Aletho News

ΑΛΗΘΩΣ

Privacy advocates blast ‘surveillance bill in disguise’ after CISA tucked into spending deal

RT | December 17, 2015

Under the cover of a late-night session of Congress, House Speaker Paul Ryan announced a new version of the “omnibus” federal government funding bill that includes a version of the Cybersecurity Information Sharing Act, outraging privacy advocates.

The new version combines three bills, two passed by the House, and one – the Cybersecurity Information Sharing Act (CISA) – that had already passed the Senate by a vote of 74 to 21.

A long-standing critic of government overreach in surveillance, Senator Ron Wyden (D-Oregon), who voted against the Senate bill, issued a statement on Wednesday stating that it was a “bad bill when it passed” and “worse bill today.”

“Americans deserve policies that protect both their security and their liberty. This bill fails on both counts,” said Wyden, adding that “cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections.”

Under the latest version, the bill creates the ability for the president to set up “portals” for agencies like the FBI and the Office of the Director of National Intelligence so that companies can hand information about potential threats directly to law enforcement and intelligence agencies instead of the Department of Homeland Security. It allows for more data sharing between the public and private sector while shielding companies from liability.

It also changes the criteria for when information shared for cybersecurity reasons can be used in law enforcement investigations. Previously, the backchannel use of data could only occur in cases of “imminent threats,” while the new bill requires just a “specific threat.”

The Electronic Frontier Foundation has strongly opposed cybersecurity bills over the past five years. In a statement, it said they did nothing to address the real problems the government faces, “like computer data breaches that are caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”

Other advocacy groups, such as Fight for the Future, have previously referred to the bill as “a surveillance bill in disguise.”

The group’s campaign director, Evan Greer, called it “a disingenuous attempt to quietly expand the U.S. government’s surveillance programs.”

“Congress has failed the Internet once again,” she added, “now it’s up to President Obama to prove that his administration actually cares about the Internet. If he does he has no choice but to veto this blatant attack on Internet security, corporate accountability, and free speech.”

The bills were opposed not just by privacy advocates, but also civil society organizations, computer security experts, and many Silicon Valley companies. In April, a coalition of 55 civil groups and security experts signed an open letter opposing an earlier version of CISA.

The Department of Homeland Security itself warned in July that the bill could overwhelm the agency with data of “dubious value,” while at the same time “sweep[ing] away privacy protections.”

The EFF also said the CISA bill has no place in the federal budget package, a point shared by the Open Technology Institute (OTI).

“They’re kind of pulling a Patriot Act,” Robyn Greene, policy counsel of OTI, told Wired. “They’ve got this bill that’s kicked around for years and had been too controversial to pass, so they’ve seen an opportunity to push it through without debate. And they’re taking that opportunity.”

December 17, 2015 | Civil Liberties, Deception, Full Spectrum Dominance

Amendments to CISA “Cybersecurity” Bill Fail in All Regards

By Mark Jaycox | EFF | September 1, 2015

Although grassroots activism has dealt it a blow, the Senate Intelligence Committee’s Cybersecurity Information Sharing Act (CISA) keeps shambling along like the zombie it is. In July, Senator McConnell vowed to hold a final vote on the bill before Congress left for its six-week long summer vacation. In response, EFF and over 20 other privacy groups ran a successful Week of Action, including over 6 million faxes opposing CISA, causing the Senate to postpone the vote until late September.

Senators submitted many amendments to the bill before going on vacation. The amendments, like the original language of the bill, fail to address key issues like the deep link between these government “cybersecurity” authorities and surveillance, as well as the new spying powers the bill would grant to companies.

But “cybersecurity” is already intimately tied to surveillance—a problem CISA would only worsen. Documents released by the New York Times reveal the government used the Comprehensive National Cyber Security Initiative (CNCI) to pay telecommunications companies to spy on consumers using their networks. The CNCI includes initiatives for information gathering, but it’s always been presented to the public as fostering research and encouraging public awareness of cybersecurity problems—not spying on Americans’ Internet traffic.

The revelations are stunning. The NSA paid telecommunications companies nearly $300 million in the 2010 fiscal year to invest in surveillance equipment as part of the CNCI. In fact, STORMBREW’s Breckenridge site was “100% subsidized with CNCI funding.”

In contrast, the DHS only requested $37.2 million during the same time period to support research and development in cybersecurity science and technology. Even if DHS received what it requested, does the American public really want surveillance to outweigh research and education 10 to 1?

The news is compounded by other recently-released Snowden documents that show how the NSA uses foreign intelligence laws to run an intrusion defense system (IDS) on US soil. The documents show that a Justice Department memo gave the agency permission to monitor Internet cables, “without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware.”

CISA—and its amendments—do not even begin to address these serious problems. Instead, they mandate information sharing with the intelligence community, creating even more cyberspying.

EFF will continue to oppose CISA—even if some of these amendments pass—because CISA’s vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users’ privacy, and it’s highly unlikely that the public will learn about it. Even an amendment (#2612) offered by Senator Al Franken, which narrows some of the definitions in CISA, does little to clarify its most troubling provisions.

