US Senate approves CISA cyber-spy-law, axes privacy safeguards

The US Senate has passed the Cybersecurity Information Sharing Act (CISA) by 74 to 21 votes, with five abstentions. "This landmark bill finally better secures Americans' private information from foreign hackers," said Senator Richard Burr (R-NC), one of the bill's sponsors. "This legislation gives the government and US …

  1. elDog

    Bend over, citizens

    And spread your cheeks.

    I can't wait until some of the clueless U.S.of.A legislators (mainly Republican) get caught up in their own dragnet. They always seem to be the ones who rail against perverts but end up being the ones with naughty bits out there.

    In any case, none of this will make any difference. The "legal" and "security" parts of government have always done what they have wanted and freely shared with the megacorps. Sweet dreams, everyone.

    1. g e

      El Reg opportunity?

      For a roundup of any non-US-based internet services/sites which people may wish to evaluate?

      (Or did El Reg do this already and I was sleeping at the wheel?)

      1. NoneSuch Silver badge
        Big Brother

        Simple solution

        Do not use American OS's.

        Do not use "approved" American encryption.

        Do not buy American hardware.

        Store nothing online you don't want them to know.

        Vote with your wallet and let them wither on the vine. They're 18 trillion in debt now and pissing off the world. Let's see how that works out for them.

        1. amanfromMars 1 Silver badge

          Re: Simple solution ... @NoneSuch

          Vote with your wallet and let them wither on the vine. They're 18 trillion in debt now and pissing off the world. Let's see how that works out for them. .... NoneSuch

          These two clocks, NoneSuch …. http://www.usdebtclock.org and http://www.usdebtclock.org/world-debt-clock.html ….. tell a fundamentally sad and quite mad tale of systemic western malfeasance and surely continuing bankrupt insolvent activity, for Uncle Sam is not alone in the lunatic asylum, is he? John Bull also skulks in there spinning viral nonsense via Parliamentary proxies to the masses.

    2. DropBear

      Re: Bend over, citizens

      "In any case, none of this will make any difference."

      I beg to differ. It will indeed make no difference whatsoever to current actual practice regarding these matters - snoopers will continue to snoop exactly as before; however, what this does is push further the perception that snooping is an ok (or even virtuous) thing to do, both in political circles and in public view. Granted, the post-Snowden public is not exactly receptive to being snooped on but the general opinion is slowly swaying towards less and less expected privacy already - just compare what millennials think is acceptable to what we old farts think is...

  2. Shadow Systems

    Welcome to 1984.

    I am ashamed, bushwhacked, concerned, Depressed, & disgusted at what this nation has become. I'm afraid that the only way to fix this bowel clenching, gut churning, abysmal cluster fuck will involve an Armed Revolution, the slaughtering of those in power, & the complete & utter replacement with people willing to stand up against the corporations, corruption, & bullshit that's been forced down our throats. This is NOT what the Founding Fathers wanted when they established us, and if they were alive today they'd probably be gathering the forces required to march on the places of power.

    The Tree of Liberty is in dire need of watering, and it may take copious amounts of bloodshed to fix what the politicians have made bitter & fetid.

    I weep.

    1. Grikath

      Re: Welcome to 1984.

      well yeah... It's ...disturbing.. to see that the US government currently manages to make the old Soviets like *good guys* ...

      1. CrazyOldCatMan Silver badge

        Re: Welcome to 1984.

        > .disturbing.. to see that the US government currently manages to make the old Soviets

        > like *good guys*

        When I worked at a Motorola tentacle I got in trouble for having a poster with a US flag and a Soviet flag with the tagline of "two evil empires, one down, one to go..".

        Apparently, a recently-imported[1] redneck manager[2] didn't approve of it.

        [1] MotRot had a policy of never making a manager above a certain grade redundant - instead they just shipped them off to anywhere with spare headcount/budget. Even if they had to create an utterly un-needed management post for them. And reduced the budget for actual, needed headcount.

