In a statement, the group said CISA, even after some final amendments, “remains a fundamentally flawed bill, which already suffers from broad immunity clauses, vague definitions and aggressive spying authorities.”
And Robyn Green, policy counsel at New America's Open Technology Institute, has regularly called it a “train wreck for privacy and security.”
One might argue that the PII (personally identifiable information) of U.S. citizens is already in government hands – it is the government that issues or keeps records of identifiers like Social Security numbers, driver's licenses, property deeds, passports, etc.
But Harvey said the privacy risk is not about basic PII. “This is about the metadata, and data, of our online activities,” he said. “Enterprises and the government will decide what is classified as an indicator, and if that happens to be all of your browsing history, unencrypted – possibly even encrypted – communications, clear-text emails and so on, it is allowed under the bill.”
Proponents say this exaggerates the privacy threat. They note that the portal through which threat indicators are shared will not be run by military or intelligence agencies, but by the civilian DHS.
Susan Hennessey, general counsel of the Lawfare Institute and managing editor of the Lawfare blog, wrote in a recent post that the DHS information sharing portal, called the Automated Indicator Sharing (AIS) system, “has been up and running for months,” in response to President Obama's Presidential Policy Directive 21 and Executive Order 13636.
And she said DHS has designed the portal to eliminate personal information. “If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS,” she wrote. “Think of an online form for, say, making a flight reservation: If you try to enter your favorite animal in the credit card field, it just doesn’t work.”
That, she said, minimizes “the risk of ingesting PII that is not itself a component of the threat indicator.”
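The mechanism Hennessey describes is schema-constrained ingestion: the portal accepts only designated fields, and anything submitted outside them is discarded before storage. The following is an added illustration written for this article, not DHS or AIS code; the field names, the accepted indicator types, the validation rules and the sample submissions are all assumptions constructed here to show how such a filter behaves, including what it does and does not remove.

```python
"""Field-whitelist ingestion filter for threat-indicator submissions.

Added example modelled on the behaviour the article attributes to the DHS AIS
portal (out-of-schema data is dropped before ingestion).  Not DHS/AIS code:
the designated fields, indicator types and sample records are assumptions.
"""
import ipaddress
import re

# Assumed designated fields and indicator types (not the real AIS schema).
ALLOWED_FIELDS = {"indicator_type", "value", "first_seen", "confidence"}
ALLOWED_TYPES = {"ipv4-addr", "domain-name", "file-hash", "email-addr"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _value_matches_type(itype, value):
    """Reject a value that does not look like the declared indicator type,
    so free text cannot be smuggled through the 'value' field."""
    if itype == "ipv4-addr":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if itype == "domain-name":
        return bool(_DOMAIN_RE.match(value))
    if itype == "file-hash":
        return bool(_SHA256_RE.match(value))
    if itype == "email-addr":
        return bool(_EMAIL_RE.match(value))
    return False


def filter_submission(submission):
    """Return (record, dropped_fields).

    record contains only designated fields; it is None when the submission is
    rejected outright (unknown type, or a value that fails the type check).
    dropped_fields lists the field names discarded before ingestion.
    """
    dropped = sorted(k for k in submission if k not in ALLOWED_FIELDS)
    record = {k: v for k, v in submission.items() if k in ALLOWED_FIELDS}
    itype = record.get("indicator_type")
    value = record.get("value")
    if itype not in ALLOWED_TYPES or not isinstance(value, str):
        return None, dropped
    if not _value_matches_type(itype, value):
        return None, dropped
    return record, dropped


# Constructed sample submissions (documentation addresses and domains only).
SAMPLE_WITH_EXTRA_PII = {
    "indicator_type": "ipv4-addr",
    "value": "198.51.100.7",
    "first_seen": "2015-10-01T12:00:00Z",
    # Out-of-schema fields a careless sender might attach:
    "analyst_notes": "seen in the mailbox of jane.doe@example.com",
    "victim_email": "jane.doe@example.com",
}

SAMPLE_FREE_TEXT_IN_VALUE = {
    "indicator_type": "ipv4-addr",
    "value": "full browsing history of user 42 attached below",
}

# An e-mail address used as a phishing-sender indicator is in-schema PII:
# the field filter keeps it, because it *is* the indicator.
SAMPLE_PII_AS_INDICATOR = {
    "indicator_type": "email-addr",
    "value": "phisher@example.net",
    "confidence": "high",
}


if __name__ == "__main__":
    for name, sub in [("extra PII", SAMPLE_WITH_EXTRA_PII),
                      ("free text", SAMPLE_FREE_TEXT_IN_VALUE),
                      ("PII as indicator", SAMPLE_PII_AS_INDICATOR)]:
        record, dropped = filter_submission(sub)
        print(f"{name}: kept={record} dropped={dropped}")
```

Run against the three constructed records, the filter discards the `analyst_notes` and `victim_email` fields of the first, rejects the second because its `value` is not an IPv4 address, and accepts the third unchanged. That last case is the limit of the approach Hennessey describes and the one her own wording concedes: a field whitelist removes PII that is attached to an indicator, not PII that is the indicator.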
Opponents remain unconvinced. Stripping out some PII before it is shared with other agencies is “fruitless,” Williamson said. “Once it is enriched with other public and private data, it will give government agencies nearly boundless information about its citizenry.”
Desjardins agreed. “The differences between surveillance and threat monitoring are really shades of gray,” he said. “The vague language of what would be classified as cyber-threat indicators rightly has privacy advocates concerned that this is a wide-open path to sharing everything in the hopes of finding something deemed relevant.”
Williamson said his biggest concern is how future governments will use the powers granted by CISA. “The FBI and other security organizations quickly classified the Occupy Wall Street movement as a terrorist organization,” he said. “Who may tomorrow’s ‘terrorists’ be? The left? The right? People who vote out the current government? The IRS investigated the Tea Party in 2014. Who might be unpopular in the future?”