US Budget Bill Passes With CISA Surveillance Intact (npr.org)
An anonymous reader writes: Early on Friday, the U.S. Senate approved the 2,000-page 'omnibus' budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a "privacy disaster," and several lawmakers voted against the budget bill solely for CISA's inclusion. Senator Ron Wyden (D-OR) said, "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review." Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches."
The full omnibus is available online (PDF). The CISA provisions start on page 1,728.
Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.
I am disgusted by how many people happily accepted this situation where the government actively works against the public interest, all in the name of security, for your own good.
All the people responsible for this treachery, and the people working for them, deserve a fair trial.
Get a VPN already. Slashdot offers a lifetime PureVPN membership for $69, but the offer is only valid for the next 14 hours.
https://deals.slashdot.org/sal...
Completely unrelated laws "riding" on other bills... There should be a law against that.
The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed. The act also states that privacy and civil liberties factors are included. People need to read the act and attempt to understand it before jumping to conclusions.
These all-in-one compromise bills are what it's best at. The people get the short straw every time. They pay for their own enslavement.
So basically any private data can be *sold* to NSA etc. for political, commercial and 'terrorist' surveillance as long as the company self declares it 'for cyber attack analysis'.
Ask yourselves a simple question: why would a vague, minor 'cyber threat' data exchange get pushed through in a budget measure if it was so innocuous? Obviously it was what we thought it was, a cover to legalize all the bulk mass warrantless surveillance shit that is still going on.
And I say 'sold', because several companies lobbied for it, which suggests to me they've been promised money in exchange for the data. A hidden subsidy to US corps to buy their complicity in the surveillance.
And the solution? Well, don't buy USA-made kit (it kinda sucks anyway) and don't use USA services where possible. Americans don't have a lot of choice, but the rest of the world has.
In other news, we find out that the UK has its own version of 'Parallel Construction': MI5/GCHQ not only spied on Brits, they briefed police in secret to arrest people and fake evidence trails. Now we know why they said "we briefed the police if people were innocent to let them go"... to explain all the meetings between spooks and police!
Many eyes!!!
My ism, it's full of beliefs.
Indeed, I wouldn't have voted for CISA, threat information is -already- shared without the immunity of CISA, so it's not needed. But it's also not that bad, if implemented as written. There are a few major companies that provide security services to other companies. Each has thousands of clients, and they already pool the relevant data to see trends.
Although the new law probably is not required, it also doesn't actually do much more than what already happens, and should be happening. It's not that bad, assuming the feds don't stretch the meaning of the words beyond what it's trying to say. The wording could certainly be improved to a) limit the information shared with the government specifically (the security companies aren't interested in your personal identity, political beliefs, etc. The IRS clearly is.) Also b) be very clear it doesn't cover any use of the information for marketing or other purposes. The security people are interested in one thing, keeping users safe. We're not looking to see who bought sex toys, we're wanting to ensure that whatever is purchased with your credit card is actually purchased by the cardholder, not by a Russian carding ring.
That's like the 'metadata is anonymous' claim; it's false. There is no way to strip user info from that data, as AOL found when they released their user searches. But in this case it's simply cover. Each record is individual and has an id in it to make it a trivial cross join to pull up the details.
Read the admission from the UK spooks, on their bulk anonymous surveillance, this is much closer to the truth of the situation:
http://www.theregister.co.uk/2015/12/16/big_brother_born_ntac_gchq_mi5_mass_surveillance_data_slurping
Intelligence agency staff have stated:
"These datasets vary in size from hundreds to millions of records. Where possible, Bulk Personal Datasets may be linked together so that analysts can quickly find all the information linked to a selector", such as a telephone number or search query. The information retrieved "may include, but is not limited to, personal information such as an individual's religion, racial or ethnic origin, political views, ... medical condition, sexual orientation, or any legally privileged, journalistic or otherwise confidential information."
The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed.
Only information which is (A) personally identifiable, AND (B) not relevant to the investigation. Guess who decides relevance?
Meanwhile, we also know for a fact that it's rather easy to mine personal identifications out of aggregate "depersonalized" data, since there's a story on Slashdot every couple of weeks where someone has done it in order to get their Masters degree.
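The two comments above make a technical claim (a stable id in each record turns "depersonalized" data into a trivial join, and even id-less records fall to quasi-identifier linkage). The following is an added example, not code or data from the thread: the three "shared" records, the customer table and the field names are all constructed for illustration, and the quasi-identifier choice (ZIP plus user agent) is an assumption standing in for whatever attributes survive a real scrub.

```python
"""Added example, not from the thread: why records that had names and e-mail
addresses removed still re-identify when they keep a stable internal id, and why
dropping the id is not enough when quasi-identifiers (ZIP, user agent) survive.
Every dataset below is constructed for the example."""
from collections import Counter

# Constructed: three records a company might share as "cyber threat indicators"
# after stripping names and e-mail addresses. Each still carries the sharer's
# internal customer id, source IP, coarse location and browser user agent.
SHARED = [
    {"cust_id": "c-1042", "src_ip": "198.51.100.7", "zip": "97201",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0", "event": "credential-stuffing"},
    {"cust_id": "c-2210", "src_ip": "203.0.113.55", "zip": "10001",
     "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/47.0", "event": "password-reset-abuse"},
    {"cust_id": "c-3377", "src_ip": "192.0.2.9", "zip": "10001",
     "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/47.0", "event": "password-reset-abuse"},
]

# Constructed: the sharer's customer table, i.e. the other side of the join.
# A receiver only needs a copy of this (or of any dataset keyed the same way).
CUSTOMERS = {
    "c-1042": {"name": "A. Example", "email": "a.example@example.net", "zip": "97201",
               "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"},
    "c-2210": {"name": "B. Example", "email": "b.example@example.org", "zip": "10001",
               "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/47.0"},
    "c-3377": {"name": "C. Example", "email": "c.example@example.com", "zip": "10001",
               "ua": "Mozilla/5.0 (Windows NT 6.1) Chrome/47.0"},
}

# Assumed quasi-identifiers: attributes that are not "personal" on their own
# but together single people out.
QUASI = ("zip", "ua")


def join_on_id(shared, customers):
    """The trivial cross join the comment describes: the stable id maps every
    shared record straight back to a named person."""
    return {r["cust_id"]: customers[r["cust_id"]]["email"]
            for r in shared if r["cust_id"] in customers}


def drop_id(shared):
    """A second attempt at scrubbing: remove the join key entirely."""
    return [{k: v for k, v in r.items() if k != "cust_id"} for r in shared]


def link_by_quasi_identifiers(scrubbed, customers, keys=QUASI):
    """Linkage attack on id-less records: index the auxiliary dataset by the
    quasi-identifier tuple; a record whose tuple is unique in that index is
    re-identified. Ambiguous tuples (k > 1) yield None, i.e. a candidate set
    rather than a name."""
    index = {}
    for row in customers.values():
        index.setdefault(tuple(row[k] for k in keys), []).append(row["email"])
    results = []
    for r in scrubbed:
        candidates = index.get(tuple(r[k] for k in keys), [])
        results.append(candidates[0] if len(candidates) == 1 else None)
    return results


def uniqueness_fraction(records, keys=QUASI):
    """Share of records whose quasi-identifier tuple is unique within the
    shared set itself: a cheap pre-release estimate of how much of a
    'depersonalized' dataset will re-identify once auxiliary data turns up."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    unique = sum(1 for r in records if counts[tuple(r[k] for k in keys)] == 1)
    return unique / len(records)


if __name__ == "__main__":
    print(join_on_id(SHARED, CUSTOMERS))          # every record re-identified
    scrubbed = drop_id(SHARED)
    print(link_by_quasi_identifiers(scrubbed, CUSTOMERS))  # one of three still falls
    print(uniqueness_fraction(scrubbed))
```

The point of `uniqueness_fraction` is that it can be run by the sharer before release, on the scrubbed records alone: any record whose quasi-identifier tuple is unique in the release is exactly one auxiliary dataset away from a name, whether or not an id was kept.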
So far it appears that personal information will not be stripped out and there is immunity for any collateral damage the passing of the PI may be responsible for, and further usage of the PI for any reason (criminal investigation) by the receiving party is fair game even if unrelated to the original intent or if the PI was included by mistake or whatever. Gleaned my info from techdirt, so you may want to double check it.
In fact, both of my Senators, Sessions and Shelby, AND my Representative voted against. I don't think the CISA part of it was the reason they did, though. They're as much in favor of big government surveillance as most Congresscritters.
We live in strange times when Republican Senators from Alabama and Bernie Sanders vote the same on anything, albeit for different reasons.
Land of the free-ish.
Home of the "fuck you peon scum!"
Chas - The one, the only.
THANK GOD!!!
Cut and paste from the bill text follows (the PDF's line numbers have been removed).

Page 1740, section (E):
... include procedures that require a Federal entity, prior to the sharing of a cyber threat indicator—
(i) to review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that such Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(ii) to implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual; and

Page 1741, section (F):
(F) include procedures for notifying, in a timely manner, any United States person whose personal information is known or determined to have been shared by a Federal entity in violation of this title.

Page 1746, (2):
REMOVAL OF CERTAIN PERSONAL INFORMATION.—A non-Federal entity sharing a cyber threat indicator pursuant to this title shall, prior to such sharing—
(A) review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information; or
(B) implement and utilize a technical capability configured to remove any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual.

Page 1754:
(A) shall include guidance on the following:
(i) Identification of types of information that would qualify as a cyber threat indicator under this title that would be unlikely to include information that—
(I) is not directly related to a cybersecurity threat; and
(II) is personal information of a specific individual or information that identifies a specific individual.
(ii) Identification of types of information protected under otherwise applicable privacy laws that are unlikely to be directly related to a cybersecurity threat.
(iii) Such other matters as the Attorney General and the Secretary of Homeland Security consider appropriate for entities sharing cyber threat indicators with Federal entities under this title.

Page 1756, (3) (longish one):
consistent with the need to protect information systems from cybersecurity threats and mitigate cybersecurity threats—
(A) limit the effect on privacy and civil liberties of activities by the Federal Government under this title;
(B) limit the receipt, retention, use, and dissemination of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals, including by establishing—
(i) a process for the timely destruction of such information that is known not to be directly related to uses authorized under this title; and
[p. 1757; print stamp December 16, 2015 (1:04 a.m.), U:\2016REPT\OMNI\FinalOmni\CPRT-114-HPRT-RU00-SAHR2029-AMNT1.xml]
(ii) specific limitations on the length of any period in which a cyber threat indicator may be retained;
(C) include requirements to safeguard cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals from unauthorized access or acquisition, including appropriate sanctions for activities by officers, employees, or agents of the Federal Government in contravention of such guidelines;
(D) consistent with this title, any other applicable provisions of law, and the fair information practice principles set forth in appendix A of the document entitled "National Strategy for Trusted Identities in Cyberspace" and published by the President in April 2011, govern the retention, use, and dissemination by the Federal Government of cyber threat indicators shared with the Federal Government under this title, including the extent, if any, to which such cyber threat indicators may be used by the Federal Government;
[p. 1758]
(E) include procedures for notifying entities and Federal entities if information received pursuant to this section is known or determined by a Federal entity receiving such information not to constitute a cyber threat indicator;
(F) protect the confidentiality of cyber threat indicators containing personal information of specific individuals or information that identifies specific individuals to the greatest extent practicable and require recipients to be informed that such indicators may only be used for purposes authorized under this title; and
(G) include steps that may be needed so that dissemination of cyber threat indicators is consistent with the protection of classified and other sensitive national security information.

Page 1768, (c)(ii):
(ii) in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual; and
(iii) in a manner that protects the confidentiality of cyber threat indicators containing—
(I) personal information of a specific individual; or
(II) information that identifies a specific individual.
OK, so there are a few more mentions of PI in the bill regarding the govt's duty to report to the public the number of times cyberthreat info was shared and how many times PI was shared, but it doesn't seem to be the privacy disaster it's being made out to be by some. Maybe I need the bill explained to me by someone who understands its implications better.
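The quoted sections twice allow a sharer to satisfy the removal duty by a "technical capability configured to remove" personal information "not directly related to a cybersecurity threat", and separately require procedures for notifying a person whose information was shared in violation. The following is an added example and is not code from the thread, the bill, or any agency: it sketches what such a capability looks like in practice, and where the "directly related" judgement actually lives. The record format, the field names, the allowlist/denylist, the regexes and the sample record are all constructed assumptions; the bill prescribes no format.

```python
"""Added example, not from the thread or the bill: one shape a 'technical
capability configured to remove' personal information from a cyber threat
indicator could take before sharing, with an audit trail for the notification
duty. Field names, record layout and the sample record are constructed."""
import re

# Assumed: fields treated as the threat indicator proper and kept verbatim.
# Editing this set IS the "directly related to a cybersecurity threat" decision
# the thread argues about; whoever owns this list decides relevance.
INDICATOR_FIELDS = {"indicator_type", "value", "first_seen", "last_seen",
                    "malware_family", "ttp"}

# Assumed: fields that are personal by construction and always dropped.
PERSONAL_FIELDS = {"victim_name", "victim_email", "victim_employee_id", "account_id"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def scrub_text(text):
    """Redact e-mail addresses and phone numbers inside free text (an analyst
    note that pasted a lure, for instance). Returns (new_text, count)."""
    text, n_email = EMAIL_RE.subn("[email removed]", text)
    text, n_phone = PHONE_RE.subn("[phone removed]", text)
    return text, n_email + n_phone


def scrub_indicator(record):
    """Return (scrubbed_record, audit). The audit lists every removal and why;
    without it the sharer cannot later tell whom to notify if something was
    over-shared. Unknown non-text fields are dropped (fail closed) rather than
    forwarded on the assumption they are harmless."""
    out, audit = {}, []
    for key, val in record.items():
        if key in PERSONAL_FIELDS:
            audit.append((key, "personal field dropped"))
        elif key in INDICATOR_FIELDS:
            out[key] = val
        elif isinstance(val, str):
            cleaned, n = scrub_text(val)
            out[key] = cleaned
            if n:
                audit.append((key, f"{n} identifier(s) redacted in text"))
        else:
            audit.append((key, "unknown non-text field dropped"))
    return out, audit


def flag_personal_in_indicator(record):
    """The gap an allowlist leaves: if the sharer classes a mailbox address as
    the indicator itself (indicator_type 'email-addr'), it passes through as
    'directly related'. This returns the allowlisted fields whose value still
    looks like a personal identifier, so a human can make that call explicitly."""
    return [k for k in INDICATOR_FIELDS
            if isinstance(record.get(k), str)
            and (EMAIL_RE.search(record[k]) or PHONE_RE.search(record[k]))]


# Constructed sample: a phishing indicator as an analyst might log it.
SAMPLE = {
    "indicator_type": "url",
    "value": "http://login-example.invalid/reset",
    "first_seen": "2015-12-18T08:02:11Z",
    "malware_family": "generic-credential-phish",
    "victim_email": "a.example@example.net",
    "victim_name": "A. Example",
    "analyst_note": "Targeted a.example@example.net; callback number 555-010-0199 in lure.",
    "ticket_meta": {"queue": 3},
}

if __name__ == "__main__":
    scrubbed, audit = scrub_indicator(SAMPLE)
    print(scrubbed)
    for entry in audit:
        print("removed:", entry)
    # A sender address used as the indicator survives the allowlist untouched:
    print(flag_personal_in_indicator({"indicator_type": "email-addr",
                                      "value": "a.example@example.net"}))
```

Two things the code makes visible that the statutory text does not: the "knows at the time of sharing" standard is only as good as the lists and patterns the sharer maintains, and a victim's address re-labelled as the indicator clears the filter by definition, which is the relevance question raised earlier in the thread.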
The night before my divorce was finalized, I had a bachelor party. It was huge and I was very drunk. They tell me that I had a good time.
Not that this matters. I just figured I'd add it to the list of absurdities that are being posted in this thread. I don't get why people are spinning this as a good thing.
"So long and thanks for all the fish."
The majority of network break-ins are as result of companies or governments being asleep behind the wheel. There needs to be monitoring to find when break-ins happen.
Companies and governments asleep behind the wheel will now wake up and monitor their systems to find when break-ins happen ...because CISA exists?
I am waiting for a coherent example of who this helps or who in the past this would have helped. Which company has ever gotten in trouble for sharing in good faith information about threats they face with a government agency?
When break-ins happen companies need to be able to share signatures to look for break-ins on other networks.
What prevents people from sharing signatures today? Where are all of those lawsuits from use of existing managed security products?
My guess is there will be procedures that state that personal information not relevant to the break-in will need to be removed or destroyed from the information that is shared.
I vividly recall picking my nose watching c-span when amendment after amendment to clarify and correct these very issues were systematically defeated.
There is shit for requirements of filtering information going into the government system. Once in the system filtering requirements (e.g. suggestions) apply only to propagation of information out of the government domain.
To the president that is. That or he liked the whole package, considered it "a job well done."
The act clearly states on page 1740 that personal information needs to be removed from data that is shared.
You misunderstand the context. This is for sharing of data already in possession of the government with non government consumers. The point many people find objectionable /w CISA is summary transport of their data to the government with no legal recourse... This does not address that. It only addresses retransmission outside of the government domain.
act also states that any violation of this will require notification of the person if this is not followed.
You mean this:
"any United States person whose personal information is known or determined to have been shared by a Federal entity"
This is a continuation of the same misunderstanding above. What matters is the information flowing **INTO** the government.
The act also states that privacy and civil liberties factors are included.
The entire point of the bill is wholesale bulk collection without legal recourse. Nobody gets in trouble for sharing data about actual threats with the government.
People need to read the act and attempt to understand it before jumping to conclusions.
Good advice.
No one of any intelligence "trusts" the cloud anymore.
I mean, who trusts their data to a machine that they do not have physical access to, but someone of unknown constitution does? That's like hacker 101.
Exactly. I mean, we are demonstrably well past that point. This is more of a question of whether or not you get a reach-around with that mandatory cavity search you're receiving...or, well, whether they use regular lube, or the kind with mint in it (tingles).
Whereas I jump to a somewhat similar, but different conclusion: the population is finally apathetic enough about its own existence that we can begin double-blind human testing.
If you scroll up the thread there are a few posts saying that this law is a good law, that it is a long time coming, and things of that nature. In other words, people spinning it as a good thing. It was not in reference to you, hopefully you didn't think it was. If it were in reference to you, I'd have just responded to you. ;-)
But no, there's a few posts where people seem to think this is a good thing. That it is a law that we should have. I have taken a gander at the text and some other information (linked from the article - I cheated and looked earlier) and I'm not really seeing why this is a requirement. If it's for prosecution then the government gets to get a warrant or the company can already turn it over if they want. They're already able to share data, pretty much without restriction, among themselves with US laws.
Basically, it looks like it does nothing but add complexity with no real oversight and no real benefit that we'd not already have except maybe some benefit of being given notice and that looks to have a whole host of exclusions but my legalese isn't as refined as it once was.
"So long and thanks for all the fish."
Re "procedures that state that personal information not relevant to the break-in will need to be removed or destroyed from the information that is shared."
"Senate Rejects All CISA Amendments Designed To Protect Privacy, Reiterating That It's A Surveillance Bill" (2015/10/27)
https://www.techdirt.com/artic...
"removal of personal information"
"removed FOIA exemptions"
""tightened" the definition of cybersecurity threats"
"more difficult for Congress to learn whether or not CISA is being used for domestic surveillance"
All the privacy protection and time limitation laws got removed early on. It's a US gov working with the US private sector free-for-all. Collect it all, keep it all and present it to nice new gov portals. No real reasons needed, no court oversight, no questions back to the private sector, no questions about what the gov and mil will do with the data. Just a huge flow from the US private sector for the US gov to keep and sort.
Domestic spying is now "Benign Information Gathering"
All the privacy protections got removed. Sharing of all data back with the US gov is the entire point. What use is a US gov portal deep into the US private sector with data missing, logs altered, randomized... timestamps or ip's removed or text strings redacted ?
A protection might stay in place not to leak, talk about, keep in plain text, the data to a 3rd party and store in a correct way until the US gov needs the data.
ie the data is kept safe for the US gov and not talked about or findable in any way online by a 3rd party.
Having the US gov get the data and only the US gov is not a privacy protection its just a security clause to ensure "only" the US gov gets the personal domestic information.
Domestic spying is now "Benign Information Gathering"
Ron Wyden should then introduce a bill that repeals CISA...or hope that the Italian lock maker intervenes due to trademark infraction.