US Budget Bill Passes With CISA Surveillance Intact

An anonymous reader writes: Early on Friday, the U.S. Senate approved the 2,000 page 'omnibus' budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a "privacy disaster," and several lawmakers voted against the budget bill solely for CISA's inclusion. Senator Ron Wyden (D-OR) said, "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review." Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches." The full omnibus is available online (PDF). The CISA provisions start on page 1,728.

War on Privacy

[pellik]

Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.

Re:War on Privacy

[KGIII]

I believe, if certain Slashdot posters are to be taken as the consensus, it's the Republicans and they want us to die.

Actually, I think they just don't actually give a shit any more.

Re:War on Privacy

[tlambert]

I believe this bill was making it's way through the legislative process and then the Eric Snowden disclosure happened.

And? The concurrency of the two unrelated things is rather irrelevant. The Snowden disclosure happened because (A) The government was engaged in illegal activity, and (B) Snowden decided to be a whistleblower.

Which would have been a protected action, were he an employee, but instead head was a 1099 contractor, like all the Uber drivers.

How many high profile network break-ins have happened since then?

Lots. They're generally not announced to the public, unless they involve credit cards or medical records.

Juniper Networks just announced yesterday a major compromise.

No, they announced a software patch for a problem that could have been used to compromised the security of VPN communications, but there's no evidence that it was ever used to do so, and some evidence that the change was made to the system by the employee of a government agency to allow them to eavesdrop on VPN conversations.

OPM was hacked and information for 20Million current and former employees and their spouses and children were compromised.

The agency should not have been keeping records on their spouses and children, since they were not employees, but even so, the compromised information was mishandled by the OPM. This was not a demonstration of skill on the part of the people who penetrated the system, it was a demonstration of incompetence on the people who were tasked with ensuring the system could not be penetrated.

This legislation has been needed for years. It is about time congress passed it.

This legislation was never needed. It's only utility is for making information collection for government agencies an unfunded mandate that has to be paid for by the companies whose systems the information is transiting.

The purpose of doing this is to make the companies adding strong privacy features to their software, particularly mobile phone and tablet software, among others, responsible for, and punishable for not, revealing said information, on demand, and without warrant.

In other words, it's an attempt to force companies to include back doors, or face fines when demands for information simply can not be accomodated to the governments satisfaction, for technological and mathematical reasons.

BTW: You have your dates wrong: the Snowden disclosure occurred in 2013; the bill was first introduced to to the Senate Intelligence Committe over a hear later, in 2013, during the 113th congress.

It's a really asinine piece of legislation. Paul Ryan (R, WI) should be removed from office over this nasty piece of crap, let alone the way he got it shoved through.

Re: War on Privacy

The bill offers immunity to PRISM partners and telcos/ISPs who collaborate with the government to spy on US citizens. Snowden's leaks raised the possibility that citizens would sue the private collaborators for betraying private data to the government without judicial oversight. Now, that can't happen, because in the middle of a 2,000 page amendment to a budget bill the government has promised immunity to those who help the government spy on its citizens without a warrant.

Re:War on Privacy

[nmb3000]

Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.

I agree, which is why I strongly suggest that everyone interested in this take a minute to look at the omnibus vote records from the House and the one for the Senate. If your representatives voted different than you want, take a few minutes to reach out to them. A phone call, email, or even (gasp) a physical letter will let them know what you think.

Re:War on Privacy

[erikkemperman]

There are countless avenues within U.S. gov't that he could have followed

Really? Name one whistleblower who followed one of those "countless avenues" to any effect, while not having G-men systematically wreck their lives.

Thomas Drake and friends tried, and suffered for it.

Re:War on Privacy

As some whose entire (fingerprints, history, and the information of my family and friends... they got it all) information is out in the wild from the OPM hack, and someone that had to deal with illegal government requests from Qwest (don't ever refuse if you know what's good for you), I'd like to point out how piss-poor OPM security measures were (it took years of threatening lawsuits just to get "on file" listed in place of SS on SBU forms that travel within and outside my agency) and how this will actually decrease the security of everyone.

The government has already proven they are incapable of securing anyone's information, and they have now opened the floodgates for everyone's information to be targeted.

That this was passed under such tenuous conditions should make it clear how nefarious this legislation is. The government has declared its own people enemies of the state.

Re:War on Privacy

[Blue+Stone]

I read a rather insightful comment elsewhere saying that our securocrats have simply redefined privacy.

Privacy is now defined as 'the state not currently looking at what information they hold on you'.

Rather chilling, I thought.

