CISA Bill: Private Data Sharing Passed by Senate

Michael In the News

With so many steps in the right direction in the way of privacy and freedom on the internet, those in the US were overdue for a setback. Over the past several months, awareness about the threat against public privacy by way of government surveillance has paid off. From the lapsing of the USA PATRIOT Act and the subsequent passing of the USA FREEDOM Act, to the appointment of the first FISA Court (read: secret court) amicus curiae, to the net neutrality win in America (and the mixed win in the European Union version), Internet privacy has been on the (slow) rise.

The setback comes in the form of the CISA bill, or Cybersecurity Information Sharing Act, a bill that has been fought hard by activist groups, privacy-minded individuals, and a myriad of big names in the technology industry. After being passed by the House of Representatives in April, the Senate passed a version of the bill just in time to give you an early Halloween scare.


The most frightening part of the CISA bill is what it takes right out of Canada’s so-called C-51 law. In a nutshell, both pieces of legislation, among other things, create a path for information to be shared from private companies to their respective governments. Both bills then completely abolish any and all barriers preventing government agencies from sharing information with each other. And finally, these pieces of legislation give both governments a wide array of reasons to use said information.

In an effort to slow the tide of data hacks and other digital breaches, the CISA bill creates a bubble of immunity for companies to willingly give up sensitive information regarding their users and customers to the government. Even if companies (that are already mining all of your private data for profit, mind you) only did this when they recognized a legitimate cybersecurity threat before it happened (although that is unlikely), it would still create a privacy concern for their users.

This is because the bill states that, excluding “gross negligence or willful misconduct,” companies that share information with the government cannot be sued by those whose information was shared, regardless of the consequences. The immunity clause extends to “decisions made based on” any information “directly pertaining” to a security threat, which itself is weakly defined in the CISA bill. All of this happens in a cloud of secrecy: the public won’t ever know that their sensitive data is being shared because this information is exempt from the Freedom of Information Act (FOIA).

Even though information shared by companies will be postmarked for the DHS (Department of Homeland Security), the CISA bill also mandates that information be sent simultaneously to the NSA. Once it arrives, the information is then fair game for any federal agency; even the US Fish and Wildlife Service can make inquiries. This again raises eyebrows. If the purpose of the CISA bill is indeed cybersecurity, then why would the need to share with any and all agencies arise? This format is just begging for abuse.

One co-author of the bill, Democratic Senator Dianne Feinstein, argues that this bill is not about surveillance, and that sensitive private data will not be shared. However, even in her own explanation she points out several times that the amount of information given to the government is dependent on the company. There is no real oversight to protect against expansive information sharing.

CISA Bill Gives Green Light for Corporate Cyber Offensive

Like I said before, not only do companies not have to tell what they shared, or whether they shared information with the government at all, they can also relish blanket immunity from potential lawsuits for sharing their customers’ information. If this seems familiar, that’s because it should be. The all-encompassing immunity is not all that different from the immunity that was retroactively granted to telecommunication companies in the FISA Amendments Act of 2008. Actually, the only difference is that the government learned its lesson and is granting immunity before things get messy.

Shockingly enough, this isn’t the only immunity that is granted to the companies who share information with the government. They also get a green light to go on the offensive with cybersecurity. The CISA bill includes immunity for negligent damages, and “depriving private entities of legal recourse.” The bill also exempts companies from portions of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act.

Even after all the power given to the government to share information and the massive amount of immunity given to companies, it’s unlikely that this bill will have a positive effect on cybersecurity. Many of those at the forefront of information technology, cybersecurity, and privacy say that the CISA bill does not target the right areas. The government as well as private companies are notoriously late when it comes to discovering hackers. And as the EFF (Electronic Frontier Foundation) points out, “the bill does not address problems that caused the recent highly publicized computer data breaches like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”


Feature image courtesy of OhLizz via Flickr.

You can follow the author @FreelanceTony