
Congress has added CISA to the federal budget bill - fisherjeff
http://www.theverge.com/2015/12/16/10288182/cisa-surveillance-cyber-security-budget-proposal
======
kossTKR
Why is this not getting massive attention here on Hackernews? Right now a post
about a dude hacking together a self-driving car has garnered 5X the amount of
votes on this post (not that the other post isn't interesting).

Remember that:

 _Apple, Reddit, Twitter, the Business Software Alliance, the Computer and
Communications Industry Association, and other tech firms have all publicly
opposed the bill. And a coalition of 55 civil liberties groups and security
experts all signed onto an open letter opposing the bill in April. Even the
Department of Homeland Security itself has warned in a July letter that the
bill could flood the agency with information of “dubious value” at the same
time as it “sweep[s] away privacy protections.”

[http://www.wired.com/2015/10/cisa-cybersecurity-information-...](http://www.wired.com/2015/10/cisa-cybersecurity-information-sharing-act-passes-senate-vote-with-privacy-flaws/)

_

Isn't this massive news?

I mean the bill in itself is horrible policy making, but the way it's being
snuck in is scandalous in its own right.

Have I misunderstood something?

~~~
tptacek
Because virtually the same bill passed the Senate with 75% support, and the
House passed the (significantly worse) PCNA back in April at approximately the
same margin.

This bill was going to become law; the only question was whether the
conference committee between the House and Senate would change it --- if it
had, _it would have changed it for the worse_, since the House bill is worse
than the Senate bill, which is the one that's going to pass.

There's just not much of a story here.

~~~
kossTKR
That makes sense.

Although when looked at from a policy-making perspective, this change is further
stabilizing the already dystopian trajectory of international tech laws.

The worst of the worst just keeps getting compiled and eventually voted
through. And under the guise of "war on terrorism", "war on pedophiles", "war
on hackers" etc.

I just don't see this ending anything but horribly.

Either with a monopoly driven "light-net" full of censorship, and no way of
entry for the "smaller" businesses, NGOs, dissident groups etc.

Or worse with a global pre-crime dictatorship.

------
ccvannorman
985-222-CISA

If you live in the United States, this phone number connects you with your
congresspeople and senators in order to make your voice heard.

Citizens stopped CISA before, we can do it again. Don't lie down.

~~~
ccvannorman
Edit: I've seen a few people calling BS on this because of TechDirt. I found
it from the EFF, who gave me this number to call. I feel strongly about
surveillance legislation because I don't want myself or my friends to go to
prison because [insert corp here] decided I did something illegal with their
electronic content, and I don't want my geolocation, etc. perpetually in the
hands of anyone with a security clearance.

~~~
tptacek
Sec 102.(5)(B):

 _The term cybersecurity threat does not include any action that solely
involves a violation of a consumer term of service or a consumer licensing
agreement_

~~~
forgotpwtomain
But according to recently tried cases, something as mundane as incrementing a
URL can be construed as a violation of CFAA.

~~~
tptacek
So? Your criminal liability for incrementing the URL is totally situational.
If you're reading a catalog and you tick the URL to see what the next product
is, you aren't going to be liable. If you see a URL used for XHR in the
frontend for your bank and you increment it to see other people's bank
accounts, you will be.

We don't have a law against "hacking" in the US; we have a law against
"unauthorized access", particularly when that access has consequences.

According to _one_ recently tried case, by the way, and one where the sentence
was ultimately vacated.

And finally: CISA has almost nothing to do with criminal law (it defines no
new offenses and does not change CFAA or its sentencing). If you want to have a
discussion about how totally broken CFAA's sentencing is, I'm right there with
you.

~~~
forgotpwtomain
All I'm suggesting is that since CFAA has a history of being construed to be
applicable in extremely broad terms by prosecution and (although I have not
done a close reading of the entire act it contains provisions such as the
following in its definition of CYBER THREAT INDICATOR):

> (D) a method of causing a user with legitimate access to an information
> system or information that is stored on, processed by, or transiting an
> information system to unwittingly enable the defeat of a security control or
> exploitation of a security vulnerability;

That OP's second concern:

> and I don't want my geolocation, etc. perpetually in the hands of anyone
> with a security clearance.

Regarding being under surveillance for what they may consider to be their
normal or otherwise professional activities is quite valid.

------
disposition2
Looks like it is actually worse than CISA...

[https://www.techdirt.com/articles/20151215/06470133083/congr...](https://www.techdirt.com/articles/20151215/06470133083/congress-drops-all-pretense-quietly-turns-cisa-into-full-surveillance-bill.shtml)

