The US Congress has passed the Cybersecurity Information Sharing Act (CISA) and it is awaiting a final vote (the House and Senate versions of the bill must be reconciled and a final vote taken). This is a bill aimed at giving American companies that disclose information "for a cybersecurity purpose" immunity from lawsuits related to violating people's privacy rights.
This legislation is largely aimed at large corporations that deal with "big data" and is being spun as a way to hasten and broaden the United States' ability to respond to cybersecurity threats. The idea is that if a company with sensitive information, such as a hospital with medical records, suffers a serious cybersecurity attack, it can share the information about the attack and the data involved with Federal government authorities and not have to worry about violating laws such as HIPAA for the health care industry. This information about how the intrusion happened could then be shared with other companies that may be vulnerable to similar threats, preventing a widespread compromise of an entire industry with similar security practices and protections.
The problem with CISA is that it is overly broad (intentionally so) so that the government can request information on any matter related to cybersecurity. This type of broad definition could legalize the mass surveillance programs that the United States is carrying out on its own citizens, illegally.
The concern is that the government could now claim that a single user of a large service did something related to cybersecurity, and as a result it can make a broad request for all of the data that this company holds under CISA. For example, if a member of Anonymous that the government was hunting had used Gmail, this would be justification for the government to request data about all Gmail users "for cybersecurity purposes". There is no protection for user privacy in this legislation; in fact, all 5 privacy additions to the bill were rejected.
The further concern is that without a risk of liability for leaking significant amounts of private data to the government, companies will have less motive to resist overly broad data requests. If the government wants every text message sent in 2015 from Verizon, Verizon now has zero incentive to fight that request.
These concerns have to be addressed for a bill such as this to be reasonable, as American politics has shown us how far the surveillance state will go in order to twist words and claim the authority to violate the privacy of millions of Americans. You saw it with the US Department of Homeland Security declaring that the Black Lives Matter protests amounted to "low-level terrorism", which allowed them to deploy cellular phone and other surveillance against protesters.
Despite these concerns, American politicians have betrayed their constituents and are poised to make this terrible bill into law.
VikingVPN's Response to CISA is Business as Usual
We do not have network records to hand over to the US government, nor are we legally obligated to keep any records. Our zero-knowledge network policy protects our users from these types of data requests, and our warrant canary will warn our users of any impending threat from a legal dispute with the US government.
Our service is modeled around privacy and will remain that way indefinitely.