For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law.
The Senate Intelligence Committee passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to one Thursday afternoon. The bill, like the failed Cybersecurity Information Sharing and Protection Act that preceded it, is designed to encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats. But privacy critics have protested that CISA would create a legal framework for companies to more closely monitor internet users and share that data with government agencies.
After Thursday’s vote, Senator Ron Wyden—the only member of the Senate’s intelligence committee to vote against the bill—repeated those privacy concerns in a public statement. “If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” he wrote. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”
Wyden’s exact concerns about the final bill aren’t yet clear: A dozen amendments to the bill were made in a closed-door session just before it was put to a vote, and those amendments haven’t yet been publicly released. In an interview on Bloomberg TV following the vote, intelligence committee chairman Richard Burr said that some of those newly adopted amendments were designed to prevent users’ information from being shared with government agencies. “We don’t want them to send personal data to the federal government, unless it’s absolutely crucial to show the cyberattack. So we bar them from providing that data to the federal government,” Burr said. “If it finds its way to the federal government, though, once we distribute it in real time and we realize there’s personal information, any company that discovers it has to remove it or minimize it in a way that it can’t be shared anywhere else.”
Looking at the most recently revealed public version of CISA, privacy advocates have pointed out that it would allow sharing of personal data that goes beyond cybersecurity threats. It also allows the sharing of private sector data with the government that could prevent “terrorism” or an “imminent threat of death or serious bodily harm.” That language, Open Technology Institute privacy counsel Robyn Greene has argued, means CISA might “facilitate investigations into garden-variety violent crimes that have nothing to do with cyber threats.”
“If that weren’t worrisome enough, the bill would also let law enforcement and other government agencies use information it receives to investigate, without a requirement for imminence or any connection to computer crime, even more crimes like carjacking, robbery, possession or use of firearms, ID fraud, and espionage,” Greene wrote in February. “While some of these are terrible crimes, and law enforcement should take reasonable steps to investigate them, they should not do so with information that was shared under the guise of enhancing cybersecurity.”
For the moment, however, it’s not clear how much of that potential for surveillance has ended up in the final, amended version of the bill. And Greene says that’s problematic too. “This bill has the potential to seriously harm Americans’ privacy rights,” she said in a phone interview following the vote Thursday, “and it wasn’t even debated in public.”
Check back here for updates as we learn more of the final bill’s contents.