~~~
tptacek
Someone asked me about this last night. Is there sourcing for this beyond
"Techdirt says so"? Because on matters of law, Techdirt is extraordinarily
untrustworthy.

I'd love to see the amendments or revisions that are purported to be doing
this to the bill.

(I don't support CISA, but if you asked me which I'd rather get rid of, CISA
or Techdirt, I'd have to think about it.)

_update_:

No. See:
[https://news.ycombinator.com/edit?id=10747359](https://news.ycombinator.com/edit?id=10747359)

~~~
yuhong
[https://www.techdirt.com/articles/20151216/05514933094/as-pr...](https://www.techdirt.com/articles/20151216/05514933094/as-predicted-congress-turned-cisa-into-clear-surveillance-bill-put-it-into-must-pass-govt-funding-bill.shtml) has an embedded document and a link.

~~~
tptacek
Thanks. Here's a sane version of that link, I think:

[http://docs.house.gov/billsthisweek/20151214/CPRT-114-HPRT-R...](http://docs.house.gov/billsthisweek/20151214/CPRT-114-HPRT-RU00-SAHR2029-AMNT1final.pdf)

~~~
jqm
That's 2000 pages! "Sane" isn't a word I'd use to describe it either.

~~~
tptacek
I meant "sane" as in "not a web-based PDF viewer".

It's a whole bunch of bills crammed into one document. CISA starts around page
1730.

~~~
jqm
I didn't read the techdirt article but did read the relevant section of the
bill.

It sounds on the whole fairly reasonable. Here is my understanding...

Companies can monitor their own systems or the systems of clients for
cyberthreats and share this information with the government and with each
other. They must redact personal information of non-involved parties. The
capabilities and scope of the monitoring system are to be disclosed publicly.
All sounds fine. Where it appears to go a bit off the rails is page 1765-1766
(section A). Here the purpose seems to expand beyond "cybersecurity" and
deviate into monitoring non-cyber criminal behavior. Preventing threat of
death, terrorist attacks, harm to minors (yes.. think of the children), and...
_serious economic harm_ (what exactly is that and to whom?). So... it is more
than a cybersecurity bill but this little bit is buried in a small few lines
40 pages into the section after mentioning "cybersecurity" probably 70 times
previously as the purpose of the bill. Seems a little bait and switch.

For the record I don't disagree (in total) with monitoring for these types of
serious criminal activities.. I've always assumed it was done and assume it
will continue to be done. Just don't call it "cybersecurity" when it is really
flat out mass surveillance for non-cyber related threats.

Also, it seems that the bottom line is a committee to talk about a committee
in some far off period of time. Typical.

But overall I agree... bureaucratic silliness. Bait and switch dishonesty.
Think of the children nonsense. In short, typical Washington DC behavior. But
not the end of the free internet.

------
CM30
Probably a silly question, but is there a reason all these 'additions' are
being snuck into bills and what not? Why does the system allow members of
congress to add unrelated extras to bills in the first place?

Wouldn't a simple fix for things like this be 'only allow a new law proposal
to be about a single topic and nothing else'?

~~~
Kalium
> Wouldn't a simple fix for things like this be 'only allow a new law proposal
> to be about a single topic and nothing else'?

How do you define "a single topic"? Who gets to decide what is and isn't
topical? Who gets to enforce it? Can you see how this definition might be
abused for political gain?

