The Cybersecurity Information Sharing Act (CISA) has passed the US Senate with 74 to 21 votes in favour of the controversial legislation.
On Tuesday a vast majority of the Senate passed new legislation allowing corporations to share users’ personal data with federal agencies based on the exchange of data for regulatory immunity. The bill drew widespread concern from tech and industry experts, as well as charities and groups campaigning for civil liberties and better privacy laws.
What is CISA?
CISA was introduced to the public arena a week ago to bipartisan support. Among other things, the legislation offers companies immunity from external and federal regulators and from Freedom of Information Act requests in exchange for a share in users’ personal information.
The legislation was drawn up in private with the only consistent support coming from outside the Senate – the corporate lobbying group The US Chamber of Commerce. Media support has come from both the Washington Post and the Wall Street Journal, both publishing articles supporting CISA yesterday.
The legislation will give the government access to sensitive data from millions of American citizens, including information concerning finance and health. The mined data will come from the private industry, which currently includes masses of sensitive data such as credit card statements and drug prescription receipts, which many argue will lead to user-targeted advertising.
Those pushing through the bill intend to establish a program at the Department of Homeland Security (DHS) where corporations can share mass data with various government agencies.
In defence of a wave of criticism, proponents have said that collected data would be ‘anonymized’, therefore protecting citizen data.
Senate members and co-sponsors Dianne Feinstein and Richard Burr defended the bill, arguing that mitigating amendments were unnecessary, including an amendment detailing the right for a citizen to be notified when his/her data is retained. In total four Senate members put forward amendments, though all were rejected, including senator Ron Wyden’s, which only lost by a slim margin.
Those members who voted against the bill include democratic presidential candidate Bernie Sanders and the Republican contender Lindsey Graham. Another Republican candidate, Rand Paul, was not present at the time to vote, despite championing freedom from online surveillance in his electoral campaign.
Now that CISA has passed the Senate it must now pass the House of Representatives, a process that many deem easy in contrast to the opposition faced by senators. The bill will then face a final negotiation by the House and the Senate until it makes its way to the White House.
Since CISA was announced last week it has garnered widespread criticism from government sources, corporations, civil rights groups, and individuals. NSA whistleblower Edward Snowden warned that it would allow the government to collect sensitive personal data at will. In a tweet posted yesterday, he said:
— Edward Snowden (@Snowden) October 27, 2015
Tech blogger Brian Krebs also criticised the bill in a post on his blog, Krebs on Security, arguing that CISA will be detrimental to national security because the federal IT network is spread too thinly and requires major upgrading.
Several large tech corporations, including Apple, Facebook, Google, and Yahoo, have said that CISA will damage user privacy. Though privacy advocates have accused Facebook of quietly supporting the legislation. In a statement issued last Thursday, the Computer and Communications Industry Association (CCIA), which represents the corporations mentioned, said that CISA could lead to ‘collateral harm’ to ‘innocent third parties’. Several of the corporations have also released individual statements criticising the bill.
Apple made its opposition clear last week when a spokesperson said: “We don’t support the current CISA proposal”. They added, “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” Dropbox, Reddit, Wikimedia, and Salesforce delivered similar statements.
A cohort of specialists in tech legislation, including many University professors from the Princeton Center for Information Technology Policy, sent an open letter to the Senate on Monday, arguing that CISA effectively nullifies the Freedom of Information Act (FOIA). In it, they argue that CISA would allow ‘voluntary’ sharing of heretofore private information with the government, allowing secret and ad hoc privacy intrusions in place of meaningful consideration of the privacy concerns of all Americans’.
A handful of organizations have welcomed CISA, including the American Banking Association and the Telecommunications Industry Association (TIA). In a recent statement, TIA said: “The legislation passed by the Senate today bolsters our cyber defenses by providing the liability protections needed to encourage the voluntary sharing of cyber threat information,” adding, “We applaud the Senate for moving this important bill and urge Congressional leaders to act quickly to send this bill to the president’s desk.”
Some argue that because Facebook and other tech corporations already operate their own cyber-threat-sharing programs and CISA will be little use to them, but the immunity on offer could prove attractive.
Others believe that CISA reflects concern registered separately by government and corporations about external cyber-attacks, particularly in light of recent mass data breaches. Robyn Greene from the New America Foundation called CISA a ‘do-something’ bill, adding that “The Sony hack really changed the conversation,” and “You can see that in the way the administration approached cybersecurity – they stopped saying “This is something that has to get done right’ and started saying ‘This is something that has to get done now.””