On December 18, Congress passed the 2016 Omnibus spending package, a 2,242-page piece of legislation apportioning $1.1 trillion in budget funds—and forsaking American web security.
The Cybersecurity Information Sharing Act (CISA) was passed as a combination of two drafts from the House of Representatives (the National Cybersecurity Protection Advancement Act and the Protecting Cyber Networks Act) and one from the Senate (also called CISA), in an attempt to address cyberattacks on American companies faster. The intelligence committees of both chambers envisioned a platform for participating businesses to share information directly with government agencies should they be hacked or breached. However, the final result seems far from auspicious.
Earlier versions of the bill included security provisions that simply didn’t make it to the final draft. First of all, all data was to be sent to the Department of Homeland Security (DHS) and distributed from there, but CISA as it exists now allows data to flow straight from private companies to various government agencies, including the Federal Bureau of Investigation (FBI) and National Security Agency (NSA), without a warrant or need for probable cause.
The other safeguard for consumer information would have allowed the DHS to erase customers' personal information before releasing any data to other agencies. The final draft of CISA contains a loophole that allows agencies to undo this censorship and thereby access the original information.
In the fall of last year, Senator Ron Wyden (D-Ore.) proposed an amendment that would only allow companies to pass on information that was definitely relevant to a specific threat, rather than sending a whole package of potentially relevant data, but Congress rejected this security measure before the final version of the bill. After the bill passed, Wyden wrote, “Americans deserve policies that protect both their security and their liberty, and this bill fails on both counts.”
Wyden is not alone in his sentiment; a coalition of tech companies (including Facebook, Apple, Google, and Amazon) and privacy advocates have protested the bill since its conception. The Open Technology Institute’s press release denounced the omnibus bill’s passage, stating that Congress “took a bad bill and made it worse,” and added it to a budget bill that was all but guaranteed to pass.
CISA’s effects remain to be seen, but it has the potential to become an indirect surveillance network that, if upheld, would jeopardize the security of technology consumers throughout the United States. Besides withdrawing business from participating companies, there seems little for consumers to do to protect themselves. Erasing cookies and web history periodically, as well as email and text encryption, can limit the amount of information that these companies collect about individuals, but the majority of Americans don’t and won’t bother. Consumers, especially social media users, should remain mindful of the information they share online as its role in security becomes more convoluted.