The Senate just passed a cybersecurity bill six years in the making. But it may not be what we’ve been waiting for.

The Cybersecurity Information Sharing Act (CISA) made it through the Senate on Tuesday with a 74-21 vote in favor. Though the bill is much different from either of the House bills on cybersecurity, and will require some negotiating on the final legislative language, the White House has already endorsed CISA. Once the bill makes it to the President’s desk (sometime next year) it’s likely to be passed. But not everyone wants it to be.

Photo Credit: Yu. Samoilov  cc

No one is arguing that a cybersecurity bill is unnecessary. With a number of high-profile and costly attacks in just the last year, the landslide for CISA shows that cybersecurity is weighing on the minds of Congress as much as it is on the rest of us. On its face, CISA seeks to curb such prominent cyber attacks by allowing companies to monitor and share cyber threat data with other companies and the Department of Homeland Security. From there, DHS can pass it along to the FBI or NSA, who will in theory use the information to help defend companies against malicious cyber attacks.

But privacy advocates and tech companies aren’t on board. As Joseph J. Lazzarotti writes for the Workplace Privacy, Data Management & Security Report:

Privacy advocates and others reject [the sharing of cyber threat indicators would help], arguing in essence that this move toward greater data security jettisons privacy protections. That is, under the guise of security, companies would be free to monitor and share personal data with the federal government, enabling more expansive data collection and surveillance and without regard to privacy protections under other laws.

…Privacy advocates argue that this language leaves open the possibility that entities sharing cyber threat indicators might not “know” if the indicator contains personal information, thus weakening the privacy protection for personal information under this provision. However, Senate Select Committee on Intelligence (SSCI) Chairman Richard Burr (R-NC), sponsor of CISA, points to these provisions and others to refute the privacy concerns raised by opponents of the bill. In a press release, “Debunking Myths about Cybersecurity Information Sharing Act,” Sen. Burr argues, among other things, that under CISA:

The cyber threat information sharing is completely voluntary. Companies have the choice as to whether they want to participate in CISA’s cyber threat information sharing process, but all privacy protections are mandatory.

But while supporters of CISA see a voluntary system that will help pool efforts to fight malicious hacking, critics see an incentive for companies to share information in order to receive help from the government.

Essentially, CISA critics are afraid that the bill simply offers government agencies a workaround to warrants or laws that would protect users’ privacy. In fact, the version of the law passed on Tuesday allows for any broadly defined “cybersecurity threat” information to be shared even “notwithstanding any other provision of law.” Any amendments proposed to CISA, which critics say would have tightened the broad language, were rejected.

“The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation, told Wired. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”

Additionally, no one’s sure the government is the one who should be charged with protecting all this data. The Office of Personnel Management itself was hacked twice in the past year, and the federal government hasn’t done much to suggest it has figured out the error of its cybersecurity ways.

As with the EU’s new net neutrality rules, also voted in on Tuesday, critics are primarily concerned that the broad language leaves a lot of room for workarounds and abuse. With any luck, the long road ahead for the bill will mean some reining in of dangerous loopholes. Because as anybody who’s been hacked can tell you, we can’t afford to play around with our data.