What’s worse is that information-sharing bills like CISA are being painted as silver bullets to data breaches. They aren’t. The bills don’t address problems like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

Awful Amendments

Plenty of the amendments would make the bill even worse. We’ve already discussed the horrible CFAA amendment, #2626, proposed by Senator Sheldon Whitehouse. The amendment not only increases the scope of the already expansive Computer Fraud and Abuse Act (CFAA) but also authorizes injunctions against botnets (amending 18 U.S.C. § 1345) in a way that creates serious constitutional issues.  After all, much of what DOJ and FBI want to do in shutting down botnets is, arguably, a search or a seizure under the Fourth Amendment; moreover, such injunctions may prevent users from communicating, thus raising First Amendment issues.  The amendment is a great example of how not to amend the draconian CFAA. If the Senate wants to improve the CFAA, it should take a page out of our book.

Senator Carper has proposed another dubious change to CISA, amendment #2627. The bill attempts to codify the Department of Homeland Security’s EINSTEIN program without any public debate. EINSTEIN is an intrusion detection system—the parent of which was created by the NSA—to scan incoming Internet traffic to the federal government like emails and other connections. DHS has not told the public what agencies are using EINSTEIN. It’s possible that when you email your representative, DHS may also receive a copy. Before codifying EINSTEIN, DHS must be more transparent about the program. The most recent update from DHS about the program is from 2013, and many concerns have been raised about EINSTEIN’s legality and privacy implications. Unlike CISA, Senator Carper’s amendment mandates federal agencies create a plan to identify sensitive information and encrypt it; however, the clause exempts the Department of Defense and the intelligence community.  Nor does the amendment authorize additional funding for federal agencies to improve security.

Senator Carper’s attempt to make a horrible bill marginally better is admirable, but he—along with other Senators—should oppose the bill. Even the best amendments fail to fix CISA’s serious flaws.

Not Awful Amendments

Some of the amendments try to narrow the scope of the bill. Senator Chris Coons’ amendment #2552 would limit information sharing to that necessary to describe or identify a cybersecurity threat, while Senator Wyden’s amendment (#2621) would require companies and the government to remove personal information unrelated to the threat.

But these well-meaning changes don’t address the root problems in the bill: the outrageously broad and vague definition of “cybersecurity threat” and the granting of new authorities to spy on users. Senator Franken’s amendment #2612 attempts to address that definition, but even his amendment isn’t enough. Again, no amendment scales back the two new authorities to spy on users and launch countermeasures in the bill.

Other amendments are better, including Senator Patrick Leahy’s #2587, which would remove the current CISA provision exempting all “cyber threat indicators and defensive measures” received by the government from disclosure under the Freedom of Information Act and may help ensure the public can obtain information about how, if CISA is enacted into law, the information “sharing” system actually operates; Senator Jeff Flake’s 6-year sunset (#2582); and, Senator Mike Lee’s email privacy amendment (#2556), which would codify US v. Warshak by amending the Electronic Communications Privacy Act to require warrants for email and other stored content.

While some advocates will paint these amendments as “steps forward,” the amendments merely shuffle deck chairs on the Titanic—even with the better amendments, the bill is still a bad idea. The Senators are going about the wrong strategy. Democrats and libertarian Republicans should be opposing CISA outright. That’s why we’re asking users to continue emailing their Senators to stop this bill. While CISA is the very definition of a zombie bill, the public outcry against it has made a difference. But we can’t stop now. Join us by tweeting, faxing, or emailing your Senator.

September 2, 2015 | Civil Liberties, Full Spectrum Dominance

A Surveillance Bill by Any Other Name Smells Just As Foul

By Nathaniel J. Turner | ACLU | July 28, 2015

An impressive coalition has formed to oppose a new surveillance bill masquerading as cybersecurity legislation.

Privacy and civil liberties organizations, free market groups, and others from across the political spectrum are joining this week in a common chorus call: Stop CISA.

Proponents of CISA — the Cybersecurity Information Sharing Act — claim the Senate bill would help prevent cyber-crimes by improving information sharing between the government and the private sector. But in reality, CISA only succeeds in expanding government surveillance and weakening privacy while making Americans less secure online. The bill as drafted would have done nothing to stop the high-profile breaches at Sony, Anthem, and, most recently, the Office of Personnel Management, which holds terabytes of sensitive information about millions of government employees.

For several years, certain elements of the business community and national security hawks in Congress have pressed for legislation like CISA. In April, the House passed a package of similar cybersecurity information sharing bills, which were opposed by the ACLU and a bevy of other privacy and civil liberties groups, but were in some ways dramatically better than the bill now pending in the Senate.

CISA’s vague language and expansive definitions will give the government new ways to collect and use the personal information and communications of innocent Americans, all without a warrant or any review by an independent court or overseer. CISA would allow companies to share information with the government relating to a “cybersecurity threat,” a term defined so broadly in the bill that it could include huge swaths of emails and text messages.  The handover of user information under CISA would be permitted even if otherwise prohibited by existing data privacy laws, like the Electronic Communications Privacy Act. The law would also give companies broad legal protections even if they improperly share consumer data.

