Provision In Congress-Approved Spending Bill Worries Privacy Advocates

Dec 19, 2015
Originally published on December 19, 2015 9:51 pm

A cybersecurity measure was one of many provisions lawmakers tucked into the massive $1.1 trillion federal spending bill that Congress approved on Friday. It's aimed at fighting the theft of data held by big companies, by allowing those companies to share information with each other and with the government. But it has privacy advocates very worried.

Congress has been wrestling with the cybersecurity issue for years, and after each big data breach from health insurance companies, retail stores and the government, the pressure on lawmakers to act only increased.

The measure they came up with allows companies that have been hacked to share with other companies the details of the hack or virus, without fear of running afoul of antitrust laws. The bill would also shield them from being sued by their customers for turning data over to the government. That allows federal agencies to work with companies to ward off cyber attacks. Supporters call it a "Team America" approach.

But opponents, including Democratic Sen. Ron Wyden of Oregon are not convinced. Wyden says, "Any legislation that lacks adequate protections for Americans' privacy is not a cybersecurity bill. It is a surveillance bill by another name."

Wyden and privacy advocates say the measure is flawed because, while it stipulates that companies turn their data over to the civilian Department of Homeland Security, the data could still wind up with the National Security Agency or law enforcement agencies like the FBI, if Homeland Security decides it's necessary.

Democratic Congressman Adam Schiff of California, who supports the measure, says sharing the data on cyber attacks within the government is crucial, "and it doesn't make sense to say we're not going to let the Department of Homeland Security tell the NSA what the malicious code looks like."

Schiff, who is the top democrat on the House Intelligence Committee, says "that was a problem we had pre 9-11, when our intelligence agencies and our law enforcement agencies weren't allowed to talk to one another."

And, he says, the measure does include privacy protections. Companies are supposed to scrub the data they turn over to the government of personal identifiable information.

"It well balances the need to share this information and protect ourselves from these hacks, which are the biggest invasion of our privacy, while making sure the information that's shared is not abused," he says.

Schiff concedes that some data could be turned over to law enforcement if it contains information about a possible criminal action or could help prosecute hackers.

Wyden however, contends the measure fails to provide either privacy protection or much protection from cyber criminals.

"We live in a very, very dangerous world, that is not what's in question," he says. "What we need are policies that protect both our security and our liberty, and I'm increasingly concerned that these so called feel good bills are going to give us less of both."

As expected, the cybersecurity measure has passed as part of the spending bill. And the Obama administration has indicated it supports the provision.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.