CISA, or the Cybersecurity Information Sharing Act, was passed by the U.S. Senate despite a long list of tech companies, protection groups, and individuals voicing their protest. The bill passed in a 74 to 21 vote on Tuesday, bringing what many see as little more than a broad sweeping surveillance scheme another step closer to becoming law.
Senate passes CISA bill, chips away at privacy
The bill, which closely mimics similar legislation the House of Representatives already passed, lets companies share cybersecurity threat information with the Department of Homeland Security, who then can pass the data on to the NSA, FBI, CIA, and other agencies. The idea is that the collective data will help prevent future tech-related attacks on U.S. businesses.
The idea seems good on first glance, but the very companies the bill is designed to protect are speaking out against it over concerns that it strips away the privacy of their customers. Companies such as Twitter, Dropbox, reddit, Yelp, and Salesforce oppose the bill.
Most recently, Apple voiced its opposition, too. The company issued a statement saying, "The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy."
Electronic Frontier Foundation Legislative Analyst Mark Jaycox said,
The passage of CISA reflects the misunderstanding many lawmakers have about technology and security. Computer security engineers were against it. Academics were against it. Technology companies, including some of Silicon Valley's biggest like Twitter and Salesforce, were against it. Civil society organizations were against it. And constituents sent over 1 million faxes opposing CISA to Senators.
He said both the House and Senate bills are so flawed that they don't do anything to address the issues which led to the massive data breaches they propose to prevent.
The bill's wording gives companies an easy out for handing over personal information about their customers, and any concerns over privacy violations are moot thanks to the broad protections it includes. The bill says companies can share data about cybersecurity threats—a term that's vaguely defined in a way that could include almost any information—with the government "notwithstanding any other provision of law." In other words, all privacy protections for email, phone calls, financial information, health data, and more are essentially wiped away.
The bill is so poorly worded that even the Department of Homeland Security is concerned despite the fact that it would have nearly unlimited access to our personal data. DHS representatives told the Senate (PDF) the collected data would be of little value, and that it "sweeps away privacy protections."
When the Department of Homeland Security says you've gone too far, it's time to listen.
CISA now faces a joint committee composed of Senate and House members who will work out the differences between their versions of the bill. The combined version will eventually go to the President where it could face a veto, although that isn't likely since the White House has already come out in support of the legislation.
Still, it's a rare day when the DHS and EFF are on the same page. Mr. Jaycox echoed DHS concerns saying, "The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities."
Despite unwavering opposition, the House of Representatives and Senate seem hellbent on pushing CISA into law. Once that happens, citizens and companies will have lost even more privacy protections, the Department of Homeland Security will be overrun with data it says has "dubious value," and our trust in the government will have eroded a little more. There are no winners here, not even the legislators working to make CISA law.