As Senators prepare for a final vote on the Cybersecurity Information Sharing Act (CISA) next week, digital rights advocates are lobbying harder than ever to defeat the public-private cyber threat data-sharing legislation they describe as a “surveillance bill masquerading as a cybersecurity bill.”
While most have focused on CISA’s potential to legalize Internet service providers’ limitless sharing of Americans’ private data with the government, one group says that potential could stretch across the Atlantic and further stress an already strained relationship with European allies over the transfer of data on European citizens to the U.S.
“The U.S. Senate is poised to vote on the Cybersecurity Information Sharing Act (CISA), a privacy-invading surveillance bill masquerading as a cybersecurity bill,” Access, a digital rights group, wrote in a Medium post late Wednesday. “While there are many, many problems with this legislation, one of the most egregious is how it relates to the recent European court decision on ‘Safe Harbor’ — and how it enables the collection of even more of our private data.”
Two weeks ago the European Court of Justice struck down the so-called “Safe Harbor” agreement, which allowed some 5,000 U.S. and EU tech companies to self-certify they were transferring and processing the data of EU citizens in compliance with EU privacy standards.
According to former NSA contractor Edward Snowden — the whistleblower responsible for revealing U.S. surveillance programs that led to the court’s ruling — the agreement was used to facilitate surveillance practices legalized in Section 702 of the FISA Amendments Act. Section 702 lets NSA tap the physical infrastructure of the Internet, like undersea fiber cables, to collect and surveil the content of communications in transit between borders, as opposed to just metadata about those communications collected in the U.S.
Absent the agreement, companies face legal uncertainty in transferring data across the Atlantic until the two sides ink a new deal, which has been in the works for the last year and a half.
“Companies are now trying to figure out how to conduct business while protecting their users’ rights,” Access wrote. “CISA would make the problem even worse. It would increase the breadth of U.S. spying and further cement the corporate-intelligence relationship, thus making it much harder for the U.S. and E.U. to come to a new agreement on how to handle data.”
If adopted, CISA would let companies like Facebook, Twitter and others share limitless data on “cyber threat indicators” with the Department of Homeland Security, free of any legal repercussions. According to Access, Fight for the Future, the Electronic Frontier Foundation and other privacy activists, that data could include private information on Americans swept up incidentally in collection, like Social Security numbers, IP addresses, emails and account passwords.
Senate Majority Leader Mitch McConnell finally brought the long-stalled bill to the floor earlier this week, along with a manager’s amendment containing more than half of the amendments Republicans and Democrats agreed to consider before the bill was delayed ahead of Congress’ August recess.
Those amendments include a system for filtering out such private information at DHS, before it’s disseminated across other federal agencies, according to bill proponents who took to the floor to defend it yesterday.
“The latest version of the bill requires agencies give notice to U.S. persons when their information is improperly shared, but a last-minute change removed the benefit for non-U.S. persons,” Access wrote. “To make matters worse, those agencies would have broad discretion over how to use information for non-cybersecurity purposes — all without a warrant.”
Another amendment proposed attaching to the bill legislation the House passed earlier this week, which would grant European Union citizens privacy rights similar to those Americans enjoy under the Privacy Act — another attempt at repairing relations with Europe over the Snowden disclosures, which have hurt U.S. companies’ credibility and market share across the Atlantic.
Connecticut Democratic Sen. Chris Murphy withdrew an amendment that would have included the Judicial Redress Act in a vote on CISA over concerns it wouldn’t receive due consideration amid the broader fight. Many, including Wisconsin Republican Rep. Jim Sensenbrenner, who authored the bill in the House, cite the legislation as a necessary step in getting the EU to agree to a new “Safe Harbor 2.0” agreement.
While the Judicial Redress Act allows EU citizens to seek legal remedies with the government for mishandling private data, it does not allow them to take legal action against tech companies themselves.