The Cyber Security Information Act (CISA), which passed the Senate on Tuesday, allows businesses to hand over users’ information to the U.S. government when the business deems it a cyber “threat indicator.” Businesses have been reluctant to volunteer this information, fearing exposure to liability from affected users. CISA assuages that fear by granting immunity. Privacy advocates, like the EFF and Fight for the Future, are against CISA in part because it eases flow of consumer data to the Intelligence Community. More interesting is how private industry came down.
Tech giants, including Microsoft, Apple, and Twitter, publicly opposed its passage, (reversing their previous support, as discussed below). They claimed to oppose the bill out of respect for their users’ privacy. Yet under CISA, sharing is voluntary. A company can respect privacy by never sharing info that implicates a cyber threat. Opposition to the bill is more a message to consumers that they care about privacy interests in general. Some argue that sharing information about threat indicators is not, in fact, voluntary. The government has a history of attaching info-sharing requirements in roundabout ways. The competitive advantage that might come with participating in the program may also make sharing effectively necessary. That remains to be seen.
The fact that companies felt it was in their interest to voice opposition, instead of supporting a bill that would grant them greater immunity from liability, suggests that letting customers know they care about privacy is becoming better and better business. In fact, Microsoft, Apple and Salesforce previously supported CISA, and only changed positions after advocacy and consumer rights groups petitioned them to reconsider. According to Fight for the Future’s scorecard, many tech companies, including AT&T and Verizon, still support CISA. They likely weighed liability protection more heavily.
If a company wants to protect its users’ information after the passage of CISA, it can simply refrain from sharing info with the state, (according to how the bill is advertised in its current form). Yet many companies felt it necessary to show their support for privacy rights in general by opposing the bill. What’s more, they took this stance when it meant losing better liability protections. The market value of being Tough on Behalf of Privacy is increasing.