Faced with a barrage of hacks against companies like Sony, Target, Home Depot, and others lawmakers in Washington have proposed new cybersecurity legislation that would allow businesses and the government to share information about possible threats without the fear of lawsuits. But Apple, Twitter, and a number of other tech titans have come out swinging against it.
The Cybersecurity Information Sharing Act (CISA) would permit technology companies like Google, Facebook, and Microsoft to combat cyberattacks by voluntarily offering identity-stripped information about their customers to the government without legal liability. It would also establish a central cybersecurity hub within the Department of Homeland Security where threat information would be collected and shared. Currently being debated in the U.S. Senate, the bill's companion legislation in the House of Representatives passed with bipartisan support earlier this year.
On the Senate floor Wednesday, California Democrat Dianne Feinstein described the bill as a vital tool to curb the onslaught of data breaches and the deterioration of security in the digital age. She outlined several amendments to the law, which she believes address the privacy concerns of the bill's critics, including limiting the information sharing to cyber-related crime and enhancing Homeland Security's oversight role in how the threat data is shared.
But a growing faction of technology companies remain unconvinced. On Tuesday, Apple and Dropbox voiced their opposition to CISA, joining Yelp, Reddit, and Salesforce. "The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy," Apple said in a statement. Dropbox acknowledged the importance of sharing data on emerging threats, but also explicitly noted "that [this] type of collaboration should not come at the expense of users' privacy." The Computer and Communications Industry Association, a technology advocacy group representing Google, Facebook, and Microsoft, is publicly opposing CISA as well. Last week the tech group said the bill does not limit the permissible uses of the information the government intends to collect, failing to protect consumer privacy.
Sen. Feinstein, along with another main supporter of the bill, Sen. Richard Burr, a Republican from North Carolina, have responded to Silicon Valley's complaints with dismay and disappointment. On Tuesday, Sen. Burr likened the threat-sharing program to a neighborhood watch, suggesting that opposition to the proposal would rob the entire country of increased security. "If you don't like the bill, you don't have to do it," Sen. Feinstein said on the Senate floor Wednesday, emphasizing that web companies are not required to share cyberthreat information, but should be able to do so voluntarily, without legal liability.
Within the Senate, the loudest voice of dissent belongs to Ron Wyden, a Democrat from Oregon. "This bill allows companies to hand over a large amount of private and personal information with this very cursory review," he told BuzzFeed News. Sen. Wyden would like to see additional responsibilities put on both tech companies and with Homeland Security to filter out unrelated personal information when data is shared about consumers.
"Remember, the sponsors of the bill kept saying that this is a voluntary bill. It is not voluntary for the customer. It is mandatory for the customer," he said, rejecting the characterization that CISA is merely an opt-in security program.
Wyden said that CISA, were it to pass in its current form, might jeopardize delicate negotiations between the U.S. and the European Union over international surveillance — talks that have grown more urgent in light of the Safe Harbor ruling, where the EU's highest court ruled American data protection standards inadequate.
Said Wyden, "For millions of Americans, when they hear about information sharing without the privacy safeguards that I and others are pushing, those Americans are going to say, This isn't a cybersecurity bill, this is another surveillance bill."