In February of 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) was reintroduced in the House for renewed debate. An older version of CISPA had already passed in the House in April 2012 but was not passed by the Senate.
The House Intelligence Committee will be debating the bill in closed sessions due to the possible discussion of classified information. But in an open letter to the House Intelligence Committee, the ACLU and several other privacy organizations urged the Committee to hold an open markup of the bill and post any considered amendments online for the public to read.
CISPA aims to defend US computer networks against hacking and cyber-attacks, both foreign and domestic. The base bill, H.R. 624, states its goal as improving the sharing of information about cybersecurity between the intelligence community and cybersecurity entities and encouraging the sharing of such information to improve defenses against potential attacks and response time in the event of an attack. The term “cybersecurity entities” is not defined under the bill, but it has been taken to mean internet and telecommunications providers, social media and email providers, as well as other entities that provide security and services for computing networks.
Several privacy groups are up in arms about the bill and are requesting that the House amend the bill to better protect privacy and limit government uses of information collected under CISPA. Many groups in the tech industry argued when the bill originally passed in the House that it was too far-reaching — it protected from prosecution or lawsuit any cybersecurity provider who provided information to the government for cybersecurity purposes. It also listed protection of intellectual property as one of the ways the federal government could use information it gained access to under the law. Privacy advocates worried that the bill would authorize cybersecurity providers to remove content, block individuals’ access to certain sites or block their accounts entirely based on the information gained under the law.
In response to these privacy concerns, the newest version of the bill has changed in some significant ways. First, the new bill removes all references to “intellectual property.” Importantly, this distinguishes the bill from SOPA and allays the fear that the law could be used to strengthen anti-piracy laws without anyone noticing. However, the bill still includes “investigation of cybersecurity crimes,” which are not defined in the bill. That phrase seems broad enough to cover piracy without a specific limitation excluding it.
Second, a new amendment has been proposed that would permit lawsuits to be brought against the federal government for any violation of restrictions placed on the government’s use of information shared under the act. Proponents of the amendment claim that this will allow individuals recourse if their information is misused. However, there are two immediate problems with this solution. First, the amendment does not clarify who may bring a suit; is it the cybersecurity providers who may sue if the government uses the information they provide in a manner inconsistent with the law, or the individuals whose information was actually released? Second, an amendment allowing lawsuits for money damages against the government does not really create a strong enough deterrent if the government wants to access an individual’s information. Additionally, the bill still offers immunity from suit to providers who share information with the government under the law. This is a worrisome issue because it means that users of services such as Gmail could have no recourse if Google decided to give their information to the government, as long as the government did not subsequently misuse that information.
Because the law is set up as a voluntary information-sharing program, private companies can decide whether and how much of their customers’ information to share with the government. But this kind of private information-sharing is not currently illegal, so why do we need new legislation to “encourage” it? This version of CISPA may be an improvement over the older version, but it still has several provisions that could be used to harm private security interests.