CISPA passes the House

Yesterday evening, the House — acting a day earlier than scheduled — passed the Cyber Intelligence Sharing and Protection Act (CISPA) in the face of opposition from the White House and a skeptical Internet community:

The House on Thursday approved cybersecurity legislation that privacy groups have decried as a threat to civil liberties.

The Cyber Intelligence Sharing and Protection Act, or CISPA, sponsored by Reps. Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland), passed on a vote of 248 to 168.

Its goal is a more secure internet, but privacy groups fear the measure breaches Americans’ privacy along the way. The White House had weighed in on Wednesday, threatening a veto unless there were significant changes to increase consumer privacy. The bill was amended to provide more privacy protections, but it was not immediately clear whether the Senate or the White House would give the amended bill its blessing.

The measure, which some are calling the Son of SOPA, allows internet service providers to share information with the government, including the Department of Homeland Security and the National Security Agency, about cybersecurity threats it detects on the internet. An ISP is not required to shield any personally identifying data of its customers when it believes it has detected threats, which include attack signatures, malicious code, phishing sites or botnets. In short, the measure seeks to undo privacy laws that generally forbid ISPs from disclosing customer communications with anybody else unless with a court order.

The bill immunizes ISPs from privacy lawsuits for voluntarily disclosing customer information thought to be a security threat. Internet companies are also granted anti-trust protection to immunize them against allegations of colluding on cybersecurity issues. The measure is not solely limited to cybersecurity, and includes the catchall phrase “national security” as a valid reason for turning over the data.

CISPA also allows ISPs to bypass privacy laws and share data with fellow ISPs in a bid to promptly extinguish a cyberattack.

Some last-minute amendments included making non-national-security data subject to the Freedom of Information Act, sunsetting the measure after five years and barring the government (.pdf) from reviewing library, firearms, tax and medical records.

While I’ve been skeptical about CISPA, though I didn’t believe at first that it was as bad as the Stop Online Piracy Act (SOPA), TechDirt explains why this new legislation that Congress is seemingly trying to shove down our throats is just as bad as other controversial cyber legislation:

Up until this afternoon, the final vote on CISPA was supposed to be tomorrow. Then, abruptly, it was moved up today—and the House voted in favor of its passage with a vote of 248-168. But that’s not even the worst part.

The vote followed the debate on amendments, several of which were passed. Among them was an absolutely terrible change (pdf and embedded below—scroll to amendment #6) to the definition of what the government can do with shared information, put forth by Rep. Quayle. Astonishingly, it was described as limiting the government’s power, even though it in fact expands it by adding more items to the list of acceptable purposes for which shared information can be used. Even more astonishingly, it passed with a near-unanimous vote. The CISPA that was just approved by the House is much worse than the CISPA being discussed as recently as this morning.

Previously, CISPA allowed the government to use information for “cybersecurity” or “national security” purposes. Those purposes have not been limited or removed. Instead, three more valid uses have been added: investigation and prosecution of cybersecurity crime, protection of individuals, and protection of children. Cybersecurity crime is defined as any crime involving network disruption or hacking, plus any violation of the CFAA.

Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a “cybersecurity crime”. Basically it says the 4th Amendment does not apply online, at all. Moreover, the government could do whatever it wants with the data as long as it can claim that someone was in danger of bodily harm, or that children were somehow threatened—again, notwithstanding absolutely any other law that would normally limit the government’s power.

Somehow, incredibly, this was described as limiting CISPA, but it accomplishes the exact opposite. This is very, very bad.

Julian Sanchez, who writes frequently about privacy and tech-related issues, also agrees that CISPA is the wrong way to go about cybersecurity. Sanchez also notes that, while the White House has issued a veto threat over the proposed law, it isn’t because it overreaches; it’s because it doesn’t overreach enough:

The White House has issued a threat to veto the Cyber Intelligence Information Sharing Protection Act (CISPA) in its current form, despite recent amendments aimed at assuaging the concerns of privacy and civil liberties advocates:

H.R. 3523 fails to provide authorities to ensure that the Nation’s core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards.  For example, the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information.  Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.

The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes.  Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately.  The Government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes.

Unfortunately, as Paul Rosenzweig notes, the other main reason for the administration’s opposition is that the bill doesn’t grant the government enough regulatory power over “critical infrastructure” computer networks. Still, this seems like an opportunity to pause and consider what an acceptable cybersecurity information sharing bill might look like. Because notwithstanding all the hype, there are genuine risks and vulnerabilities that might be mitigated by better information sharing—and that may indeed require Congressional action. But a narrowly tailored approach that respects privacy and civil liberties will look very different from CISPA.

It certainly seems that CISPA is a recipe for disaster for the Internet, personal privacy, and the Fourth Amendment. Unfortunately, the uproar of opposition that we saw over SOPA hasn’t been nearly as loud over this proposed law. For me, at least, the push for the law came quickly and I hadn’t really had a chance to dive into the details like I did over SOPA and NDAA.

We may have only a short time to beat back this law, so I would encourage you to contact your Senators and make your voice heard.

The views and opinions expressed by individual authors are not necessarily those of other authors, advertisers, developers or editors at United Liberty.