Re:War on Privacy

[kheldan]

Is privacy such an enemy of the state now that they have to push it through in the budget bill?

Riders on sweeping bills like the one that keeps the Federal government's doors open are SOP for our government, and has been for a long time now. Very often things literally get sneaked into it, hoping it doesn't get noticed, considering the full text of the bill is thousands of pages. It's 'high priority' for the Senate because otherwise the Federal government literally shuts down due to no funding; people literally get sent home without pay, contractors don't get paid, services to citizens stop, etc.

..enemy of the state..

Yes, apparently, it is, now. Look at how the younger generation views the concept of 'privacy': they 'share' every gods-be-damned little thing on social media platforms, never really giving a single thought to who or how many people are actually able to access and use that data however they wish, and they're convinced that anyone who values 'privacy' and goes out of their way to keep their lives private are either 'too old to understand' or that they're criminals/terrorists/predators and 'have something to hide'. This (in my opinion, so take it with a grain of salt, please) is due to the younger generation having been indoctrinated, from birth, to believe 'privacy is bad and selfish', and 'good people share', and Corporate America and our own government is behind it. Three-letter agencies love being able to see everything all the time, and if they had their fondest wishes, I wouldn't at all be surprised if they'd have us required to have cameras and microphones in our homes and in our vehicles, 'for our own safety', naturally, but so far pesky things like the rule of law, the Constitution, and the concept of basic human rights has kept them from doing things like that.

Re:War on Privacy

[ClickOnThis]

Who (from which party) inserted CISA into the budget bill?

Apparently, it was House speaker Paul Ryan (R).

Why do you allow this travesty?

Completely unrelated laws "riding" on other bills... There should be a law against that.

Re:Why do you allow this travesty?

[KGIII]

We'll have to tack it onto the next budget.

I wish I were kidding.

Re:VPN

[KGIII]

I contacted them in the past. They log.

Don't buy USA, Don't use USA

So basically any private data can be *sold* to NSA etc. for political, commercial and 'terrorist' surveillance as long as the company self declares it 'for cyber attack analysis'.

Ask yourselve a simple question, why would a vague minor 'cyber threat' data exchange get pushed through in a budget measure if it was so innocuous? Obviously it was what we thought it was, a cover to legalize all the bulk mass warrantless surveillance shit that is still going on.

And I say 'Sold', because several companies lobied for it, which suggest to me they've been promised money in exchange for the data. A hidden subsidy into US corps to buy their complicity in the surveillance.

And the solution? Well don't buy USA made kit. It kinda sucks and don't use USA services where possible. Americans don't have a lot of choice, but the rest of the world has.

In other news, we find out that UK has its own version of 'Parallel Construction', MI5 GCHQ not only spied on brits they briefed police in secret to arrest people and fake evidence trails. Now we know why they said "we briefed the police if people were innocent to let them go"... to explain all the meetings between spooks and police!

Re:Nuremberg

[WaffleMonster]

Have you read the act?

Have you?

Try that first before equating the United States with Nazi Germany

I find it interesting when people invoke Godwin in a dismissive tone as if people are crazy for drawing comparisons. Nazi Germany was allowed to occur because of a whole series of events and defects in human character which really do have parallels everywhere.

Re:VPN

[Burz]

PIA doesn't log IIRC, and they have good deals.

Here is an email guide to start with (there are no ideally private email providers, but many are better than gmail). Riseup and ProtonMail look interesting.

A note about using PGP email: This still leaves a trail that is rich in metadata (the who/when/where parts of the messages). Only the what is concealed, leaving much to be desired.

More interesting are new messaging apps which the EFF has rated. I think Signal, Ostel+Jitsi and RetroShare look the most promising. Ring is a newcomer that uses OpenDHT and promises to be what Skype might have been.

For just increasing privacy a couple notches while browsing, add the following extensions (Firefox): Privacy Badger, HTTPS Everywhere, Adblock Edge (not sure if AE is really needed with PB). Using a Firefox derivative like IceWeasel or PaleMoon won't likely include ad-based features that might compromise privacy (though Mozilla is said to have removed ads anyway).

As for browsing with Tor, you cannot beat Qubes OS with the Whonix package. This will help you blend in more and prevent exploits over Tor from accessing any personal data. A system with IOMMU hardware and BIOS is recommended.

After all these years, I2P is still progressing and growing. It marries technologies like onion routing and DHT and its 'I2P Bote' messenger may be the best in class, IMO. Of course, I2P is meant to route all kinds of traffic and even has bittorrent built-in. I'd also recommend running I2P in a Qubes domain, although it comes with TAILS if you're more comfortable booting with that.