Myself, I see it only making things worse.

~~~
ars
> How do you define "a single topic"? Who gets to decide what is and isn't
> topical?

Easy. If 1/3 of Congress votes for something to be split, then it's split.
(Kind of the opposite of the 2/3 super majority rule.)

As simple as that. Let the people actually voting decide if something is a
single topic.

Yes, this could lead to nonsense where people split things to insane levels
just to disrupt things, but I suspect it would not come to that because they
would be ridiculed, and it would be just a waste of time for them since
splitting something doesn't mean it doesn't get voted on in the end.

~~~
Kalium
I hate to break it to you, but you have a bunch of people in Congress right
now gaining politically by being disruptive. So your failure scenario is
occurring _now_ without your mechanism.

~~~
filoeleven
If the failure mode of this proposal (excessive splitting of bills) is less
disruptive than the current situation (attaching bill-killing, shutdown-
threatening riders), then it seems to me we would still be better off with
this implemented than without.

In addition, as long as the votes for this are public, it seems like it would
be harder to defend capricious action for political gain, since anyone could
see that _this_ group of senators all voted to split legislation that clearly
should not have been split and then take them to task for it. It could even be
mandatory that a proposal to split a bill must be accompanied by an
explanation (also publicly available) of why it should be split that way. It's
one thing in my opinion to put something controversial into an unrelated bill
--there will always be people who are in favor of that, so it is politically
defensible and can score points--but it is another thing entirely to try to
(literally) rationalize the frivolous division of a cohesive bill.

It actually strikes me as quite an elegant solution to the problem of riders
and sprawling legislation.

~~~
Kalium
You believe that by increasing transparency and granularity, voters will
punish or reward Congresscritters more effectively and efficiently.

I disagree strongly. I submit that most voters do not follow the legislative
process very closely and vote accordingly. Rather, I submit that most voters
make decisions emotionally using far less than the totality of the relevant
information currently available to them. At this very moment, we have a batch
of Congresscritters who gain the support of their constituents by obstructing
their opposition by any means possible. Questions of frivolousness or caprice
are not considered. This is the situation here, today, and now.

I think your notion fails because it adds extra information that voters will
disregard. Because this information will be disregarded, it will not
significantly impact the behavior of voters. The net result is likely to be an
increased legislative overhead, more procedural tools to be wielded as
partisan weapons, and voter behavior not shifting significantly. As a result,
the failure mode of this proposal is everything wrong with the current
(attaching bill-killing, shutdown-threatening riders) PLUS excessive bill-
splitting for the sake of obstruction.

Might I suggest that your solutions should not hinge on sudden and dramatic
shifts of voter behavior at a scale of many millions?

------
dude3
This is interesting too

TEMPORARY H-1B VISA FEE INCREASE.—Notwithstanding section 281 of the
Immigration and Nationality Act (8 U.S.C. 1351) or any other provision of
law, during the period beginning on the date of the enactment of this section
and ending on September 30, 2025, the combined filing fee and fraud prevention
and detection fee required to be submitted with an application for admission
as a nonimmigrant under section 101(a)(15)(H)(i)(b) of the Immigration and
Nationality Act (8 U.S.C. 1101(a)(15)(H)(i)(b)), including an application for
an extension of such status, shall be increased by $4,000 for applicants that
employ 50 or more employees in the United States if more than 50 percent of
the applicant’s employees are nonimmigrants described in section 101(a)(15)(L)
of such Act.

~~~
ones_and_zeros
I'd be really interested to know what businesses in the United States have
more than half of its employees here on H-1B visas.

~~~
falsestprophet
Companies like Infosys, Tata Consultancy Services, and Wipro who provide our
country with tens of thousands of the world's greatest minds to maintain
enterprise applications for about $70,000 a year.

------
MrQuincle
Welcome to the rest of the world. We've been eavesdropped on legally by your
congress for ages. :-)

------
tmaly
it would be great if we could have all these bill changes in a git repo with
commits from the representatives that added them. open source gov.

~~~
fapjacks
But then they could be held accountable for their shitty actions, and if
there's one thing they _don't_ want, it's that!

~~~
ionforce
There should be an automatic ban against anyone who attempts to shirk
responsibility.

------
DanielBMarkham
As I understand it, by slipping it in on an Omnibus budget bill, leaders get
to add in bullshit that nobody in their right mind could defend on the floor
and then expect an up-down, yes-no vote on the entire budget, including the
add-in, by the membership.

