Should the Feds See Your Private Data?

November 14, 2015, 3:00 PM UTC
Illustration by L-DOPA

At the end of October the U.S. Senate broke its characteristic state of logjam and passed by a wide margin the Cybersecurity Information Sharing Act. The bill encourages companies and federal agencies to exchange data related to computer threats (of which there are many these days) and formalizes the framework for how the two sides should interact. It’s the first piece of significant cybersecurity legislation to clear the chamber in years, though lawmakers have been attempting to pass a bill like it since at least 2012.

CISA, as it’s known, received rare bipartisan support: 74 in favor, 21 opposed. All it took to convince legislators that the public and private sectors should work together was a series of devastatingly ugly and often embarrassing cyberattacks that walloped health insurers, a movie studio, the government’s own HR department, and untold others. The enemy of one’s enemy is an ally—kudos, team.

Not everyone backs the pending law. Privacy advocates and several tech companies, such as Apple (AAPL), Twitter (TWTR), and Salesforce (CRM), condemn the bill. Banks and telecom giants, including AT&T (T), Verizon (VZ), and Comcast (CMCSK), endorse it. Google (GOOGL) and Microsoft (MSFT) remain silent, even as an industry group to which they belong disapproves of the bill in its current form.

Chalk up the schism to post-Snowden skepticism. Documents leaked by National Security Agency whistleblower Edward Snowden in 2013 revealed an uncomfortable level of cooperation between the NSA and U.S. tech companies. The revelations cast a long shadow on the industry, creating tension between Silicon Valley and Capitol Hill.

The bill’s critics say it won’t deter data breaches and will instead allow companies to quietly share people’s private information with the government sans liability. “Sharing is already a common practice,” and more laws aren’t necessary, says David Levine, a professor at Elon University who drafted a letter decrying the legislation. The proposed law, which includes a Freedom of Information Act exemption, will create a situation ripe for abuse, he says. “Here we have the collection of information from the public while simultaneously denying the public the opportunity to assure that the government is using the information the way it said it would.”

Proponents counter that the program is voluntary and asks companies to anonymize or omit private user information wherever possible. “If CISA means more comprehensive visibility into where bad actors are coming from and what they’re doing, that is pro-privacy,” says Rajesh De, a partner at the law firm Mayer Brown and former general counsel at the NSA.

Before CISA lands on the desk of President Obama, who most believe will sign the bill into law, it must first pass in the House of Representatives. There, legislators will make tweaks and merge the bill with similar legislation the House approved earlier. The true impact of CISA remains to be seen. But for once no one can say that Congress didn’t do anything. 

A version of this article appears in the December 1, 2015 issue of Fortune.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward