CISPA returns as CISA -- and it's just as terrible for privacy

Defeated twice before, rebranded Cybersecurity Information Sharing Act is as vague, broad, and detrimental as the original bill

Leave it to Congress to keep recycling the same old, rejected ideas. A year after Edward Snowden's revelations about overreaching government spying and amid calls by tech companies to reform surveillance practices, CISPA is once again rearing its ugly head.

You remember the Cyber Intelligence Sharing and Protection Act: introduced in 2011 but failed to pass the Senate, then reintroduced in 2013 only to be beaten back a second time. This go-around, Senators Dianne Feinstein (D-Calif.) and Saxby Chambliss (R.-Ga.) have stripped out the mention of "protection" and rechristened their draft bill the Cybersecurity Information Sharing Act.

CISA purports to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes" (emphasis added). According to a press release from Feinstein's office, "the bill incentivizes the sharing of cybersecurity threat information between the private sector and the government and among private sector entities" by providing companies with immunity from liability. In other words, companies like Facebook, Google, and cellphone providers could share your information, so long as it's framed as a security threat -- and there's nothing you could do about it.

Senators, unlike weatherman Phil in "Groundhog Day," seemingly learn nothing from past experience. CISA suffers from the same vague, overly broad language that opponents criticized in CISPA. The words InfoWorld's Robert X. Cringely used to describe CISPA apply equally to the draft CISA:

The problem with CISPA is that in its current form it's still vague and ripe for abuse. It absolves corporations of being responsible for what happens to the data they've collected. It allows data sharing with the entire federal government, not just the parts responsible for ensuring our safety. It circumvents other laws designed to limit governmental access to private information. And it can be deployed for a wide range of perceived threats that have nothing to do with attacks on our nation's infrastructure. In that it is very much like the Patriot Act, which was allegedly written to combat terrorists but ended up being used primarily against run-of-the-mill drug dealers, money launderers, tree-huggers, and vegetarians (yes, really).

If CISA seems out of step with the pushback against government surveillance, keep in mind that while threatening to veto CISPA last year for not adequately preventing the sharing of irrelevant personal information, President Barack Obama has also championed the idea of increased data sharing between government and the private sector. As a sop to those privacy concerns, CISA requires companies to strip users' identifying information, but as Motherboard writes, that provision is waived if someone is even tangentially related to a "cyber threat" -- by being on a spam email list, for instance -- a loophole Amie Stepanovich, an attorney with civil liberties group Access, called "large enough to drive a semi truck through."

"I can't believe this is coming out now. Congress can't pass a law to limit NSA surveillance, but they seem to be actively working to increase the amount of surveillance," Stepanovich told Motherboard.

InfoWorld's Bill Snyder and Serdar Yegulalp have written how NSA surveillance is hurting U.S. cloud providers. And execs from Cisco Systems, Microsoft, and Hewlett-Packard are warning of a loss of trust in U.S. products and cloud services as a result of the government's surveillance. But the same concerns that CISPA could kill the cloud apply equally to the rebranded CISA:

[The legislation] could deter any privacy-conscious organization from using cloud- and Internet-based services altogether. Why risk letting Microsoft or Google monitor and protect your business's email, or Amazon or Rackspace protect your data, or Salesforce.com protect your customer data, knowing that on any given day someone might pass your sensitive data to the feds and other entities -- some of whom might even be your competitors -- in the name of security? Even if 95 percent of the admins exercise discretion, there's always a chance someone with a bad case of paranoia or an itchy trigger finger or some odd vendetta could decide your organization's data poses a security threat and should be passed along.

The battle against this legislation with nine lives continues. Cue the chorus of "Everything Old Is New Again."

This story, "CISPA returns as CISA -- and it's just as terrible for privacy," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies