Congress easily passed a thinly disguised surveillance provision—the final version of the Cybersecurity Information Sharing Act, or CISA—on Friday, shoehorned into a must-pass budget bill to prevent a government shutdown before the holidays.
Born of a climate of fear combined with a sense of urgency, the bill claims to do one thing—help companies share information with the government to head off cyber attacks—and does entirely another—increase the U.S. government’s spying powers while letting companies with poor cyber hygiene off the hook. It’s likely to spawn unintended consequences.
By Neema Singh Guliani, ACLU Legislative Counsel DECEMBER 18, 2015 | 3:45 PM
[. . .] Here is what the bill means for your privacy:
Companies can now share your private information with the government, preempting all other privacy laws.
The bill allows companies to share “cyber threat indicators” with DHS, the FBI, and other federal agencies. “Cyber threat indicators” are broadly defined and could include private information, such as your IP address (indicating location), email attachments, other personal identifying information, even your private communications. By default, there is no requirement that companies strip all personally identifying information before sharing this information with the government. Though there are several laws on the books that prevent companies from sharing certain types of private information, these laws are explicitly preempted by the provisions.
Companies will face no liability for sharing your personal information with DHS — even if there are negative consequences.
Companies face no liability — even when bad things happen — for information that is shared with DHS or potentially other agencies designated by the president (which could include the FBI). So, consumers have little opportunity for redress in cases where their private information is shared without consent or even notice.
Given that the liability provisions amount to a virtual blank check for companies that decide to share private consumer information with the government, it is no surprise that some business groups, such as the U.S. Chamber of Commerce, strongly supported the cyber-surveillance provisions.
Any information shared also goes to the NSA and FBI.
Any information that is provided to agencies will be automatically sent to law enforcement and intelligence agencies, such as the NSA and FBI. By default, all personal identifying information does not have to be stripped before these agencies get this information.
Private information shared can be used to prosecute you for crimes that have nothing to do with cybersecurity.
The bill allows the FBI and other agencies to use information they receive to investigate and to prosecute crimes that have nothing to do with cybersecurity. Under the bill, this information can be used for crimes relating to protection of trade secrets, fraud and identity theft, or the Espionage Act, which has been used to target whistleblowers.