The Senate Intelligence Committee today approved a cybersecurity bill that would encourage companies to share information about threats with each other and the federal government. The Senate group voted 12 to 3 to advance the bill. It should see a full vote this year.
The Cybersecurity Information Sharing Act (CISA) came under staunch criticism from privacy advocacy groups following its introduction in June. Complaint stemmed from the bill’s broad definitions that could be open to abuse, lack of Department of Homeland Security oversight and immature — at best — minimization techniques to protect the privacy of American citizens. They also question the sharing of information with not only the National Security Agency (NSA), but also layers of government that would have wide purview to use the shared information for non-cybersecurity purposes.
The above fears are compounded in the light of former government contractor Edward Snowden’s revelations, which showed the executive branch’s willingness to use loopholes and more to pervert law to better collect the data and communications of U.S. citizens.
“In the year since Edward Snowden revealed the existence of sweeping surveillance programs, authorized in secret and under classified and flawed legal reasoning, Americans have overwhelmingly asked for meaningful privacy reform and a roll back of the surveillance state created since passage of the Patriot Act,” the privacy groups wrote in a letter. “The bill would do exactly the opposite.”
The bill would take down existing legal barriers so the private sector would be free to hand over data relating to cyber threats to other companies and the government to improve security. The bill, however, as the ACLU and others have pointed out, would not do an even decent job at curtailing the collected information for that purpose.
So the incentives in place could be used, under the broad definitions that it sets out with regards to cyber threats and response thereof, to garner data not specifically for cybersecurity purposes. The data could then be shared broadly within the government because the bill would provide few controls regarding its use.
The bill would also give government agencies wide range for disclosure, retention and use of the cyber threat information they are provided by private companies. The bill would allow the data to then be used for prosecution of a wide range of crimes, including those under the Espionage Act.
Sen. Dianne Feinstein, D-CA, said the bill “provides important protections” to prevent privacy violations when she announced the legislation. The bill would require companies sharing information to remove personally identifying information of “known” United States persons. It isn’t hard to understand that private corporations are not choice arbiters of citizenship. Given the wide use of online pseudonyms and the like, it could become difficult to determine and decide who is in fact a citizen, and who is not.
Under the current language, privacy advocates worry the government is not taking any steps to filter this information. The Department of Homeland Security (DHS) would act as a portal for information collected under the purview of the proposed law. DHS would then automatically share the information with other agencies, including the NSA. The Center for Democracy and Technology noted the bill “fails to address recently disclosed cybersecurity-related conduct of the NSA.”
Thus, often, unminimized communications and other data of American citizens could be shared with the United States government by a corporation shielded by law from any legal response from the parties impacted. If this doesn’t sound brilliant to you, join the rising chorus.
The bill would also exempt itself from its feeble protections for American information when the issue at hand relates “directly” to “a cybersecurity threat.” The irony sings.
Privacy advocates worry the government could use cybersecurity information in pedestrian criminal proceedings because the bill does not expressly prevents the government from doing that. The language is almost humorous:
So the government can use the provided information for cybersecurity, imminent death, or whatever the hell else it wants.
Privacy groups are also worried that the definition of “cybersecurity threat” that the bill contains could be exploited to include whistleblowers. The broader the language, the more actions it can endorse and legally support. And when few protections are in place to guard against abuse, you have a toxic mix.