Under the original CISA legislation, companies would share their users’ information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.
But as the bill was amended, the privacy parts of the proposed law have been stripped away. Now companies don’t have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. And in addition, companies don’t have to report security failings even if they spot them.