US Budget Bill Passes With CISA Surveillance Intact (npr.org)
An anonymous reader writes: Early on Friday, the U.S. Senate approved the 2,000-page 'omnibus' budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a "privacy disaster," and several lawmakers voted against the budget bill solely for CISA's inclusion. Senator Ron Wyden (D-OR) said, "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review." Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches."
The full omnibus is available online (PDF). The CISA provisions start on page 1,728.
Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.
That country is a joke. No wonder it's going down the drain.
I am disgusted by how many people happily accepted this situation where the government actively works against the public interest, all in the name of security, for your own good.
All the people responsible for this treachery, and the people working for them, deserve a fair trial.
Get a VPN already, Slashdot offers a lifetime PureVPN membership for $69, but the offer is only valid for the next 14 hours.
https://deals.slashdot.org/sal...
The majority of network break-ins are a result of companies or governments being asleep behind the wheel. There needs to be monitoring to find when break-ins happen. When break-ins happen, companies need to be able to share signatures to look for break-ins on other networks. Sharing is also needed to allow the government to see if there are break-ins on their networks. My guess is there will be procedures that state that personal information not relevant to the break-in will need to be removed or destroyed from the information that is shared.
Completely unrelated laws "riding" on other bills... There should be a law against that.
The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed. The act also states that privacy and civil liberties factors are included. People need to read the act and attempt to understand it before jumping to conclusions.
Yes, and this is the same government that couldn't be bothered to apply for a FISA warrant when spying, because applying after the fact to a secret court with no opposition was too burdensome.
Thank you for clearing up this truly beneficial piece of information.
In fact, I did see that you paraphrased instead of quoted. Undoubtedly, there is an exception written in to bypass such requirements. They only put those lines into legislation to fool simpletons such as yourself.
Computer security is inherently a technological problem. Attempting a political solution to a technological problem rarely succeeds. When faced with a technological problem, it is often a much better idea to look for a technological solution.
Since we're talking about computer security, the obvious answer in this case is to use the Rust programming language.
Rust's very own web page describes it as "a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety." It also says it has "guaranteed memory safety", "threads without data races" and "zero-cost abstractions".
I think that Rust is the solution to technological security problems. From what I can tell about it, Rust is the kind of programming language that makes it nearly impossible to write buggy code. Since security problems are a type of bug, if you don't have buggy software then you don't have security problems.
So all we need to do is start using Rust for everything. It will take time and it won't be easy but we should rewrite all of our existing software in Rust. I think that's the only way we can move into this uncertain future safely. We need to use a programming language like Rust for everything.
Here's a conclusion I am comfortable jumping to: corporations own America, and if you don't have lots of money you are screwed.
If you don't like what the business is doing... don't buy from them! It's called making a decision. You don't have any right to tell a business what to do with what you willingly give them, but you do have the right (and responsibility!) to not give it to them in the first place.
The real problem here is people expect to get what they want without giving something up in exchange. Sorry, but life doesn't work that way, and it never has!
Businesses have always had the right to just give up information to whomever they wanted to. They just hardly did it out of respect, to keep competition from getting it (portfolios of clients for salespeople, for one), and build trust with their customers. Break that trust, and you should break yours in the best way possible: by not giving them your money or time. Once a business no longer has your money / information, then they'll start to make better decisions, too!
These all-in-one compromise bills are what it's best at. The people get the short straw every time. They pay for their own enslavement.
So basically any private data can be *sold* to NSA etc. for political, commercial and 'terrorist' surveillance as long as the company self declares it 'for cyber attack analysis'.
Ask yourselves a simple question: why would a vague minor 'cyber threat' data exchange get pushed through in a budget measure if it was so innocuous? Obviously it was what we thought it was, a cover to legalize all the bulk mass warrantless surveillance shit that is still going on.
And I say 'sold', because several companies lobbied for it, which suggests to me they've been promised money in exchange for the data. A hidden subsidy into US corps to buy their complicity in the surveillance.
And the solution? Well, don't buy USA-made kit. It kinda sucks anyway, and don't use USA services where possible. Americans don't have a lot of choice, but the rest of the world has.
In other news, we find out that the UK has its own version of 'Parallel Construction': MI5 and GCHQ not only spied on Brits, they briefed police in secret to arrest people and fake evidence trails. Now we know why they said "we briefed the police if people were innocent to let them go"... to explain all the meetings between spooks and police!
Many eyes!!!
My ism, it's full of beliefs.
Its Me
Indeed, I wouldn't have voted for CISA, threat information is -already- shared without the immunity of CISA, so it's not needed. But it's also not that bad, if implemented as written. There are a few major companies that provide security services to other companies. Each has thousands of clients, and they already pool the relevant data to see trends.
