Privacy Government

US Budget Bill Passes With CISA Surveillance Intact (npr.org) 153

An anonymous reader writes: Early on Friday, the U.S. Senate approved the 2,000 page 'omnibus' budget bill that allocated $1.15 trillion in government funding. Later in the day, President Obama signed it into law. Because the budget bill was so important, many other pieces of unrelated legislation were tacked onto it, including the Cybersecurity Information Sharing Act, a bill notable for giving the government increased internet surveillance powers. Civil rights activists and tech experts largely consider it a "privacy disaster," and several lawmakers voted against the budget bill solely for CISA's inclusion. Senator Ron Wyden (D-OR) said, "Unfortunately, this misguided cyber legislation does little to protect Americans' security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers' private data with only cursory review." Corporations in the U.S. will now have "legal immunity when sharing consumers' private data about hacks and digital breaches." The full omnibus is available online (PDF). The CISA provisions start on page 1,728.
This discussion has been archived. No new comments can be posted.

  • War on Privacy (Score:5, Interesting)

    by pellik ( 193063 ) on Saturday December 19, 2015 @10:50AM (#51149877)
    Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.
    • Re: (Score:3, Insightful)

      by KGIII ( 973947 )

      I believe, if certain Slashdot posters are to be taken as the consensus, it's the Republicans and they want us to die.

      Actually, I think they just don't actually give a shit any more.

      • by Anonymous Coward

        More Democrats than Republicans voted for this Omnibus (As in, "Everything you want aboard the Omni-bus!") budget bill, in both the House and Senate.

        But don't worry, Slashdot's nerds will always blame the Republicans, as usual.

        • by Anonymous Coward

          More Democrats than Republicans voted for this Omnibus

          I'll give you that, now answer me something. Who (from which party) inserted CISA into the budget bill?

    • by Anonymous Coward

      Politicians don't care what you want because you're not the one giving them campaign money. Until we have real meaningful campaign finance reform we're never going to have politicians that care what we think.

      Politicians claim that they do not give donors special considerations, so we should call their bluff. Instead of a book full of complicated campaign finance laws we just need a simple government agency that processes all campaign contributions and anonymizes them before giving them to the candidate of c

    • Re:War on Privacy (Score:5, Insightful)

      by nmb3000 ( 741169 ) <nmb3000@that-google-mail-site.com> on Saturday December 19, 2015 @01:12PM (#51150373) Journal

      Is privacy such an enemy of the state now that they have to push it through in the budget bill? Why is ramming this through such a high priority for the Senate? Privacy used to be a second class issue. It hurts to watch our interests be so blatantly ignored by our governing body.

      I agree, which is why I strongly suggest that everyone interested in this take a minute to look at the omnibus vote records from the House [govtrack.us] and the one for the Senate [govtrack.us]. If your representatives voted different than you want, take a few minutes to reach out to them. A phone call, email, or even (gasp) a physical letter will let them know what you think.

    • Re:War on Privacy (Score:5, Interesting)

      by Blue Stone ( 582566 ) on Saturday December 19, 2015 @01:47PM (#51150543) Homepage Journal

      I read a rather insightful comment elsewhere saying that our securocrats have simply redefined privacy.

      Privacy is now defined as 'the state not currently looking at what information they hold on you'.

      Rather chilling, I thought.

    • Re:War on Privacy (Score:4, Interesting)

      by kheldan ( 1460303 ) on Saturday December 19, 2015 @02:21PM (#51150675) Journal

      Is privacy such an enemy of the state now that they have to push it through in the budget bill?

      Riders on sweeping bills like the one that keeps the Federal government's doors open are SOP for our government, and have been for a long time now. Very often things literally get sneaked into it, hoping it doesn't get noticed, considering the full text of the bill is thousands of pages. It's 'high priority' for the Senate because otherwise the Federal government literally shuts down due to no funding; people literally get sent home without pay, contractors don't get paid, services to citizens stop, etc.

      ..enemy of the state..

      Yes, apparently, it is, now. Look at how the younger generation views the concept of 'privacy': they 'share' every gods-be-damned little thing on social media platforms, never really giving a single thought to who or how many people are actually able to access and use that data however they wish, and they're convinced that anyone who values 'privacy' and goes out of their way to keep their lives private are either 'too old to understand' or that they're criminals/terrorists/predators and 'have something to hide'. This (in my opinion, so take it with a grain of salt, please) is due to the younger generation having been indoctrinated, from birth, to believe 'privacy is bad and selfish', and 'good people share', and Corporate America and our own government are behind it. Three-letter agencies love being able to see everything all the time, and if they had their fondest wishes, I wouldn't at all be surprised if they'd have us required to have cameras and microphones in our homes and in our vehicles, 'for our own safety', naturally, but so far pesky things like the rule of law, the Constitution, and the concept of basic human rights have kept them from doing things like that.

