On Tuesday the US Senate will meet in a closed-door session to mark
up the forthcoming Cybersecurity Information Sharing Act of 2014 (CISA) –
and the proposed new rules on data sharing between big biz and
government have privacy groups seriously worried.
CISA is an offshoot of the proposed Cyber Intelligence Sharing and Protection Act (CISPA), which was
introduced nearly three years ago and has had a
rocky road.
The ostensible reason for the new law is to formalize information
sharing between the US government and companies on ongoing security
threats – provided firms hand over users' information to the government
to help identify new attack vectors.
CISPA
passed a vote in the US House of Representatives, but went no further. CISA is the Senate's
response to CISPA, and was cowritten by NSA-friendly Dianne Feinstein (D-CA), chairwoman of the Senate Select Committee on Intelligence.
The
new bill is somewhat broader in scope than CISPA and the language used
so far has led more than 30 groups, from both sides of the political
spectrum, to issue an open letter on its failings.
"In the year
since Edward Snowden revealed the existence of sweeping surveillance
programs, authorized in secret and under classified and flawed legal
reasoning, Americans have overwhelmingly asked for meaningful privacy
reform and a roll back of the surveillance state created since passage
of the Patriot Act. This bill would do exactly the opposite,"
the open letter [PDF] warns.
Under
the terms of the new legislation, the government would be allowed to
collect people's data from firms not just for cyber threats to
infrastructure, but also for terms of service violations, the
prosecution of identity theft, aiding prosecutions under the Espionage
Act, or even to find the identity of whistleblowers.
The data that
companies hand over should be stripped of personally identifiable
information, but according to the new bill this only applies if the
supplying firm has evidence that the user is a US citizen and if the
information isn't directly related to a "cybersecurity threat."
In
addition, companies that take part in such information sharing are
exempt from public disclosure laws that would require them to tell users
what is going on. Government agencies using that data also get broad
liability protection and have very limited oversight.
"We do not
discount the legitimate dangers posed by cyber threats, both from
domestic criminals and hostile foreign powers," concludes the letter
writers – which include the likes of the EFF, the ACLU and the National
Latino Farmers and Ranchers Trade Association.
"But, as with all
national security authorities, we need not sacrifice crucial civil
liberties and privacy safeguards, and especially whistleblower
protections, in order to effectively address such dangers. We urge the
committee and Congress to carefully reconsider CISA as drafted, and to
bring it in line with our law, our Constitution and our national
values."
The White House has shown concern over the overarching scope of the CISPA/CISA legislation and
sort-of threatened to veto the laws as they stand – but we all know how jellylike President Obama's promises can be.