To stop hackers from violating your privacy, the government wants help from big business. Specifically, it wants more information about their vast customer databases, and in return, it promises to keep quiet about what it finds out.
That’s the upshot of the Cybersecurity Information Sharing Act (CISA), a law pending in Congress that supporters say will help stop massive data breaches like the recent theft of sensitive info on 4 million current and former federal employees.
To civil liberties advocates, CISA is less about stopping hackers and more about bolstering the government’s ability to spy on its people.
The act would encourage private companies to share what they know about data security threats, just like neighborhood block captains who spot crime and report it to the cops.
To ensure the cooperation of big banks and other data collectors, the bill would shield them from lawsuits and clamp down on any public access to that shared data, including the first new exemption to the Freedom of Information Act in more than 40 years.
Whether to pass CISA is part of a debate now raging in Washington, one that doesn’t follow the typical partisan split.
It’s about how much the government can be trusted to safeguard privacy, and how much the public has to safeguard itself from government.
The CISA bill passed out of the Senate Intelligence Committee in March on a bipartisan 14-1 vote.
On June 11, Senate Majority Leader Mitch McConnell, R-Ky., tried to attach it to a must-pass military spending bill.
It fell four votes short of the 60 needed to cut off debate. The outcome prompted the Senate Intelligence Committee chairman, Sen. Richard Burr, R-N.C., to issue a statement accusing those opposing the bill of enabling “foreign adversaries and international criminals to continue to steal Americans’ personal information and intrude on their privacy.”
Minnesota’s two Democratic senators were on opposite sides of the vote.
Sen. Amy Klobuchar voted to advance the bill. Sen. Al Franken voted against it.
In an interview, Klobuchar predicted that many of those mainly Democratic senators who voted no will eventually come to support the bill when it resurfaces. The massive thefts of data from Target and other companies demonstrate the perils of the status quo, and the need to join forces against hackers, she said.
“We are in a very scary situation right now,” Klobuchar said.
Klobuchar said the bill requires that “personal information must be removed” before businesses share any information. She acknowledged that the “details are being worked out” about privacy protections, and expressed some concern about the bill’s exemption from public disclosure.
Franken disagrees. “This isn’t a privacy bill,” he said in an interview. “I don’t know how you can make that argument.”
Franken said his principal objection is that CISA does not prohibit the collection of “personally identifiable information,” which in his view the government already has too much of.
Franken, one of the Senate’s leading privacy watchdogs, said he has just as many concerns about corporations stockpiling data on people. While he wants the government to stop these data breaches, he doesn’t want companies to hand over personal information on their customers for the government “to use in questionable ways.”
Wearing a disguise?
Franken’s concerns are shared by civil liberties and open-government advocacy groups. Most agree that corporations should be able to provide information on security vulnerabilities with a promise of confidentiality. But they say existing laws already guarantee that.
“The bill, taken as a whole, is intended to keep people inside the government from letting the public know about overreach and vulnerabilities,” said Patrice McDermott of OpenTheGovernment.org, a Washington-based transparency group. It’s loaded with potential penalties for leaking information.
McDermott attributes these measures to effective lobbying by corporations, who don’t want any of their company secrets getting out through a FOIA-friendly court.
“They always want everything nailed down, stitched up and closed off,” she said.
It’s difficult to see how this bill could have prevented the thefts at the Office of Personnel Management, which was long known to have weak defenses against data breaches. McDermott, who used to work at the National Archives, said she’s probably one of those people whose personal information is now in the hands of some hacker.
In his statement, Burr criticized the bill’s opponents by saying “Perhaps when senators have their own information stolen by North Korean hackers they’ll react differently.”
When asked Franken if he had ever been the victim of a data privacy breach, Franken deadpanned: “That’s a private matter.”
“I actually haven’t,” he continued. “That I know of.”
Contact James Eli Shiffer at firstname.lastname@example.org or 612-673-4116. Read his blog at startribune.com/fulldisclosure.