With Healthcare.gov plagued by technical difficulties, the Obama administration is bringing in heavyweight coders and private companies like Verizon to fix the federal health exchange, pronto. But web security experts say the Obamacare tech team should add another pressing cyber issue to its to-do list: eliminating a security flaw that could make sensitive user information, including Social Security numbers, vulnerable to hackers.
According to several online security experts, Healthcare.gov, the portal where consumers in 35 states are being directed to obtain affordable health coverage, has a coding problem that could allow hackers to deploy a technique called "clickjacking," where invisible links are planted on a legitimate web page. Using this scheme, hackers could trick users into giving up personal data as they enter it into the web site, potentially placing Americans at risk of identity theft or allowing fraudsters to file bogus health care claims. And it's not just the federal exchange that has security problems. Some of the 15 states that have established their own online exchanges aren't using standard encryption throughout their Obamacare websites—leaving user information at risk.
Update, July 8, 2014: On Tuesday, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) announced committee approval of the Cybersecurity Information Sharing Act (CISA). The vote was 12-3.
Update, April 30, 2014: On Wednesday, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) announced that they have drafted legislation referred to as a "cybersecurity information sharing bill." According to the senators, the bill "allows companies to monitor their computer networks for cyber attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information." But privacy advocates say the bill—whose language is not yet finalized—has many of the same problems as the earlier versions of the Cyber Intelligence Sharing and Protection Act (CISPA).
"This is definitely a step back," Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, told the Washington Post. "The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands." Techdirt notes, "It appears as though no one involved has learned anything from CISPA's two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents."
"I am working with Senator Saxby Chambliss (R-Ga.) on bipartisan legislation to facilitate the sharing of cyber related information among companies and with the government and to provide protection from liability," Sen. Dianne Feinstein (D-Calif.) told Mother Jones in a statement. "The legislation will...still maintain necessary privacy protections." NSA's Alexander threw his weight behind this kind of bill in September: "If we can't work with industry, if we can't share information with them, we can't stop [cyber attacks]," he told the Washington Post.
Privacy advocates aren't happy to see that the "zombie bill" is returning—it's been killed and resurrected twice since it was originally introduced by Rep. Mike Rogers (R-Mich.) in 2011. "This summer has confirmed that any information that goes into the NSA will be shrouded by secrecy and there will be no oversight," says Michelle Richardson, a legislative counsel with the ACLU. "Since this is a domestic issue, the NSA is more likely to get involved...and companies haven't provided concrete examples that they even need this legislation, especially when it's this broad."
The way CISPA was written earlier this year, it would have given US companies the legal protection to share cyberattack incidents with the government, which could then help companies better defend sensitive information, such as the design for the F-35 Joint Strike Fighter and US electrical grids. The way the law stands now, cyber attack information is only supposed to be shared in emergencies, otherwise it can be a violation of laws like the Electronic Communications Privacy Act (ECPA) and the Wiretap Act. Tech companies, including Google and Facebook, have quietly supported CISPA in the past—possibly because, according to Snowden, they were already being forced to share user information with the US government, anyway, and CISPA would protect them from lawsuits.
Privacy advocates and many Senate Democrats took issue with the bill's broad language, which set no limits on what the government could do with the personal information it obtained as long as it fell under the national security umbrella. "CISPA would've allowed NSA to get its hands on even more private and sensitive data," says Mark Jaycox, a policy analyst for the Electronic Frontier Foundation, noting that he hasn't seen the latest draft of the bill so can't comment on it.
Feinstein's office told Mother Jones that the new version of the bill will have "tight limitation on what kind of information is shared" and "the goal is to allow and encourage the sharing only of information related to identifying and protecting against cyber threats, and not the communications and commerce of Americans." She also said that she believes "the lead responsibility within the federal government should be with a civilian department or agency"—not the Department of Defense.
However, Brian Weiss, a spokesman for Feinstein, could not confirm that two of the biggest privacy problems raised in the House version of CISPA—that personally identifiable information would be shared and the NSA could get it—had been written out of the new bill. There is "no final language" yet, he said. Richardson from the ACLU notes that "some of the Republicans' proposals have been very anti-privacy, and there's been a pretty big gap between the Senate Republican approach and [Feinstein's]." (Chambliss's office confirmed they were working on the bill, but did not provide any additional details.)
Even if the bill makes it to the floor, it could still be a tough sell—Obama threatened to veto the House version of CISPA earlier this year and almost 400 websites staged an online blackout in protest in April. "I think it will be very difficult to move information-sharing legislation forward given the events of the last several months," says Richard Bejtlich, the chief security officer at Mandiant, a company that offers cybersecurity services for Fortune 100 companies. He also notes that his firm's big report on China's secret-hacking unit was effective without listing personally identifiable information.
"It would have been complicated to pass a bill before the leak and now it's even harder," Richardson agrees. "That being said, I think we need to keep a very careful eye on it to make sure a deal isn't struck in the Senate. Sometimes these things suddenly start moving."
