Dear Congress: Ignore distractions and pass USA FREEDOM

With limited time left in the legislative calendar for this Congress, it is time for an assessment of priorities. To start, we need to reign in the NSA’s privacy-violating surveillance programs. The USA FREEDOM Act would limit, instead of expand, the government’s intake of user information. It should be a priority for the outgoing Congress. And yet, priorities seems to be elsewhere.

When entering office, U.S. Senators take an oath starting, “I do solemnly swear that I will support and defend the Constitution. . . .” The oath begins with the Constitution because its protections are paramount. And yet, a number of senators are focusing on the much-maligned Cybersecurity Information Sharing Act (CISA), which would increase the amount of private user information obtained by the government.

With CISA, Congress is taking its eye off the ball. Instead, it should prioritize the passage of the USA FREEDOM Act, which would bring government surveillance in conformity with the privacy protections of the Fourth Amendment to the Constitution. The Director of National Intelligence James Clapper and Attorney General Eric Holder have both endorsed it as a bill that would protect human rights. Privacy groups have also endorsed it as the most reasonable NSA reform bill, one that would restore public faith the government’s surveillance restraint. Access urges the U.S Congress to use its remaining time to pass the USA FREEDOM Act and not focus on sideshows like CISA.

The Senate version of the USA FREEDOM Act, brokered by Senator Patrick Leahy, would limit the government’s authority to collect information in bulk. In other words, the NSA would have to shut down the program where it collects the cell phone metadata of all U.S. persons. The bill does so by modifying Section 215 of the Patriot Act. The change would require collection be tied to a “specific selection term” which could not be an entire geographic region or service provider.

The bill would further limit the scope of investigations under Section 215. Investigations would have to relate to international terrorism. No longer would foreignness alone be adequate justification for surveillance. Also, a new Special Advocate program would be created to add a dissenting voice to the government’s requests for approval in the secretive Foreign Intelligence Surveillance Court.

The Senate Intelligence Committee Chairwoman Dianne Feinstein and Vice-Chairman Saxby Chambliss have not yet supported USA FREEDOM. In fact, at an October 29 cybersecurity summit, they said surveillance reform can wait. Instead, they advocated for the passage of CISA, a privacy-invasive bill that focuses on corporate-to-government (and vice versa) information sharing at the expense of the user. Expanding on the push for CISA, NSA Director Admiral Michael Rogers said at the same summit, “[w]e do not want privacy information. That will slow us down. That is not what the focus of cybersecurity is.” If that’s the case, it is unclear why laws like CISA and its companion in the House of Representatives, CISPA, both allow user information to be sent to the government, and protect companies for doing so (even when they act recklessly).

The bill creates an information-sharing regime between the public and private sectors and provides legal immunity for corporations that share data. It would, therefore, increase the government’s ability to conduct surveillance as businesses would be much more likely pass on personally identifiable information (PII) to the government, particularly under the broad liability shield the bill provides. Not only does the bill prioritize business interests over privacy rights, it fails to provide many of the needed cybersecurity reforms. As Access has pointed out a number of times, CISA is also detrimental to government transparency and it retains military leadership of cyber efforts. Instead, an independent civilian agency should oversee cyber efforts to avoid a conflict where the same agency is in charge of both protecting and weakening systems.

In reaction to discussions over CISA and USA FREEDOM, Senator Feinstein accused the public of wanting “more, more, more” privacy protections. But should she be surprised? In the past fifteen years, Congress has enabled more surveillance by passing the Patriot and FISA Amendments Acts, and now some members are asking for a sacrifice of more of our privacy through CISA. In the same timeframe, Congress has rejected attempts at restoring privacy.

After passage the USA FREEDOM Act this term, Congress should next focus on additional surveillance protections, particularly for non-U.S. persons. It should also focus on cybersecurity legislation which prioritizes user security. After all, people must be the real focus of cybersecurity. A focus on user security will lead to a reduction in private data sacrificed in breaches and prepare for a future in which our health is closely connected with the security of our systems. One way to do so would be to promote security by design. More specifically, companies should consider security and privacy when they first begin the design process, not only after a major data breach leads to a betrayal of user trust. A cybersecurity bill must also provide public resources to educate users, companies, and other actors on cybersecurity best practices, including knowledge of encryption, and its importance to the personal security of users.

Reforming the U.S. government’s overbroad, unaccountable surveillance programs cannot wait until next year. It can’t wait at all. Access urges Congress to act now to pass the USA FREEDOM Act.