In addition, because it's a budget bill, regular conference committee rules
don't apply. The idea was that having conference committees dicker over each
line item would be a great way to prevent both houses from agreeing. So the
"fix" they made for money bills can be used for cyber-surveillance bills too.

I may have missed the details. Apologies if that's the case. If this was added
to the Omnibus, the reason why was obscurity. My misunderstanding of the
details is a prime example of voters not being able to track who's
responsible. That's the point.

------
j_s
Any specifics on which congress-people are responsible for this?

~~~
flubert
In the larger sense, aren't all the representatives responsible? Certainly the
ones who voted for it. I know it is controversial, but they should be reading
the bills before passing legislation. And the ones who didn't vote? What are
we paying you for, if you aren't even showing up for your job? And even those
who may have voted no seem to bear some responsibility, why didn't you raise
an alarm? You should still be reading bills that have a high likelihood of
passing, even if your intention is to vote no.

~~~
ChuckMcM
Of course, but some representative made the motion to include the text of the
CISA bill as part of the Omnibus bill; that should be on the record somewhere.

~~~
chishaku
Anyone have more clarity on this? I think since this is just a single bill,
figuring out who included which part of the final text is a non-trivial task.
However, since senior leadership of both parties are mostly responsible for
getting this bill through, I think they ultimately are responsible for
allowing the CISA portion to be included.

------
Zikes
So now they're legally allowed to do what they've already been doing without
oversight anyways, which they were legally never allowed to do in the first
place and still aren't legally allowed to do due to Constitutional restraints.

I don't like to sound defeatist, but honestly what does this change?

------
tptacek
Since it's linked upthread: Techdirt is one of the least trustworthy sources
on the Internet for information about Internet law.

_(Here's a summary of CISA I wrote a few months ago on HN:
[https://news.ycombinator.com/item?id=10454172](https://news.ycombinator.com/item?id=10454172)
)_

Today (and yesterday), Techdirt claims the following changes to CISA:

1. _Removes the prohibition on information being shared with the NSA,
allowing it to be shared directly with NSA (and DOD), rather than first having
to go through DHS._

2. _Directly removes the restrictions on using this information for
"surveillance" activities._

3. _Removes limitations that government can only use this information for
cybersecurity purposes and allows it to be used to go after any other criminal
activity as well._

4. _Removes the requirement to "scrub" personal information unrelated to a
cybersecurity threat before sharing that information._

'yuhong helpfully posted a link to the revised bill attached to the budget
bill.[1] I compared it clause for clause to the version that passed the house.
That is 10 minutes of my life I will never get back. Unsurprisingly, only one
of Techdirt's claims is true (but worded misleadingly). The other three are
simply false.

Here's the breakdown:

<strike>1. The "CERTIFICATION OF CAPABILITY AND PROCESS" part of Section 107
now allows the President, after CISA has been started by DHS, and after
publicly notifying Congress, to delegate to any federal agency, including NSA,
the authority to run the process described by the rest of the bill. The
previous version required DHS to run the entire process. Techdirt isn't wrong
about that change. Techdirt is wrong to be confused about why NSA would be a
designated coordinator for threat indicators under CISA (NSA houses virtually
all of the USG's threat intelligence capability; no other department has
comparable expertise coordinating vulnerability information).</strike>

 _I was wrong about this; the new bill_ specifically disallows DoD or NSA
_from running the CISA portal._

2. The bill doesn't change the authorized usage of cyber threat indicators at
all (nor does it change any of the definitions of threat indicators,
vulnerabilities, and so on). The few places I found changes at all actually
improved the bill (for instance: Section 105 5(A) no longer allows threat
indicators to be shared to investigate "foreign adversaries").

3. CISA has _always_ allowed the USG to use cyber threat information in law
enforcement pertaining to a specific list of crimes --- that is one of the
ways CISA is significantly worse than CISPA. But Techdirt suggests that CISA
can be used by the DEA to investigate drug crimes. _You cannot have read the
bill and believe that to be an illustrative example_, because drug crimes
aren't among the listed crimes: fraud/identity theft, espionage, and
protection of trade secrets. It should not surprise you that the list of
applicable crimes has not changed in the budget bill version.

4. The new CISA act retains all the "specific person" and "technical
capability configured to remove any information" language regarding personally
identifiable information in "cyber threat indicators". The "scrub", by the
way, _has always applied to private entities_ (Techdirt may have tripped over
themselves to write this bullet point, because the new bill clarifies
"entity", "federal entity", and "non-federal entity", and so the scrubbing
language now reads "non-Federal entity" --- but the original bill defined
"entity" as "private entity"!)

[1]: [http://docs.house.gov/billsthisweek/20151214/CPRT-114-HPRT-R...](http://docs.house.gov/billsthisweek/20151214/CPRT-114-HPRT-RU00-SAHR2029-AMNT1final.pdf)