The just-concluded government shutdown and debt ceiling crisis revealed a deep and profound split within Republican ranks, as tea party crusaders pushed for brinkmanship to thwart Obamacare and establishment-minded GOPers freaked out over the historic hit their party was receiving in public opinion polls. Even after the conflict was settled (at least for a few months)—with the congressional Republicans essentially waving a white flag—the civil war within GOP and conservative circles continued unabated. Once the deal went down, mainstream GOPers immediately blamed the "suicide caucus" for harming the party and pledged to block future shenanigans of this sort, and tea partiers in and out of Congress dismissed the "surrender caucus" and vowed to continue the fight as the next D-Days approach (January 15 for funding the government, and February 7 for the debt ceiling).
This ugly episode hasn't resolved the tensions within the GOP and the conservative movement—it has exacerbated them. Here is a list of post-deal quotes from key players in this civil war that show the internecine battle is not likely to end soon.
Update: TPM reports that Sen. Ted Cruz (R-Texas) has "no objections" to the Senate voting on the bill today, and will not attempt to block or delay it. He added, "There's nothing to be gained from delaying this vote one day or two days."
Update 2: Politico reports that the Senate will be voting first on the bill, sometime Wednesday afternoon or early evening.
Senate leaders have forged an 11th-hour deal to end the government shutdown and raise the debt ceiling, and House Speaker John Boehner is expected to bring the bill up for a vote, Politico and other media outlets reported Wednesday morning. If the bill passes and arrives on President Obama's desk by the October 17 deadline, the US government will reopen until January 15, and the debt ceiling will be raised until February 7, delaying the budgetary and debt ceiling crises and leaving President Obama's signature health care bill largely intact.
Many concessions that tea partiers attempted to extract from the Obama administration in exchange for reopening the government and raising the debt ceiling are not expected to be included in the bill. Conservative Republicans had, over the course of the budget fight, demanded a one-year delay to Obamacare, a delay or repeal of the act's tax on medical-device manufacturers, and a "conscience clause," which would have allowed employers to block their employees from buying health insurance that covers birth control. None of those measures are expected to appear in the Senate's bill. The only concession Republicans seem to have won is a slightly stricter set of rules for verifying the incomes of Americans who are receiving subsidized health insurance under Obamacare.
According to the Wall Street Journal, the final bill won't include a GOP proposal that would stop the Treasury Department from using extraordinary measures to raise the debt ceiling. But it will include back pay for federal employees who missed paychecks during the shutdown and establish a committee tasked with working out a longer deal ahead of the new January 15 and February 7 deadlines. The bill also reportedly includes a provision that could make it harder to use the debt ceiling as a bargaining chip: At the next deadline, Congress would be required to pass a bill if it wants to block the ceiling from increasing. Otherwise, the ceiling would go up automatically.
The House is expected to vote on the proposed bill first, which would allow the Senate to skip some of its cumbersome procedures and quickly move to a final vote. Politico calls this "an extraordinarily risky play" because the majority of House Republicans are expected to oppose the bill. However, Robert Costa of the National Review reported that Boehner has agreed to pass the bill with mainly Democratic votes. There's still a chance that Sen. Ted Cruz (R-Texas) could go rogue and filibuster the bill in the Senate, dragging out the debate past the October 17 deadline, but his office has not said whether or not he will do so, according to the Wall Street Journal.
If you went into Starbucks for a soy latte this week, you might have noticed something a little unusual. In response to the debt ceiling and budgetary crisis, the coffee chain urged Americans to sign petitions asking Congress to fix these problems—without specifically proposing how. This isn't the first time that Starbucks has dipped its corporate toe into politics. The company's CEO, Howard Schultz, openly supported President Obama in 2012, and over the last few years, the company has turned its attention to voting rights, election donations, and sequestration—with mixed results. Occasionally, Starbucks takes a political stand that packs the same punch as a cup of strong coffee, like when it resolutely offered health care benefits to same-sex couples, filed a petition in support of overturning the Defense of Marriage Act, and progressively refused to cut worker hours or benefits ahead of Obamacare. But just as often, the company is criticized for running kumbaya political campaigns that mainly exist for Starbucks' bottom line.
"One of the enduring fantasies of the pundit class…is that all we need to fix our economic problems is to get the great and the good together and bypass those pesky elected officials," Paul Krugman wrote of Starbucks' 2012 debt ceiling campaign. "But the reality is that the business leaders intervening in our economic debate are, for the most part, either predatory or hopelessly confused…Howard Schultz, the CEO of Starbucks, exemplifies the hopeless confusion factor." Zack Hutson, a spokesman for Starbucks, tells Mother Jones that "Starbucks is not a policymaker…but we do believe we can bring people together to make their voices heard."
