More like this

Security

Google, Facebook, Microsoft and buddies stick a bomb under hated CISA cyber-law

Proposed data-sharing rules risk to revenue, er, privacy

Kindle Big Brother

Some of the biggest names in the tech industry have issued a public protest against the proposed Cybersecurity Information Sharing Act (CISA) working through US Congress.

An open letter protesting the bill was sent by the Computer and Communications Industry Association (CCIA), an industry body whose members include Microsoft, Google, Facebook, Amazon, Nvidia, eBay, and Yahoo!

The CCIA says that the legislation, as written, will have dire consequences for the American IT industry. (And, we presume, great news for non-US tech companies.)

"CISA's prescribed mechanism for sharing of cyber threat information does not sufficiently protect users' privacy or appropriately limit the permissible uses of information shared with the government," it reads. "In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties."

CISA would allow the government and companies to share people's private information that federal investigators can analyze and look at for linkages to crime and terrorism. In return for sharing data, the companies receive indemnity against lawsuits for privacy and antitrust laws from customers.

Although lawsuits might be difficult. The bill's language specifically excludes the government from having to reveal what information it is harvesting to freedom-of-information requests, so you'll never know if your browsing habits or online messages are being viewed by government investigators.

The bill is a rewritten version of CISPA, which you may remember from protests in 2013 that saw over 400 websites go dark. That killed the bill, but a year later it was back, minus a digit, in a slightly amended form.

"While appropriately constructed cybersecurity information sharing legislation can provide a more efficient regime for the voluntary sharing of appropriately limited information between the private sector and government, it is not the only means through which information sharing can occur," the CCIA letter notes.

"Current legal authorities permit companies to share cyber threat indicators with the government where necessary to protect their rights and the rights of their users, and should not be discounted as useful existing mechanisms."

Supporters of the bill say that privacy safeguards exist and that users' personal information can be protected. But the bill has raised the hackles of many in the technology space, and even some government agencies.

Rather bizarrely, the Department of Homeland Security came out against the bill in August. The DHS is concerned that all this internet data is going to federal agencies directly, rather than funneling it through a central database run by, for example, the Department of Homeland Security.

The CCIA's opposition will be a welcome fillip to opponents of the bill, and comes as Congress is currently considering the new legislation. In the Senate, CISA has already galvanized politicians to oppose the legislation, led by Senator Ron Wyden (D-OR) and presidential candidates Bernie Sanders (I-VT) and Rand Paul (R-KY). ®

Sponsored: Global DDoS threat landscape report