
Is government compelling these companies to hand over data? Or is it voluntary?

If government forced me to hand over data on users, I wouldn't want to be held liable for that. So, I'm not sure why people are complaining to companies about it? Do they expect companies to break laws?

People forget that government is always the highest power of the land. You are forced to do what government decides it wants to do.

Take your issues up with government, not me.




Participation in this program is voluntary. Section 8 of the bill prohibits this act from being construed to permit the federal government to require an entity to provide information to the federal government. Here's the money quote:

(i) No Liability For Non-Participation.—Nothing in this Act shall be construed to subject any entity to liability for choosing not to engage in the voluntary activities authorized in this Act.

Reading through the bill, it seems like this is a well-intentioned attempt to promote data sharing between corporations and security agencies in the event of a widespread cyberattack. There are definite use cases for a law like this. For example, if both Lockheed Martin and Boeing are hit by a cyberattack, under this bill they are allowed to coordinate and mitigate the attack using data from both parties. But the enormous flaw in this bill is that there are only vague restrictions on the type of data allowed to be shared. These restrictions are so vague that an unscrupulous company could send all their customers' private data to the government under the context of this law.

The US needs reform on its cybersecurity defense and this bill is a step towards change. But with the potential for abuse this bill is a huge step backwards. Hopefully there are other ways to improve US cybersecurity defense without compromising civil liberties.

You can find a copy of the bill, including a short summary of each section, at the link below:

https://www.congress.gov/bill/114th-congress/senate-bill/754


OK WTF? So why is this a problem?

Doesn't this just mean companies don't have to hand-off private data to government?

Isn't that the exact opposite thing people are complaining about?


Getting immunity will eventually make them as bad as the carriers once they form "relationships" with the government, or when they want to win some big fat government contracts.

Microsoft already "needs" to win multiple contracts with the government, and Apple is supposed to "win" Apple Pay integration with federal services.

If all the data requests would be legal then they shouldn't need immunity, should they? This is 90% of the way to the encryption backdoor the government has been requesting. That's why it's "backing down" on that.

Much like what Microsoft has already been doing years before this [1], the NSA will get Apple, Microsoft, Adobe, Oracle and others' zero-days ~3-12 months before they are patched, as part of the "cyber-threat sharing" program. That's as good as having dozens of backdoors in tech companies' software that billions of people are using.

Michael Hayden, who formerly directed the National Security Agency and the CIA, described the attention paid to important company partners: “If I were the director and had a relationship with a company who was doing things that were not just directed by law but were also valuable to the defense of the Republic, I would go out of my way to thank them and give them a sense as to why this is necessary and useful.”

This is how they are thanking them, by giving them immunity.

[1] http://www.bloomberg.com/news/articles/2013-06-14/u-s-agenci...


The companies don't have to, but they decide to do it anyway. That's why people complained.

Did you even read the original link, or anything anyone posted in the thread so far?


[flagged]


Their EULAs are written to allow for this.

Salesforce.com reserves the right to use or disclose information provided if required by law or if they reasonably believe that use or disclosure is necessary to protect their rights.

Apple may also disclose information about you if they determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

IBM may also use or share your information to protect its rights or property.


Based on what I'm reading, they don't require sharing of the information, they just give companies sweeping immunity to do plenty of illegal things while doing so. The government sort of incentivizes this behavior. The problem is, companies are now lobbying to get this pushed through, so yeah, that's the fault of both the corporate and government players involved.


What exactly would be an "illegal behavior"?

Some companies already have legal contracts with you to protect your private data. Are you implying they can break those contracts?

I need actual scenarios written out, preferably based on an actual example EULA being violated. Not "maybe something scary might possibly happen in the future."


The whole point of providing immunity is that previous contracts such as privacy policies become null and void in this context... I'm pretty sure you didn't read the link...


I literally cannot find the exact contract violating statement in the law that you are referring to.

I see an exemption for anti-trust, and I see an immunity to other laws requiring disclosure (say, FOIA), but I do not see any immunity to violate previously established EULAs.

Do you?


Section 6(b): No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures under section 4(c) if ... (you follow the sharing rules and don't do anything provably sinister)

https://www.congress.gov/bill/114th-congress/senate-bill/754...


>If government forced me to hand over data on users, I wouldn't want to be held liable for that.

Government couldn't have gotten it if you didn't collect it. Why should you be held responsible for storing data in an insecure fashion (which, given the long arm of the government, translates to storing the data at all)? This is especially true of data the average user isn't considering as being captured/stored, such as Microsoft's grabbing everything you do and storing it.



