Although there remain a few hurdles before CISA becomes law, it is unlikely that these will now pose any serious threat to the legislation coming into force, which will allow technology companies to share data about their customers with other companies, and with government agencies such as the NSA, with no further oversight. As Senator Ron Wyden, who has been one of the few dissenting voices against the Bill, observed,
“Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name.”
All that is required is for this information to contain “cyber threat indicators”, but as this distressingly vague phrase lacks any meaningful definition, it can be interpreted to mean just about anything.
— Edward Snowden (@Snowden) October 26, 2015
For the NSA, whose stated mission is to “collect it all,” CISA will provide a wealth of new data with which to spy on citizens. Nathan White, a lawyer with the civil liberties group Access, told Motherboard,
“CISA is a nightmare dressed as a daydream; a surveillance bill masquerading as a cybersecurity bill. CISA is a backdoor to surveillance, giving the NSA access to more personal information for its expansive databases. CISA is fundamentally flawed because of its broad immunity clauses for companies, vague definitions, and aggressive spying powers.”
Interestingly, a Federal judicial ruling last week against the Wikimedia Foundation (the parent organization behind Wikipedia) effectively makes it impossible challenge NSA spying. This is because it is impossible to prove that any spying actually occurred, despite Wikimedia arguing (quite reasonably) that with over 1 trillion “annual communications”, it was fair to assume that the NSA has spied on Wikipedia!
The Bill faced widespread opposition from many tech companies, civil liberties groups, consumer advocates, and Cyberlaw professors and professionals, but a number of big-player tech companies such as Facebook have raised eyebrows by their refusal to condemn the bill. The American Banking Association and the Telecommunications Industry Association (TIA) even went so far as to applaud the Senate for its actions,
“The legislation passed by the Senate today bolsters our cyber defenses by providing the liability protections needed to encourage the voluntary sharing of cyber threat information. We applaud the Senate for moving this important bill and urge Congressional leaders to act quickly to send this bill to the president’s desk.”
In addition the passing CISA, the Senate rejected (although sometimes narrowly) some important amendments that would have provided at least some basic protections for US citizens’ privacy, most notably amendments that would have:
- required companies to remove personally identifiable information before it was handed over to the government
- prevented CISA from introducing new exceptions to the Freedom of Information Act (FOIA) that prevent the media (and others) from making FOIA requests to discover what kind of information is being handed over
- limited CISA’s definitions of “cybersecurity threat” and “cyber threat indicator” to actions that are “likely to” cause harm rather than “may” cause harm, and which cause actual rather than “potential” harm respectively.
Before it becomes law, CISA must undergo some legal wrangling to square the Bill passed by Senate with the Bill passed by Congress, must be voted for by Congress again (where it enjoys overwhelming support) and be signed by President Obama (who has endorsed the Bill.) Basically, despite an ongoing campaign by Fight for the Future, CISA is almost certain to become law.
— Fight for the Future (@fightfortheftr) October 27, 2015
For those citizens interested in knowing which Senators just sold out their privacy, Motherboard has named and shamed those responsible.