The Senate just passed a cybersecurity bill that won’t do shit to prevent hacks. What it will do is help the government spy on its citizens.
The Cybersecurity Information Sharing Act (CISA) passed Senate today with a vote of 74-21. All five amendments proposed to water down the bill’s broad language and spying permissions failed, and the Senate also passed a motion to prevent filibusters.
If CISA sounds familiar, it should: Like a horny zombie looking to skullfuck the nation’s privacy, it’s similar to CISPA, an older cybersecurity bill that would let private companies turn over personal data to the government, as long as the information fell under a broad definition of relevance.
This is why you should care about it.
CISA is designed to help companies like Google or Facebook share information about possible cyberattacks with the government. And by information, I mean user data. If two ISIS bros are obviously plotting 9/11 pt. 2 via Twitter DM, CISA is theoretically supposed to make it easier to get that information to the right people.
Cybersecurity in the US is a mess right now. The problem isn’t the general idea of information-sharing—it’s the execution. The language in the bill is so broad that it could undermine existing privacy laws. Even the Department of Homeland Security said CISA could undermine the Stored Communications Act, which protects personal data from undue government prying.
Aside from screwing with existing privacy laws, CISA has no safeguards to prevent companies from sharing irrelevant personal information, just vague wording about the need for a “cyber threat indicator” to give up the digital goods.
Companies won’t need to redact any personal signifying information in the data they send, unless they have proof that it the personal data is NOT related to the “threat.” Since CISA protects companies from legal liability for the data they pass along, there isn’t any incentive to redact anything.
“The sponsors set up a test that virtually guarantees there won’t be any serious effort to weed out unrelated information,” Sen. Ron Wyden (D-Ore.) told me. Wyden is a vocal opponent of CISA, and he’s not done fighting it, despite today’s vote. Wyden spearheaded the campaign against SOPA and PIPA, and he’s hoping for a similar rallying moment online.
If CISA becomes law, the Department of Homeland Security will share the data it funnels from tech companies with the National Security Agency as soon as it comes in. Wyden calls this a “direct pipeline to the NSA.”
The DHS will also immediately share all the data with the Department of Defense, and the Office of the Director of National Intelligence, so any information companies pass along will be fair game to get pored over by multiple government agencies.
High-profile hacks like the OPM breach have Congress scared, and eager to pass any bill with “cybersecurity” in the title. But creating a centralized portal for the information of millions of people is a dangerous game.
“I think that handing over this personal information is something that foreign hackers are going to pay attention to,” Wyden said.
CISA gives tech companies free reign to pass data along, but most major tech companies hate this bill because they have the foresight to realize it’s a privacy shitshow. “We don’t support the current CISA proposal,” Apple said in a statement last week. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
It’s not just tech companies that hate the bill. Privacy activists are pissed about it. Here are some reactions from prominent groups:
“This vote will go down in history as the moment that lawmakers decided not only what sort of Internet our children and our children’s children will have, but what sort of world they will live in. Every Senator who voted for CISA has voted for a world without freedom of expression, a world without true democracy, a world without basic human rights.” - Fight the Future
“This bill will make our digital lives both less secure and less private. It will funnel an enormous amount of sensitive information into government hands, where it can be used in cases that have nothing to do with cybersecurity. The government will be able to use this private data for programs that look exactly like the mass NSA surveillance revealed over the past several years. We thank those senators who sought to improve the bill, and especially those who opposed it outright, but this is a bad day for civil liberties.” - Gabe Rottman, legislative counsel in the ACLU Washington Legislative Office
“The Senate voted for a bill that could allow companies to transfer vast amounts of private citizens’ personal data to government databases. That’s a cybersecurity problem, not a cybersecurity solution. This bill places our privacy at needless risk while ignoring the basic security measures technologists have long advocated, such as strong encryption. When will Congress get serious about protecting our privacy and security?” Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice
I’ve written about CISA before, and what I said then bears repeating. Public outcry helped get rid of CISPA twice, along with SOPA and PIPA. Batting down these careless bills can feel like state-sponsored Whack-A-Mole, but the other option is just accepting them.
The only way to prevent one from eventually passing is to keep caring and letting Congress know these bills are unacceptable each time one is introduced.