The Senate Is Officially Considering a CISPA Clone

The Senate Intelligence Committee is moving forward with its Cybersecurity Information Sharing Act—a problematic, potentially civil liberties-killing piece of legislation that looks just like the CISPA bill the internet fought so hard to kill last year—and the year before that.

CISA, written by Senate Intelligence Chair Dianne Feinstein (D-Calif.) and Sen. Saxby Chambliss (R-Ga.) will be considered by the committee next week, according to Feinstein.

"The bill incentivizes the sharing of cybersecurity threat information between the private sector and the government and among private sector entities," Feinstein's team suggested in a press release. "It responds to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security of public and private computer networks by increasing awareness of threats and defenses."

It does some of that, but, as I noted back in April when a draft of the bill leaked (the one released by Feinstein today is virtually identical), the problems with CISA are almost as numerous as the ones with CISPA. The bill looks to do essentially the same thing—allow the federal government to trade classified "cyber threat" information with private companies in exchange for companies' "voluntarily" doing the same with its users' data. Feinstein has been one of the NSA's biggest supporters in Congress.

The way CISA is worded, local police agencies could use companies "voluntary" information sharing to create backdoor, warrantless wiretaps, according to civil liberties experts I spoke with.

The bill allows companies to share user data with local, state, and federal law enforcement that pertains to any sort of criminal activity, a move that would allow the police to forgo the court system to set up a wiretap.

"This very broad criminal purpose creates the possibility that cybersecurity information sharing becomes a backdoor wiretap, because law enforcement would be receiving information it otherwise would not get unless it showed probable cause," Greg Nojeim, an attorney at the Center for Democracy and Technology, told me back in April. "You don’t want a world where very robust cybersecurity information sharing turns into a law enforcement tool that’s used to prosecute people for completely unrelated crime."

CISA would, in general, require companies to strip users' identifying information. But if someone even tangentially related to a "cyber threat," that provision is waved, a loophole that Amie Stepanovich, an attorney with the civil liberties group ACCESS, told me is a "loophole large enough to drive a semi-truck through."

"A 'cyber threat' could mean you're just on a spam email list,"and are liable to having your data "voluntarily" shared with the government, she said.

And, just like CISPA, companies who share too much information with the government about their users will face legal immunity. In other words, if your information is illegally shared by Facebook with the federal government, you can't do anything about it.

As is par for the course these days, the bill was drafted in private with little to no input from civil liberties groups.