Controversy surrounds recent cybersecurity legislation
Published 8:50 am Wednesday, January 6, 2016
A bill that received overwhelming support from the House and Senate, as well as a signature from the President on December 18, has been criticized as a vehicle for government surveillance under the guise of enhancing Internet security.
Numerous civil liberties organizations and businesses have taken positions against the bill, staging protests and sharing petitions, while others back it, saying something must be done to prevent future attacks.
The Cybersecurity Information Sharing Act (CISA) authorizes the sharing of information about “cybersecurity threats” or “security vulnerabilities,” between companies, networks and federal and state agencies of the United States Government in order to improve cybersecurity.
Critics say the federal bill is too vague about what may be shared and fear it will give companies immunity from violating privacy rights, while giving the government access to private personal information.
“CISA is more than just a bad solution to a serious problem,” said a statement released by the American Civil Liberties Union while the bill was being debated. “It would actually make cybersecurity worse while compromising basic democratic protections for personal privacy. The Senate must reject this surveillance bill.”
The Computer and Communications Industry Association, which represents companies including Amazon, Google, Facebook, eBay, Microsoft, Pandora, PayPal and Yahoo, opposed the bill. Websites Twitter and Reddit stood against it along with Fight for the Future, a digital rights advocacy non-profit.
“It’s clear now that this bill was never intended to prevent cyber attacks,” wrote Fight for the Future Campaign Director Evan Greer on the organization’s Tumblr page. “It’s a disingenuous attempt to quietly expand the U.S. government’s surveillance programs, and it will inevitably lead to law enforcement agencies using the data they collect from companies through this program to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security.”
Supporters believe a law like this is necessary to help secure networks by allowing companies to share data with the Department of Homeland Security without violating privacy laws. Then, DHS can advise administrators of other companies of perceived threats.
“This landmark bill finally better secures Americans’ private information from foreign hackers,” said Sen. Richard Burr (R-NC), who chairs the Select Committee on Intelligence (SSCI). “American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks.”
“This legislation gives the government and U.S. companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years.”
Most agree that something should be done to improve cybersecurity in light of recent attacks and the use of social media by ISIS. The debate pivots on the point that perhaps, by releasing a broad range of information to the government, companies may be compromising their clients’ privacy more than protecting it.
Companies have a real concern about keeping customer information private, said Dr. R. Andrew Dunn, communications law professor and communication department head at East Tennessee State University. Dunn said companies have no reason to fear the government is going to steal all their consumers’ credit cards, but, he added, if their customers’ privacy was invaded, the company would take the blow. For many networks, stopping that one hacker would be worth it, Dunn said.
“In a way, a lot of these laws are a leap of faith that the government is there to protect and not to spy on its own citizens, but you also have to have faith that a company is only going to share what it’s supposed to,” said Dunn. “There is a real reason to be concerned about cyberterrorism, but critics don’t think this is the way to do it.”
The law says entities are only supposed to give cybersecurity threat information, the definition of which Dunn described as “nebulous.” He said this immunity given to companies to share client information is “widening the net” for law enforcement to gain intelligence.
“The ultimate concern for critics is that private companies aren’t really going to understand what to share or not to share, so they may just share everything,” he continued. “The law also says to remove private information, but if people don’t do that — it leads to the concern that private entities are just going to throw everything at the government that they can.”
Dunn noted that the bill does not require companies to participate, but only makes it possible by creating a sort of loophole in previous privacy laws, whereas in the past, this sort of data collection would have required a warrant.
Just ten days before CISA was signed into law, the SSCI introduced a separate act, the Required Reporting of Online Terrorist Activity Act, which SSCI Vice Chair Dianne Feinstein (R-CA) said would not require companies to take any additional action to discover terrorist activity, but “merely requires them to report such activity to law enforcement when they came across it.”
Within three days, she and Burr received a letter endorsed by nine notable Internet and technology associations in opposition. These include CCIA, Internet Association, and Application Developers Alliance among others.
The letter states, “Companies will err on the side of over-reporting because they will be liable if they fail to report content, which is exacerbated by the requirement to report facts and circumstances connected to a vague concept of ‘terrorist activity.’ This would also potentially raise First Amendment and privacy concerns for the user who posted the item.”
The letter criticized the breadth of territory that would be subject to reporting, including public and private information like data in cloud storage.
It also noted that a section of the Intelligence Authorization Bill was removed this year as a result of opposition to language that posed similar concerns.
While some fear that the passing of CISA is just a step towards unconstitutional citizen surveillance, to be followed by a number of other acts, watchdog groups and technology associations are on their toes to protect First Amendment privacy rights. Dunn said that the support of the House, Senate and President shows that people really are concerned, despite there being no easy answer.
Companies also have a responsibility to their clients, Dunn pointed out, because they have privacy agreements and the trust of their clients to protect. He said companies have been gathering data for a long time, and those efforts have not always succeeded in preventing data breaches.
“We don’t know yet how effective this is going to be,” said Dunn. “A lot of critics point out that people with advanced knowledge of hacking don’t use traditional means of acquiring information, so the idea of catching an advanced hacker by the way that companies monitor its data — it’s probably unlikely. Hackers are well-trained in how not to be detected, so that poses another question.”
Regardless of people’s opinions on the law as it stands, it currently poses no requirement for any entity to divulge information to DHS.