I am a bit confused about the arguments against CISA, the Cybersecurity Information Sharing Act. As I understand, faxbigbrother.com opposes CISA because (a) it grants "sweeping immunity" to corporations, and (b) it permits release of personal information without the consent of the user.
But both these statements appear to be incorrect to me, as does the broad tone adopted by the website when it says "it appears that Congress didn't bother consulting with anyone who knew about cybersecurity when drafting this bill" or that corporations that haven't expressed their stance on CISA "definitely don't care about your privacy".
First, the bill [https://www.congress.gov/bill/114th-congress/senate-bill/754/text] does not seem to grant "sweeping immunity". Section 4(e)(1) reads "Except as provided in section 8(e), it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this Act.", where 8(e) is explicitly centered around preventing price-fixing, monopolizing, or related actions. In fact, the bill is not just a one-way contract. It explicitly does not protect corporations from liability if they are found to engage "in gross negligence or willful misconduct in the course of conducting activities authorized by this Act" or undermining otherwise common law.
Second, as I understand, the bill does not permit arbitrary release of private information. In fact, the bill states that the guidelines set by the Attorney General shall limit the exposure of private information (see Section 5(b)(3)).
Finally, I also find some of the claims of the letter [https://cyberlaw.stanford.edu/files/blogs/technologists_info_sharing_bills_letter_w_exhibit.pdf] drafted by some fairly prominent security researchers to be misinformed. Sure, preventing the spread of malware and recognizing the compromise of software systems does not require review of personal information. However, review of personal information may be required for preventing, say, terrorist plots.
Sure, transferring personal information to authorities (without prior review) is certainly a problem. But the CISA appears to include steps that prevent large-scale privacy breaches. While much depends on the Attorney General's recommendations, it appears to me that it is too soon to fight against the bill (at least when we barely know the recommendations that the Attorney General will make).
But most importantly, please, please don't make sweeping statements for they may mislead the public.