Group items tagged

When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users’ personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks. But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won’t actually boost security. And second, the “information sharing” it describes sounds more than ever like a backchannel for surveillance.

On Tuesday the bill’s authors released the full, updated text of the CISA legislation passed last week, and critics say the changes have done little to assuage their fears about wanton sharing of Americans’ private data. In fact, legal analysts say the changes actually widen the backdoor leading from private firms to intelligence agencies. “It’s a complete failure to strengthen the privacy protections of the bill,” says Robyn Greene, a policy lawyer for the Open Technology Institute, which joined a coalition of dozens of non-profits and cybersecurity experts criticizing the bill in an open letter earlier this month. “None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed.” The central concern of that letter was how the same data sharing meant to bolster cybersecurity for companies and the government opens massive surveillance loopholes. The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat “notwithstanding any other provision of law.” That means CISA trumps privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, which restrict eavesdropping and sharing of users’ communications. And once the DHS obtains the information, it would automatically be shared with the NSA, the Department of Defense (including Cyber Command), and the Office of the Director of National Intelligence.

In a statement posted to his website yesterday, Senator Burr wrote that “Information sharing is purely voluntary and companies can only share cyber-threat information and the government may only use shared data for cybersecurity purposes.” But in fact, the bill’s data sharing isn’t limited to cybersecurity “threat indicators”—warnings of incoming hacker attacks, which is the central data CISA is meant to disseminate among companies and three-letter agencies. OTI’s Greene says it also gives companies a mandate to share with the government any data related to imminent terrorist attacks, weapons of mass destruction, or even other information related to violent crimes like robbery and carjacking. 

Lawmakers on the House Oversight Committee sent letters Monday to the heads of 24 federal agencies seeking answers about the use of a controversial surveillance technology.The devices, known by the brand name “StingRay,” simulate a cell phone tower and are able to collect information on mobile phones and their users. Lawmakers say they are trying to create a comprehensive record of how different federal agencies use the devices. The scrutiny comes after the Department of Justice and the Department of Homeland Security adopted new policies for how their employees may deploy the technology.ADVERTISEMENT“As it was with DOJ and DHS before those agencies issued department-wide policies governing use of the devices, the Committee is concerned that other federal agencies may be governed by a patchwork of policies,” the letters said. “Those policies may permit the use of cell-site simulators devices through a lower standard than a search warrant obtained after a showing probable cause."The letters, signed by Oversight Chairman Jason Chaffetz (R-Utah) and ranking member Elijah Cummings (D-Md.) as well as Rep. Will Hurd (R-Texas) and Rep. Robin Kelly (D-Ill.), were sent to 24 federal agencies in total, including many not traditionally viewed as having law enforcement functions, like the Social Security Administration and the National Science Foundation.Lawmakers have asked the agencies for documents and information related to their potential use of the devices.

An anonymous hacker claims to have breached CIA Director John Brennan's personal email account and has posted documents online, including a list of email addresses purportedly from Brennan's contact file. The CIA said it referred the matter to the proper authorities, but would not comment further. The hacker spoke to the New York Post, which described him in an article published Sunday as "a stoner high school student," motivated by his opposition to U.S. foreign policy and support for Palestinians. His Twitter account, @phphax, includes links to files that he says are Brennan's contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents.

The hacker also claimed to have breached a Comcast account belonging to Homeland Security Secretary Jeh Johnson, and released what appeared to be personal information. One document purporting to come from Brennan's AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter. It's unclear why Brennan would have stored such a document in his private email account. Based on the titles, the document appears to date from 2009 or before. When people visit the White House and other secure facilities, they are required to supply their Social Security numbers. Brennan could have been forwarding a list of invitees to the White House when he was President Barack Obama's counter terrorism adviser, the job he held before he became CIA director in 2013.

The hacker told the Post he had obtained a 47-page version of Brennan's application for a security clearance, known as an SF86. That document — millions of which were stolen from the federal personnel office last year by hackers linked to China — contains detailed information about past jobs, foreign contacts, finances and other sensitive personal details. No such document appears to be posted on the hacker's Twitter account, but it's not clear whether the hacker posted it elsewhere.