Let's tell private businesses in America that they should share consumer data with the federal government to help stop vague cyberthreats, and in exchange immunize them from liability for any possible violations of users' privacy. What could possibly go wrong?
Looks like we are close to finding out. The Cybersecurity Information Sharing Act (CISA) passed the Senate today by a vote of 74 to 21. A different version passed the House earlier in the year, so they're going to have to conference to hammer out differences. Retail business interests supported the legislation. Major Internet and tech firms like Google, Apple, Yahoo, and Twitter (essentially the same companies who have been resisting the National Security Agency's mass metadata collection) opposed it.
Wired summarizes the concerns about the version the Senate passed:
CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, who could then pass it on to other agencies like the FBI and NSA, who would in theory use it to defend the target company and others facing similar attacks. That landslide vote was no doubt fueled in part by a year of massive hacks that hit targets including the health insurer Anthem, Sony, and the Office of Personnel Management.
But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users' privacy. "The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government," says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. "As soon as you do, you obtain broad immunity, even if you've violated privacy law."
The version of CISA passed Tuesday, in fact, spells out that any broadly defined "cybersecurity threat" information gathered can be shared "notwithstanding any other provision of law." Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans' personal information. "Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter," says Robyn Greene, policy counsel for the Open Technology Institute. "That's a dangerous road to go down."
Attempts to add amendments to narrow the bill's focus all failed. Oh, and there's more. The Sunlight Foundation (a group devoted to government transparency) notes that CISA creates a new exemption from the Freedom of Information Act (FOIA) for information shared under the bill. They warn:
That means if they overstep and share the wrong information — as this bill seems to intend — the public won't know, and even if it did, it would have no legal recourse. Meanwhile, the minimal oversight mechanisms within the bill only require reports to be submitted to Congress — not to the public. In other words, CISA guarantees the public will have no ability to see what information is going from companies to the government.
Actual tech experts (as in, not elected political figures or government employees thirsty for data) also doubt that this sharing will do much to stop cyberthreats. And given exactly what happened with the hacking of federal employee data from the Office of Personnel Management, what happens to us if all that collected data gets stolen once it's in government hands?
Andrea Castillo previously explained why CISA doesn't work as advertised here at Reason.