As everybody knows now, CISPA passed the House. The ACLU likes to think the 248 to 168 vote was close enough to declare that CISPA might not make it through the Senate. They feel that the Senate’s own cybersecurity act, CSA, will be the bill they take up.
CSA, or Cybersecurity Act of 2012, has been around since January, but has received little to no coverage from the media. It makes sense since CISPA is a pretty awful bill that threatens privacy in every paragraph. CSA is a lot less dangerous, but the ACLU feels that there is still cause for concern.
They feel that CSA creates a number of privacy concerns that need to be addressed before the Senate takes up the debate in June. The bill itself is wide ranging and covers almost every facet of cybersecurity. It’s title VII that should get the most attention, however, as it deals with information sharing.
As the ACLU points out, CSA also contains the same awful wording that CISPA contains – “Notwithstanding any provision of law.” That means that CSA can sidestep current privacy laws to help facilitate the sharing of “cyber threat indicators.” What constitutes a cyber threat indicator? It doesn’t say, but the fear is that corporations or governmental bodies will use that wording to get information on American citizens. The one good thing about the wording in this specific section is that it says companies must make an effort to remove information about people unrelated to the threat.
The information that is collected under CSA can be shared with a variety of government agencies. The problem is that this information can be shared with military agencies like the NSA. The wording once again stokes fear that the NSA is building a giant domestic spying center that will intercept communications not from terrorists, but from regular U.S. citizens.
CSA has another similarity to CISPA in that after the government has had its share of your information, it can be spread around to local law enforcement. Its uses can be applied to things totally unrelated to cybersecurity which kind of betrays the fact that the bill is supposed to only deal with cybersecurity.
What may be the worst part about the bill is that it calls for the creation of The Privacy and Civil Liberties Oversight Board. Why is that a bad thing? It doesn’t exist yet, and its annual report to Congress won’t be made public. It’s like throwing a ball for your dog, but keeping it in your hand the entire time. The American citizen goes about looking for his or her privacy protections that do not exist.
There are some good ideas in CSA that definitely make it a better alternative to CISPA. The only problem is that there is no accountability to make sure these ideas are implemented. If you feel threatened by CSA, you can contact your senator with ACLU’s Web form.