      • I'm not quite sure where the idea came from, maybe the Brits, but South Africa has a brilliant article in our constitution that a bill dealing with the appropriation of funds or taxation can only deal with that and no other item.

        Somewhere we learned that lesson that the US government doesn't want to have to learn.

    • Yes it is important and like any other legislation our politicians see as important, if the legislation is rejected by voters they simply attach it to other bills such as budget bills. The US Government has been trying to eliminate privacy for many years. First they wanted to monitor the internet and phone conversations to win the "war on drugs" then it was to catch sex offenders and now it is a "necessary tool" for the war on terror. Even though CISA was rejected by US Citizens our politicians feel that th
      • Let me add that the Patriot Act was probably just a bunch of inserted bills that prior to 9/11 were unable to pass and had so many last minute add-ons that the paper was still warm from being printed when Congress passed the Patriot Act. Another example is the Affordable Care Act where Congresswoman Feinstein was quoted as saying "we have to pass it before we know what's in it".
  • by Anonymous Coward

    I am disgusted by how many people happily accepted this situation where the government actively works against the public interest, all in the name of security, for your own good.

    All the people responsible for this treachery, and the people working for them, deserve a fair trial.

  • Get a VPN already, Slashdot offers a lifetime PureVPN membership for 69$, but the offer is only valid for the next 14 hours.

    https://deals.slashdot.org/sal... [slashdot.org]

    • Re:VPN (Score:4, Informative)

      by KGIII ( 973947 ) <uninvolved@outlook.com> on Saturday December 19, 2015 @11:21AM (#51149975) Journal

      I contacted them in the past. They log.

      • If they're in the USA and log, they're effectively agents for the state, now.

      • Use Private Internet Access and a server in a jurisdiction that doesn't log.

        • How about no? I say we rent a bus, park it out front of the capitol, and begin throwing people under it until such time as they rescind this "law."

          Quietly ceding territory has never been a good long term strategy, and freedoms lost due to appeasements are rarely restored with ease.

    • I would jump all over this if they listed anything about not keeping records.

      The VPN I currently use makes a specific note about not keeping any records as a selling point, and they haven't given me any reason to believe otherwise so far.

    • Re:VPN (Score:4, Informative)

      by Burz ( 138833 ) on Saturday December 19, 2015 @05:38PM (#51151387) Homepage Journal

      PIA [privateint...access.com] doesn't log IIRC, and they have good deals.

      Here is an email guide [thesimplecomputer.info] to start with (there are no ideally private email providers, but many are better than gmail). Riseup and ProtonMail look interesting.

      A note about using PGP email: This still leaves a trail that is rich in metadata (the who/when/where parts of the messages). Only the what is concealed, leaving much to be desired.

      More interesting are new messaging apps which the EFF has rated. [eff.org] I think Signal, Ostel+Jitsi and RetroShare look the most promising. Ring [ring.cx] is a newcomer that uses OpenDHT and promises to be what Skype might have been.

      For just increasing privacy a couple notches while browsing, add the following extensions (Firefox): Privacy Badger, HTTPS Everywhere, Adblock Edge (not sure if AE is really needed with PB). Using a Firefox derivative like IceWeasel or PaleMoon won't likely include ad-based features that might compromise privacy (though Mozilla is said to have removed ads anyway).

      As for browsing with Tor, you cannot beat Qubes OS with the Whonix package. This will help you blend in more and prevent exploits over Tor from accessing any personal data. A system with IOMMU hardware and BIOS is recommended.

      After all these years, I2P is still progressing and growing. It marries technologies like onion routing and DHT and its 'I2P Bote' messenger may be the best in class, IMO. Of course, I2P is meant to route all kinds of traffic and even has bittorrent built-in. I'd also recommend running I2P in a Qubes domain, although it comes with TAILS if you're more comfortable booting with that.

    • by AHuxley ( 892839 )
      The problem with a VPN is that the US and UK security services have no problem with allowing them. i.e. discovery of the original IP does not pose any real technical challenge to most advanced nations (5 eye and friends).
      "No logs" becomes moot if the original network or provider IP leaks or is recoverable every session.
      With CISA entire private sector networks can become a part of "collect it all" portal for the US gov/mil at a telco or brand level.
      No more privacy protections, US court limitations, que
  • by Anonymous Coward on Saturday December 19, 2015 @11:09AM (#51149927)

    Completely unrelated laws "riding" on other bills... There should be a law against that.

    • by Anonymous Coward

      Either the senate's rules should be changed to disallow riders, or we should reconsider the line item veto (43 states have it, according to Wikipedia). I think the former makes a ton more sense.

    • by Anonymous Coward

      Someone should ride that law onto one of these bills.
      The irony would be incredible.

    • Re: (Score:3, Insightful)

      by KGIII ( 973947 )

      We'll have to tack it onto the next budget.

