After adopting several privacy amendments in a closed-door meeting last week, the Senate Intelligence Committee has publicly released the Cybersecurity Information Sharing Act (CISA). The bill would permit companies in the private sector to share information about their users’ Internet activity with the federal government. The Center for Democracy & Technology (CDT) welcomes many of the amendments, but still opposes the legislation.
“We are troubled that the bill continues to authorize companies to share communications information directly with the National Security Agency, and to require that information shared with one federal agency be immediately shared throughout the government, including with the NSA,” said Greg Nojeim, the Director of the Freedom, Security and Technology Project at CDT. “Information sharing is an important element of cybersecurity policy, but it must be approached carefully because the information that would be shared is derived directly from individual users’ activity online,” Nojeim added.
“This bill seems as much about surveillance as it is about cybersecurity: Everything a company shares with the government under the cybersecurity umbrella can be used for law enforcement purposes that present no imminent threat and are completely unrelated to cybersecurity,” Nojeim said. The scope of authorized law enforcement uses is broad, including ID fraud, ID theft, espionage, serious assaults, carjacking with intent to injure, extortion, arson, crimes involving firearms use or possession, bank robberies, drug robberies and many other crimes.
“Information shared for cybersecurity reasons should only be used for cybersecurity,” he concluded.
Referring to amendments that the Senate Intelligence Committee adopted, Nojeim said, “Some of the changes the Intelligence Committee made to address privacy and civil liberties concerns are substantial and welcome. For example, private entities will not be authorized to use countermeasures that destroy data on somebody else’s computer, regardless of the intent of the party operating the countermeasure. However, such countermeasures can be used to gain unauthorized access to users’ data, as well as impair authorized access and cause harm to data, so long as the harm is not ‘substantial.’”
CISA as reported can be found here.
CDT’s analysis of a draft of CISA can be found here.
A letter from security experts and civil society opposing the CISA draft can be found here.