The little-loved Cybersecurity Information Sharing Act (CISA) will likely become law this week, and in a form far worse than first thought.
After passing the House of Representatives and the Senate, CISA has been marked up in congressional sessions in a way that has removed most of its privacy protections. CISA has also been tacked onto an omnibus bill that the White House is unlikely to veto.
"It looks like a done deal," EFF legislative analyst Mark Jaycox told The Register. "It's what we've been saying about CISA from the start – this has been couched as a security bill but it's not."
Under the original CISA legislation, companies would share their users' information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.
But as the bill was amended, the privacy parts of the proposed law were stripped away. Now companies don't have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. Nor do companies have to report security failings, even if they spot them.
"This 'cybersecurity' bill was a bad bill when it passed the Senate and it is an even worse bill today," said Senator Ron Wyden (D-OR). "Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections."
The chance to question those changes before the bill becomes law has also been limited, thanks to it being folded into an omnibus bill containing a whole host of unrelated budgetary and business matters. It's highly unlikely the White House would veto the legislation for this one matter, as there is too much riding on the overall bill passing.
While it may seem the battle is lost, Jaycox said there was still work to be done, both in amending CISA (assuming it is passed) and in working to prevent similarly flawed legislation being signed off by legislators.
"We need to work on the further education of Congress; this isn't the be-all and end-all security bill – there will be others," he said. "CISA also has to be implemented by departments, notably the Department of Homeland Security, and we'll be watching how this is done."
The traditional way of overcoming bad law is in the US courts. As with encryption in the 1990s, the judiciary can be very effective in bringing sense to badly framed legislation.
But there is a problem with this approach when it comes to CISA. Under the language of the legislation, all data handed over is immune from freedom of information requests. That will make it difficult for individuals to act and protect their privacy from government intrusion. ®