      I wish I were kidding.

    • Many countries HAVE a law against that.

      • by Anonymous Coward

        The US tried it, several ways. The problem is that the Congress is given authority to write bills however it wants (with a very few restrictions) by the Constitution. So no law or rule of Congress can prevent Congress from doing whatever it pleases with bills.
        The Line-Item Veto was a different attempt to rein in the Congress, but that too was unconstitutional, because it expanded veto powers beyond the clearly spelled out limits.

        If you want rules like one-topic-per-bill, or line item veto, then it has to

        • by lgw ( 121541 )

          If you want rules like one-topic-per-bill, or line item veto, then it has to be a Constitutional Amendment. And not enough states, much less Congressmen, are willing to lose that much power.

          The line-item veto gives an insane amount of power to the president's party. Think about how it can be gamed. Imagine this had gone a better way, and CISA was tacked on, then the GOP (this is imaginary) had further amended it to make CISA less crazy and that bill passed. Obama could then line-item veto the specific fixes to CISA leaving the original as the bill, because of the way bills evolve as a series of amendments amending amendments.

          One topic per bill is what we need especially for budget bills. B

          • by Cederic ( 9623 )

            What the fuck is wrong with having the bill, and amendments to the bill.

            Vote on the amendments first - e.g. 'motion to strike CISA from this bill'
            Then vote on the amended bill.

            That's how it works in the UK, and it does work. Sure, bad laws get passed, but even worse laws get amended.

    • Exactly, these things should be broken down into essential parts and voted upon individually. Like *nix do one thing and do it well.

    • They allow it so that they can feign incompetence and that they were "forced" or "tricked" into passing the unpopular law that they've been itching to pass.

    • There should be a constitutional amendment against it.
  • The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed. The act also states that privacy and civil liberties factors are included. Before people need to read the and attempt to understand before jumping to conclusions.
    • Indeed, I wouldn't have voted for CISA, threat information is -already- shared without the immunity of CISA, so it's not needed. But it's also not that bad, if implemented as written. There are a few major companies that provide security services to other companies. Each has thousands of clients, and they already pool the relevant data to see trends.

      Although the new law probably is not required, it also doesn't actually do much more than what already happens, and should be happening. It's not that bad, assu

    • by Anonymous Coward

      That's like the 'meta data is anonymous' claim, it's false. There is no way to strip user info from that data, as AOL found when they released their user searches. But in this case it's simply cover. Each record is individual and has an id in it to make it a trivial cross join to pull up the details.

      Read the admission from the UK spooks, on their bulk anonymous surveillance, this is much closer to the truth of the situation:


    • The act clearly states on page 1740 that personal information needs to be removed from data that is shared. The act also states that any violation of this will require notification of the person if this is not followed.

      Only information which is (A) personally identifiable, AND (B) not relevant to the investigation. Guess who decides relevance?

      Meanwhile, we also know for a fact that it's rather easy to mine personal identifications out of aggregate "depersonalized" data, since there's a story on Slashdot every couple of weeks where someone has done it in order to get their Master's degree.

    • The act clearly states on page 1740 that personal information needs to be removed from data that is shared.

      You misunderstand the context. This is for sharing of data already in possession of the government with non government consumers. The point many people find objectionable /w CISA is summary transport of their data to the government with no legal recourse... This does not address that. It only addresses retransmission outside of the government domain.

      act also states that any violation of this will require notification of the person if this is not followed.

      You mean this:

      "any United States person whose personal information is known or determined to have been shared by a Federal entity"

      This is a continuation of t

    • by AHuxley ( 892839 )
      All the privacy protections got removed. Sharing of all data back with the US gov is the entire point. What use is a US gov portal deep into the US private sector with data missing, logs altered, randomized... timestamps or IPs removed or text strings redacted?
      A protection might stay in place not to leak, talk about, keep in plain text, the data to a 3rd party and store in a correct way until the US gov needs the data.
      i.e. the data is kept safe for the US gov and not talked about or findable in any way
  • These all-in-one compromise bills are what it's best at. The people get the short straw every time. They pay for their own enslavement.

  • by Anonymous Coward on Saturday December 19, 2015 @11:25AM (#51149993)

    So basically any private data can be *sold* to NSA etc. for political, commercial and 'terrorist' surveillance as long as the company self declares it 'for cyber attack analysis'.

    Ask yourself a simple question, why would a vague minor 'cyber threat' data exchange get pushed through in a budget measure if it was so innocuous? Obviously it was what we thought it was, a cover to legalize all the bulk mass warrantless surveillance shit that is still going on.

    And I say 'Sold', because several companies lobbied for it, which suggests to me they've been promised money in exchange for the data. A hidden subsidy into US corps to buy their complicity in the surveillance.

