Tech companies are claiming the letter sent to Congress earlier this month urging lawmakers to resume work on cyber security legislation did not endorse any specific bill.
A privacy group launched an online protest, YouBetrayedUs, after the BSA Software Alliance, a consortium of software companies, sent a letter earlier this month to Congress that seemed to endorse the controversial Cybersecurity Information Sharing Act (CISA). The group, Fight for the Future, called out the BSA and the 13 tech companies that signed the letter for ignoring user privacy and urged supporters to boycott the companies.
The BSA issued a statement Friday clarifying that the letter’s purpose was to identify five key areas where Congress can pass legislation to strengthen the policy environment around digital commerce. The five areas covered reforming the Email Privacy Act, modernizing the Mutual Legal Assistance Treaty, and passing legislation for cyber threat information sharing, the Judicial Redress Act, and the Law Enforcement Access to Data Stored Abroad (LEADS) Act. The BSA said it does not support any of the three information sharing bills currently pending before Congress: CISA, the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity Protection Advancement Act (NCPAA).
“The letter did not endorse any specific legislation in its current form,” the BSA said in its statement.
The Sept. 14 letter, an “appeal for urgent action by Congress on five pending legislative efforts that will have an immediate positive impact on the digital economy,” was signed by executives from Adobe, Altium, Apple, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce, Siemens, and Symantec, along with the president and CEO of BSA.
Salesforce CEO Marc Benioff also took to Twitter Friday to explain to outraged customers that Salesforce did not endorse CISA. “The letter clearly was a mistake and doesn't imply CISA support. We need to clarify. I'm against it,” Benioff wrote on Twitter. He denied the company was backpedaling, saying the letter’s original intent had been misconstrued.
BSA -- and by extension, the other companies who signed the letter -- reaffirmed its focus on user privacy and said the bills need strong privacy protections before they can become law. Congress needs to focus on a program of real-time sharing of cyber threat information with protection for privacy and civil liberties, modernizing the public-private partnership protecting the critical cyber infrastructure without putting undue regulatory burdens on industry, supporting research and development efforts with more resources, giving federal IT staff authority and responsibility for handling vulnerabilities in government IT systems, and increasing the tools available to law enforcement, it said. The BSA also wants a uniform national data breach notification standard to inform customers when their personal data has been compromised.
“We will not support any information sharing legislation that does not include appropriate privacy safeguards,” the BSA said in the statement.
Currently circulating in the Senate, CISA has been the subject of intense lobbying by privacy groups and security experts over the past few months. Privacy advocates and security experts were concerned that the broad language regarding information sharing and the liability protections would result in companies handing over user data without any legal repercussions. The problems with the broad use permissions led the Center for Democracy and Technology to claim the bill “is as much about surveillance as it is about cyber security.”
The House passed NCPAA and PCNA, complementary information-sharing bills, back in April. NCPAA would provide liability protections for companies sharing cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). NCPAA includes provisions to limit the privacy impact of information sharing, including a prohibition on federal use of shared information to engage in surveillance for the purpose of tracking individuals’ personally identifiable information.
Like NCPAA, PCNA is designed to encourage companies to share information about cyber security risks, but with civilian agencies instead of DHS. PCNA will also allow the federal government to share cyber threat information with private entities, nonfederal government agencies, and state, tribal, and local governments.
The two bills are expected to be combined and sent to the Senate, awaiting the results of the CISA vote. At this point, it’s not clear when the Senate will pick up CISA and its 22 amendments.
"At Salesforce, trust is our No. 1 value and nothing is more important to our company than the privacy of our customers' data," Burke Norton, chief legal officer of Salesforce (and the signer of the original letter), said in a statement.