Digital privacy advocates and anti-surveillance lawmakers’ fears came to fruition early Wednesday when the House dropped its $1.1 trillion omnibus bill, complete with a rider to implement cyber threat data sharing legislation that’s divided representatives for months.
Groups including the Electronic Frontier Foundation, the American Civil Liberties Union, FreedomWorks and TechFreedom have been warning for weeks that lawmakers rushing to finalize the Cybersecurity Information Sharing Act, passed by the Senate in October, would try to roll it into the must-pass omnibus.
“Congressional leadership is subverting fair process in order to pass a surveillance bill under the false flag of cybersecurity,” Access Now policy counsel Drew Mitnick said Wednesday.
Privacy-focused Republican Reps. Justin Amash of Michigan, Ted Poe of Texas and Democratic Reps. Zoe Lofgren of California and Jared Polis of Colorado said late Tuesday they were left out of last-minute talks on the cyber portion of the bill, which they and the others expected would be stripped of its privacy provisions by Republicans ahead of its release.
While the final version of the legislation, dubbed the Cybersecurity Act of 2015 on page 1,728 of the omnibus, goes beyond stopping hackers with more surveillance authorities since the Senate and two companion House bills went to conference, lawmakers managed to keep some privacy language in the bill, however vague.
Before any federal entity can share cyber threat indicators across the government, which web services like Facebook and Google will be able to give the government freely without violating user privacy terms of service agreements, the entity must assess whether the data “contains any information not directly related to a cybersecurity threat that such federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information.”
It also directs entities “to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat,” and “include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.”
The bill directs the companies voluntarily sharing data to adopt the same measures, but does away with language that would have prevented the government from using information gleaned from sharing to investigate and prosecute other potential crimes, including “a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction.”
It designates the secretary of the Homeland Security Department and the U.S. attorney general to establish the portal through which companies will share data — a provision endorsed by privacy advocates to guarantee civilian oversight over where data goes afterward — but also gives the president the power to establish portals at any other agency, with the exception of the National Security Agency or Department of Defense.
Neither will receive data until after it has gone through a privacy scrub at another portal.
“This would allow companies to share large amounts of private consumer information with government agencies, including possibly the FBI and NSA,” the ACLU said in a statement Wednesday. “This information can be used for criminal prosecutions unrelated to cybersecurity, including the targeting of whistleblowers under the Espionage Act.”
Speaker Paul Ryan has positioned the omnibus for a Friday vote, likely putting it on the president’s desk by the end of the week.
“Now is when we’ll find out whether President Obama really cares about the Internet and freedom of speech, or whether he’s happy to roll over and allow technologically illiterate members of Congress break the Internet in the name of cybersecurity,” Fight for the Future campaign director Evan Greer said.