Privacy experts have been warning all along that the Cybersecurity Information Sharing Act (CISA) wasn't even trading citizen privacy for security. The legislation would give private companies legal immunity for sharing customer data with the feds in order to fight cybersecurity threats, hackers, et cetera. The justification was that more information and more sharing would lead to better cybersecurity.
But cybersecurity and privacy experts insisted this was simply not the case. As Andrea Castillo explained at Reason back in May, the federal government has a poor reputation when it comes to properly sharing information and are often the target of hackers themselves (and this was written weeks before the massive hack of federal personnel data was revealed).
It turns out there is some agreement from a surprising source: the Department of Homeland Security. A government agency responsible for all sorts of prying into citizens' personal lives does have some limits. They responded to a request for information by Sen. Al Franken (D-Minn.) with a letter detailing their concerns. Franken released the letter today. Via National Journal:
In releasing the DHS letter, Franken said Monday that CISA is not yet ready for a vote. "The Department of Homeland Security's letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation's cybersecurity objectives," he said in a statement.
Franken, an outspoken privacy advocate in the Senate, asked DHS last month to set out any concerns it may have with the bill's privacy, effectiveness, and efficiency. The agency identified a number of issues with the bill, including a provision that would make it difficult for the agency to anonymize incoming data and preserve Americans' privacy, and a worry that the sheer volume of information that would be shared under the law would be overpowering.
DHS has been intimately involved in cyberinformation-sharing ever since recent legislation created the National Cybersecurity and Communications Integration Center cyberthreat clearinghouse within the agency. A number of federal agencies and over a hundred private-sector companies participate in DHS's information-sharing program.
Read more here. There is a little bit of agency jurisdiction policing here. The DHS wants to make sure it remains the hub for a cybersecurity information sharing program.