped past into law. Congressman Polis cited a Press Release by the Open Technology Institute, which highlighted some of the ramifications of the bill.[12]
Some of the most pertinent privacy implications include, “Increas[ing] government access to Americans’ personal data with dangerously weak privacy protections,”[13] effectively allowing government agencies to avoid liability when actions are taken pursuant to the bill,[14] and perhaps most importantly, “Undermin[ing] Americans’ rights to privacy and due process by authorizing law enforcement to use information in investigations unrelated to cybersecurity.”[15] So what does this all mean in layman’s terms? Essentially, a government agency can request personal information of an American citizen, from a private entity (such as Google, or Facebook,) and be granted that information regardless of whether the citizen was involved in an actual cybersecurity threat. This information sharing would allow neither the government, nor the private entity to be held liable.[16]
Congressman Polis addresses the unfortunate impact of including the CISA within the Consolidated Appropriations Act, “by slipping this bill into must-pass legislation, House leaders are giving privacy-minded members of Congress an impossible choice: allow a bill that threatens Americans’ civil liberties to become law or force a government shutdown.”[17] He goes on to assert the daunting implications of the bill’s passage, “companies will be encouraged to disseminate information about our patterns of Internet use and even the content of our online communications to the government in virtually all circumstances.”[18] We live in a generation where the NSA and the Patriot Act have raised national concern on government intervention into private citizens’ privacies to possibly the highest level in history. It’s a scary concept that even today, in that atmosphere, a bill as invasive as CISA can still become law, without most people even knowing.
[1] Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (2015).
[2] See Sam Theilman, Apple, Google and Twitter among 22 tech companies opposing Cisa bill, the guardian (Oct. 21, 2015), http://www.theguardian.com/technology/2015/oct/21/apple-google-and-twitter-among-22-tech-companies-opposing-cisa-bill [hereinafter Theilman] (listing the companies that had opposed the legislation according to a internet poll).
[3] Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (2015) (enacted).
[4] Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (bill tracking) (2015) (LEXIS).
[5] See, e.g., Robyn Greene, Cybersecurity Information Sharing Act of 2015 is Cyber-Surveillance, Not Cybersecurity, Open Technology Institute (Apr. 9, 2015), https://www.newamerica.org/oti/cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/ (asserting that the bill would allow for a significant increase in the level of private Americans’ internet information available to government agencies).
[6] Consolidated Appropriations Act of 2015, H.R. 2029, 114th Cong. (2015).
[7] See Mike DeBonis & Kelsey Snell, Here’s what made it in to Congress’s big spending and tax bills, The Wash. Post (Dec. 16, 2015), https://www.washingtonpost.com/news/powerpost/wp/2015/12/16/heres-what-made-it-into-congresss-big-tax-and-spending-bills/#cyber (listing the various policy instructions that made their way into the bill).
[8] Id.
[9] Consolidated Appropriations Act of 2015, H.R. 2029, § N, 114th Cong. (2015).
[10] Theilman, supra note 2.
[11] See Jared Polis, Congress, don’t be fooled by cybersurveillance bill, CNN Opinion (Dec. 18, 2015), http://www.cnn.com/2015/12/18/opinions/polis-cybersecurity-legislation-congress/index.html [herinafter Polis] (imploring Congress to recognize what the bill entailed).
[12] Press Release, Open Tech. Inst., Omnibus Funding Bill is a Privacy and Cybersecurity Failure (Dec. 16, 2015) https://www.newamerica.org/oti/omnibus-funding-bill-is-a-privacy-and-cybersecurity-failure/ [hereinafter Open Tech.] (summarizing the privacy concerns contained within the Consolidated Appropriations Act).
[13] Id.
[14] Id.
[15] Id.
[16] Polis, supra note 11 (“The bill would encourage companies to share information about cyberthreats with the federal government by granting them protection from liability.”)
[17] Id.
[18] Id.
Photo Source: http://www.rstreet.org/wp-content/uploads/2015/03/463286157.jpg