Last week the US Senate passed the much debated and controversial Cybersecurity Information Sharing Act (CISA) 74 to 21, with the bill now moving forward to a conference committee.
The bill, if it becomes law, will allow authorities greater reach into companies’ data say opponents.
Drafted to combat the wave of cyber-attacks and data breaches, the law would allow for companies to share their data with the Department of Homeland Security, which could in turn share that data with the NSA or FBI. Proponents say the sharing is voluntary but this has been questioned by opponents. Just how voluntary will it be?
Many civil rights and digital rights groups including the Electronic Frontier Foundation (EFF) have stood firmly against CISA over the last few months. Several major tech companies, such as Twitter, Apple, and reddit, have all voiced their concerns over the law.
On the other side, the American Banking Association and the Telecommunications Industry Association have backed CISA while Facebook has denied allegations that it has secretly lobbied for the bill.
In the lead up to the vote, opponents had campaigned hard for a number of amendments to be made to stem any possible overreach by authorities but their efforts proved to be fruitless in the end.
A group of academics from Princeton’s Center for Information Technology Policy sent an open letter to the Senate criticizing the bill ahead of its vote too. While CISA is presented as a cybersecurity protection bill, the letter’s authors say it will do very little for preventing cyber threats as it fails to encourage companies to bolster their own protections and instead, just offload the data.
Image courtesy of Getty Images. Photo by Nicholas Kamm.
Mark Jaycox from EFF has described CISA as “fundamentally flawed” and a framework that allows companies to collect large amounts of data on users and customers and freely hand that data over to the government with little regard for privacy. These exchanges, opponents fear, would go unnoticed and would not be subject to Freedom of Information requests.
Executive director of the Freedom of the Press Foundation, Trevor Timm, further excoriated the bill. “Try asking the bill’s sponsors how the bill will prevent cyber-attacks or force companies and governments to improve their defenses,” he wrote. “They can’t answer.”
Furthermore, opponents have pointed to the recent OPM data breach and the hacking of CIA director John Brennan as evidence that the authorities have a poor record in safeguarding private data.
A few days removed from the vote, opponents are pushing for changes to be made to the bill at the forthcoming committee stage while companies big and small are gathering their thoughts on what the future will look like for data and their customers’ privacy.
Elissa Shevinsky, CEO of Jekudo Privacy Company, a cybersecurity start-up, wrote in an op-ed that CISA, if passed into law, would gut user confidence in privacy policies as they would be rendered meaningless if companies had the option to collaborate with the government on increased data sharing.
Shevinksy adds that CISA will have implications internationally, noting that colleagues have left the country due to concerns over weak privacy laws. The integrity of data is under the limelight more than it has ever been with the recent scrapping of Safe Harbor, which allowed the transfer of data between the EU and the US meanwhile Microsoft continues to contest a US search warrant for data held overseas.
Experts and reporters now continue to disseminate the finer points of the bill. A Guardian report last week revealed that if passed the bill would give authorities greater opportunities to pursue foreign cybercriminals if the crime involves an American company.
“[I]f a French national hacks a Spanish national’s MasterCard, she could be subject to 10 years in US prison under laws changed by the bill,” said the report.
“[The Senate] chose to do the wrong thing,” said Jaycox, who added that the EFF has not given up on its campaign against CISA and will continue to fight it over its next few steps.