The cybersecurity bill leaves tech companies wondering, where is the line between privacy and surveillance?

The Cybersecurity Information Sharing Act, CISA, advanced in the Senate by a vote of 83-14 early this week. The Senate has decided the time for debate regarding any additional amendments is over, and a final vote is expected next week.

The Cybersecurity bill would strengthen the relationship between tech companies and the government, making it easier for government agencies to gather information to prevent large-scale hacks and cyber threats. Tech companies are worried the bill would establish a precedent for data overreach and surveillance, making it harder to guarantee user data protection.  The bill also puts tech companies and individuals at risk if personal data collected by the government is breached.

Cybersecurity experts warned in a paper before a Senate Judicary Hearing regarding the bill in July:

“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The bill is vague in addressing how exactly individual personal privacy will be upheld. Apple said in a statement, “We don’t support the current CISA proposal. The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” It is unlikely experts’ and companies’ positions will affect the bill’s passage through the Senate next week.

The idea behind the Cybersecurity bill is somewhat convoluted. The bill never explicitly suggests any precautionary measure to protect user privacy; making it apparent the purpose of the bill is less about cybersecurity and more about surveillance. Tech companies, immune from any legal backlash, will be able to share user data without the knowledge or consent of customers. Supporters of CISA assert that participation is voluntary and lawmakers say the purpose of the bill is to help tech companies decipher data that may help identify a threat. 



CISA opposition remains skeptical. It is unclear if CISA will prompt additional explicit government surveillance legislation that will grant the government furthur authority to regulate the entire data collection process. This adds fire to the already hostile relationship between tech companies advocating for privacy protection and the government pushing to regulate the way internet, tech and mobile companies handle user data.

Senator Rand Paul (R-KY) said he opposes the bill because it would “transform websites into government spies” and infringe upon personal privacy protections granted under the 4th Amendment. Paul also adds the information is exempt from disclosure under the Freedom of Information Act.