A controversial cybersecurity bill, known as the Cybersecurity Information Sharing Act (CISA), has sparked outrage because of its potential to violate user privacy. The bill could come to a vote some time this week.
CISA requires that technology and manufacturing companies send cybersecurity threats to the federal government. That, in theory, doesn’t sound like a bad idea. But opponents argue that the bill is written in such a way that it allows the federal government to collect private, unnecessary information from users without addressing security breaches and hacks.
Mark Jaycox, a legislative analyst for the nonprofit Electronic Frontier Foundation, said the bill is so broad that any malware link that appears in a messaging thread could be seen as a cybersecurity threat and sent to the government.
This is problematic, considering malware links are accidentally sent and received frequently in group chats, and a single link could be enough to turn entire messaging threads over to the federal government.
Messaging threads wouldn’t be reviewed by individuals either — an automated system would scan for anything that could potentially be malware.
“You could be discussing dinner and the company thinks that link you just sent is a virus not wanted on a network, then the company grabs it and sends it to the government,” Jaycox said. “Almost anything under the bill could be considered a threat.”
This means any messaging platform — from iMessage to email to Facebook message — could be subject to government review if CISA passes.
“It unduly burdens people’s privacy and there’s already enough of that going on,” he added.
CISA surfaced in July 2014 and was tabled, but a vote could come as soon as tomorrow.
The bill is meant to respond “to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security of public and private computer networks by increasing awareness of threats and defences.”
But Jaycox argues that even if the bill passes, it won’t address the threats it says it will.
For example, the 2014 J.P. Morgan breach occurred because a server wasn’t updated, Jaycox said. The Office of Personnel Management (OPM) breach that occurred this summer, in which 5.6 million fingerprints were stolen from the government, occurred because the hackers were able to compromise the agency’s old computer architecture.
And much of the blame for the Anthem health insurance hack can be placed on the company not encrypting its information, he added.
“It’s dubious seeing CISA presented as a silver bullet for these problems,” Jaycox said. “The Bill is presented as a solution for a problem that doesn’t exist.”
Rather than sharing user information to protect against these breaches, which won’t work, more companies should practice smart security measures, Jaycox explained. A lot of companies have yet to install two-step identification or encrypt their files.
Major tech companies have taken a stand against the bill. The Computer and Communications Industry Association, a trade group that includes Google, Yahoo, and Facebook, has voiced opposition to the bill. Twitter and Reddit have also taken a public stance against the bill.
Apple CEO Tim Cook hinted at his opposition to the bill, claiming at The Wall Street Journal’s WSJD Live conference that no one should have to choose between privacy and security.
“No one should have to decide privacy or security,” he said. “We should be smart enough to do both.”