Feeds

Cyber-Senate's cyber-security cyber-law cyber-scares cyber-rights cyber-fighters

Proposed rules put private data into hands of Uncle Sam

Beginner's guide to SSL certificates

On Tuesday the US Senate will meet in a closed-door session to mark up the forthcoming Cybersecurity Information Sharing Act of 2014 (CISA) – and the proposed new rules on data sharing between big biz and government have privacy groups seriously worried.

CISA is an offshoot of the proposed Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced nearly three years ago and has had a rocky road. The ostensible reason for the new law is to formalize information sharing between the US government and companies on ongoing security threats – provided firms hand over users' information to the government to help identify new attack vectors.

CISPA passed a vote in the US House of Representatives, but went no further. CISA is the Senate's response to CISPA, and was cowritten by NSA-friendly Dianne Feinstein (D-CA), chairwoman of the Senate Select Committee on Intelligence.

The new bill is somewhat broader in scope than CISPA and the language used so far has led more than 30 groups, from both sides of the political spectrum, to issue an open letter on its failings.

"In the year since Edward Snowden revealed the existence of sweeping surveillance programs, authorized in secret and under classified and flawed legal reasoning, Americans have overwhelmingly asked for meaningful privacy reform and a roll back of the surveillance state created since passage of the Patriot Act. This bill would do exactly the opposite," the open letter [PDF] warns.

Under the terms of the new legislation, the government would be allowed to collect people's data from firms not just for cyber threats to infrastructure, but also for terms of service violations, the prosecution of identity theft, aiding prosecutions under the Espionage Act, or even to find the identity of whistleblowers.

The data that companies hand over should be stripped of personally identifiable information, but according to the new bill this only applies if the supplying firm has evidence that the user is a US citizen and if the information isn't directly related to a "cybersecurity threat."

In addition, companies that take part in such information sharing are exempt from public disclosure laws that would require them to tell users what is going on. Government agencies using that data also get broad liability protection and have very limited oversight.

"We do not discount the legitimate dangers posed by cyber threats, both from domestic criminals and hostile foreign powers," concludes the letter writers – which include the likes of the EFF, the ACLU and the National Latino Farmers and Ranchers Trade Association.

"But, as with all national security authorities, we need not sacrifice crucial civil liberties and privacy safeguards, and especially whistleblower protections, in order to effectively address such dangers. We urge the committee and Congress to carefully reconsider CISA as drafted, and to bring it in line with our law, our Constitution and our national values."

The White House has shown concern over the overarching scope of the CISPA/CISA legislation and sort-of threatened to veto the laws as they stand – but we all know how jellylike President Obama's promises can be. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.