As if “national security” weren’t enough, now Congress is trying to use “cybersecurity” as an excuse to chip away at our right to privacy—and it’s riding on the coattails of incidents like the Experian and OPM breaches. Once again for continuity, it bears repeating that the Cybersecurity Information Sharing Act (CISA) would not have stopped the recent high-profile security breaches.
We’re not falling for it, and fortunately neither are industry trade groups Computer and Communications Industry Association (CCIA) and the Business Software Alliance (BSA).
CCIA and BSA’s public opposition to the legislation is significant because it shows that tech companies are feeling the pressure to oppose the inept legislative effort, which bears striking resemblance to NSA’s ‘collect it all’ intelligence doctrine.
BSA came out in opposition to CISA after it sent a “data agenda policy letter” that seemed to indicate that it supported CISA. The organization was slammed with emails in a campaign coordinated by Fight for the Future. Shortly afterwards, the BSA issued a statement making it clear that the trade organization opposes CISA. It stated
BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.
We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.
The CCIA also presciently recognized the important individual privacy concerns in CISA. In its opposition, the group said
CCIA is unable to support CISA as it is currently written. CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.>
CCIA recognizes the goal of seeking to develop a more robust system through which the government and private sector can readily share data about emerging threats. But such a system should not come at the expense of users’ privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilize the infrastructure the bill aims to protect.
As Congress is currently debating the bill, and wants to pass it in a “matter of days,” the trade groups’ opposition to the bill is crucial.
Salesforce, reddit, Yelp, Twitter, and Apple Lead the Way
Although BSA and CCIA have now made public statements against CISA, most of their members haven’t. BSA includes Adobe, Autodesk, Dell, IBM, Microsoft, Oracle, and Symantec. CCIA’s counts Amazon, CloudFlare, Facebook, Google, Netflix, T-Mobile, and Yahoo! among its members. The only major companies that have publicly opposed CISA are Salesforce, reddit, Yelp, Twitter, and Apple.
After concerned activists questioned Salesforce for seemingly supporting CISA, the company came out unequivocally against the legislation. Burke Norton, the company’s Chief Legal Officer said
At Salesforce, trust is our number one value and nothing is more important to our company than the privacy of our customers' data. Contrary to reports, Salesforce does not support CISA and has never supported CISA.
In its opposition, reddit stated:
Reddit has opposed bad "cybersecurity" bills that undermine user privacy for years. We
Yelp is against the bill and warned:
Congress is trying to pass a "cyber security" bill that threatens your privacy. Join us & others to oppose.
Twitter opposes the bill because:
Security+privacy are both priorities for us and therefore we can't support #CISA as written. We hope to see positive changes going forward.
Apple issued a statement today that says:
We don't support the current CISA proposal. The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy.
CISA is Not the Panacea, Other Companies Should Speak Up
CISA is fundamentally flawed in its approach to cybersecurity. Its information sharing regime wouldn’t even fix the most recent public breaches, since it doesn't address basic problems, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.
Instead, CISA provides broad immunities for companies to share personal information with the federal government, vague definitions that do not define what information can and cannot be shared, information can be used for purposes unrelated to cybersecurity, and has the potential to be used as another tool to conduct surveillance.
It’s time for other tech companies to follow Salesforce, reddit, Yelp, Twitter, and Apple’s lead, especially those that claim to stand up for user privacy, to speak out in opposition to CISA.
In the meantime, you can take action and call your senator now to vote against CISA.