A controversial bill that aims to thwart hacking highlights the tension between the need for security and the desire for privacy.
Which matters more to you: curbing the onslaught of daily cyberattacks or protecting your online privacy?
That will be the crux of the debate Tuesday as the US Senate prepares to vote on the latest version of a controversial cybersecurity bill.
The aim of the Cybersecurity Information Sharing Act (CISA) seems straightforward. The bill’s backers say it will create a system that lets companies share evidence of hackers’ footprints with one another and the US government, without the risk of being sued for breaking privacy-protection or antitrust laws.
Proponents say CISA will make it easier for the government to coordinate threat responses among the banks, retailers, service providers and tech giants that are most often under attack. That makes sense, given that security experts for decades have been urging companies to share information about hack attacks.
Opponents, including more than 20 of the biggest companies in the tech industry, argue that the bill doesn’t do enough to protect the privacy of individuals and could lead to mass government surveillance. The Computer and Communications Industry Association trade group, which represents Amazon, Google and Microsoft among others, wrote an open letter earlier this month saying the bill doesn’t do enough to limit the government’s “permissible uses of information shared.” It could even “cause collateral harm,” the CCIA said.
Apple and file-sharing service Dropbox added their voices to the dissent last week. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” Apple said in a statement to the Washington Post. Security collaboration “should not come at the expense of users’ privacy,” Dropbox’s head of global public policy also told the newspaper. The two companies declined to comment further.
The sharing debate
It’s not like agencies and companies aren’t already alerting each other to attacks. The Department of Homeland Security detailed its current data-sharing practices in a letter to the Senate earlier this year, saying it has sophisticated and speedy processes for companies to share information on cyberthreats. Facebook this year launched ThreatExchange, a forum for member companies to share cybersecurity threats they see on their websites and databases. Companies in the financial and retail sectors have their own forums as well.
“When the government says it wants us to get better at sharing information, it really means that it wants us to provide information to the government that we are not already sharing,” said Andrew Conway, a researcher at Cloudmark, which analyzes cybersecurity information shared by its customers and also participates in ThreatExchange. “However, there is a downside to doing that: the potential loss of trust in American companies,” Conway said.
There’s plenty of evidence to support the concerns on both sides of the debate. This year alone, hackers grabbed the Social Security numbers of 21.5 million current and previous federal employees, and swept up United Airlines’ flight manifests. They broke into Anthem, the No. 2 health insurer in the US, compromising personal data of up to 80 million current and former members and employees. They also leaked the identities of 30 million users of adultery website Ashley Madison.
Privacy advocates only need mention Edward Snowden to make their point. The former National Security Agency contractor has leaked tens of thousands of documents revealing massive government surveillance of US citizens.
The conflict over CISA centers on whether it could give the government even greater license to spy on Americans. Advocates say it won’t.
“It is not an intelligence collection bill,” CISA co-sponsor Sen. Dianne Feinstein (D-Calif.) wrote in an opinion piece last year in the San Jose Mercury News. Companies must remove personal information before sending it, and the government can incur “strong penalties for abuses,” she said.
Randy Sabett, a former NSA cryptography engineer who now specializes in privacy and data protection at law firm Cooley, said the bill makes it clear that any information gathered can only be used for six specific cybersecurity-related purposes. This is designed to prevent it from becoming a dragnet for personal information.
“Having a skeptical view of the government is a healthy attitude to have,” Sabett said. But that’s not the same thing as saying “every time a company shares your personal information with the government, the government does bad things,” he said.
Don’t believe it, said Mark Jaycox, legislative analyst at Electronic Frontier Foundation, a digital-rights advocate. “The bill eviscerates privacy law and protections in current law, and expands the amount and type of information that can be shared,” he said.
Even senior staff of the Department of Homeland Security agree. Giving information directly to law enforcement and intelligence organizations “could sweep away important privacy protections,” Deputy Secretary Alejandro Mayorkas wrote in a letter to Sen. Al Franken (D-Minn.). The bill as written “raises privacy and civil liberties concerns,” Mayorkas noted.
In other words, the CISA vote will be marked by heated debate.
Jen Ellis, vice president at cybersecurity company Rapid7, said a law that sets guidelines for information sharing could avoid a loss of trust if it were written carefully and included strong civil liberties protections. She doesn’t believe CISA is that bill. What’s more, privacy advocates and tech companies will likely never be comfortable with a bill that wipes out liability for companies that share customer information, she said. That provision might appeal to retailers and banks, but not the Apples and Dropboxes of the world.
“Tech companies have a totally different pressure,” Ellis said. “Their pressure is the justified paranoia that their customer base has that they’re going to get into bed with the government.”
That takes us to Tuesday’s debate. CISA’s final wording will depend in large part on whether the Senate thinks you care more about security or privacy.