Although the new law probably is not required, it also doesn't actually do much more than what already happens, and should be happening. It's not that bad, assuming the feds don't stretch the meaning of the words beyond what it's trying to say. The wording could certainly be improved to a) limit the information shared with the government specifically (the security companies aren't interested in your personal identity, political beliefs, etc. The IRS clearly is.) Also b) be very clear it doesn't cover any use of the information for marketing or other purposes. The security people are interested in one thing: keeping users safe. We're not looking to see who bought sex toys; we're wanting to ensure that whatever is purchased with your credit card is actually purchased by the cardholder, not by a Russian carding ring.
That's like the 'metadata is anonymous' claim; it's false. There is no way to strip user info from that data, as AOL found when they released their user searches. But in this case it's simply cover. Each record is individual and has an id in it to make it a trivial cross join to pull up the details.
Read the admission from the UK spooks, on their bulk anonymous surveillance, this is much closer to the truth of the situation:
http://www.theregister.co.uk/2015/12/16/big_brother_born_ntac_gchq_mi5_mass_surveillance_data_slurping
Intelligence agency staff have stated:
"These datasets vary in size from hundreds to millions of records. Where possible, Bulk Personal Datasets may be linked together so that analysts can quickly find all the information linked to a selector", such as a telephone number or search query. The information retrieved "may include, but is not limited to, personal information such as an individual's religion, racial or ethnic origin, political views, ... medical condition, sexual orientation, or any legally privileged, journalistic or otherwise confidential information."
The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed.
Only information which is (A) personally identifiable, AND (B) not relevant to the investigation. Guess who decides relevance?
Meanwhile, we also know for a fact that it's rather easy to mine personal identifications out of aggregate "depersonalized" data, since there's a story on Slashdot every couple of weeks where someone has done it in order to get their Masters degree.
"Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches.""
You heard 'em fellas. You can't trust "the cloud".
In fact, both of my Senators, Sessions and Shelby, AND my Representative voted against. I don't think the CISA part of it was the reason they did, though. They're as much in favor of big government surveillance as most Congresscritters.
We live in strange times when Republican Senators from Alabama and Bernie Sanders vote the same on anything, albeit for different reasons.
Land of the free-ish.
Home of the "fuck you peon scum!"
Chas - The one, the only.
THANK GOD!!!
Cut and paste line numbers (unfortunately) included.
1740 section E:
(E) include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
(i) to review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(ii) to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual; and
(F) include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.
Section 1741 F:
(F) include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.
1746 (2):
REMOVAL OF CERTAIN PERSONAL INFORMATION.—A non-Federal entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.
Section 1754:
(A) shall include guidance on the following:
(i) Identification of types of information that would qualify as a cyber threat indicator under this title that would be unlikely to include information that—
(I) is not directly related to a cybersecurity threat; and
(II) is personal information of a specific individual or information that identifies a specific individual.
(ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this title.
1756 (3) (longish one):
consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the effect on privacy and civil liberties of activities by the Federal Government under this title;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this title; and
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) consistent with this title, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled "National Strategy for Trusted Identities in Cyberspace" and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this title, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
(E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(F) protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this title; and
(G) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.
1768 c (ii):
(ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual; and
(iii) in a manner that protects the confidentiality of cyber threat indicators containing—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual.
We went from the Patriot Act frying pan to the crispy fryer.
OK, so there are a few more mentions of PI in the bill regarding the govt's duty to report to the public the number of times cyberthreat info was shared and how many times PI was shared, but it doesn't seem to be the privacy disaster it's being made out to be by some. Maybe I need the bill explained to me by someone who understands its implications better.
The night before my divorce was finalized, I had a bachelor party. It was huge and I was very drunk. They tell me that I had a good time.
Not that this matters. I just figured I'd add it to the list of absurdities that are being posted in this thread. I don't get why people are spinning this as a good thing.
"So long and thanks for all the fish."
I don't see anyone spinning it as a good thing, but it's not OMG PRIVACY ARMAGEDDON either. Grow up.
Sorry, still don't get what is so bad. It doesn't compel sharing. The objection I read here:
http://www.wired.com/2015/03/c...
is that only info "known at the time it was shared to be innocent PI" must be stripped. This is supposedly some sort of gigantic loophole. Well, it's a true fact (damn those!) that in a DDOS the victim has small chance of sorting out the innocent from the guilty, so they therefore can't share that information? Makes no sense.