        [2] Our IT director (herself a citizen of leftpondia) was somewhat amused by it..

      2. Solmyr ibn Wali Barad

        Re: Welcome to 1984.

        manages to make the old Soviets [look] like *good guys*

        Depends on the era. Stagnated and formerly-known-as-evil society of 1984 is easily achievable. Just unite two dominating political parties into one.

        Reaching the horror of 1950 requires a dictator-demigod. But the current executive branch seems already strong enough for the job, so the stage is set.

    2. Mark 85

      Re: Welcome to 1984.

      I quite agree. We're screwed and we didn't even get kissed.

      I believe this is another step towards isolationism and some form of totalitarianism. The Constitution has become less than toilet paper, or so it would seem. I would like to think that the isolationism will come from outside the country... our businesses will be padlocked and ran out of any other country on rail and justifiably so since the infinitely wise Congress didn't bother to protect "non-citizens" at least.. When the corporates get hit in the bottom line maybe they might have a chance of turning this around via the "lobby". Or, they'll probably screw us worse and get the rest of the world to join in this steaming pile.

      Wishful thinking on my part... At some point, the military should, but won't, rise up to their oath to defend the Constitution. I took that oath 50 years ago and according to the papers I signed then, I'm still bound by it. Just really too damn old to go head to head with the US Army.

      This is a sad day indeed.

    3. Anonymous Coward

      Re: Welcome to 1984. @Shadow Systems

      >Armed Revolution, etc...

      Isn't one of the arguments put out by the whackos that the right to bear arms is to protect the people from government? So what are you all waiting for?

      1. Destroy All Monsters Silver badge
        Holmes

        "Give Me Liberty" by Frank Miller

        > So what are you all waiting for?

        These things are like stockmarket crashes, or avalanches. It is unclear when or why, but then...

        But I can't go too far; a breakdown of the ultra-optimized / just-in-time delivery system that makes modern society hum will cause havoc in a VERY short time. It's like an explosive collar...

        The sad thing is that after a removal operation driven by idealism, mythology and anger which survives the forces of the status quo (in this case, well-militarized police forces, the private armies managed by some very dubious individuals and the professional armies), it is a fact of history that fascism comes in even harder as the sociopathic ruthless and charismatic rise to the top even more unfettered by the appearance of law than before.

        Well, historians sure will be busy.

      2. g e

        Re: Welcome to 1984. @Shadow Systems

        Europe will PPV if the uprising is televised. Popcorn!

      3. The Dude
        Black Helicopters

        Re: Welcome to 1984. @Shadow Systems

        "...So what are you all waiting for?"

        if I'm not mistaken, the Magna Carta requires Brits to "join with the barons" and do pretty much the same thing. What are you waiting for?

        1. Anonymous Coward

          Re: Welcome to 1984. @Shadow Systems

          Dude, yes you are mistaken.

  3. Duncan Macdonald
    Mushroom

    Goodbye Cloud

    When this bill is signed into law, it will be impossible for any company (or government) in the EU to legally allow ANY processing of personal data to be done in the US or on a computer system owned by a US company. (If "Safe Harbor" was still in effect then this would be enough to kill it !!!)

    1. Anonymous Coward

      Re: Goodbye Cloud

      Also cloudy software...with Safe Harbour gone it'll technically be illegal to use Win10 and Office 365; Facebook etc for anything that isn't personal use. Dropbox, Skype, WhatsApp and so on. The moment you enter any data that isn't yours (someone else's phone number, say) it's illegal.

      1. bazza Silver badge

        Re: Goodbye Cloud

        On the face of it it's not this that makes Windows 10 and Office 365 dodgy. It's the ongoing warrant court case that's threatening that. If Microsoft win that court case then they can continue to serve their European customers out of their data centre in Ireland. No one has yet said that this new legislation short circuits that court case, but I guess there may be something in there. We shall see what happens next.

        It certainly is the case that this new legislation will make it more difficult for American companies to have European data in America.

