Remember when everyone freaked about CISPA, the cybersecurity bill with scary privacy implications? CISA, a similarly-named cybersecurity bill, is here to take its place. Even after adding fifteen amendments, the Cybersecurity Information Sharing Act is a dangerous piece of legislation.
Sen. Ron Wyden (D-Ore.) was the only Senate Intelligence Committee member to vote against CISA, but he was unsparing with his criticism, calling it "a surveillance bill by another name." He's right.
Supporters say CISA will help companies share information about cyber threats with the government, and that the bill has been carefully worded to protect personal information. But critics say CISA will do far less to boost cybersecurity than it will to expand government surveillance through its loophole-happy language.
CISA, even gussied up with its amendments, kicks open a government-snooping backdoor that'd allow private companies to give the Department of Homeland Security pretty much whatever they wanted as long as it vaguely related to a cyber-threat. It also allows for "defensive measures" against these threats, but offers scant elaboration about what those measures can be beyond noting that they shouldn't cause "substantial" harm. Uh, thanks?
The terms used are so vague that they're essentially meaningless. As long as a company could engage in rhetorical gymnastics that related its data to a "cybersecurity purpose," it'd be fair game to share.
"Given what we know of intelligence agencies' willingness to stretch every privacy law to its limits, CISA could potentially authorize a staggering amount of new surveillance," Evan Greer, the campaign director for privacy advocacy group Fight for the Future, told me.
Wired's Andy Greenberg pointed out that CISA will override older privacy laws like the Privacy Act of 1974, making the bill hard to counter.
Oh, and the DHS would automatically share the information with the NSA, the Department of Defense, and the Office of the Director of National Intelligence, so your information could potentially get pored over by a wide variety of government agencies, not just one.
The NSA has whatever the opposite of a good track record is when it comes to abiding by privacy guidelines, so of course there's concern that automatic sharing with the NSA will result in the broadest possible interpretation of the already-menacingly-vague rules laid out here.
The bill doesn't require companies to strip personal information before handing it over to the government, as long as the information hasn't been proven to be disconnected from the matter at hand. And while it does encourage companies to weed out irrelevant personal data, it's much easier for companies to err on the side of not redacting personal data, or not bothering to find out whether shared information is related to the threat at all.
That's a problem: CISA grants broad immunity to private companies, which means they'll have zero incentive not to overshare your personal information. CISA would shield companies from Wiretap Act violations, for example.
They'll also have zero incentive to be conservative when launching their "defensive attacks." Companies can launch computer network attacks as a "defensive" measure as long as they don't totally destroy a suspected thief's computer, for example. That'd be fine if companies could be sure they were attacking the right computers. But with so many ways for cybercriminals to hide their locations and push their dirty work onto zombified computers, there's a lot of room for damaging the computers of innocent people.
Public outcry helped kill CISPA (twice) and even though senators keep trying to revive its zombified corpse, there's pushback to block the bill again, including a veto promise from President Obama. CISA, meanwhile, is enjoying much less blowback even though it's just as privacy-corroding as CISPA.
There are plenty of reasons for people who care about privacy to be anti-CISA. But even if you're like "hell yeah, bring on the NSA snooping, please," this bill is trash. Most major tech companies already share threat information with each other, and it hasn't exactly stanched the steady increase in cyber-attacks.
It's tempting to succumb to outrage fatigue here. We've already dealt with so many crappy, privacy-trampling cybersecurity bills. And there are sure to be more and more to come. But these bills keep cropping up because our government cares more about information control than it does about the privacy of its citizens. The only way to prevent one from eventually passing is to keep caring and letting Congress know these bills are unacceptable each time one is introduced.