Critics say Cyber Information Sharing Act could violate privacy and be unproductive
by Larry Magid
A controversial cybersecurity bill working its way through Congress has raised concerns not just of civil liberties groups but also of some leading scientists and security experts who worry that it could be counterproductive.
The Cyber Information Sharing Act, or CISA, encourages private companies to share information with the federal government and local law enforcement. The bill, according to its co-author, U.S. Sen. Dianne Feinstein, D-San Francisco, would remove legal barriers for companies to share, receive and use cyber threat information and cyber countermeasures “on a purely voluntary basis,” while also providing liability protection if user or customer data is shared.
Both the House and Senate intelligence committees support the bill and it is also supported by several technology organizations including the National Cable Telecommunications Association, CTIA — The Wireless Association, and the United States Telecom Association. In a letter last year to Senate leaders, the CEOs of these associations wrote “today’s legal uncertainties prevent the private and public members of the Internet ecosystem from sharing critical cyber threat information in real-time,” as they emphasized “the importance of removing those legal uncertainties while, at the same time, providing important privacy and civil liberties protections.”
But the bill has its critics. An open letter signed by 68 organizations and security researchers urged senators to oppose the bill arguing that “CISA would significantly increase the National Security Agency’s (NSA) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity.”
The letter alleges that the bill “fails to provide both strong privacy protections and adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government. Signers included a number of well-known organizations including the Center for Democracy and Technology, American Civil Liberties Union, American Library Association, Human Rights Watch and Electronic Frontier Foundation. They were joined by leading security experts including Ronald Rivest of MIT and prominent cryptographers Bruce Schneier and Jon Callas.
Senate Intelligence Committee Chair Richard Burr (R-N.C.) of course disagrees.
“The bill includes a number of significant modifications from previous versions,” he said in a statement. “These changes address a range of concerns, notably those raised by privacy advocates.” He was echoed by Feinstein who asserted that “there has been misinformation about this bill,” and that “the goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — not personal information.”
Passing on personal information to government
Drew Mitnick, policy council at digital rights group Access, worries that the bill could still allow companies to pass on personal information, despite its authors insistence that such data would not be collected.
“This is a bill that would grant companies pretty exhaustive immunity from lawsuits for transferring information to the government and that information would often contain personally identifiable information,” he said. He noted that it places “only a narrow requirement on companies to actually remove private information.”
One of the problems, said Evan Greer, campaign director of Fight For the Future, an advocacy group that is helping to lead the fight against CISA, is that “the bill is based on fundamentally flawed logic. The problem with the OPM (Office of Personnel Management) data theft wasn’t with information sharing, it was that government was not using basic security practices. Essentially they weren’t locking their front door.” The same can be said for the Sony data breach and many other well-known attacks where systems’ technology was vulnerable or employees failed to practice basic security precautions.
Greer and some other critics of the bill argue that the real purpose is to give the NSA and other government agencies more power to gather information on ordinary people. Greer said that “the bill would allow exactly the type of surveillance that Edward Snowden revealed.” He said that the information would be made available to the Department of Defense, which includes the NSA.
In fairness, the bill does have a provision requiring private companies to “assess whether a cyber threat indicator contains any information that the entity knows at the time for sharing to be personal information” and to remove that data, but there is also a clause that protects companies from liability if personal information is shared. So there do not appear to be any consequences other than a big “oops” if a company winds up accidentally turning over personal information to the government. And, given the scale at which these companies operate, such accidental disclosures are almost inevitable.
For me, taking a position on a security bill is hard because I don’t have an independent way to get all the facts. Both sides, of course, make compelling arguments. It’s hard to argue against government officials who say that they need better information to protect us against cyber attacks or threats to our national security and personal safety. But it’s also hard to argue against well-respected civil liberties advocates, legal scholars and some of the world’s leading authorities on cybersecurity, when they say that this legislation is both unnecessary and potentially threatening to our privacy and the security of our personal information.
While I have no quarrel with government and private companies sharing information on best practices and collaborating on finding strategies to thwart attacks, I am bothered by the idea of private companies being encouraged to turn over data to the government that could include information about their users or customers.