~~~
dsp1234
Note that Techdirt didn't have the final text of the bill (and couldn't have)
since it wasn't finalized at the time. They were commenting on the proposed
changes, which they acknowledge didn't all make it in to the bill[0].

So you may be commenting on old information (note that I don't see those 4
items on their current article[1]), and they specifically acknowledge the
changes from yesterday's proposal to today's complete text.

They could still be wrong in their analysis, but it would be more helpful to
do a breakdown of their current stance on the final bill, rather than doing a
breakdown on their analysis of proposed changes with data you have from the
final bill text that they didn't have access to.

[0] - [https://www.techdirt.com/articles/20151216/05514933094/as-pr...](https://www.techdirt.com/articles/20151216/05514933094/as-predicted-congress-turned-cisa-into-clear-surveillance-bill-put-it-into-must-pass-govt-funding-bill.shtml)

[1] - "a few of the absolutely worst ideas didn't make it into the final
bill,"

~~~
tptacek
Nope. Not even a deeply cynical misreading of the bill gets you there. Here's
Techdirt's current claims:

 _While the reports yesterday indicated that the bill would directly allow its
use in "surveillance," the list of approved uses was changed slightly to
effectively hide this fact. Specifically it says that the information via CISA
can be used to investigate a variety of crimes -- and doesn't say
"surveillance." But, obviously, surveillance isn't a "crime" that the
government will be investigating. It's just the method that the government
will use to investigate crimes... which is now allowed under CISA._

Every version of CISA has included this language, and the "variety of crimes"
hasn't changed and remains microscopic. The list of approved uses wasn't
"changed slightly to effectively hide this fact"; in fact, the only change in
the approved list of uses is _the removal of an approved use_.

 _Also, yesterday we noted that the proposed change would "remove" the privacy
scrub requirements. The final bill didn't completely do that, but basically
changed the standard to pretend that it's in there. Rather than demanding a
full privacy scrub, the bill lets the Attorney General determine if DHS is
doing a reasonable job with its privacy scrub._

"Privacy scrub" is language that Techdirt is using, but the bill never has.
The CISA requirements to remove personally identifying information --- which
have always applied to private entities --- is unchanged.

------
ccvannorman
News flash, privacy is going to (keep) getting worse before it gets better.
This is why the instant someone invents a totally secure and private way for
me to exist online, I'm going to dump a truckload of money down their coffers.

~~~
ljk
> _This is why the instant someone invents a totally secure and private way
> for me to exist online_

isn't that impossible due to all the backdoors in software, hardware, and even
in the encryption?

~~~
akerro
Are you watching the watchers? What if they didn't implement _the_ backdoors?

~~~
rfreytag
Unless the software-firmware-hardware stack is totally secure then someone,
and it needn't be a government, will implement backdoors where there is value
in doing so.

------
ck2
I don't know the origin of the word "scumbags" but it seems to fit perfectly
here.

Can you imagine sitting across from someone you are negotiating with and you
are about to sign and they slip a sheet of paper in between the document,
making you agree to it?

Of course not. But what you'd never do to a fellow American in person,
congress is more than okay with doing to you without you being there or
realizing what is going on.

