CISA: Here We Go Again

August 5, 2015

SOPA, PIPA, CISPA, and now CISA, there has been no shortage of battles between those seeking to preserve the privacy historically associated with the internet and those worried about potential abuses of such anonymity. Members of the second group typically are concerned either with IP pirates’ use of the internet to more easily violate the intellectual property rights of others or with terrorists’ use of the internet to coordinate or carry out acts of terrorism. Most advocates for CISA fall in the latter category.
CISA is short for the Cybersecurity Information Sharing Act, and as its name would suggest the bill largely has to do with the sharing of information between one company and another and between one company and myriad government agencies. More specifically, the bill allows the sharing of “cyberthreat” data, ostensibly to prevent acts of cybercrime. However, opponents of the bill argue, among other things, that the information that the bill authorizes companies to disclose is too broad and would be too easy for government agencies to abuse, and they even point out that the
Department of Homeland Security itself has warned that the bill might go too far in eroding online privacy protections. They argue that the language of the bill should be amended to afford greater privacy protections to internet users.
Rather than directly authorizing government surveillance, CISA creates a voluntary framework for companies to hand over cybersecurity threat information to government agencies (and in some cases other companies) and, in doing so, grants the companies protections from liability for privacy violations. Even if a company breached a person’s privacy by handing over information that it shouldn’t have, the bill grants immunity from liability provided the mistake was made in good faith. Civil liberties groups are worried because companies will not necessarily be required to remove impertinent personal information that is incidentally included within any cyberthreat data. Such personal information could include credit card histories, lists of goods purchased, and healthcare records. Given the plethora of personal information already available to government agencies, many are worried that CISA will further erode personal privacy.
Moreover, many opponents are concerned in particular with one section of the bill that requires “real-time ‘instasharing’ with the NSA once data is handed over to the government.”

This means that any cyberthreat data handed to any government agency under CISA must be forwarded to the NSA as soon as possible.

Understandably, the bill’s opponents doubt the NSA’s ability to responsibly use such power in light of the information released by whistleblower Edward Snowden.
Finally, civil liberties groups are troubled by a provision which excludes information collected under the bill from FOIA (Freedom of Information Act) requests. With such an exception, the ways in which the powers granted by CISA are used day to day are likely to remain hidden and cannot be uncovered by requests for transparency by concerned citizens. With such a protection in place, abuses of power could take decades to unearth or worse may go entirely unnoticed.
CISA passed through the Senate Intelligence Committee 14-1 in March and should be debated on the Senate floor—and possibly voted on—later this week.