For months, privacy advocates have asked Congress to kill or reform the Cybersecurity Information Sharing Act, a bill that they say hides new government surveillance mechanisms in the guise of security protections. Now the Senate has shot down a series of attempts to change the legislation’s most controversial measures, and then passed it with those privacy-invasive features fully intact.
On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law. CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, who could then pass it on to other agencies like the FBI and NSA, who would in theory use it to defend the target company and others facing similar attacks. That landslide vote was no doubt fueled in part by a year of massive hacks that hit targets including the health insurer Anthem, Sony, and the Office of Personal Management.
But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”
The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”
Before passing the bill Tuesday afternoon, Senators first voted on a series of amendments that sought to reform the bill’s privacy protections. They ultimately rejected all of them. One of those now-tossed amendments put forward by Senator Al Franken would have narrowed the definition of “cybersecurity threat” and “threat indicators” covered by the bill. Franken’s amendment lost by a vote of 35 to 60. Another amendment from Senator Ron Wyden required companies to remove personal data from those cyber threat “indicators” before sharing them unless that personal information is necessary to describe or identify the threat. It lost by a vote of 41 to 60.
CISA’s supporters argue that critics’ privacy concerns are misunderstandings. Senate Intelligence Committee chair Richard Burr last week released a list of “myths” about CISA, including its enabling of surveillance. The statement points out that CISA’s corporate information sharing is voluntary, and that companies are required to strip out personally identifiable information from any data before sharing.
“I still say today to those folks in this institution and outside this institution that are concerned with privacy, I think [Senator Dianne Feinstein] and I have bent over backwards to accommodate concerns,” Burr said on the Senate floor Tuesday morning. “Some concerns still exist. We don’t believe they’re necessarily accurate, and only by utilizing this system will we understand if we’ve been deficient anywhere.”
But privacy advocates have countered this argument about CISA’s voluntary nature by pointing out that companies could be required to participate in its data collection to receive help from the government, creating strong incentives to share data. “Not to comply might actually harm their corporate interests and put their customers at risk,” wrote Amie Stepanovich of the digital civil liberties group Access Now in an op-ed for WIRED. “A world where a company is forced to betray its users in order to protect them is backward indeed.”
And when it comes to removing users’ personal information from data before sharing it, the latest form of CISA is less privacy-protective than even the version of the bill known as the Protecting Cyber Networks Act that passed the House Intelligence Committee in March. That version of the legislation required that companies not share information that they “reasonably believe” to contain information that personal identifies users. But the same protection in the Senate bill stipulates that companies not give up information that they “know at the time of sharing” to contain that sensitive information. That lower bar means companies who don’t fully examine data they share could nonetheless pass it on to the government and plead ignorance of any users’ personal information it contains.
CISA still faces some hurdles to becoming law. Congressional leaders will need to resolve remaining differences between the bills passed in the Senate and the House. The Open Technology Institute’s Robyn Greene argues that the relatively close votes that rejected privacy-protecting amendments like Wyden’s and Franken’s show that there could still be strong debate over the details of the bill in that process. She points to the 41 votes in favor of Wyden’s amendment as a sign that the bill could even be filibustered to delay its ultimate passing into law. “There’s power in that and leverage to negotiate that Americans’ privacy is better protected,” Greene says. “There are Senators who will take a stand on this, and won’t accept a bill that doesn’t adequately safeguard privacy.”
President Obama could also still veto CISA, though that’s unlikely: The White House endorsed the bill in August, an about-face from an earlier attempt at cybersecurity information sharing legislation known as CISPA that the White House shut down with a veto threat in 2013.
CISA has faced opposition from the security community, which has largely objected to claims that information-sharing effectively stops cyberattacks. Tech firms also oppose the bills, arguing it will diminish their users’ trust in sharing private information with companies. Apple, Reddit, Twitter, the Business Software Alliance, the Computer and Communications Industry Association, and other tech firms have all publicly opposed the bill. And a coalition of 55 civil liberties groups and security experts all signed onto an open letter opposing the bill in April. Even the Department of Homeland Security itself has warned in a July letter that the bill could flood the agency with information of “dubious value” at the same time as it “sweep[s] away privacy protections.”
None of that was enough to sway the Senate against CISA. “You had computer security researchers against this bill, much of Silicon Valley against this bill, privacy advocates and civil society groups against this bill,” says the EFF’s Jaycox. “Our biggest takeaway is disappointment.”