18 Oct 2015 Internet giants say no to US cybersecurity act
A trade group representing Facebook, Google, Yahoo and other technology big names on 15 October spoke out against a proposed legislation in the United States aimed at promoting information sharing for cyber security between the companies and government.
The Cybersecurity Information Sharing Act (CISA) is set to be voted on the US senate later this month. According the congress website, the act is “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”
The draft says it:
Allows entities to share and receive indicators and defensive measures with other entities or the federal government.
And vice versa.
The House of Representatives passed the measure with a vote of 307 to 116 this April and it is now due for consideration in the senate.
However, the Computer and Communications Industry Association (CCIA), an international tech advocacy group, released a blog post this week to announce that it is “unable to support CISA as it is currently written” for privacy concern.
CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.
The post is written by Bijan Madhani, the group’s public policy and regulatory counsel. The world’s leading internet companies including Amazon, Facebook, Google, Yahoo and ebay are all members of CCIA.
Indeed, the draft has included the clauses to protect personal information. For example, it regulates that companies shall identify personal information and remove them before sharing:
Implement and utilize a technical capability configured to remove any information contained within such indicator that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat.
But experts are still worried about the privacy issue. The Guardian reports that simply putting multiple corporate data sets in the same place could be used to create comprehensive profiles containing personally identifying information.
It is the second time that the bill has been introduced to the US congress. The bill was first introduced on 10 July 2014, but failed to reach a senate vote before the end of last congressional session. As of now, both the White House and the majority of the congress support the act, though it has been criticised by internet rights advocacy group, such as the Fight for the Future and the Electronic Frontier Foundation.