All Your Privacy Are Belong to Us
The U.S. Congress is poised to enhance citizens’ privacy and cybersecurity protections... with a new law that blows gaping holes in existing privacy and cybersecurity protection laws. Yes, you read that right. Now read on to learn more about CISA -- the Cybersecurity Information Sharing Act…
CISA: Less Security and Privacy?
If the Cybersecurity Information Sharing Act (CISA) becomes law, private-sector companies would be allowed – even pressured - to share customers’ data with the Department of Homeland Security without requiring a search warrant or court order.
CISA is a reaction to the rising number of data breaches and other attacks that hackers have been launching in recent years. Its ostensible purpose is to encourage private companies to share data about such attacks and threats of attacks with law enforcement agencies, using the DHS as a clearinghouse.
DHS would receive the data, then distribute it to appropriate federal, state, and local law enforcement agencies who are supposed to defend companies against cyberattacks. The House and Senate versions of CISA also permit data collected by DHS to be used in investigations of violent crimes like robbery and carjacking.
CISA declares that any “cybersecurity threat” information that companies gather may be shared with DHS “notwithstanding any other provision of law.” The bill does not clearly define what “cybersecurity threat information” is, so opponents argue it could include anything: financial transaction data, health information, e-mails, private pictures or videos, you name it.
“The incentive and the framework (CISA) creates is for companies to quickly and massively collect user information and ship it to the government,” said Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation, in an interview with Wired magazine. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”
Your Tax Dollars At Work
The Senate version of CISA was passed by a 74-21 vote on October 27; it closely mirrors a bill passed by the House earlier this year. Minor differences need to be ironed out in conference before the bill goes to the President, who has indicated he will sign it.
Five amendments were offered in the Senate to tighten the definition of “cybersecurity threat information” and require companies to scrub data of personal identifiers before turning it over to DHS (unless personal data is necessary to identify the threat). All of the proposed safeguards were defeated.
The House version of CISA is slightly better than the Senate’s. The former contains a provision that requires companies to search for and strip personally identifying information of persons unrelated to a cybersecurity threat from data before sharing data with the government, if the companies “reasonably believe” the data contains such irrelevant and personal data.
The Senate version only requires a company to strip irrelevant personal data that it “knows at the time of sharing” is in the dataset that it intends to share. A company can easily choose not to know too much about what’s in the data it intends to share, lest it be forced to do the work of protecting personal data.
Even these very weak provisions can be circumvented, argues Robyn Greene, policy counsel for the Open Technology Institute. “If I’m one of a million victims of a botnet, and an internet service provider is sending the government all the ‘threat indicators’ associated with that botnet, that could include information about every one of those victims,” she says. “That personal information, once shared with the government isn’t just used for identifying the source of the threat. It can also be used to investigate a myriad of crimes that have nothing to do with cybersecurity.”
But It's All Voluntary!
CISA’s proponents claim that sharing data is entirely voluntary under the bill’s provisions (except for the users, who aren’t asked if they want their data shared with DHS). But opponents say that companies could be required to share data routinely in order to receive help from the government when they face an imminent threat. Another incentive to share data is the competitive intelligence that would flow back to participants in the form of threat trend reports issued by the government. Shareholders and liability insurers might also pressure companies to share data in order to reduce risks.
Security experts object that CISA’s information-sharing does nothing to effectively stop cyberattacks. Tech firms argue that CISA will diminish users’ trust in sharing private information with companies (probably a good thing, in general). A coalition of 55 privacy groups has opposed CISA. Even the Department of Homeland Security has warned, in a July letter to Congress, that the bill could inundate DHS with data of “dubious value” while it “sweep(s) away privacy protections.”
The beneficiaries of CISA are most likely to be the “fishermen” of law enforcement, who will get a vast new ocean of data to trawl through in search of something to investigate and prosecute. CISA will not keep determined hackers out of retailers’ customer databases.
UPDATE: This bill was passed, having been quietly snuck into a "must pass" budget bill. An article published on Dec 18th by Engadget said this:
"..if anything, the version of CISA that was quietly slipped into this budget plays with privacy even faster and looser than the original. For one, a previously held prohibition against sharing information with the NSA has been removed, meaning America's best surveillance agency can receive pertinent data without it being handled by Homeland Security first. More importantly, the provision that required personal information to be scrubbed from cybersecurity reports also seems to have gone missing, leaving that task up to the discretion of which ever agency gets their hands on it.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 3 Nov 2015
|For Fun: Buy Bob a Snickers.|
Geekly Update - 04 November 2015
The Top Twenty
GRANTED: Permission to Tinker, Copy and Explore
There's more reader feedback... See all 29 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- All Your Privacy Are Belong to Us (Posted: 3 Nov 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved