Cyber Security Concerns Clash with Privacy Protections; the Latest Battle Will Play Out in the U.S. Senate
By CHHS Research Assistant Laura Merkey
On June 17, 2014, California Senator and Senate Intelligence Committee Chairman Dianne Feinstein released a draft of the Cybersecurity Information Sharing Act (CISA), drafted in collaboration with Committee Vice Chairman Saxby Chambliss. As Senator Feinstein’s website explains, the bill is aimed at creating incentives for sharing information about potential cybersecurity threats between the private and public sectors. CISA accomplishes this in part by relaxing laws creating liability for this type of information sharing, authorizing companies to monitor their networks, and directing the federal government to share information with the private sector at both the classified and unclassified levels.
While these objectives may seem all well and good, many major privacy, tech, and civil liberties groups are seriously alarmed by the prospect of the bill passing and warn of the numerous potentially disastrous consequences of passing CISA. The White House has even threatened to veto the bill as a result of the possible privacy concerns.
CISA is seen by many as the ugly stepchild of the Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced three years ago and passed in the US House of Representatives but subsequently died in the Senate. CISA was drafted in response to the failure of CISPA and also reflects the recent slew of cyber threats that have plagued both the government and the private sector. For example, the highly publicized, massive breach of Target’s customer credit card data has created fear and garnered public support for stricter cybersecurity laws.
However, in a post-Snowden era, sacrificing any ground relating to an individual’s privacy rights is seen by many as a slippery slope. The chief complaint seems to be CISA’s staggering breadth – language and key terms in the bill are so vaguely defined that it would allow the government to approach private companies to collect personal information, including internet communications, personal data and other electronic monitoring without suspicion of criminal activity. Case in point, the term “cyber threat” as defined by the bill, could be construed to apply to the streaming service Netflix, and could even possibly allow Internet Service Providers (ISPs) to legally restrict the company’s service to customers.
Another concern voiced by opponents of CISA is that it appears to target government whistleblowers, because the bill allows information collected in its permissible cybersecurity investigations to be used for the prosecution of other crimes, such as economic espionage and trade secret violations. Others argue that the bill would be a major blow to net neutrality, the principle that all data on the Internet should be treated equally, and not be discriminated against on the basis of user, content, site, platform, application, or mode of communication. Unlike CISPA, which contained a clause declaring that any obligations required by the bill could not be interpreted to conflict with any Federal Communications Commission regulations, CISA has no comparable protection.
Despite its weaknesses, CISA has gained the support of the Senate Intelligence Committee – the bill was passed by a substantial 12-3 margin in July 2014. The Senate will likely vote on the bill before the August recess, at which point CISA will face a House vote and need to gain the support of the White House. This is no small feat, and there is a very good chance that CISA will not make the long journey to the Oval Office.
It is unclear whether the post-Snowden privacy concerns or post-Target cybersecurity troubles will win out in guiding future legislation in this arena. Like its predecessors, CISA has many serious kinks that will need to be worked out, and hopefully the Senate Intelligence Committee will be up to this massive task before the bill meets the same fate as CISPA – an abrupt death on the Senate Floor.