Article Lead Image

Photo by Kelly Schott/Flickr (CC BY-ND 2.0)

Privacy groups rally to block controversial cybersecurity bill

Why civil liberties groups are uniting against the Cybersecurity Information Sharing Act of 2015.


Dell Cameron


Posted on Mar 5, 2015   Updated on May 29, 2021, 9:14 am CDT

A coalition of civil liberties organizations are renewing efforts to block a controversial U.S. cybersecurity bill drafted by the Senate Intelligence Committee.

The bill, intended to make it easier for companies to share sensitive information about cyberthreats with government agencies, has raised privacy concerns among congressional Democrats and with the White House.

Supporters of the legislation, known as the Cybersecurity Information Sharing Act of 2015, argue that increasing the exchange of information about cyberattacks and vulnerabilities will improve efforts to combat identity theft, fraud, and other digital threats facing consumers.

A draft of CISA circulated last week by the committee is supported by many companies who stand to benefit from its enhanced liability protection. Under CISA, companies could disclose data to the government without a warrant. According to the bill’s text, the information would be shared in real time with military and intelligence agencies.

Critics of the bill claim it offers inadequate protections for users, whose personal information, if handed over to the government, would be automatically shared with the National Security Agency. This aspect of the bill is especially troubling for privacy advocates alarmed by the agency’s dragnet surveillance operations detailed in documentation leaked by whistleblower Edward Snowden.

There are also concerns about so-called “countermeasures” that companies would be authorized to deploy against users, which could potentially damage the networks of innocent parties. If CISA becomes law, companies that share information with the government would no longer be liable for such damage, as long as it was unintentional.

Furthermore, CISA would authorize companies to disclose to the government private information because of alleged crimes that have nothing to do with cybersecurity, and may not pose a serious threat of death or significant bodily harm.

These concerns and more were relayed to Senate Intelligence Committee members in a letter signed by 27 civil society organizations, such as the Electronic Frontier Foundation and the Center for Democracy and Technology, and 22 computer security experts.

“CISA disregards the fact that information sharing can—and to be truly effective, must—offer both security and robust privacy protections,” the letter says.  

The signatories call out the alarm raised over the NSA’s bulk metadata collection program and PRISM—which captures the content of communications for both U.S. and non-U.S. persons—both seemingly ignored by the bill.

“Congress should be working to limit the NSA’s overbroad authorities to conduct surveillance,” the letter says, “rather than passing a bill that would increase the NSA’s access to personal information and private communication.”

Further, it relays concerns about provisions that it says would open a loophole for law enforcement to warrantlessly obtain digital communication records for a wide range of crimes without first demonstrating probable cause or obtaining a warrant.  

“Cybersecurity legislation should be designed to increase digital hygiene and identify and remediate advanced threats,” the groups concluded, “not create surveillance authorities that would compromise essential privacy rights, and undermine security.”

CISA has reportedly been stalled due to infighting over which congressional panel should have jurisdiction over the bill. However, if it passes through the committee, it may face another vote on the Senate floor soon. 

Photo by Kelly Schott/Flickr (CC BY ND 2.0)

Share this article
*First Published: Mar 5, 2015, 8:20 pm CST