Privacy advocates are stepping up their lobbying efforts against the controversial cyber threat information sharing bill currently in Congress after several tech giants indicated their support.
Activist group Fight for the Future criticized Salesforce for supporting legislation which would "grant blanket immunity for American companies to participate in government mass surveillance programs like PRISM, without meaningfully addressing any of the fundamental cyber security problems we face in the U.S." Accordingly, Fight for the Future said it will abandon the Heroku cloud application platform within the next 90 days and encourages others to follow suit. The letter to Salesforce CEO Marc Benioff was posted on the site YouBetrayedUs.org.
Fight for the Future is calling for Web developers and organizations "to boycott Heroku/Salesforce due to their support for this bad bill," Evan Greer, the group's CTO, said in an email.
The bill in question is the Cybersecurity Information Sharing Act (CISA), which has been the subject of intense lobbying by privacy groups and security experts over the past few months. Co-sponsored by Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.), the bipartisan bill is meant to improve public and private sector cyber security by creating incentives for businesses to share threats information with each other and with government agencies. A voluntary program, the bill sets up incentives for businesses to share threat information with each other and with government agencies, which would eventually result in tools and data to protect business and government networks.
The lawmakers may be calling the bill an information-sharing bill, but a government surveillance bill by any other name is just as dangerous. The Center for Democracy and Technology has said the bill's "broad use permissions suggest that the legislation is as much about surveillance as it is about cyber security."
The draft bill has pitted privacy advocates and security professionals against businesses. Privacy advocates say the bill could result in companies improperly sharing individuals' sensitive personal information with the government -- including law enforcement and surveillance agencies. Businesses, on the other hand, support the bill as it includes liability protections for those participating in the voluntary information sharing program.
Last week, 13 tech companies and the BSA | Software Alliance, a consortium of software companies, sent a letter to Congress asking lawmakers to act on cyber security legislation which "will have an immediate positive action on the digital economy."
CISA "will promote cyber security and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster," the letter said. It was signed by executives from Adobe, Altium, Apple, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce, Siemens, and Symantec, along with the president and CEO of BSA. Although Google and Facebook have voiced support for CISA in the past, they were not part of this letter.
On the surface, the bill seems like a good idea, as it encourages cooperation between government agencies and private tech companies, but privacy groups and security experts were concerned about the bill's broad language, which would allow companies to collect as much data as possible from users in the name of cyber security and share it with the Department of Homeland Security. (A proposed amendment would extend the sharing to include the Federal Bureau of Investigation and the Secret Service.) The bill also gives the federal government broad latitude to share the data with other federal agencies. Security experts have said there are other alternatives which are better than CISA.
While companies may benefit from the liability protection provided under CISA, supporting the law "is short-sighted," Greer said. It also shows these organizations are backing away from the promises they made in their own privacy policies.
If CISA becomes law, it would be "impossible for us to guarantee our own privacy policy with our users, because Heroku may broadly violate their privacy agreement with us to share information about our users with the government," Greer wrote in his letter to Benioff.
Fight for the Future is asking Internet users to call Congress to oppose the bill, and also to "create a massive public backlash and make sure that no other companies are willing to betray their users so publicly."
The effort seems a little lopsided, as most of the letter's signatories provide enterprise software. Oracle's customers, no matter how passionate they may be about Internet privacy and security, aren't going to shut down production environments and applications because of the database giant's support for the law. The same goes for Autodesk, Salesforce, Siemens, and Microsoft.
The current campaign echoes the 2012 protests against Stop Online Piracy Act (SOPA). Privacy activists successfully blocked passage of the law because tech companies also opposed the bill. In this case, other than individual Web developers and small startups, large enterprise customers are unlikely to take part in the kind of backlash Fight for the Future is hoping for.
Fight for the Future have been lobbying against the bill for months, alongside other privacy groups such as the CDT and the Electronic Frontier Foundation. Back in July, the activist group programmed eight separate phone lines to convert emails sent to FaxBigBrother.com and tweets with the hashtag #faxbigbrother to individual faxes which were then sent to all 100 Senators. The fax campaign is still ongoing.
In the end, CISA may not pass, not because of lobbying against the bill, but because Congress ran out of time. The Senate still has to debate CISA's 22 amendments before it can vote on the bill itself. And the clock is ticking, and it's not in CISA's favor.