Meet CISA, A De Facto Cyber Patriot Act

The final changes to the so-called “cybersecurity bill” say that the data shared by companies, which can now include personally identifiable information and be shared directly with the NSA, can also be used for surveillance activities and to chase down other types of crimes, pointing to a sort of cyber Patriot Act.

House Speaker Paul Ryan managed to push CISA into the “omnibus” budget bill, but not before Congress stripped out all of its privacy protections and turned it from what was originally meant to be a cybersecurity bill into a de facto surveillance bill. When the final version of the “cybersecurity” bill was being merged from multiple similar bills, Congress removed the few privacy protections the Senate version had when it received the necessary votes to pass.

Initially, the CISA bill required that the data that is shared with the government by private companies must first pass through DHS, a civil agency, to strip personally identifiable information before the NSA would get the data.

The cybersecurity bill was supposed to force companies to share "cyber threat data," not personal information. Now, this requirement has been removed from the final bill, and companies can be forced to share the data directly with the NSA or the Department of Defense. Scrubbing the data of personal information is also "at the discretion of the agency," which could mean it will happen much less often now.

The final version of this new bill also removes the prohibition of using this data for "surveillance" activities. It removes the restriction of using the data for "cyber crimes" and now includes "other crimes," as well. It's reminiscent of the Patriot Act and National Security Letters, which were initially being promoted as solutions to stop terrorists, but ended up being used mainly for drug crimes.

This "cybersecurity" bill could now end up being a next-generation "cyber Patriot Act" that further expands the NSA’s surveillance powers, just two-and-a-half years after Snowden’s revelations exposed the mass surveillance being conducted by the NSA.

The bill now also offers complete liability protection for the companies sharing this data, even if the companies are guilty of "gross negligence and willful misconduct." This isn’t unlike the immunity that telecom companies got in 2008 in the FISA Amendments Act, which was extended in 2012 for another five years after pressure from President Obama and Dianne Feinstein, who was then the Chairman of the Senate Intelligence Committee.

That immunity law made the telecoms great partners to the NSA, because now they could comply with any request the NSA was making, without worrying about any privacy laws or a proper warrant from a judge. The new cyber Patriot Act could have the same effect on tech companies, which may be fighting for user privacy now but may not be so inclined to do so after they receive complete immunity for sharing large amounts of user data with the government.

Evan Greer, the campaign director of Fight for the Future, one of the main digital rights groups fighting against CISA, said the following about the latest changes:

“It’s not surprising at all that Congressional leadership wants to use a sneaky loophole to rush this cyberspying bill through without any real transparency or debate on the final text. In the last week, they’ve dropped all pretenses that this is a bill to improve security.”

“Gutting the already insufficient civil liberties protections that the bill offered has made it clear that this is a mass incarceration bill that will empower the government to prosecute and jail people using the data they collect from companies through this program for a wide range of offenses that have nothing to do with cybersecurity or terrorism.”

He also called on President Obama, who has already promised in the past to stop any cybersecurity bill that doesn’t have strong privacy protections, to veto the bill.

“Now is when we’ll find out whether President Obama really cares about the Internet and freedom of speech, or whether he’s happy to roll over and allow technologically illiterate members of Congress [to] break the Internet in the name of cybersecurity. This administration promised to veto any information sharing bill that did not adequately protect Internet users’ privacy, and the final version of this bill doesn’t even come close. It’s time for President Obama to deliver on his word,” added Greer.

Update, 12/16/15, 9:45am PT: Senator Ron Wyden, who is a member of the Senate Intelligence Committee and has called CISA a "surveillance bill by another name" in the past, issued a statement on the latest, "worse" version of the bill as well:

“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today. Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections,” said Wyden.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.