
How CISA Threatens Both Privacy and Cybersecurity

• http://reason.com

This May, Congress is expected to come together on a bill to protect private entities that secretly share user data with federal agencies. Privacy advocates say the Cybersecurity Information Sharing Act (CISA) threatens Americans' civil liberties by sanctioning yet another avenue for government surveillance. But there's another big problem as well: CISA is unlikely to meaningfully prevent cyber-attacks as proponents claim, and could ultimately weaken cybersecurity.


The stated premise behind laws like CISA (and the defeated 2013 Cyber Intelligence Sharing and Protection Act) is that cyber-attacks can be prevented if private network operators are able to quickly report and disseminate information about new threats and vulnerabilities. Proponents envision a seamless, national cybersecurity-threat system to roust the hackers, coordinated by the federal government.

Existing private and public information sharing initiatives do not go far enough, CISA advocates claim, because private companies fear lawsuits from customers who may not agree that their security is improved when spooks can surreptitiously search their personal data. To overcome this purported problem, CISA would extend legal immunity to corporations that choose to grant the Department of Defense (DOD), Department of Homeland Security (DHS), and Director of National Intelligence (DNI) access to customer data considered relevant to a "cybersecurity threat." This data could then be shared or concealed at federal agencies' discretion.

But CISA's legal remedies far exceed proponents' justifying foundations. Section 5(d) of the bill text, which governs how federal agencies can use information gleaned from the private sector, grants the government authority to "disclose, retain, and use" any data extracted under CISA for such disparate purposes as identifying terrorists, responding to threats of bodily or economic harm, preventing child exploitation, or prosecuting normal criminal offenses. Including such unrelated authorizations could distract from a primary cybersecurity mission and create dangerous incentives for officials to procure information for criminal investigations under false premises.