The working assumption is the NSA will use this in some cynical manner to just grab everyone's data. People, the NSA already HAS everyone's data. All the times we connect, to where, for how long, etc etc etc. Ditto DHS and who knows who else, whether you're behind a VPN or what (according to the bragging going on in leaked documents)... so... they want more of what they already have? Seems to me this just highlights for them what to look at (which they already collected and had stuffed away somewhere). So no, I am not seeing the uptick in the privacy threat. But I stand to be corrected by anyone who knows better.
To the president that is. That or he liked the whole package, considered it "a job well done."
Can confirm, sure as shit feels like this sometimes living here...
Makes me want to move to Canada or Norway.
Clearly you don't know what amendments are. Have a look...
Protections? What protections?
The act clearly states on page 1740 that personal information needs to be removed from data that is shared.
You misunderstand the context. This is for sharing of data already in possession of the government with non government consumers. The point many people find objectionable /w CISA is summary transport of their data to the government with no legal recourse... This does not address that. It only addresses retransmission outside of the government domain.
act also states that any violation of this will require notification of the person if this is not followed.
You mean this:
"any United States person whose personal information is known or determined to have been shared by a Federal entity"
This is a continuation of the same misunderstanding above. What matters is the information flowing **INTO** the government.
The act also states that privacy and civil liberties factors are included.
The entire point of the bill is wholesale bulk collection without legal recourse. Nobody gets in trouble for sharing data about actual threats with the government.
People need to read the act and attempt to understand it before jumping to conclusions.
Good advice.
You'd think the guy at the top could do his job. Too busy smoking pot as usual.
Exactly. I mean, we are demonstrably well past that point. This is more of a question of whether or not you get a reach-around with that mandatory cavity search you're receiving...or, well, whether they use regular lube, or the kind with mint in it (tingles).
Whereas I jump to a somewhat similar, but different conclusion: the population is finally apathetic enough about its own existence that we can begin double-blind human testing.
If you scroll up the thread there are a few posts saying that this law is a good law, that it is a long time coming, and things of that nature. In other words, people spinning it as a good thing. It was not in reference to you, hopefully you didn't think it was. If it were in reference to you, I'd have just responded to you. ;-)
But no, there's a few posts where people seem to think this is a good thing. That it is a law that we should have. I have taken a gander at the text and some other information (linked from the article - I cheated and looked earlier) and I'm not really seeing why this is a requirement. If it's for prosecution then the government gets to get a warrant or the company can already turn it over if they want. They're already able to share data, pretty much without restriction, among themselves with US laws.
Basically, it looks like it does nothing but add complexity with no real oversight and no real benefit that we'd not already have except maybe some benefit of being given notice and that looks to have a whole host of exclusions but my legalese isn't as refined as it once was.
"So long and thanks for all the fish."
Don't trust fear.
Don't put your trust in fear.
"Yes we Scan"
Personal information cannot be removed. Has everyone forgotten when the Netflix Prize offered an anonymized data set, where each customer was represented by a single number, and yet people were able to figure out who many of those numbers were?
All information about you identifies you. Some of it better than others, e.g. your last name identifies you better than your first, but put enough pieces of information together and you are individually identifiable, even if none of those pieces of information are your name.
Since Bernie and his Commie friends raided the DNC donor database, Bernie just made the NSA Watch List for Financial Terrorists and Organizations.
That is a Good Thing.
Estimates indicate that Bernie and his Commies have already raided the bank accounts and trust funds and retirement accounts of 25% on the DNC list. That puts the dollar haul to Bernie at about $350 million. That is a nice days work Bernie!
Now, Bernie's iPhone, Android phone and Blueberry are HOT on the NSA Financial Terror List with deliberate tracking and interception going at 30 millisecond intervals world wide. WOW.
If Bernie is sitting on a toilet with one of the cell phones and Spins the Role, NSA has IT on Audio! Hoy Hoy
Ha ha
All the privacy protections got removed. Sharing of all data back with the US gov is the entire point. What use is a US gov portal deep into the US private sector with data missing, logs altered, randomized... timestamps or ip's removed or text strings redacted ?
A protection might stay in place not to leak, talk about, keep in plain text, the data to a 3rd party and store in a correct way until the US gov needs the data.
ie the data is kept safe for the US gov and not talked about or findable in any way online by a 3rd party.
Having the US gov get the data and only the US gov is not a privacy protection its just a security clause to ensure "only" the US gov gets the personal domestic information.
Domestic spying is now "Benign Information Gathering"
Let's see if they can legislate away customers turning away from the tech companies...
Where is the fucking invisible hand of market when we need it?
Ron Wyden should then introduce a bill that repeals CISA...or hope that the Italian lock maker intervenes due to trademark infraction.