Here are six Starbucks campaigns that failed to live up to the hype:
1. The Pay It Forward Campaign
Last week, if you bought the customer behind you a cup of coffee, Starbucks might have given you a free cup, as part of its three-day long "Pay it Forward" campaign. This was intended to help solve the debt ceiling and budget crisis by sparking a "connection that helps bring us all a little closer at a time when showing our unity is so important." Starbucks also placed petitions in 11,000 US stores, asking Congress to reopen the federal government, avoid default, and "pass a bipartisan and comprehensive long-term budget deal." Hutson says the company is not offering a specific solution as to how those things should be accomplished, noting that Starbucks wants to "work through our elected leaders [and] encourage the kindness and civility we want our elected leaders to model." The petitions will be delivered to Congress and the President today.
Marshal Cohen, chief retail analyst at the NPD Group, which does consumer market research, told the Associated Press that the Starbucks campaign doesn't have any demands attached to it, like impeachment, so it's unlikely to make any difference. "Will it work on the political level? No. Won't make a dent. Will it work on the commercial end? Absolutely."
Starbucks directed customers to learn more about the issue by visiting "Fix the Debt," a group that, according to the Washington Post, pushed for "higher tax revenue, lower government spending, and cuts to Social Security and Medicare and was criticized for masking its conservative backing and attempting to drive money to the 1 percent." Hutson says that Starbucks wasn't "advocating for a specific policy solution with Fix the Debt" but notes that "we are supportive of the campaign's aspirations for a meaningful, long-term, bipartisan solution."
3. The "Leading Through Uncertain Times" Campaign
Long before the government shutdown crisis, and the 2013 debt ceiling crisis, and the sequestration crisis, there was the 2011 debt ceiling crisis. That was the first time Republicans threatened President Obama with default if he did not make budgetary concessions. In response, Starbucks went ahead with a campaign to get business leaders to pledge not to donate to any political campaigns until Washington came up with a long-term deficit deal, garnering support from over 100 business leaders. Some saw it as a galvanizing step in the right direction, but critics pointed out that the campaign didn't explicitly bar donations to super-PACs, which is where a lot of the big money comes from, and Starbucks employees and shareholders (excluding Schultz) didn't abide by the pledge. Starbucks investors also rejected a shareholder proposal to stop the company from making political contributions, forming its own political PAC in the future, and donating money to lobbying industry groups.
"This was an awareness building campaign, since we have 70 million customers a week coming through our stores," says Hutson. But Starbucks has no plan on establishing a super-PAC in the future, and, he says, "as a company we rarely make political campaign donations." After the campaign, Congress failed to come up with a long-term budget deal, setting the stage for the 2013 crisis.
4. The Anti-Gun Stance
This was less a campaign, and more a political intervention. Following several incidents where customers brought guns into Starbucks and accidentally discharged the weapons—as well as pressure from gun control groups like the Brady Campaign to Prevent Gun Violence—Starbucks decided to take a stand on gun control. Sort of. This fall, Starbucks changed its official policy to one that asks customers to leave guns at home, even in states with open carry laws. However, Schultz told the New York Times that Starbucks was not going to actually ask gun-toting customers to leave, nor post signs in the store explaining the new policy. "I don't think we need to post signs. The respectful request has been made clear and people are abiding," Hutson says, but he admits there's also no way to measure for sure whether more people are leaving their guns at home.
"We appreciate the fact that Starbucks realizes the problem that armed patrons present to the safety of other customers in their stores, but do not believe that their initial steps of discouraging guns in their stores goes far enough," says Robyn Thomas, executive director for the Law Center to Prevent Gun Violence. "Starbucks could easily ban guns in their stores by simply posting a sign which lets customers know that guns are not allowed and then enforcing that rule as do other chains like Peet's Coffee and Tea, California Pizza Kitchen, and Disney."
5. The Free Coffee for Voting Campaign
Before the 2008 election, Starbucks released this ad, with the slogan, "If you care enough to vote, we care enough to give you a free cup of coffee," set over a sweeping piano score. The offer was redeemable on November 4. Starbucks was hardly the only store making the offer; Krispy Kreme, Chick-fil-A, and Ben & Jerry's offered free swag too. But Starbucks revoked its offer after reports surfaced that the deal could violate election laws, deciding instead to give out a free tall brewed coffee to anyone who asked for it. Those pesky election laws didn't stop other companies from offering free stuff to Americans who flashed an "I Voted" sticker. That's probably because, as Slate pointed out, the Department of Justice was unlikely to do any prosecution.
6. The Way I See It Campaign
In 2005, Starbucks launched "The Way I See It" campaign, printing quotes on its coffee cups from notable figures. Some of them were politically controversial:
The quotes drew ire from conservative groups, but some atheist groups were also peeved with one cup's anti-evolution message. Starbucks spokeswoman Audrey Lincoff told the Seattle Times that the campaign did not set out to take a political stand, and it didn't matter whether the people quoted on the cups were Democrats or Republicans. Starbucks considered the campaign "successful" but quietly disbanded it after two years, because "we redesigned our logo and subsequently the cups," says Hutson. Today, there's scant evidence on its website that "The Way I See It" ever existed.