WILLIAM BRANGHAM, PBS NEWSHOUR WEEKEND ANCHOR: The U.S. Senate has scheduled final votes next week on a bill that would permit companies to share information about hacking attacks with each other and with the government, without fear of lawsuits.
The so-called Cybersecurity Information Sharing Act or CISA has already passed the House of Representatives.
But several big tech companies like Apple and Twitter say it does too little to protect individual privacy.
Joining me now to discuss the bill is Politico reporter Tim Starks.
Help me understand this. We like to think of legislation as trying to solve a particular problem. What is the problem that CISA is trying to solve?
TIM STARKS, POLITICO: The problem here is that there is some information that’s shared now on cybersecurity threats but not enough.
The idea of this bill would be to make it so that companies could send more threat information to the government without fear of lawsuits.
It helps them solve the problem of where that threat came from, and, therefore, that — the idea is that the government has different kinds of expertise than the private sector, and the government might be able to help them better than they are able to help themselves.
WILLIAM BRANGHAM: So, is the idea that a company either gets hacked or thinks they’re being probed by hackers, and that they want to then share that with fellow companies or the government but they don’t want to get sued for that?
I mean, how big of a problem is that? Are companies being sued left and right for sharing this kind of information today?
TIM STARKS: No, they’re not, but they might be, depending on the kind of information they would share under this bill.
Certainly, the issue of business-to-business is a different kind of thing. That’s related to trade practices, for instance.
WILLIAM BRANGHAM: So, several tech companies, Apple amongst them, have raised real concerns about this, saying that there’s huge privacy concerns.
Can you explain a little bit about what it is that they don’t like about this?
TIM STARKS: There are a number of these big tech companies that do not like the bill. That’s because they’re worried about the privacy implications of it.
If you think about the kind of information that might be shared that a company might have on a threat that they’ve received or that they’re aware of, there might be some elements of that, that include what is called personally identifiable information.
They don’t like the idea of how much of that might get shared under this bill. I think they come at it from two perspectives.
One, you know, Silicon Valley is philosophically inclined toward privacy. And they are still reeling a little bit from what happened after Edward Snowden’s revelations about the extent of some of the tech companies’ cooperation with the NSA.
WILLIAM BRANGHAM: So, what is the concern people have raised?
They have said if you’re getting hacked and then you share information with the government, somehow you’re going to reveal something about my health information, my banking information.
Is that the nature of — that’s the concern here?
TIM STARKS: Yes, if you ask the privacy groups, they say it’s a very dangerous bill.
Industry groups say, no, no, no, if you look at what the cyber threat indicators are, there are safeguards about making sure personally identifiable information is scrubbed at some point and that the bulk of this information will be information that is just about, you know, actual lines of code in some cases.
But if you look at — privacy groups say cyber threat indicators are poorly defined in the bill, not narrowly defined enough, such that if you think about what an IP address might reveal about you – this is an example they point out — it might reveal your sexuality, it might reveal certain — other kinds of indicators that they would be included, whether your gender or other sorts of information that was of a personal nature.
WILLIAM BRANGHAM: All right. Tim Starks of Politico, thank you very much.
TIM STARKS: You’re welcome.