On Tuesday, the U.S. Senate overwhelmingly passed the Cybersecurity Information Sharing Act (CISA) 74-21 despite widely held privacy concerns regarding its provisions.
The legislation is intended to provide private businesses with legal immunity in the event of a hack or breach as long as they cooperate with the U.S. Department of Homeland Security (DHS). This collaboration involves sharing customers’ data with the DHS, an agency which can then pass along the information to the National Security Agency and the Federal Bureau of Investigations.
Supporters of the bill have alleged that under CISA’s information-sharing framework, all customer data will be “anonymized”. However, as reported by WIRED, the legislation in its current form broadly defines that any “cybersecurity threat” intelligence can be shared “notwithstanding any other provision of law”, a feature which privacy advocates argue does not adequately protect users’ personally identifiable information.
To counter these concerns, a number of tech giants and other privacy activists spent the time leading up to Tuesday’s vote lobbying for five pro-privacy amendments, including one that would require user information to be removed prior to it being shared with the U.S. government. But the Senate struck all of them down, with Sen. Dianne Feinstein (D-CA), who sponsored the bill in 2014, stating the amendments would have undone “the careful compromises we made on this bill.”
Meanwhile, the White House has strongly opposed any amendments that would expand exceptions under CISA’s current form.
Sen. Ron Wyden (D-Oregon), who voted against the bill, feels that CISA’s passage marks another episode in a long battle to protect Americans’ privacy online.
“The fight to secure Americans’ private, personal data has just begun,” said Wyden, as reported by Ars Technica. “Today’s vote is simply an early, flawed step in what is sure to be a long debate over how the US can best defend itself against cyber threats. As even the sponsors have acknowledged, this bill will do little to protect Americans from sophisticated hacks. At the same time, it will allow large volumes of Americans’ personal data to be unnecessarily shared with government agencies from the NSA to the FBI.”
The Electronic Frontier Foundation (EFF), a strong advocate of users’ rights, was similarly disappointed by the Senate’s vote, though it has vowed to continue to push for pro-privacy language to be incorporated into the legislation.
“With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity,” a statement published by the EFF reads. “It chose to do the wrong thing.”
The bill must now pass the U.S. House of Representatives before going on to be officially adopted by Congress.