        The situation is evolving very quickly. For American companies to continue to operate in Europe and the rest of the world they may have to relocate outside of America. Arranging their businesses so that they are independent of the United States will take quite some time, time they have not got.

        However this situation is partly of the companies' own making. They have built up their businesses on the assumption that it is okay to harvest, process and exploit customers' private data. They have done this without a suitable legislative framework being put in place first. Now that the legislative frameworks are being put in place, and that they are turning out to be very incompatible, it is going to be impossible for their businesses to continue in their current form.

        Ironically there is growing recognition across European governments that cyber security is a threat to their own national security. Bad guys do use online services for communicating and planning terrorist plots. Various countries in Europe are passing some fairly draconian data access laws in the name of national security. You also have to remember that in some countries in Europe (e.g. France) it is possible to have a secret law that the public are unaware of.

        [For example in France the French president has the power to censor media and newspapers. It is illegal to report that the president has that power. And French presidents do use that power to cover up things they do not want reported. That doesn't stop these matters being reported in the British press! This power was used by Jacques Chirac to pardon a political colleague who had been convicted of corruption. This resulted in this colleague serving his "time in prison" whilst actually residing in a very nice villa in the south of France keeping a low profile]

        How these national laws end up interacting with European laws remains to be seen. There is a grave risk that national and European and American laws all end up being mutually incompatible. The end result may be mass fragmentation of online services as it may become impossible to offer an online service across national boundaries. This would clearly be totally fucking ridiculous.

        1. Nigel 11

          Re: Goodbye Cloud

          The end result may be mass fragmentation of online services as it may become impossible to offer an online service across national boundaries. This would clearly be totally fucking ridiculous.

          Why, and why?

          It may become impossible to store personal data submitted in one country, on computer systems in another. Except for very small countries like Monaco, why is this a problem? At worst it would result in the creation of a quantity of one-nation cloud providers "cloud.uk" "cloud.de" etc. to replace Amazon, Microsoft etc. If this is the result, it will be a consequence of the US government's overreach, in making it impossible for any US corporation to operate an EU subsidiary (f.ex Microsoft Ireland) under EU (Irish) law. Bullet, meet foot.

          This won't mean that you can't operate a business across international boundaries. Just that if you want to store your customers' personal data for longer than is necessary to satisfy their request, or if you wish to acquire more data than is strictly necessary to satisfy their request, you will need to make sure it's stored in their country, not in some jurisdiction which allows for the leaking -- or theft -- of their data without their consent and without the sanction of their own nation's laws. If you don't have the scale to justify multiple datacentres of your own, there will be national clouds for you to use.

          Do any readers have enough knowledge of Switzerland to tell us how it works there? Switzerland seems to be the developed economy country that values data privacy and security most highly.

          1. Doctor Syntax Silver badge

            Re: Goodbye Cloud

            There are ownCloud and Kolab services hosted there: https://owncloud.org/providers/ and https://kolabnow.com/

      2. SolidSquid

        Re: Goodbye Cloud

        Not quite, there's still the question mark over what happens with non-US hosted systems owned by US companies. I believe there's currently a court case with Microsoft over whether they have to hand over data from an Irish data centre which will probably decide this (Microsoft is understandably fighting it tooth and nail), and if it goes in favour of "companies are required to provide the data" then the EU will not be able to use *any* US company's services. Hell, even companies offering co-location like Rackspace might run into issues with this since the data is in their data centre and they have access to it

        1. Doctor Syntax Silver badge

          Re: Goodbye Cloud

          "there's still the question mark over what happens with non-US hosted systems owned by US companies."

          I think the solution there would be to arrange for EU owned and managed companies to run these as franchises with strict hands-off franchise contracts under EU law.

    2. Gordon 10
      Unhappy

      Re: Goodbye Cloud

      Not really, most of this bill is about voluntary compliance. It's fairly toothless, you just make damn sure there is a clause in your contract with a US company that you would regard any sharing under this act as a breach of contract, and make sure your contract is with a non USIan part of the company.

