Privacy Groups Blast Cyber-Sharing Included in Omnibus Spending Bill

Maksim Kabakou/

Congress is about to take its biggest step yet to bolster cybersecurity, but many fear it could expand surveillance.

After years of de­bate and man­euv­er­ing, a ma­jor cy­ber­se­cur­ity bill is fi­nally on the fast track to ap­prov­al after law­makers at­tached it to a $1.1 tril­lion gov­ern­ment spend­ing pack­age early Wed­nes­day morn­ing.

While busi­ness groups and na­tion­al se­cur­ity hawks are cheer­ing the news, it’s a ma­jor blow to pri­vacy ad­voc­ates, who fear the meas­ure will fun­nel more of Amer­ic­ans’ per­son­al in­form­a­tion in­to the hands of the Na­tion­al Se­cur­ity Agency.

The le­gis­la­tion, now called the Cy­ber­se­cur­ity Act of 2015, would en­cour­age com­pan­ies to share in­form­a­tion about com­puter vir­uses and oth­er cy­ber­se­cur­ity threats with each oth­er and the gov­ern­ment. The bill would shield com­pan­ies from law­suits by their users for giv­ing private in­form­a­tion to the gov­ern­ment as part of the pro­gram.

Sup­port­ers say the le­gis­la­tion is crit­ic­al for en­sur­ing the gov­ern­ment and private in­dustry can work to­geth­er to thwart at­tacks on the na­tion’s com­puter sys­tems. “This cy­ber­bill is a ‘Team Amer­ica’ ap­proach that will sig­ni­fic­antly im­prove ef­forts to fight cy­ber­crim­in­als and bet­ter pro­tect con­sumer data and in­tel­lec­tu­al prop­erty,” Tim Pawlenty, the CEO of the Fin­an­cial Ser­vices Roundtable, one of the many busi­ness groups lob­by­ing for the le­gis­la­tion, said in a state­ment. Sen. Di­anne Fein­stein, the top Demo­crat on the Sen­ate In­tel­li­gence Com­mit­tee, called the bill “an im­port­ant first step to fight back against dan­ger­ous cy­ber­at­tacks.”

But civil-liber­ties groups warn the latest ver­sion of the meas­ure has been stripped of some of the most sig­ni­fic­ant pri­vacy pro­tec­tions, trans­form­ing it in­to a sur­veil­lance bill.

“In­stead of passing re­forms that would have stopped the An­them or [Of­fice of Per­son­nel Man­age­ment] hack, Con­gress has chosen to ad­vance le­gis­la­tion that places the pri­vacy of Amer­ic­ans in fur­ther per­il,” Neema Singh Guliani, a le­gis­lat­ive coun­sel for the Amer­ic­an Civil Liber­ties Uni­on, said in a state­ment. “It would wrongly al­low com­pan­ies to share lar­ger amounts of con­sumer in­form­a­tion with gov­ern­ment agen­cies, po­ten­tially in­clud­ing the NSA. This in­form­a­tion could be used for crim­in­al pro­sec­u­tions un­re­lated to cy­ber­se­cur­ity.”

She urged com­pan­ies not to par­ti­cip­ate in the vol­un­tary in­form­a­tion-shar­ing pro­gram if the bill be­comes law.

Rep. Adam Schiff, the top Demo­crat on the House In­tel­li­gence Com­mit­tee, ar­gued that the le­gis­la­tion has strong pri­vacy pro­tec­tions. It would es­tab­lish the Home­land Se­cur­ity De­part­ment, a ci­vil­ian agency, as the main portal for re­ceiv­ing private sec­tor cy­ber­se­cur­ity in­form­a­tion and would dir­ect com­pan­ies to strip out per­son­al in­form­a­tion un­re­lated to a cy­ber threat.

“Ul­ti­mately, there is no great­er guar­ant­or of Amer­ic­ans’ pri­vacy than Amer­ica’s cy­ber­se­cur­ity,” Schiff wrote in a let­ter to oth­er law­makers ur­ging them to back the bill. “The Cy­ber­se­cur­ity Act of 2015 will help make our net­works safer and our pri­vacy se­cure.”

Al­though the bill would bar the NSA from dir­ectly re­ceiv­ing the data from the private sec­tor, it would in­struct the Home­land Se­cur­ity De­part­ment to share the in­form­a­tion it re­ceives with oth­er “rel­ev­ant fed­er­al en­tit­ies,” which pri­vacy ad­voc­ates note could in­clude the NSA or FBI. Law­makers re­moved pre­vi­ous lan­guage that would have re­quired that the gov­ern­ment only use the data for “cy­ber­se­cur­ity pur­poses,” which has pri­vacy ad­voc­ates wor­ried that the data could find its way in­to crim­in­al pro­sec­u­tions. And they ar­gue that the le­gis­la­tion doesn’t im­pose a strong enough re­quire­ment on com­pan­ies to re­move per­son­al in­form­a­tion from the data they give to the gov­ern­ment. 

“This ‘cy­ber­se­cur­ity’ bill was a bad bill when it passed the Sen­ate and it is an even-worse bill today. Amer­ic­ans de­serve policies that pro­tect both their se­cur­ity and their liberty,” Sen. Ron Wyden, an Ore­gon Demo­crat and out­spoken pri­vacy sup­port­er, said in a state­ment. “This bill fails on both counts.”

The le­gis­la­tion could re­ceive votes in the House and Sen­ate as early as Fri­day.

Both cham­bers have already ap­proved vary­ing ver­sions of the cy­ber­se­cur­ity bill earli­er this year. The White House had threatened to veto sim­il­ar bills in 2012 and 2013, say­ing they lacked ad­equate pri­vacy safe­guards. But Pres­id­ent Obama is ex­pec­ted to sign the le­gis­la­tion this time as part of the om­ni­bus spend­ing pack­age if it reaches his desk.

“We are pleased that the Om­ni­bus in­cludes cy­ber­se­cur­ity in­form­a­tion shar­ing le­gis­la­tion,” a seni­or ad­min­is­tra­tion of­fi­cial said in an emailed state­ment. “The Pres­id­ent has long called on Con­gress to pass cy­ber­se­cur­ity in­form­a­tion shar­ing le­gis­la­tion that will help the private sec­tor and gov­ern­ment share more cy­ber threat in­form­a­tion by provid­ing for tar­geted li­ab­il­ity pro­tec­tions while care­fully safe­guard­ing pri­vacy, con­fid­en­ti­al­ity, and civil liber­ties.”

—This art­icle has been up­dated with a com­ment from the ad­min­is­tra­tion. 

(Image via /