CISA sneaks through Congress, leaving privacy groups scrambling

Opponents of the controversial Cybersecurity Information Sharing Act are divided on how to proceed, after Congress on Friday approved the measure, which encourages U.S. businesses to share customer information with government agencies.

Some privacy and digital-rights groups called on President Barack Obama to veto the $1.15 trillion, 2,000-page spending bill that CISA was tacked on to this week, even though a veto could lead to a government shutdown. Others said they will try to engage in some CISA oversight processes and monitor information sharing for potential privacy violations.

President Obama signed the spending bill and CISA into law on Friday afternoon.

CISA protects businesses that share cyberthreat information with one another and with government agencies from customer lawsuits. Supporters say it’s necessary to help the United States fight cyberattacks.

“Millions of personal records, and hundreds of billions of dollars, fall victim to cyberattacks every year, and we’ve done little to stem the tide,” CISA sponsor Sen. Dianne Feinstein (D-Calif.) said this fall. “This information-sharing bill, while not a silver bullet, is an important step to shore up our cybersecurity.”

CISA sponsors and congressional leaders did not immediately respond to messages asking questions about the process.

Digital-rights groups Access Now and Fight for the Future said they plan to deliver 110,000 signatures on petitions they sponsored that call for Obama to veto the bill.

The congressional intelligence committees “are pulling a fast one on Congress and the American people,” said Nathan White, senior legislative manager at Access Now.

But a veto isn’t worth speculating about, said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Obama “is not going to veto the bill,” he said. Instead, CDT will monitor the information sharing that happens, Nojeim said.

The bill requires the Department of Justice to issue information-sharing guidelines within 180 days, and privacy groups may get a chance to participate, he said. A year from now, government agencies collecting cyberthreat information must also issue detailed reports about the program, including the number of times personal information was shared illegally.

If these assessments find that a significant amount of unnecessary personal information is shared, and the government doesn’t fix the problem, “more companies will hesitate to participate,” Nojeim said.

The bill also requires agencies to notify U.S. residents if their information was shared improperly. “If a lot of those notices go out, expect some fireworks,” Nojeim said.

CISA: Surveillance in disguise?

In addition to appending CISA to a critical spending bill, lawmakers stripped out several privacy provisions in secret negotiations to resolve the differences between the Senate-passed CISA and two similar House bills.

House and Senate negotiators, when looking at differences in the privacy provisions in the three bills, generally “went with the less protective approach,” Nojeim said.

The final version of the legislation allows the shared information to go to the National Security Agency and the Department of Defense, even though some lawmakers pushed for a civilian sharing program.

The bill also allows agencies to use the information that businesses share to investigate crimes unrelated to cyberthreats.

The final language also includes only “weak” requirements for companies to remove personal information, CDT said. The final bill “merely requires governmental and private entities to remove information they know to be personal information not ‘directly related’ to a cybersecurity threat,” the group said in a blog post. “Such language will encourage entities to err on the side of sharing sensitive information, when in doubt.”

Updated Saturday, Dec. 19 to reflect that President Obama signed CISA into law.