Fight for the Future has published this open letter to the CEO of Salesforce and Heroku following their endorsement of the Cybersecurity Information Sharing Act (CISA). These groups have joined us in committing to boycott Heroku and any hosting company that supports surveillance legislation:

September 22, 2015

Marc Benioff

CEO of Salesforce / Heroku

The Landmark @ One Market, Suite 300

San Francisco, CA 94105

Re: Boycott of Heroku and Salesforce services

Dear Mr. Benioff,

I was disappointed to learn that Salesforce joined Apple, Microsoft, and other tech giants last week in endorsing the Cybersecurity Information Sharing Act of 2015 (CISA). This legislation would grant blanket immunity for American companies to participate in government mass surveillance programs like PRISM, without meaningfully addressing any of the fundamental cybersecurity problems we face in the U.S. Your support for this legislation is a short-sighted move that will decrease consumer confidence in American tech companies, both domestically and internationally, and, if CISA passes, will create broad new risks for every user of US-based cloud services. Accordingly, we will be abandoning your Heroku service within the next 90 days, and are encouraging others to do the same.

As a former security professional and the CTO of Fight for the Future, an organization that fights for security and privacy, I strongly believe that national security and civil rights are not mutually exclusive. It's possible to craft meaningful cybersecurity legislation that protects people's rights by encouraging strong encryption standards and responsible security research.

Unfortunately, CISA does none of these things, and your endorsement of it reflects badly on Heroku and your other subsidiaries. Heroku has been an exceptionally convenient web hosting service, but in order to use it, we need to trust you with our supporters' personal data. Salesforce is actively supporting a bill that would undermine that trust. If CISA passes, it will be impossible for us to guarantee our own privacy policy with our users, because Heroku may broadly violate their privacy agreement with us to share information about our users with the government.

CISA provides enormous leeway for companies to share Personally Identifiable Information (PII) with government agencies like the NSA and the FBI, granting companies blanket civil and criminal immunity from any existing privacy law in the process. This blanket immunity might seem desirable to a tech industry that has been forced to participate in PRISM-style mass surveillance programs for years, since constitutional challenges to this surveillance may soon prove that the government and companies have been violating U.S. privacy laws all along. You may benefit from liability protection, but supporting it is short-sighted.

By supporting CISA, Salesforce is effectively lobbying to make their privacy policies null and void when it comes to sharing data with the government. You want to just give them the data and be done with it—a remarkably irresponsible approach. The meager benefit of immunity from privacy laws will be eclipsed by the long-term cost to the tech industry as consumers lose confidence in American cloud services and abandon them for international or open-source options. Companies like Cisco have already had their revenue wiped out from the perceived threat of U.S. government surveillance. If CISA passes, billions of dollars could be erased from the greater U.S. tech economy, causing catastrophic damage to the same companies that endorsed it.

In addition to being bad for business, CISA fails as a cybersecurity bill. Regardless of whether you believe the so-called safeguards written into CISA are adequate to protect people from government abuse and warrantless mass surveillance, it is incontrovertible that CISA will put more private data in the hands of a staggeringly wide array of government agencies. Agencies like the Department of Commerce, the Department of Energy, or the IRS are not equipped to safeguard this data—in fact, both the IRS and DoE were recently breached. How would giving more private sector data to the U.S. government protect our cybersecurity when these government agencies can't even protect the data they already have?

If it's not clear already, Fight for the Future believes that CISA is not a cybersecurity bill; rather it's a mass surveillance bill disguised as a cybersecurity bill. We hope you will reconsider your company's short-sighted support of this legislation. In the meantime, we will be migrating our tech infrastructure off Heroku. There are many alternatives, and we will be encouraging others to join us in moving to platforms that don't endorse government surveillance of their customers.

Sincerely,

Jeff Lyon

Chief Technical Officer

Fight for the Future

https://www.fightforthefuture.org