Two years after CISPA, the controversial bill allowing govt access to corporate customer data, was defeated its new incarnation hit the senate. Critics say CISA lost not only one letter in the name but also the privacy safeguards of its predecessor.
The draft legislation coauthored by Senate Intelligence Committee Chairman Dianne Feinstein and Senate Intelligence Committee Vice Chairman Saxby Chambliss as approved by closed session committee.
The bill allows companies to voluntary share information on cyber-threats with government and exempts them from liability for harm done to their customers in doing so.
Opponents of the bill say in many regards it’s worse than its predecessor and are mounting a public resistance campaign, hoping it will send the draft into CISPA-like oblivion.
CISPA would allow companies share information with the government with the specific goal of fighting cybercrimes. CISA goes on to include investigation and prosecution of ID theft, economic espionage, theft of trade secrets and even violation of Espionage Act. The WW1 law the Obama Administration has used more than all previous administrations combined.
Fear CISA would become a new tool for the government to go after whistleblowers and investigative journalists reporting on leaks come as no surprise.
Data volunteered by companies under CISA would go to the Dept of Homeland Security, which in turn would be obliged to share it with the Defense Dept and coordinate countermeasures with the military.
Opponents of the bill are not thrilled to see the NSA involved in domestic cybersecurity given its Pentagon roots and its enormous surveillance reach. They say the bill actually puts the military in charge of domestic operations, a move hardly in line with the spirit of the US Constitution.
— Fight for the Future (@fightfortheftr) July 10, 2014
Not only does the bill take a catchall approach to what kind of data is regarded as “cybersecurity info” that can be given to government with impunity, it also puts little restraint on how the government would be allowed to act on it.
In theory, it allows the government to act on a website terms of service violation or infect a person’s computer with malware on suspicion of possible cybercrime.
The bill protects companies handing over customer data so broadly that merely stating that they acted on good faith seems to shield them from any legal action, whether or not violations of the Wiretap Act or other privacy protection legislation are involved.
— JamesFromTheInternet (@JamesFTInternet) July 10, 2014
Both CISPA and CISA require that the company wipes information they share from personally identifiable information. But where the former required that the company took reasonable effort to do it, the latter says it must be done only if the company knows the information is personal, if the person is a US citizen and if the information is not directly related to a cybersecurity threat.
This attempt at protecting privacy is inadequate for bill critics.
Data sharing will be shielded from public and government oversight under CISA, which excepts it from local sunshine laws and FoI requests. Removing legal means to prevent misuse of the legislation would be a major blow to transparency, the critics say.
— Access (@accessnow) July 10, 2014
Critics believe that the bill not only gives the govt too much power at the expense of public privacy protection, but also does so at a time when lawmakers should address public concerns sparked by Edward Snowden’s revelations.
The bill fails to do so and seems to protect some of the practices, like NSA’s stockpiling software vulnerabilities for espionage purposes.