On Tuesday, a coalition of civil liberties groups and privacy-minded technology companies published an open letter urging President Obama to not only veto the controversial Cybersecurity Information Sharing Act (CISA) if it ever crosses his desk, but also to make that veto threat public immediately in an effort to halt the bill’s progress through Congress.
The group includes nonprofits like American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF), and Access, as well as encrypted communication provider Silent Circle and social news site Reddit.
‟CISA fails to offer a comprehensive solution to cybersecurity threats,” the letter reads. ‟Further, the bill contains inadequate protections for privacy and civil liberties. Accordingly, we request that you promptly pledge to veto CISA.”
The bill, introduced by senators Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.) as a way to facilitate the sharing of information between the government and private firms, would grant corporations that voluntarily share information about the users of their services with law enforcement officials broad immunity for doing so. Critics say this would effectively strip users of legal protections against having their personal data accessed by government officials.
Proponents of CISA paint a far different picture, arguing that corporations and government agencies need to work together to protect U.S. national security and businesses alike. This was the same argument used during Congress's consideration of the Cyber Intelligence Sharing and Protection Act (CISPA), a similar piece of legislation that drew the ire of civil liberty activists.
“What most people don’t understand is that 80 percent of the network is controlled by the private sector. It’s like being a weather forecaster and you’re watching a major hurricane go up the East Coast and you can’t warn anybody,” Rep. Dutch Ruppersberger (D-Md.), a CISA supporter and co-author of CISPA, told The Hill. “If we could’ve been able to pass the CISPA bill right away, it would have been able to help us prevent our corporations and people from cyber attacks, especially from China and to an extent Russia. An example is [the] Target [breach that compromised the credit card data of over 100 million customers late last year].”
CISPA was introduced twice, once in late 2011 and again in early 2013. The bill passed the House each time, but failed twice in the Senate.
The CISA letter charges that the bill gives government officials far greater freedom to collect data on citizens, while also reducing the public’s ability to see what those officials are doing by exempting all information the government would collect from companies under the legislation from Freedom of Information Act (FOIA) disclosure rules.
Another concern voiced by CISA opponents is that it allows companies to take ‟countermeasures” against ‟cybersecurity threats;” however, both of those terms are very loosely defined. A recent article in Vice argued that it is possible to interpret these terms to allow Internet services providers like Comcast and Verizon to throttle traffic coming from online content providers like Netflix or Youtube.
The letter calls also for the president to push Congress to create a new cybersecurity bill that would create incentives for companies to fix holes in their security, put a civilian agency in charge of managing the government's sensitive data, and provide resources to educate the public on cybersecurity threats.
In general, the groups aim to put a greater focus on securing all online systems from outside intrusion rather than removing roadblocks standing in the way of law enforcement officials attempting to track down criminals and threats to national security.
Amie Stepanovich, senior policy counsel of the group Access, which was a coordinator of the letter effort, told the Daily Dot that, while she hasn’t heard any opinions about CISA coming from the White House, the president threatening to kill the bill wouldn’t be out of character.
When CISPA, a bill that’s widely seen as the predecessor to CISA, passed out of the House of Representatives last year, progress on the bill came to a halt thanks to Obama’s vocal opposition—the second time that the president blocked a version of the legislation.
‟There are strong parallels as to the reasons why the administration threatened to veto CISPA and what’s contained in the language of CISA,” Stepanovich noted.
In an April 2013 statement outlining its CISPA opposition, the White House echoed the arguments voiced by CISA opponents:
‟The Administration ... remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable—and not granted immunity—for failing to safeguard personal information adequately.”
While CISA was approved by the 15-member Senate Intelligence Committee last week and is now headed to the Senate floor, Stepanovich says that she was heartened by the three committee members who voted against the bill.
Two of those dissenting lawmakers, Senators Ron Wyden (D–Oregon) and Mark Udall (D-Colorado), released a statement slamming CISA:
"We have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security. The only way to make cybersecurity information-sharing effective and acceptable is to ensure that there are strong protections for Americans’ constitutional privacy rights. Without these protections in place, private companies will rightly see participation as bad for business.”
Read the full open letter to Obama here.
Photo via The White House (PD)