Privacy groups are raising alarms in response to the Senate Intelligence Committee’s introduction of a new cybersecurity bill: the Cybersecurity Information Sharing Act of 2015 (“CISA”). The text of the current bill has been made available for viewing at this link.
According to a National Journal report discussing the proposed legislation, the bill “is intended to help forestall cyberattacks like the one that crippled Sony Pictures last year.” The two key features of the bill are data sharing with regard to cybersecurity and liability protections for companies that participate.
As you might expect, the opposition to this bill already being raised is that it imposes new surveillance pressures on companies and provides virtually no protection to the individual. The Electronic Frontier Foundation (“EFF”) has already posted a scathing statement of opposition to this bill on its website, arguing that the bill grants companies very broad powers to protect information systems, with the sole restriction that no “substantial” harm arises from the action, and that it also gives companies broad powers to conduct monitoring on information systems, which can broadly be used to conduct surveillance of individuals. The EFF’s position is as follows:
This fatally flawed bill must be stopped. It’s not cybersecurity, but a surveillance bill.
Wired reports that the concern of other privacy advocates is that the bill would permit the sharing of personal data that goes beyond just stopping cybersecurity threats and would also allow sharing for the stated purpose of preventing terrorism, the imminent threat of death or serious bodily harm, and even the investigation of crimes having nothing to do with cybersecurity.
After reviewing the text of the proposed bill myself, I would agree with the vocal opposition on this bill that there is a reason that the Senate Intelligence Committee is proposing this type of legislation that has little to do with preventing cyber attacks: to increase the surveillance powers of the federal government and to encourage broader corporate cooperation and participation in these surveillance activities. I would also argue that this type of legislation, if enacted, has the potential to disproportionately affect cloud-based software and Internet companies, co-opting them into providing enhanced governmental surveillance of their customers.
I can understand why Silicon Valley’s tech community might be hesitant to take a position in opposition to a bill that California’s own Senator Dianne Feinstein has been supporting, but I would argue that this is an issue that the software industry, and particularly, the cloud industry, should step up to the plate on and strongly oppose, given the fact that data collection is such an integral part of the online software business and revenue model. This type of legislation, if passed, has the potential to put such companies in the undesirable position of conducting what amounts to surveillance activities on their customers on behalf of the government, which is not a position that most Silicon Valley companies would probably like to find themselves in. It takes the surveillance gathering that has been going on since 9/11 to an entirely new level.
The Silicon Valley Software Law Blog will keep you posted on developments with this legislation as they arise.