The Senate this week overwhelmingly passed the Cybersecurity Information Sharing Act, a surveillance bill that festered in Congress for four years masquerading as security legislation. CISA will succeed in putting a lot more personal information about citizens into the hands of government. Given the feds' poor track record in safeguarding its own systems, does that knowledge make you feel more secure?
Against the advice of security experts, major tech companies, law professors, civil rights advocates, and consumer groups, U.S. senators voted 74 to 21 in support of CISA. (Democratic presidential candidate Bernie Sanders voted against the bill, while Republican candidates Marco Rubio, Ted Cruz, and Rand Paul were all absent.)
They rejected commonsense privacy amendments that would have made the bill less awful. "Despite protestations that CISA was not a surveillance bill, co-sponsors Richard Burr and Dianne Feinstein discouraged their colleagues from voting for amendments to mitigate what senators called unreasonable invasions of privacy, including one notifying citizens that their data was being examined," said The Guardian.
The new treasure trove of shared information could include everything from emails to financial information like credit card statements to health care data like prescription drug purchases, all of which the Department of Homeland Security will share with other government agencies. In exchange, companies will receive immunity from liability and from Freedom of Information Act requests relating to the data they share.
You heard that right: Under CISA, you aren't even entitled to use FOIA to find out what information is being shared about you or with whom.
This was not an oversight. Senators ignored the explicit warning in an open letter from a group of professors specializing in tech law. "The Freedom of Information Act would be neutralized, while a cornucopia of federal agencies could have access to the public's heretofore private-held information with little fear that such sharing would ever be known to those whose information was shared," the letter says.
The professors called CISA a classic example of "let's do something law" from a Congress under pressure to respond to a never-ending string of data breaches.
"CISA creates new law in the wrong places," the letter concludes. "Security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction."
Intrusions, perhaps, like the one that compromised the email account of America's top spy? CIA chief John Brennan was hacked this month by a teenager, who broke into Brennan's private AOL account and started posting his emails on Twitter -- some of which contained extremely sensitive information, including the email addresses, phone numbers, Social Security numbers, and clearance levels for more than 20 CIA employees. The hacker told the New York Post that he used a very simple tactic -- social engineering -- to gain access to Brennan's account.
Electronic Frontier Foundation's Nate Cardozo tweeted, "CIA Director kept [secret and private] docs on AOL until hacked by a kid. They're making an example of … the kid."
Not embarrassing enough? Department of Homeland Security Secretary Jeh Johnson had his private Comcast account hacked by the same teenager.
Remember: These are the same people who will be entrusted with personal information shared under CISA.
Whether it was this year's OPM hack or the Experian breach that exposed T-Mobile customer data, defenders of CISA were unable to explain what security breaches the legislation would stop -- because it wouldn't have stopped any of them. That didn't prevent Senators Burr and Feinstein from citing the T-Mobile customer breach as a reason to support CISA.
"Try asking [CISA's] sponsors how the bill will prevent cyber attacks or force companies and governments to improve their defenses. They can't answer," says Trevor Timm, co-founder of the Freedom of the Press Foundation. "They will use buzzwords like 'info-sharing' yet will conveniently ignore the fact that companies and the government can already share information with each other."
By taking away liability from companies that share info, this information sharing bill attempts to decrease incentives for companies to protect users' privacy. It's a big carrot -- but will it be followed up by a stick?
"At least on its face, [CISA] will be voluntary and participation will offer litigation protections; under this argument, proponents would argue the legislation will act as a shield for companies rather than a sword for the government," says Brenda Sharton, co-chair of law firm Goodwin Procter's global Privacy & Data Security Practice. "But how it shakes out could be very different depending on the pressures to participate and how the government uses the information."
Senator Feinstein insists that CISA is voluntary. But we've all seen how tenaciously the government goes after companies that are unwilling to play ball when it comes to sharing customers' information.
Following on Microsoft's continuing fight to keep emails stored overseas out of government hands, Apple is currently fighting in federal court to keep the data on customers' iPhones private.
Government attorneys argue that Apple's end-user license agreement (EULA) trumps users' rights to protect their information. Because people don't actually own the software that powers their iPhones, the government says Apple can be compelled to break in and get data off users' devices. Apple has responded that being forced to comply "could threaten the trust between Apple and its customers and substantially tarnish the Apple brand."
Apple lawyer Marc Zwillinger said, "... right now Apple is aware that customer data is under siege from a variety of different directions."
The latest threat could be from the very program that Congress is setting up under CISA. It would have done better to fund measures that actually beef up security.
"The government has to do a better job than it's currently doing," said Jasper Graham, formerly a technical director at the NSA. "The best way to do that is to get bipartisan funding."