Privacy group calls for a boycott of tech companies supporting CISA

An activist group is on a quixotic campaign to punish tech companies who support the controversial information-sharing bill

Privacy advocates are stepping up their lobbying efforts against the controversial cyber threat information sharing bill currently in Congress after several tech giants indicated their support.

Activist group Fight for the Future criticized Salesforce for supporting legislation which would "grant blanket immunity for American companies to participate in government mass surveillance programs like PRISM, without meaningfully addressing any of the fundamental cyber security problems we face in the U.S." Accordingly, Fight for the Future said it will abandon the Heroku cloud application platform within the next 90 days and encourages others to follow suit. The letter to Salesforce CEO Marc Benioff was posted on the site YouBetrayedUs.org.

Fight for the Future is calling for Web developers and organizations "to boycott Heroku/Salesforce due to their support for this bad bill," Evan Greer, the group's CTO, said in an email. 

The bill in question is the Cybersecurity Information Sharing Act (CISA), which has been the subject of intense lobbying by privacy groups and security experts over the past few months. Co-sponsored by Sens. Dianne Feinstein (D-Calif.) and Richard Burr (R-N.C.), the bipartisan bill is meant to improve public and private sector cyber security by creating incentives for businesses to share threat information with each other and with government agencies. The program is voluntary, and the sharing would eventually result in tools and data to protect business and government networks.

The lawmakers may be calling the bill an information-sharing bill, but a government surveillance bill by any other name is just as dangerous. The Center for Democracy and Technology has said the bill's "broad use permissions suggest that the legislation is as much about surveillance as it is about cyber security."

The draft bill has pitted privacy advocates and security professionals against businesses. Privacy advocates say the bill could result in companies improperly sharing individuals' sensitive personal information with the government -- including law enforcement and surveillance agencies. Businesses, on the other hand, support the bill as it includes liability protections for those participating in the voluntary information sharing program.

Last week, 13 tech companies and the BSA | Software Alliance, a consortium of software companies, sent a letter to Congress asking lawmakers to act on cyber security legislation which "will have an immediate positive action on the digital economy."

CISA "will promote cyber security and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster," the letter said. It was signed by executives from Adobe, Altium, Apple, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce, Siemens, and Symantec, along with the president and CEO of BSA. Although Google and Facebook have voiced support for CISA in the past, they were not part of this letter.

On the surface, the bill seems like a good idea, as it encourages cooperation between government agencies and private tech companies, but privacy groups and security experts were concerned about the bill's broad language, which would allow companies to collect as much data as possible from users in the name of cyber security and share it with the Department of Homeland Security. (A proposed amendment would extend the sharing to include the Federal Bureau of Investigation and the Secret Service.) The bill also gives the federal government broad latitude to share the data with other federal agencies. Security experts have said there are other alternatives which are better than CISA.

While companies may benefit from the liability protection provided under CISA, supporting the law "is short-sighted," Greer said. It also shows these organizations are backing away from the promises they made in their own privacy policies.

If CISA becomes law, it would be "impossible for us to guarantee our own privacy policy with our users, because Heroku may broadly violate their privacy agreement with us to share information about our users with the government," Greer wrote in his letter to Benioff. 

Fight for the Future is asking Internet users to call Congress to oppose the bill, and also to "create a massive public backlash and make sure that no other companies are willing to betray their users so publicly."

The effort seems a little lopsided, as most of the letter's signatories provide enterprise software. Oracle's customers, no matter how passionate they may be about Internet privacy and security, aren't going to shut down production environments and applications because of the database giant's support for the law. The same goes for Autodesk, Salesforce, Siemens, and Microsoft.

The current campaign echoes the 2012 protests against the Stop Online Piracy Act (SOPA). Privacy activists successfully blocked passage of the law because tech companies also opposed the bill. In this case, other than individual Web developers and small startups, large enterprise customers are unlikely to take part in the kind of backlash Fight for the Future is hoping for.

Fight for the Future has been lobbying against the bill for months, alongside other privacy groups such as the CDT and the Electronic Frontier Foundation. Back in July, the activist group programmed eight separate phone lines to convert emails sent to FaxBigBrother.com and tweets with the hashtag #faxbigbrother to individual faxes which were then sent to all 100 Senators. The fax campaign is still ongoing.

In the end, CISA may not pass, not because of lobbying against the bill, but because Congress runs out of time. The Senate still has to debate CISA's 22 amendments before it can vote on the bill itself. The clock is ticking, and it's not in CISA's favor.

Stories by Fahmida Y. Rashid