CISA: Six months later and none the better for the wear

Six months after the U.S. Congress slipped the Cybersecurity Information Sharing Act (CISA) into a critical spending bill — its final and successful attempt to pass the notorious privacy-harming legislation that lets companies share private user data with each other and with the government while shielded from legal liability — we now have greater insight into the law’s inadequacies and the ways it puts user privacy at risk.

This week, the U.S. House of Representatives held a hearing on the “Oversight of the Cybersecurity Act of 2015.” Notably, not a single privacy advocate was invited to testify. Alongside the hearing, the U.S. Department of Homeland Security (DHS) published a series of guidance documents, including the Non-Federal Entity Sharing Guidance and the Privacy and Civil Liberties Final Guidelines. These guidelines describe how the agency expects the law to operate in practice, and they include important information about the kinds of personal information that can and will be sacrificed under the law’s provisions.

Before the bill was passed, Access Now explained its deficiencies at length. We warned that CISA:

  • Allows companies to share unnecessary personal and identifiable information with the government or other private entities;
  • Undermines civilian control of domestic cybersecurity by authorizing information to be shared directly with the National Security Agency (NSA), or mandating that it be automatically disseminated to the agency;
  • Fails to establish meaningful use limitations, allowing law enforcement to use the information it receives to investigate crimes unrelated to cybersecurity;
  • Threatens internet security by authorizing companies to retaliate against perceived cyber threats.

Both this week’s testimony and the documents released make clear that Access Now was correct to warn against many of CISA’s provisions.

As the DHS guidance documents show, under CISA, personal information like IP addresses and email contents may be turned over to the government without informing the person to whom the information pertains — for example, the victim of a botnet. To inform the individual, DHS argued, would be “counter to the utility” of the program. While the hearing barely touched on the privacy implications of cybersecurity information sharing, the witnesses did specifically object to the U.S. Federal Communications Commission’s (FCC) proposed broadband privacy rules. In a submission to the FCC in support of the rules, Access Now explained that CISA’s failure to adequately protect privacy made these regulatory protections even more critical. Without protections for user information, the cybersecurity measures will only cause further harm to those who have already been victimized.

In addition, the testimony of industry representatives helped demonstrate how CISA will protect well-resourced corporations as they further bloat government databases with potentially sensitive user information. As Ola Sage of e-Management testified, “CISA is new and though it applies to any size organization, today it is largely an interest of larger companies that have the infrastructure and resources to act.” While Ms. Sage emphasized that CISA has limited utility for small businesses, the law does even less for individuals, mostly failing to protect their privacy.

The limited privacy protections that do exist are mostly focused on U.S. persons. That’s particularly short-sighted given the ongoing negotiations over a new U.S.-E.U. data transfer agreement, made necessary by the failure of U.S. companies and government agencies to adequately protect the data of E.U. persons. The guidance instructs the U.S. government to notify users whose information has been shared in violation of CISA, but only U.S. persons receive that notice, even though U.S.-based companies transfer and control a significant quantity of global data.

At Access Now, we have called for cybersecurity protections that extend to people everywhere around the world. In a recent submission to the National Telecommunications and Information Administration on the Internet of Things, we called for stronger privacy protections in sharing information, improved support for encryption, and increased funding for innovative cybersecurity approaches. It’s clear that CISA, and any similar approaches, fail in that regard.

It should come as no surprise that other new proposals, such as the changes to Rule 41 now before Congress, disregard internet users’ rights. We’ve seen high-profile stories of corporate data loss, but instances where grandmothers lose access to their family photos because of a ransomware attack don’t make the headlines. Yet cybersecurity laws and policies like CISA place internet users globally at significant risk. One thing is clear: further limitations on privacy protections won’t help anyone.

As countries continue to examine policies to address cybersecurity risks, the example of CISA should show that policies that undermine users’ rights are not the right choice.