CISA, the Cybersecurity Information Sharing Act (S. 754), will allow private companies to share cyber-threat data with the federal government, including personal user data, in an effort to prevent cyberattacks, such as those on the scale of Target, Home Depot, and Sony. Companies that share data with federal agencies, including the National Security Agency (NSA), will be given legal and liability protections from lawsuits relating to data sharing.
The bill passed by 74-21. It will now go to conference with the House, where it will be reconciled with two other measures, reports Reuters.
Critics say the bill does more to invade the privacy of ordinary Americans than to protect US interests.
Sen. Ron Wyden, the only member of the intelligence committee to vote against the bill, said CISA will “have a limited impact on US cybersecurity.”
All five of the pro-privacy amendments tabled by senators ahead of the vote failed.
One of the core privacy-bolstering amendments, which would require sensitive and personal data to be removed before it is shared with federal agencies, was voted down. Another, which critics argue would make it more difficult to track threat-data sharing under freedom-of-information laws, was also struck down.
Sen. Dianne Feinstein (D-CA), who sponsored the bill in 2014, said the amendments would “undo the careful compromises we made on this bill.”
Sen. Bernie Sanders (I-VT) was the only presidential candidate to vote against the bill, according to The Guardian. Sen. Lindsey Graham (R-SC), a Republican presidential candidate, voted for the bill.
Privacy and rights groups criticized the bill’s passing in the wake of the vote.
In remarks, Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, called the bill “fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities.”
“The passage of CISA reflects the misunderstanding many lawmakers have about technology and security. Computer security engineers were against it. Academics were against it. Technology companies, including some of Silicon Valley’s biggest like Twitter and Salesforce, were against it,” said Jaycox.
Greg Nojeim, senior counsel at the Center for Democracy & Technology, said the bill is a “huge step backwards for privacy rights.”
“Now, more personal information will be shared with the NSA and with law enforcement agencies, and that information will certainly be used for purposes other than enhancing cybersecurity,” said Nojeim.
CISA, known as a “zombie bill” after the bill previously failed, has been met by unanimous public opposition.
Apple, Dropbox, Reddit, Twitter, Wikimedia Foundation (which owns Wikipedia), and Yelp, have said they oppose the bill. A trade group representing Facebook, Google, and others said it is “unable to support CISA as it is currently written.”
But there was some fraying at the edges of the opposition.
Facebook was accused of secretly lobbying on CISA, but denied advocating “publicly or privately” for the bill. Google’s parent company Alphabet did not comment publicly on its own, but executive chairman Eric Schmidt indicated that the company may support future legislation. Speaking at an event in New York on Monday, Schmidt said he was “not an expert on the bill,” but added that there “has to be a way” to share threat data with the government.
The security industry also lobbied against the bill.
In a letter published earlier this year, security experts including Jacob Appelbaum, Bruce Schneier, and Black Hat keynote speaker and lawyer Jennifer Granick, said that “waiving privacy rights will not make security sharing better.”
If the bill is passed by the House, the president is not expected to veto it.