U.S. Senate Passes 'CISA' Bill With Weak Privacy Protections


The U.S. Senate voted to pass the Cybersecurity Information Sharing Act (CISA), which most tech companies and civil liberties organizations, as well as Senator Ron Wyden (D-Oregon) of the Senate Intelligence Committee, have criticized for being a surveillance bill in disguise.

The fact that it's a surveillance bill by another name was also indicated by the Senate's rejection of all the amendments that would have improved the privacy protections in the bill. For instance, Senator Wyden's amendment to require the removal of personal identifying information (PII) from the data being shared with the government was voted down 55 to 41.

Senator Dean Heller (R-Nevada) had another amendment that would have required the DHS, which gets the threat data first from the companies, to strip down the PII before sending it to the NSA or other agencies. This one was also shot down in a closer 51 to 49 vote.

Senator Al Franken (D-Minnesota) also had an amendment that would have narrowed down the definition of cybersecurity threats to them being "reasonably likely" to cause damage as opposed to the existing "may" cause damage standard. The amendment was rejected in a 60 to 35 vote.

The latest version of the bill, created by Senators Richard Burr (R-North Carolina) and Dianne Feinstein (D-California), also makes it much less likely for Congress to discover whether CISA is indeed used for cybersecurity purposes or for surveillance of Americans. Senator Patrick Leahy (D-Vermont) wanted to remove the FOIA exemption from the bill, but that amendment was also voted down 59 to 37.

CISA also gives immunity to companies to share that data with the government. Legal immunity makes little sense when the companies are supposed to just follow the law being passed. If they follow it, then they wouldn't be doing anything wrong in the first place, making the immunity at the very least unnecessary.

Therefore, it's strange that this provision to give them immunity from lawsuits would be included, similarly to how wireless carriers got retroactive immunity in 2008 through Section 802 of the FISA Amendments Act for sharing data with the NSA. This sort of immunity incentivizes companies to do things beyond even what the law allows, as long as the government requests it.

Companies that were against CISA include Twitter, Google, Apple, Microsoft, DuckDuckGo, Mozilla and Wikipedia, while on the other side, supporting CISA, were Comcast, Verizon, AT&T, T-Mobile, HP, Intel, IBM, as well as Facebook, according to the Fight for the Future civil liberties organization. Facebook has denied it has publicly or privately supported the bill. However, it also refused to take a stance on CISA before the vote.

The bill will now have to go to the House, where it will merge with two previous bills passed there: the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA). After that, President Obama is expected to sign the bill into law by the end of the year. The law has an expiration date of ten years, which was agreed upon after an initial proposal of six years.

Despite the fact that many tech companies, security experts and cyberlaw professors have opposed the bill because it does little to live up to its name of a "cybersecurity bill," most in Congress seem to believe it will help protect the U.S. against hacks.

The question now remains what Congress will do, if even after this bill becomes law, we continue to see Target, Home Depot and Experian-style hacks where data of tens of millions of people is exposed in data breaches. Will the CISA law be repealed then for being ineffective, or will it be kept intact with all of the surveillance loopholes?


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

  • Achoo22
    Bravo for a very fine article, Mr. Armasu. This is a hot topic and I appreciate the solid reporting. That you included names to shame and praise is an especially nice touch. Thank you.
  • humorific
    In other words, Snowden did it all for nothing. Business as usual.
  • sykozis
    Leave it to people that barely know how to turn on a computer to pass a bill concerning "cybersecurity"..... But, as usual, it's just another movement in the wrong direction. It's not about protecting Americans from terrorists but the government trying to protect itself from Americans.
  • thor220
    This bill isn't about cyber-security at all. When you need to grant companies immunity because they are violating the bill of rights, you know something is wrong. Shame on Intel for supporting this. They lumped themselves in with Comcast and Verizon. Oh what terrible company to keep.
  • Supporter
    boycott the companies!
  • jaber2
    That last part made me LOL " if even after this bill becomes law, we continue to see Target, Home Depot and Experian-style hacks where data of tens of millions of people is exposed in data breaches.", do you really think laws will stop criminals that reside outside US to stop what they are doing? I say "good luck" as the bad guy said in Taken.
  • Meowingtons Haxx
    So why were companies such as Microsoft, Google and Apple against it when we already know they're assisting in surveillance?
  • exnemesis
    I often wonder what exactly it will take to awaken the American population in enough numbers to actively understand their state senators' motivations and then vote them out and vote in people who will not fuck them over, again and again.

    There really is a deep rot in politics that I personally believe will not ever be changed until a sleeping giant is awakened and given purpose to demand a kind of change that politicians love to use as a soundbite when getting elected but rarely actually bring about once they're in.
  • Orumus
    Our "representatives" at work people!
  • ssali27
    The Republicans were not there for the vote? Then, the Republicans all voted for CISA. Is it any wonder that the Republican party has lost its platform? To Donald Trump and Ben Carson? Either one of these men will be for freedom, liberty, justice (even for law breakers like Hillary) and make the USA great again.