The US Senate has passed the Cybersecurity Information Sharing Act (CISA) by 74 to 21 votes, with five abstentions.
"This landmark bill finally better secures Americans' private information from foreign hackers," said Senator Richard Burr (R-NC), one of the bill's sponsors.
"This legislation gives the government and US companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years."
The bill encourages tech giants and other companies to disregard existing privacy agreements and share citizens' personal information with the federal government in exchange for immunity from prosecution by angry customers.
This will allow agents to pick out signs of criminality from the volunteered data, and use it to catch online crooks. In return, companies will get some advance intelligence on security vulnerabilities and upcoming cyberattacks.
Opponents of the bill fear CISA will give the government a license to snoop on citizens under the broad umbrella of cybersecurity, and the immunity provisions will encourage companies to hand over people's private records. There are concerns that the bill would make it much harder to reach a data sharing agreement with Europe after the collapse of the safe harbor agreement.
"Just as the EU makes it clear that the ease with which security agencies gain access to commercially held personal data is a serious problem, the US Government makes it even easier for this snooping to happen," said Mike Weston, CEO of data science consultancy Profusion.
"The Cybersecurity Information Sharing Act will make it significantly harder for the US and Europe to agree on a replacement for the collapsed Safe Harbor provisions. Without assurances that European citizens' personal data is protected, it's hard to see how such an agreement might be reached, putting the 'thriving transatlantic digital economy' at risk of stuttering, or worse."
The Senate spent much of Tuesday morning debating amendments that were designed to enhance the privacy protections of the bill. These included requiring the US Department of Homeland Security to scrub more personal information before forwarding data to other agencies, and removing the provision that makes sharing people's records under CISA immune from freedom of information requests.
"The fight to secure Americans' private, personal data has just begun," said Senator Ron Wyden (D-OR), who voted against the legislation and tried for an amendment to increase the privacy protections in CISA.
"As even the sponsors have acknowledged, this bill will do little to protect Americans from sophisticated hacks. At the same time, it will allow large volumes of Americans' personal data to be unnecessarily shared with government agencies from the NSA to the FBI."
Some amendments did pass, however. A cosponsor of the bill, Senator Jeff Flake (R-AZ), inserted an amendment to extend the life of the legislation from six years to 10, and an amendment last week allows federal agencies that need the data in a hurry to get it without personal information being stripped out.
In other words, the law will now stand for a decade (unless repealed), and the Feds can demand raw sensitive information immediately, or anonymized information if they are not pushed for time.
The House of Representatives passed legislation similar to CISA earlier in the year and the bill will now go into a committee stage while the differences between the two are ironed out. The White House has already said President Obama will sign it into law, once a few changes have been made.
Obama's position on CISA is very curious, EFF legislative analyst Mark Jaycox told The Register. The White House came out against earlier CISPA legislation, on which CISA is based, but seems strongly in favor of the new bill.
"The White House has pulled a 180-degree spin on this bill," Jaycox said. "I'd guess the White House has realized it may have to do something on security, even if it is a horrible cybersecurity bill." ®
Psst: If you're not an American citizen, none of this applies to you – the US government and its intelligence agents consider you completely fair game for surveillance, anyway.