Yesterday, we reported on the Cyber Intelligence Sharing and Protection Act, or CISPA, and the debate it has inspired about the privacy of your Internet data and security. The underlying bill allows Internet providers, software companies and other private firms to share information about “cybersecurity” with the federal government — and protects them from legal liability.
The bill’s sponsors touted a handful of amendments they said addressed privacy and civil liberties concerns, but privacy activists say the amendments still don’t go far enough. The House had been set to vote on the bill today but instead passed it last night, 248-168, with some changes:
How “cyber threat” information can be used: Rep. Ben Quayle, R-Ariz., proposed an amendment that limits the use of shared cyber threat information to five purposes: protecting cybersecurity, investigating cybersecurity crimes, protecting people from death or injury, protecting minors from harm, and protecting U.S. national security.
What kind of information can be shared: An amendment by Rep. Bob Goodlatte, R-Va., specifies the kind of information that can be shared, saying it must be “directly pertaining to” a threat, vulnerability, attack or unauthorized access. It also makes clear that violating a website’s terms of service — that’s the form on which you check “agree” when registering at a site like Facebook or Gmail — doesn’t constitute a cyber threat.
A second look: An amendment proposed by Rep. Mick Mulvaney, R-S.C., states that five years after the bill is enacted, Congress would have to re-examine and reauthorize it, providing an opportunity to address changes in technology or unintended consequences.
Addressing civil liberties: An amendment proposed by Mulvaney and Rep. Norman Dicks, D-Wash., says that in sharing information, the federal government should take “reasonable efforts” to limit the impact on privacy and civil liberties, consistent with the need to protect cyber threats.
Personal records: Put forth by Rep. Justin Amash, R-Mich., the amendment says the government can’t make use of educational, medical, firearms or tax return records that it receives from private companies through CISPA.
Why privacy activists are unhappy
The American Civil Liberties Union, the Electronic Frontier Foundation and other pro-privacy groups continue to argue that the bill would enable commercial interests and intelligence agencies to misuse personal information under the guise of preventing cybercrimes. The pro-privacy groups say the amendments represent an improvement but don’t offer sufficient safeguards. CISPA allows private companies to hand information directly to military and intelligence agencies, such as the National Security Agency. Privacy activists backed amendments by Democrats to give the Department of Homeland Security authority to devise privacy protections. None made it to the floor in the GOP-controlled House.
Under the amended bill, shared information can be used for the protection of national security, not just cybersecurity. Some opponents say this is too broad and fear it would be easy for the government to justify collecting private data even when unrelated to hacking or Internet security.
What’s next
CISPA faces a hard road in the Democrat-controlled Senate, where it must duke it out with cybersecurity bills backed by Sen. Joe Lieberman, I-Conn., and Sen. John McCain, R-Ariz. The White House said this week that advisers would recommend that President Obama veto CISPA if it ever reaches his desk.