A fine line exists between privacy and security. The ways of the world today have changed so much over the past few decades that we now must consider how much our personal privacy really is worth. When faced with the pervasive threats of terrorists near and far, it seems that the time has come to trade some of our own privacy for a little added protection from these ever-present dangers. At least that’s what we’re being told.
President Barack Obama signed The Cybersecurity Information Sharing Act (CISA) into law on December 18, 2015, packaging it as a part of a consolidated spending bill. The original goal of the act was to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”
But what are those “other purposes”? Perhaps that’s what’s got much of America’s tech community up in arms.
CISA passed just over six months ago, although that wasn’t its first appearance. The Cybersecurity Information Sharing Act garnered interest when it was first introduced in the summer of 2014, but at the time, it did not reach a full senate vote. The bill returned for review in March of last year and finally passed in the Senate on October 27, 2015.
According to the Guardian, 22 major tech firms openly opposed the act, including Apple, Facebook, Google, Twitter, and Wikipedia, among others. Still, other companies in the tech didn’t have quite the same bad vibe about the bill, with some like Verizon, Comcast, and HP supporting it or at least holding their silence.
What Was CISA Designed to Do
CISA’s main objective was to permit companies to share information on cyber attacks and other threats— as well as private citizens’ information —with various branches of the government, including the Department of Homeland Security. The act facilitates the transfer of personal information from companies to the government, with particular interest in detecting cyber security threats.
The bill does afford special care over personally identifiable information and details that are irrelevant to cyber security with provisions designed to prevent sharing of this type of data. The data that does get passed along as cyber threat indicators may be put to use in prosecution of cyber crimes or as evidence for violent crimes like carjacking or robbery. An update to the bill also allows for companies to share not just information regarding cyber threats and violent crimes, but also anything in relation to “serious economic harm.”
Terms are vague and borders are blurred. Critics are concerned CISA is more of a surveillance bill than a security one.
Why it’s a Potential Problem
Even the best intentions can go to hell in a handbasket. CISA aims to protect citizens by monitoring traffic and reviewing potential threats, but it also transfers the responsibility over innumerable private citizens’ personal data points from businesses to seven different branches of the government. Some information gets passed along to the NSA and local police for investigation and further action. Will the information be stored and protected as vigilantly as it would without being transferred to numerous other organizations and systems? It’s hard to say, and that may be a key piece of what bothers people.
The silver lining is that the bill allows rather than requires companies to provide this information. Still, the concern is that well-intentioned companies may take to the convenient select-all, copy-paste convenience in their effort to do their part for national security, thus sharing over plenty of irrelevant yet very personal information.
Your own stance on privacy and your current feelings about potential threats in the world today are most likely to color your perspective of The Cybersecurity Information Sharing Act. Is it really as bad as some make it out to be? Are we as Americans truly losing too much of our privacy? Are we better off by nipping potential threats in the bud? The jury’s still out, but the law’s already been signed. Now all we can do is wait and see.