      In practice apart from a few companies being dicks I don't expect this to make a big difference compared to the current slurpage plus the failure of safe harbour.

      This is really just about the junior law enforcement arms not having to ask the NSA for sloppy seconds.

      1. Schultz

        "most of this bill is about voluntary compliance"

        No, the bill is about protecting the a**es who (il-) legally hand over data to the 3-letter agencies. Now they are not liable for breaking the law.

    3. MacroRodent

      Re: Goodbye Cloud

      it will be impossible for any company (or government) in the EU to legally allow ANY processing of personal data to be done in the US or on a computer system owned by a US company.

      So now it would be a very good time to start a European-only cloud business! Not that it will really help very much to safeguard privacy, since various EU governments will want to snoop too, but it would help EU companies use cloudiness and still obey EU laws.

  4. Anonymous Coward
    Big Brother

    Land of the free...

    ...home of the [insert your comment here].

    1. Anonymous Coward

      Re: Land of the free...

      Populations get the government they vote for...

      1. Kevin Johnston

        Re: Land of the free...

        To an extent...My understanding of the US voting system (which may be totally wrong, please feel free to correct) is that while there is the possibility to have a 'write in' candidate, essentially you can only vote for the people that the parties decide to put forward. This means the deck is stacked to meet various agendas and without a massive co-ordinated effort by the population at large, they have no true choice in who gets into power.

        1. Anonymous Coward

          Re: Land of the free...

          To paraphrase

          To an extent...My understanding of the US voting system (which may be totally wrong, please feel free to correct) is that the winner is the one with the most money behind them.

      2. Jason Bloomberg Silver badge
        Big Brother

        Re: Land of the free...

        Populations get the government they vote for...

        In a multi-party first past the post so-called democracy they often get a government the majority of voters did not vote for.

        Even in a two party system there are electoral college effects which deliver results other than what the electorate would collectively like.

        1. Irony Deficient

          Re: Land of the free…

          Jason, the US electoral college is (for 48 of the 50 states) precisely FPTP — it’s possible for a minority of popular votes to select sufficient Electors to elect the president and vice-president, which happened in the 1876 election.

          1. Anonymous Coward

            Re: Land of the free…

            The fact that someone can win with a slight minority of the popular vote isn't a big deal. Democracy's fatal flaw is that the voters' choices are predetermined by powermongers. This is true of every system from the US two-party machine all the way down to small-group consensus. The people with busy lives always get overruled by the 'organizers' and such.

  5. tom dial Silver badge

    In reading the full text of the bill several days ago, I did not see that it required any private entity to share anything whatever with any government agency. I did see explicit requirements that personal data should be scrubbed by a company that elected to submit information unless the information was necessary to properly describe the threat. And I saw that companies that elected to submit information could not be held liable for breaching their privacy policies so long as they complied with the requirements of the law.

    If that has changed, it would be helpful if the article or one or another comment pointed out where. The only suggestion is the bit where a receiving agency need not scrub the data further for personal information if they are in a hurry, which should not be a very large problem if the original submitter complied.

    Without reasonable doubt the law is imperfect, as most laws are, and can be improved, but based on what went into the grinder last week hardly seems likely to bring about the end of liberty and privacy.

    1. This post has been deleted by its author

    2. Destroy All Monsters Silver badge
      Holmes

      It's about the Security State, nothing else.

      We shall wait for more analysis ... and actual case law. If someone whistle-blows, that is.

      Of course, if this law is harmless, imperfect or worse ... why even have it? And make case application secret? Some people want it badly under a smokescreen. The White House is as usual horse-trading and having a spine-bending quid-pro-quo with somebody else. The package cannot even be sold on its own merits, of which there are none. For the public, at least.

    3. 404

      Lessee... Tom Dial... Naughty List...

