Proposed cyberlaw gives feds too much access to our data


So much for congressional gridlock. On Tuesday, the US Senate voted on the Cybersecurity Information Sharing Act (CISA), a bill to help protect our digital data. It passed 74 to 21 — not even close.

But the nation’s top tech companies, including Amazon, Google, Microsoft, Twitter, and plenty more, are all against it, because so many of their users think the new bill will give the US government easy access to their personal data.

“CISA is not a cyber-security bill at all. It’s a surveillance bill,” said Evan Greer, campaign director at Fight for the Future, a Boston-based Internet activism group that’s been battling the bill for months.

CISA will encourage companies hit by online criminals to share data with federal investigators in order to devise better defenses. But it could also deliver sensitive data on millions of Americans to the same intelligence agencies that for years have secretly tracked our cellphone calls and monitored our Google searches.

In the aftermath of a hack attack, companies scour through their stored data looking for the criminals’ digital fingerprints. They search corrupted files, questionable e-mails, buggy software, suspicious Internet addresses — anything that might offer a clue. But since the bad guys often attack multiple targets, they might be easier to track if all the victims share their data with the Internet cops.

It’s not a new idea. There are already many private- and public-sector data-sharing programs. And given the frequency of big-time hack attacks, it’s not clear that they’re doing much good.

But security maven Bruce Schneier, a fellow at the Berkman Center for Internet & Society at Harvard University, said data sharing could pay off in the long run. “It might help prevent the next attack,” Schneier said. “It’s all about learning from the present to protect the future.”

CISA would exempt companies from the usual federal privacy protections when they share data about hacking episodes with US cybersecurity agents. No worries, we’re told, since CISA has a privacy clause of its own. Too bad that it’s so weak.

Under CISA, companies must delete personal information from the files they give the government, but only if they know that the information is not relevant to an investigation. How can a company know this in advance? The safe and simple solution is for the company to hand over everything. And thanks to CISA, they can do just that, without fear of being sued for violating their customers’ privacy.

Personal data rarely matter to cybersecurity experts. They’re looking for bugs and malware, not names and addresses. So CISA would be just as effective if it required companies to delete all personal stuff before handing over the rest. But an amendment to that effect was voted down.

To be sure, CISA doesn’t let the government fish randomly through corporate databases in search of hackers. Companies must share the data voluntarily. But with the nation’s largest enterprises under constant attack, they’ll always have a reason to hand over more and more.

And they’re handing it to the same federal government whose Office of Personnel Management suffered one of the biggest data ripoffs ever, after hackers stole the personal files of 22 million people. The Postal Service, the IRS, and the White House have been hit recently as well.

Information collected under CISA will be shared with at least seven federal departments — Commerce, Defense, Energy, Homeland Security, Justice, Treasury, and the Office of the Director of National Intelligence, home of the National Security Agency and Central Intelligence Agency. That’s seven bites at the apple for would-be data thieves.

Some rubbish in the original bill has been tidied up. Cops would have been allowed to use the data to investigate many different kinds of non-digital crimes, such as armed robbery and bank fraud. These have been narrowed to a mere handful of offenses. Also, an early version of the law would have let companies launch online counterattacks against hackers, which might have harmed other companies’ computer systems. The final version explicitly bans such foolishness.

Still, the personal information loophole could make CISA as much of a threat to privacy as any gang of hackers. A couple of years ago, I’d have shrugged off such concerns as mere paranoia. But the revelations of NSA turncoat Edward Snowden leave no doubt that in its quest for ever more of our data, the US government will use every loophole the law allows. CISA creates a big one.

But there’s still hope. CISA now goes to a House-Senate conference committee, which will try to create a final version for the president’s signature. Let’s hope they plug in an airtight privacy clause. Or come down with a really bad case of gridlock.

Hiawatha Bray is a technology reporter for the Boston Globe. E-mail him at h_bray@globe.com.