A group representing the most powerful American tech companies announced its opposition to a major cybersecurity bill on Thursday, lending Silicon Valley credibility to the argument against the bill just days before it is expected to receive a vote.
The Computer and Communications Industry Association (CCIA), which represents Amazon, Facebook, Google, Microsoft, Yahoo, and 21 other tech companies, announced Thursday that it could not back the Cybersecurity Information Sharing Act, which the Senate is expected to take up next week.
CISA would let businesses share data about cyber threats with other businesses and government agencies, with the goal of improving cyberdefense and threat-detection work in both the private and public sectors. But privacy groups and security experts have criticized the provision requiring companies to strip customer information from the data they share, alleging that it isn’t strong enough to protect Americans’ personal information.
“CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy…”
CCIA echoed that concern in its statement, saying that “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.”
The statement from CCIA, which includes many of the most influential U.S. tech firms, adds considerable muscle to the anti-CISA movement, which can now point to concerns from the very companies that the bill is designed to aid.
“We’re very pleased,” Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told the Daily Dot in an email. “Not just because of politics but on the policy side. We and all the other privacy groups have repeatedly said that CISA needlessly compromises privacy and civil liberties. Now industry admits it, too.”
Sen. Ron Wyden (D-Ore.), CISA’s most vocal critic in Congress, cheered CCIA’s opposition in a statement his office provided to the Daily Dot.
“CCIA represents some of the biggest names in tech and their opposition to the current version of CISA is a shot in the arm for those of us fighting for privacy and security,” Wyden said. “These companies understand it is untenable and bad for business to enact flawed ‘cybersecurity’ policies that infringe on users’ privacy while doing little to prevent sophisticated hacks.”
“By coming out against this bill,” Wyden added, “CCIA’s members, including Google, Yahoo, and Facebook, have made the clear statement that they have their users’ backs.”
Google’s opposition could prove particularly potent. The search giant played a significant role in raising awareness of controversial copyright bills in January 2012, joining a massive protest that ultimately forced Congress to shelve the legislation. But until today, the search giant, with its army of lobbyists and the world’s most visited homepage, had declined to take a position on CISA. A Google spokeswoman declined to comment further on the bill.
Heather Greenfield, a CCIA spokeswoman, told the Daily Dot that the group checked with its members before drafting the statement. “When we do this sort of thing the members who care about the issue, whether [it’s] patent reform or cybersecurity, tend to be the ones who get back to us,” she said in an email. “That was the case here.”
CCIA did not object to information-sharing legislation more generally, saying that narrowly tailored sharing could help detect and neutralize cyberattacks. But the group also noted that bills like CISA weren’t strictly necessary.
“Current legal authorities permit companies to share cyber threat indicators with the government where necessary to protect their rights and the rights of their users, and should not be discounted as useful existing mechanisms,” CCIA said.
Evan Greer, campaign director at the Internet-rights group Fight for the Future, pointed to the CCIA statement as evidence that “nobody wants this bill.”
“Not the public, not security experts, and not even the industry it’s supposed to protect,” Greer said in a statement. “The safety of Internet users[‘] personal information is more fragile than ever, if Congress decides to make matters worse, everyone will know it was the result of ignorance and corruption.”
Microsoft, a CCIA member, and Apple, which is not part of the group, previously joined a letter from another industry group calling for some sort of information-sharing legislation, but Apple told the Daily Dot that it has concerns about CISA in its current form.
Cybersecurity has climbed the ranks of Congress’ many priorities amid a flurry of cyberattacks on government agencies and private companies, most notably the data breach at the Office of Personnel Management that exposed 22 million federal workers’ sensitive records. But information-sharing laws like CISA would not have prevented attacks like the OPM hack, where the faults were more numerous than a lack of early warning.
Tien said that the Silicon Valley companies’ opposition to CISA was particularly important in light of a recent European court ruling striking down a U.S.–E.U. data-sharing agreement based on U.S. companies’ inability to protect E.U. data from the NSA.
“A lot of that decision was about the U.S.’s failure to have good rules and safeguards over government access to personal information held by companies,” he said. “CISA exemplifies that failure, too.”
Senate Intelligence Committee Chairman Richard Burr (R-N.C.), CISA’s chief sponsor, has aggressively rebuked critics of the bill’s privacy protections. A spokeswoman for Burr declined to comment on CCIA’s opposition to the bill.
Update 12:34pm CT, Oct. 15: Added comment from Sen. Wyden.
Illustration by Max Fleishman