    And the solution? Well don't buy USA made kit. It kinda sucks and don't use USA services where possible. Americans don't have a lot of choice, but the rest of the world has.

    In other news, we find out that UK has its own version of 'Parallel Construction', MI5 GCHQ not only spied on brits they briefed police in secret to arrest people and fake evidence trails. Now we know why they said "we briefed the police if people were innocent to let them go"... to explain all the meetings between spooks and police!

    • by AHuxley ( 892839 )
      Nations will just do more in house, protect their own nation's networks, tack on national interest clauses when offering once global tenders.
      Having all data hosted in another nation that shares data with another gov in direct competition by default is not best practice.
      Domestic brands and local staff will then get the wealth of their own nations spending regardless of staff skill, cpu costs, processing power, cooling costs.
      Any "cloud" product is now a huge security risk for any other nation's data sets.
  • In fact, both of my Senators, Sessions and Shelby, AND my Representative voted against. I don't think the CISA part of it was the reason they did, though. They're as much in favor of big government surveillance as most Congresscritters.

    We live in strange times when Republican Senators from Alabama and Bernie Sanders vote the same on anything, albeit for different reasons.
  • by Chas ( 5144 ) on Saturday December 19, 2015 @12:02PM (#51150121) Homepage Journal

    Land of the free-ish.
    Home of the "fuck you peon scum!"

  • Cut and paste line numbers (unfortunately) included.

    1740 section E: . .. include procedures that require a Fed-5
    eral entity, prior to the sharing of a cyber 6
    threat indicator— 7
    (i) to review such cyber threat indi-8
    cator to assess whether such cyber threat 9
    indicator contains any information not di-10
    rectly related to a cybersecurity threat that 11
    such Federal entity knows at the time of 12
    sharing to be personal information of a 13
    specific individual or information that 14
    identifies a specific individ

    • Section 1741 F:

      (F) include procedures for notifying, in a timely manner, any United States person whose
      personal information is known or determined to have been shared by a Federal entity in viola-
      tion of this title.

      • 1746 (2)
        TION.—A non-Federal entity sharing a cyber threat 10
        indicator pursuant to this title shall, prior to such 11
        sharing— 12
        (A) review such cyber threat indicator to 13
        assess whether such cyber threat indicator con-14
        tains any information not directly related to a 15
        cybersecurity threat that the non-Federal entity 16
        knows at the time of sharing to be personal in-17
        formation of a specific individual or information 18
        that identifies a specific individual and

        • Section 1754:
          (A) shall include guidance on the fol-1
          lowing: 2
          (i) Identification of types of informa-3
          tion that would qualify as a cyber threat 4
          indicator under this title that would be un-5
          likely to include information that— 6
          (I) is not directly related to a 7
          cybersecurity threat; and 8
          (II) is personal information of a 9
          specific individual or information that 10
          identifies a specific individual. 11
          (ii) Identification of types of informa-12
          tion protected under otherwise applicable 13
          privacy laws that ar

          • 1756 (3) (longish one)
            consistent with the 12
            need to protect information systems from 13
            cybersecurity threats and mitigate cybersecurity 14
            threats— 15
            (A) limit the effect on privacy and civil lib-16
            erties of activities by the Federal Government 17
            under this title; 18
            (B) limit the receipt, retention, use, and 19
            dissemination of cyber threat indicators con-20
            taining personal information of specific individ-21
            uals or information that identifies specific indi-22
            viduals, including by establishing— 23

  • 1768 c (ii)

    in a manner that protects from 1
    unauthorized use or disclosure any cyber 2
    threat indicators that may contain— 3
    (I) personal information of a spe-4
    cific individual; or 5
    (II) information that identifies a 6
    specific individual; and 7
    (iii) in a manner that protects the 8
    confidentiality of cyber threat indicators 9
    containing— 10
    (I) personal information of a spe-11
    cific individual; or 12
    (II) information that identifies a 13
    specific individual.

  • OK so there are a few more mentions of PI in the bill regarding the govt's duty to report to the public the number of times cyberthreat info was shared and how many times PI was shared but it doesn't seem to be the privacy disaster it's being made out to be by some. Maybe I need the bill explained to me by someone who understands its implications better.

  • Sorry still don't get what is so bad. It doesn't compel sharing. The objection I read here:

    http://www.wired.com/2015/03/c... [wired.com]

    is that only info "known at the time it was shared to be innocent PI" must be stripped. This is supposedly some sort of gigantic loophole. Well it's a true fact (damn those!) that in a DDOS the victim has small chance of sorting out the innocent from the guilty, so they therefore can't share that information? Makes no sense.

    The working assumption is the NSA will use this is some cynic

  • To the president that is. That or he liked the whole package, considered it "a job well done."

  • Ron Wyden should then introduce a bill that repeals CISA...or hope that the Italian lock maker intervenes due to trademark infraction.
