While some lawmakers claim that a threat information-sharing bill, called CISA, was amended with substantial privacy provisions – privacy experts worry that that the bill still lacks enough protections.
Last Thursday, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act (CISA) in a 14 to 1 vote (that followed a closed door session where several amendments were added to the bill).
The legislation, which is said to advocate information-sharing between private companies and government to thwart cyberattacks like the one's striking Sony and Anthem, was strongly contested by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and other privacy rights groups and security experts earlier this month, who said that the bill lacked ample privacy protections in its drafted form.
Now that the text of the newly amended bill is available (PDF), grievances remain for some concerning the process through which companies would share information with the government.
In a Thursday interview, Gabe Rottman, legislative counsel for the ACLU, told SCMagazine.com that “it's not clear that there would be adequate privacy protections on the front-end when the information is shared with the government.”
“Once that information is shared, it can flow through the government, including to the Department of Defense, which includes the NSA,” he explained.
Notably, Sen. Ron Wyden, the sole lawmaker to vote against the bill last week, said in a statement that, “If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill – it's a surveillance bill by another name.”
In his interview with SCMagazine, ACLU's Rottman added that the scope of surveillance programs revealed by Edward Snowden have shown the government's “tendency to stretch the law as far as it will go,” to further surveillance.
“Here, the information would go to DHS, but it could be shared it in real-time without a privacy sweep, including with the National Security Agency,” Rottman said.
In Thursday email correspondence with SCMagazine.com, Mark Jaycox, a policy analyst and legislative assistant at EFF, also addressed concerns that threat information shared by private companies could ultimately end up in NSA's domain.
“The bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called ‘cyber threat indicators,' freely with government agencies like the NSA,” Jaycox wrote.
He added that the bill also authorizes companies to launch countermeasures (or “defensive measures,” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat” – but that the term “cybersecurity purpose” is too broadly defined along with “cybersecurity threat.”
In a rebuttal to mounting criticism of the bill, Sen. Dianne Feinstein, D-Calif., issued a press release Wednesday on the approved version of CISA.
In an effort to clarify “common misconceptions” about the bill, the release assured the public that the legislation contained “no surveillance authority,” and that the definition of “cyber threat indicator” was written to “prevent the government from receiving information outside of cyber threats,” as part of the sharing process.
Regarding the bill's authorization of “defensive measures” for companies, Feinstein's office said that the bill “makes clear [that] this authorization does not extend to actions taken to harm computer networks.”
“The bill also does not include liability protection of the use of defensive measures,” the release said.
