Now to those who would say, "so what?" This means that if you use ANY online or offline service that collects data about you, it can be shared with ANYONE without your permission. Privacy and data usage policies would no longer matter. They can pass it around under the blanket of cybersecurity. You have no legal recourse on this, as they would be protected by law. There would be no need for warrants, or for any other procedure, to gain access to your personal information. It is a massive hit in the war for personal privacy.
What makes this even more of a farce are the claims that this bill will help protect systems through this sharing process. They further claim that businesses do not want to share this information out of fear that privacy groups will go after them. To put an end to that claim: there is already an effort to share information about breaches and the vectors used in attacks. This is being done through groups that are not part of the government, and it has never been something that privacy advocates have wanted to stop. If anything, privacy advocates want corporations (and the government) to improve their security and stop the breaches.
Exposing the methods used in an attack to help others avoid them does not require sharing customer data. You can share the exploit, the IP addresses used and even the method of lateral movement, all without sharing a single bit of customer data. This is all part of the “threat indicators” that the bill is supposed to be about. Threat indicators do not need to, nor should they, include any personally identifying information: to claim otherwise is a lie, pure and simple.
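As an added illustration (not from the original post), here is a small Python sanitizer that does what the paragraph above describes: it releases the attacker's address, the sample hash and the lateral-movement technique, and refuses to release any customer field. The field names, the allowlist and the incident record are constructed for this example and are not any real sharing schema.

```python
import ipaddress
import re

# Fields a shared threat indicator may carry (assumed schema for this example).
SHAREABLE_FIELDS = {
    "attacker_ip", "malware_sha256", "exploit",
    "lateral_movement_technique", "first_seen", "description",
}

# Address ranges that describe the victim's own network rather than the attacker.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sanitize_indicator(record):
    """Return (shared, dropped): a copy of `record` restricted to allowlisted
    indicator fields, plus the names of every field that was withheld.
    Allowlisting (rather than blocklisting PII) means a new customer field
    added to the internal record can never leak by accident."""
    shared, dropped = {}, []
    for key, value in record.items():
        if key not in SHAREABLE_FIELDS:
            dropped.append(key)
            continue
        if key == "attacker_ip":
            addr = ipaddress.ip_address(value)
            # An internal address identifies a victim host, not the attacker.
            if any(addr in net for net in INTERNAL_NETWORKS):
                dropped.append(key)
                continue
        if key == "malware_sha256" and not SHA256_RE.fullmatch(value.lower()):
            dropped.append(key)
            continue
        if key == "description":
            # Free text is the usual place customer data hides; redact e-mails.
            value = EMAIL_RE.sub("[email redacted]", value)
        shared[key] = value
    return shared, dropped


def contains_pii(shared):
    """Final gate before release: true if any value still looks like an e-mail."""
    return any(isinstance(v, str) and EMAIL_RE.search(v) for v in shared.values())


# Constructed internal incident record; every value is a placeholder.
INCIDENT = {
    "attacker_ip": "203.0.113.45",            # documentation range, not a real host
    "malware_sha256": "a" * 64,               # placeholder hash
    "exploit": "placeholder-exploit-name",
    "lateral_movement_technique": "pass-the-hash over SMB",
    "first_seen": "2015-10-01T00:00:00Z",
    "description": "Beacon seen after phishing mail to jane.doe@example.com",
    "customer_name": "Jane Doe",
    "customer_email": "jane.doe@example.com",
    "account_id": "ACCT-0001",
    "victim_ip": "10.0.0.12",
}

if __name__ == "__main__":
    shared, dropped = sanitize_indicator(INCIDENT)
    assert not contains_pii(shared)
    print("shared:", shared)
    print("withheld:", dropped)
```

The point of the allowlist is that the sharing decision is made per field, up front, so the question "could this leak customer data?" is answered by the schema rather than by whoever fills in the report.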
This bill is nothing more than a way to allow open sharing of personal information without any fear. It creates a massive backdoor intelligence-gathering option for the NSA, FBI and others. There is no need to follow due process now: just ask, and companies will hand it over. The proof of this was the rejection of a review policy that would have forced companies to remove personally identifying information from the data submitted. The new bill also blocks many FOI (Freedom of Information) requests about the type and amount of data shared.
Instead of the blatant PII sharing, how about we support the companies that are already working to share the threat indicators and indicators of compromise that are out there. This type of sharing is much more productive and allows for more uptake by corporations than involving the Department of Homeland Security, the NSA or the FBI. After all, the last time I checked, the gateways, flow monitors and vulnerability scanners were not getting updates from DHS, but from much more open sources.
Let’s hope this one does not get past the next step, or things could get much uglier out there on the net when it comes to protecting personal data.