      ... 'Enabler of additional gray area for Feds to "Oops", "Rogue Operator", and "I'll Take the 5th for $1m parachute, Alex" as Federal legal shenanigans abound'.

      Filed under That Depends On What The Meaning of Is, Is.

      - Santa Xmas, North Pole, Neptune.

    4. Old Handle
      WTF?

      Yes it's voluntary. It gives companies the right to voluntarily violate their users' privacy and lie to them about it with impunity. You think this is a good thing... or at least an OK thing... why exactly?

      1. tom dial Silver badge

        "gives companies the right to voluntarily violate their users' privacy and lie to them about it with impunity"

        The proposed law does not do that. Paragraphs (A) and (B) of Section 104(d)(2) require removal of information that identifies a specific person before submission to the federal government. Nothing in the bill permits a company that chooses to share information to lie to any of its customers.

        There also is no requirement to share with customers whose personally identifying information was included in a submission under the proposed law, although in most known breaches companies have done so and often have paid for mitigations like credit monitoring.

  6. auburnman
    Black Helicopters

    Anti-competitive

    The way I read it government is trading commercial protection for the existing (co-operative) Oligopolies for the rights to trawl their data.

    Think about it: this makes it impossible for companies to compete on a platform of privacy and non-cooperation with the spying agencies because immunity from prosecution for doing so makes any privacy clauses in contracts worthless.

    I wonder if any of the big corporations has the balls to try and get this struck down for preventing them from freely contracting with their customers?

    1. Warm Braw

      Re: Anti-competitive

      >I wonder if any of the big corporations has the balls to try and get this struck down for preventing them from freely contracting with their customers?

      "Freely contracting" is not a term I'd apply to most of the click-through agreements these big corporations impose on their customers. If they could strike down this kind of interference in their "free" contracting, then they could get consumer protection legislation struck down just as easily - and I know which one they'd be keenest on.

      1. auburnman

        Re: Anti-competitive

        I don't think this interference and consumer protection are comparable here, specifically because immunity from prosecution is mentioned in the spying scenario. That's a super dangerous precedent to set that could practically legalise straight-up lying to customers in contracts (way beyond current weasel wording.)

    2. tom dial Silver badge

      Re: Anti-competitive

      Even the most cursory reading of the bill would disclose that participation by any company is voluntary. The government already has ample means, in the form of court orders or warrants, to compel production of data.

  7. scrubber

    Panopticon

    I know the internet was conceived as a way for people to share data but come on...

  8. amanfromMars 1 Silver badge

    AI Leading Question[s]

    Is the UK following the US, with a clone of the operation, or has it been leading the US with its own spooky systems already in place and working?

    And what are the chances of things working badly rather than effectively?

    1. Anonymous Coward

      Re: AI Leading Question[s]

      Is the UK following the US,

      I think they are in close lockstep, with little to choose. In both countries over-powerful and thoroughly entrenched elites are bent on universal surveillance. The recent UK decision that the stasi could legally dragnet MPs' data is a temporary setback for the UK elite (who don't expect the laws they pass to apply to them), but to an extent it only mirrors the US situation where the NSA and CIA not only spied on senators and congressmen, but even interfered with the data.

      And what are the chances of things working badly rather than effectively?

      We already know that, with local government using powers supposedly passed to protect people from the supposedly omnipresent terror threat against people dropping litter or failing to pick up their dog's mess, and the interference with Congressional investigations.

  9. Anonymous Coward

    Fortunately the Senate and Congress are controlled by the Republicans who are strongly opposed to big government... oh.

  10. Mark 85

    This is more about getting around "due process" it seems

    For a long time, those in power have been finding ways around the Constitution. This is just another way. It's not about business, or money, it's about power and it's been happening for a long time.

    In the not so distant past, everyone was appalled that J. Edgar Hoover's FBI had files on a significant portion of the population. It took the Freedom of Information Act to make people aware. The information was collected very quietly and in many times, the info was wrong. But, the collection still went on and errors weren't corrected.

