Why the CISA amendment further erodes our right to privacy

US Senate

A much-debated amendment to the 'Cybersecurity Information Sharing Act' (CISA) is splitting US authorities and the country's technology giants.

Last night the amendment passed through the first stages of a US Senate voteby 83 to 14, and if it passes a full Senate vote next week it will allow US courts to pursue foreign nationals accused of cybercrimes, even if they were perpetrated against other foreign citizens.

In other words, it considerably lowers the barriers for prosecuting cybercrime committed abroad, and means the US could prosecute anyone who steals data from anyone or any entity, regardless of where that crime occurs or whether a US entity is involved.

Extradition treaties mean that those accused of such crimes could then be brought back to the US to stand trial and face possible jail time.

For many people, including politicians from both sides of the house and a broad sweep of the business community, the amendment is a positive, strengthening IT security.

Within the technology sector, however, the likes of Apple, Dropbox, Facebook, Google, Twitter and the Wikimedia Foundation have revolted against it, citing privacy concerns.

Not all tech companies are convinced that the amendment to CISA will actually improve security and many are concerned about the privacy implications it poses.

Here's the thing - while the internet means we all live in an ever-shrinking world, that does not translate into expanding the scope of national law enforcement and justice. Different countries have widely varying views on what is and isn't suitable punishment to fit a given crime.

This is why it's important to put this US attempt at becoming the world's cyberpolice and cybercourts into perspective: should a German national living in France who hacks the credit card of an Italian citizen be subject to the laws of the US and face prison time there? Most people, I suspect, would think not. People should be prosecuted for their crimes, but the justice they face should be home-grown and not outsourced to another country.

The message from the dissenting tech giants is clear - the sharing of threat data is important but should not be at the expense of users' privacy. The mantra for all companies should be if you can't protect it, don't collect it'.

However, proposed legislation such as CISA in the US and the Snooper's Charter here in the UK move the protection goalposts somewhat. You have to ask yourself the question of who companies be protecting our data from. It's increasingly clear that it's not just the cybercriminals, but governments as well who want our data.

Ironically, given the IT security record of government agencies in the US over the last couple of years, once that information has been passed to them it's probably at greater risk of being hacked.

When it comes to privacy there is little room for much confusion or doubt. This part of the CISA bill should worry anyone: "Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be deemed voluntarily shared information and exempt from disclosure".

Yep, the Freedom of Information Act would not give anyone the right to know what data had been disclosed or by whom. Few corporates will actually take on 'the powers that be' when push comes to shove, which means that ultimately we can trust nobody but ourselves to protect our data from the grip of government surveillance.

At the end of the day my trust in both government and big business is already at a low, but this bill just drops it further down.

I am always being told whenever I rally against such moves as this that done nothing wrong, nothing to fear'. Well, I prefer to think in terms of done nothing wrong, deserve the right to a little privacy'...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.