And, perhaps unsurprisingly, the information shared by companies would automatically be forwarded to numerous intelligence, military, and law enforcement agencies, including the NSA and FBI.

Once in the government’s hands, CISA allows for the shared information to be used in garden-variety law enforcement cases that have nothing to do with cybersecurity. For example, the government could use private emails and messages received from communications providers like Comcast, Facebook, Google, or Verizon to investigate and prosecute whistleblowers who report serious misconduct to the press. That’s a serious concern given that the Obama administration has already prosecuted more national security whistleblowers than all other administrations combined.

As an added bonus for government snoopers, CISA also includes a new exemption to the Freedom of Information Act, which will make it harder for groups like the ACLU to obtain documents from the government to determine how it is using — or misusing — the shared information.  That means, for example, that it could be nearly impossible for us to find out how much private information is flowing from companies to the government or how the government is using it.

And despite CISA’s promise to open the floodgates for private information to flow to the government without any privacy protections, it fails at actually delivering better cybersecurity. As we learned with the hack at the OPM, the government is not a reliable guarantor of data security. Hackers were able to access the personal information of millions of Americans — including Social Security numbers, birthdates, and records about citizens’ finances, health, associations, and even sexual orientation—that applicants for security clearances must disclose to the government. All that additional information would make the government an even more desirable target for cybersnoops and cybercrooks.

CISA is more than just a bad solution to a serious problem. It would actually make cybersecurity worse while compromising basic democratic protections for personal privacy. The Senate must reject this surveillance bill. But if it decides to send this travesty to the president, he should veto the bill, consistent with his past threats against similarly atrocious bills.

Do your part to Stop CISA.

July 28, 2015 | Civil Liberties, Full Spectrum Dominance

Analog resistance: Activists protest CISA by faxing Congress

RT | July 28, 2015

Privacy activists are flooding Congress with messages of opposition to the cyber surveillance bill due to be considered by the Senate, using faxes rather than emails in order to poke fun at lawmakers’ antiquated understanding of technology and privacy.

Fight for the Future, a nonprofit fighting for privacy and against government surveillance, has set up a page dubbed “Operation: Fax Big Brother,” which lets anyone generate and customize a fax protesting the Cybersecurity Information Sharing Act (CISA). Each fax is then sent to all 100 Senators. The group has not said how many faxes have been sent so far.

CISA sailed through the Senate Intelligence Committee in March, with Oregon Democrat Ron Wyden being the sole dissenter. The Senate is expected to take up a vote on the bill before the August 7 recess. A similar proposal, known as CISPA, was approved by the House of Representatives in 2013 but died in the Senate after public opposition compelled President Barack Obama to threaten a veto.

“Groups like Fight for the Future have sent millions of emails, and they still don’t seem to get it,” Evan Greer, the group’s campaign manager, told the Guardian. “Maybe they don’t get it because they’re stuck in 1984, and we figured we’d use some 80s technology to try to get our point across.”

According to the group, since 2012 civil liberties activists have sent hundreds of thousands of calls and tweets and over 2.6 million emails to Congress opposing overreaching cybersecurity laws. However, the fax stunt does not just have publicity value. Lawmakers often use analog technology like faxes and pagers in order to hide their digital tracks from Freedom of Information Act (FOIA) inquiries, claims a Senate staffer who spoke to the Guardian.

Sponsored by Senator Dianne Feinstein, a California Democrat, CISA seeks to enlist the support of corporations in collecting user data in the name of cybersecurity, providing them with liability protection if they share the data with federal agencies such as the NSA. Once they have the data, federal agencies would be able to share it freely with each other. What’s more, information shared with the government by the companies will be specifically exempt from FOIA disclosures.

Gabe Rottman, a legislative counsel with the American Civil Liberties Union, described the bill as a “new and vast surveillance authority that might as well be called Patriot Act 2.0 given how much personal information it would funnel to the NSA.”

The US Chamber of Commerce and a number of major corporations are backing the bill. In addition to Facebook and Google, Comcast and AT&T also favor CISA, as do Bank of America and Blue Cross Blue Shield Association.

Proponents of CISA have cited a spree of data breaches over the past year, from corporations such as Sony and healthcare provider Anthem to government agencies including the Department of State and Office of Personnel Management (OPM), as a reason to beef up cybersecurity. Critics have countered that CISA is not doing anything to protect networks from threats, and everything to vacuum up Americans’ data.

“With all these breaches, there’s a lot of fearmongering going on in DC,” says Fight for the Future’s Greer. “They just say: ‘This is a problem – we’ve got to do something!’ And this is the something they’re going to do. It’s not just that this won’t fix things – it’ll make them worse. And it’ll give sweeping legal immunity to some of the largest companies in the world and open us all up to new forms of surveillance.”

July 28, 2015 | Civil Liberties, Full Spectrum Dominance, Solidarity and Activism