The U.S. Senate voted to pass the Cybersecurity Information Sharing Act (CISA), which most tech companies and civil liberties organizations, as well as Senator Ron Wyden (D-Oregon) of the Senate Intelligence Committee, have criticized as a surveillance bill in disguise.
The fact that it's a surveillance bill by another name was also indicated by the Senate's rejection of all the amendments that would have improved the privacy protections in the bill. For instance, Senator Wyden's amendment to require the removal of personal identifying information (PII) from the data being shared with the government was voted down 55 to 41.
Senator Dean Heller (R-Nevada) had another amendment that would have required the DHS, which gets the threat data first from the companies, to strip out the PII before sending it to the NSA or other agencies. This one was also shot down in a closer 51 to 49 vote.
Senator Al Franken (D-Minnesota) also had an amendment that would have narrowed the definition of cybersecurity threats to those "reasonably likely" to cause damage, as opposed to the existing "may" cause damage standard. The amendment was rejected in a 60 to 35 vote.
The latest version of the bill, created by Senators Richard Burr (R-North Carolina) and Dianne Feinstein (D-California), also makes it much less likely for Congress to discover whether CISA is indeed used for cybersecurity purposes or for surveillance of Americans. Senator Patrick Leahy (D-Vermont) wanted to remove the FOIA exemption from the bill, but that amendment was also voted down 59 to 37.
CISA also gives companies immunity for sharing that data with the government. Legal immunity makes little sense when the companies are supposed to just follow the law being passed. If they follow it, then they wouldn't be doing anything wrong in the first place, making the immunity at the very least unnecessary.
Therefore, it's strange that this provision to give them immunity from lawsuits would be included, similar to how wireless carriers got retroactive immunity in 2008 through Section 802 of the FISA Amendments Act for sharing data with the NSA. This sort of immunity incentivizes companies to do things beyond even what the law allows, as long as the government requests it.
Companies that were against CISA include Twitter, Google, Apple, Microsoft, DuckDuckGo, Mozilla and Wikipedia, while on the other side, supporting CISA, were Comcast, Verizon, AT&T, T-Mobile, HP, Intel, IBM, as well as Facebook, according to the Fight for the Future civil liberties organization. Facebook has denied it has publicly or privately supported the bill. However, it also refused to take a stance on CISA before the vote.
The bill will now have to go to the House, where it will merge with two previous bills passed there: the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA). After that, President Obama is expected to sign the bill into law by the end of the year. The law has an expiration date of ten years, which was agreed upon after an initial proposal of six years.
Despite the fact that many tech companies, security experts and cyberlaw professors have opposed the bill because it does little to live up to its name of a "cybersecurity bill," most in Congress seem to believe it will help protect the U.S. against hacks.
The question that remains is what Congress will do if, even after this bill becomes law, we continue to see Target, Home Depot and Experian-style hacks where the data of tens of millions of people is exposed in data breaches. Will the CISA law be repealed then for being ineffective, or will it be kept intact with all of the surveillance loopholes?
Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.