The Senate Is Trying to Pass a Cybersecurity Bill Some Are Labeling the "Patriot Act 2.0"
More than 13 years after President George Bush signed the USA PATRIOT Act, giving the government unprecedented domestic surveillance powers, legislators are debating a bill that could have similarly onerous effects on the privacy of American citizens.
The Cybersecurity Information Security Act (CISA), which aims to encourage private companies to share users' personal information with the government without a warrant, recently cleared the Senate Intelligence Committee by a 14-1 vote.
First introduced in July 2014, the proposed law was designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes," according to its official title. In other words, it would allow the government and "private entities," like technology or manufacturing companies, to share Internet traffic data, like searches.
The Department of Homeland Security would be the main government agency collecting the data, but it would be allowed to share certain information with other federal agencies if it pertained to "terrorism" or an "imminent threat of death or serious bodily harm."
It's already raising some concerns: Because the information is being gathered voluntarily, critics believe the legislation is designed to expand surveillance agencies' ability to spy on Americans without a warrant, rather than protect America against digital attacks.
If this sounds familiar, it should. Just as intelligence and law enforcement agencies used the USA PATRIOT Act to dramatically increase their domestic surveillance capabilities, CISA threatens to enable government agents to eavesdrop on communications like never before.
"This bill is arguably much worse than CISPA and, despite its name, shouldn't be seen as anything other than a surveillance bill — think Patriot Act 2.0," ACLU media strategist Rachel Nusbaum wrote in a press statement.
In an email to Mic, Electronic Frontier Foundation legislative analyst Mark M. Jaycox explained the general gist of CISA as adding "a new authority for companies to monitor information systems to protect an entity's hardware or software. Once collected, companies can then share the information, which is also called 'cyber threat indicators,' freely with government agencies like the NSA."
Jaycox also pointed out that the bill allows companies to bypass the civilian Homeland Security Department entirely to directly interface with security agencies like the NSA, thus circumventing privacy regulations. He said that "the provision is ripe for improper and over-expansive information sharing," and could even allow the government to share the collected information for "non-security" purposes.
He also pointed out that since CISA specifically exempted itself from disclosure under the Freedom of Information Act, the public would have no idea what information was being shared with other federal agencies.
Growing opposition: In another uncanny similarity to the USA PATRIOT Act, CISA and bills like it are enjoying renewed support in Congress and the White House thanks in large part to the cyber-attack on Sony that led to theaters nationwide refusing to show North Korea-themed comedy The Interview. Although CISA would essentially deputize private companies to spy on their users and shield itself from effective oversight by the public, it's a bad idea that won't die.
Sen. Ron Wyden (D-Ore.), the only senator to vote against the bill in committee, released a statement claiming that "if information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill – it's a surveillance bill by another name."
The worst part? CISA wouldn't even combat some of the biggest current threats to U.S. cybersecurity, since the vast majority of incidents are the result of employee sloppiness or lax corporate security procedures.
"A recent report concluded that around half of federal breaches were due to bad habits of employees," Jaycox told Mic. "Last month's breach of health insurer Anthem is suspected to be from phishing emails."
Though concerns over cybersecurity are certainly worth investigating, as the follies of the USA PATRIOT Act demonstrated, another overreaching government surveillance bill is not the answer.