    In WWII, we interned the West Coast Japanese population under the concept of "security". I toss this in as a reminder that those in power will violate the Constitution at a moment's notice.

    Certain politicos are now preaching the benefit of this collection of information (we now call it data) and some seem to be a step away from locking up massive portions of the people. Listen to the likes of Trump. I don't think he would hesitate to ship the Hispanics or the Muslims out of the US.

    The Patriot Act (an oxymoron if I ever heard one) was/is a part of this process of getting around the "due process" clause and the Constitution in the name of security.

    CISA makes this information slurp "voluntary" and thus gets around "due process" and takes away another brick of the Constitution. For now, the handing over is "voluntary", but that can be changed by a simple amendment. Secret courts have become common.

    It's an indeed slippery slope and we're well on our way down to the bottom. The rest of the world, is either right behind us or just ahead of us on this slide and all they seem to want to do is point fingers at each other.

    It's beyond sad... it's beyond chilling where we're headed as a country and a world.

    1. Anonymous Coward

      Re: This is more about getting around "due process" it seems

      I'm afraid you're right @Mark 85. I've read the bill summary and parts of the text. It looks like a bureaucratic circle jerk in which nobody outside the Federal government is forced to participate. It would be fine if Congress simply ordered NSA et al to timely report vulnerabilities they discover. But that wouldn't require this bloated legislation which creates a new class of "deemed voluntarily shared" secret data including vulns, exploits, and ANY PRIVATE INFORMATION scooped up by anyone investigating ANYTHING construed as a "cyber threat".

      Apparently it won't interfere with MY livelihood. I'm surprised and relieved. But... I don't like it... and I don't know what I can do - or refuse to do - to thwart it..... besides being paranoid as usual, not volunteering my own private info to anyone/anything that doesn't need to know, and avoiding gigs where privacy/security compliance is a big issue.

      The real danger is that we (citizens) will probably ignore CISA as long as it doesn't directly affect us. But many state/local governments and naive business managers will participate. Surveillance state front companies will certainly participate. By the time people wake up it'll be too late to undo.

  11. Anonymous Coward

    The ignorant leading the blind

    Your next door neighbor can listen to your phone conversations and/or read your e-mail for about $100 but the technically illiterate are concerned that authorities sharing data on criminals is an invasion of their privacy. How do you feel about your bank account being cleaned out or your auto being digitally broken into, your credit card number being skimmed or your I.D. being stolen? Unless you have something to hide, no one cares about your existence. If you're a criminal then you deserve to be prosecuted. If you listen to most in the media they will tell you the sky is falling when it's just raining outside.

    1. Schultz
      FAIL

      "Your next door neighbor can..."

      I grew up in Germany and my old next door neighbor had neither planned nor participated in the persecution and genocide of a good percentage of this country's population. But his government had.

      There is a difference in scale about what a nefarious neighbor might do and what a nefarious government might do. That's why some very smart people came up with concepts like separation of powers, and habeas corpus, and government transparency & accountability, ... Take these away and where might it lead? You can find many examples of where it might lead in the history books if you care to look.

    2. allthecoolshortnamesweretaken

      Re: The ignorant leading the blind

      If that is your opinion, why do you post it anonymously? Does not compute...

  12. amanfromMars 1 Silver badge

    What's Good for the Goose is Good for the Gander. A Golden Rule in Great IT Gamesplay Circles.

    Psst: If you're not an American citizen, none of this applies to you – the US government and its intelligence agents consider you completely fair game for surveillance, anyway. .... Iain Thomson [El Reg]

    It is madness confirmed whenever America and Western allies cannot accept that other governments and intelligence agencies consider them fair game for surveillance and secret treasure trove capture.

  13. Anonymous Coward

    Check out this article by the New York Times, and if you're impatient, you can simply skip to the last 2 lines of the article for the summary...

    http://www.nytimes.com/2015/10/29/nyregion/fast-boat-tiny-flag-governments-high-flying-rationale-for-a-drug-seizure.html