Lowest of the low.

~~~
delecti
In addition to its modern usage, which I agree appropriately describes these
congresspeople, the word "scumbag" refers to condoms.

~~~
AnimalMuppet
More specifically, to used ones.

------
beatpanda
P.S., the reason you don't see as much wrangling or dramatic threats to shut
down the government over this budget bill is _because a bunch of stuff like
this was loaded into it._ Because Congress is under enormous pressure by law
enforcement and intelligence agencies to undermine computer security in the
name of "safety", but they can't be _seen_ doing it because it's extremely
unpopular.

What will be interesting is if all the riders on this budget bill are so
unpopular that the voting public _demands_ a government shutdown.

Personally, I think everyone here is better off spending time writing software
to make surveillance less practical. Even if the U.S. government is nominally
constrained by laws (they aren't in practice), there are plenty of other
actors in the world that aren't governed by any constraints and will monitor
all electronic communications up to their technical capacity to do so.

If you care about privacy and information security you need to be working on
tools to make it impossible for surveillance to occur, not petitioning a
Congress that is dead-set on screwing you.

------
newman314
So can someone please help explain to me how this is permissible?

Taking this to extremes, why would politicians not sneak every crazy wild idea
that they have onto this bill if it's a must-pass bill?

~~~
dragonwriter
> Taking this to extremes, why would politicians not sneak every crazy wild
> idea that they have onto this bill if it's a must-pass bill?

They try; there are various constraints:

(1) Individual members can't just stick a rider onto a bill, riders are
amendments, and are voted on.

(2) Riders are, in effect, a strong-arm negotiation tactic between one house
of Congress and the other, or between Congress and the executive -- a gamble
that the _other_ side sees the other provisions of the bill as "must pass"
enough to accept the added conditions. But those gambles can be wrong,
resulting in neither the main bill or the added provision getting passed. So,
the biggest incentive to add non-germane riders is to a bill you are _less_
concerned with passing than those you are trying to get to accept the rider as
a precondition for the rest of the bill, where them rejecting the rider is
more unattractive to them than it is to you. If you _really_ think it's a "must
pass" bill (rather than just wanting _others_ to think that so that they'll
accept the rider), you won't want to risk causing it to fail somewhere in the
process because the rider you attached was unacceptable.

~~~
retbull
Unless you want the political fodder to say the other party is also willing to
shut the government down. If you don't care about shutting everything down you
can put horrible things in a must pass bill.

~~~
dragonwriter
If you don't care about shutting everything down, there is no such thing as a
"must-pass" bill; at least, the fact that not passing a bill would lead to a
shutdown doesn't make it must-pass if you don't care about shutting everything
down.

But I think you are agreeing with what I said, that it's more attractive to
attach riders to something you think your _counterparty_ sees as "must pass",
but you do not.

------
profeta
and the people that did that will go largely unpunished in any way and
continue to receive the same votes as always.

------
pnathan
Rolling in a little late here, I am actually wondering what substantive
rationale exists here. There _are_ super competent people in the government,
and they do percolate information out to Congress. So I don't think it's fully
appropriate to call the Congress-critters chumps (although it's a national
pastime), and I do also wonder what the effective means of altering policy
are (No, I don't think the EFF is being effective).

------
micwawa
So if I delete my YikYak account today will I still be employable in the
future?

~~~
an0nym1ty
I don't understand the connection here. Could you elaborate for me?

~~~
micwawa
The article says "The bill would make it easier for private sector companies
to share user information with ... other companies". Taking this at face
value, any potential employer could conceivably access everything I've ever
said on YikYak, just, you know, compare with their own notes and make sure
I'm not a criminal. This wasn't really supposed to be that serious of a
comment, as I haven't said anything too horrible.

------
collin123
:( ugh not again

------
dang
There have been close to a dozen posts about this. We merged the threads that
had comments.

If another article is significantly more substantive, let us know and we can
change the URL.

------
imglorp
"So this is how liberty dies...with thunderous applause."

------
MrZongle2
Don't you get it, America? _Your masters want this._ Why can't you have the
good grace to let yourselves be observed and controlled without raising such a
ruckus?

/s

