Resurgent CISPA Aims to Attack Civil Liberties Firewalls

Nadia Kayyali

The Cyber Information and Sharing Act (CISPA) was first introduced last year by Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD). It met widespread opposition, including a veto threat from President Obama, a petition with over 800,000 signatures, and an online campaign dubbed “Stop Cyber Spying week.”

Support for the bill came mainly from big corporations such as Facebook, whose VP for Public Policy, Joel Kaplan, stated in a letter to the House Intelligence Committee and the bill’s sponsors:

Your legislation removes burdensome rules that currently can inhibit protection of the cyber ecosystem.

The rules that Facebook interprets as burdensome are some of the few civil liberties firewalls remaining between government surveillance and private companies. Under CISPA, these “burdensome rules” even include the company’s already weak terms of service. Concerns about the civil liberties implications ultimately led to the rejection of the bill.

It was clear after the bill’s defeat, however, that it would be back. CISPA was reintroduced in the House on February 13th, by the same sponsors as last year. Currently, there are letters of support from companies like AT&T and IBM, but opposition among civil liberties advocates remains strong.

In a press release, Rep. Rogers claims that the bill is needed because:

This is clearly not a theoretical threat – the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear. American businesses are under siege. We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats.

The bill’s sponsors argue that CISPA contains strong civil liberties and privacy protections while streamlining response to the threat of “cybercrime,” but it is this very streamlining that leads to civil liberties concerns. The bill would create an unprecedented information sharing regime between private corporations and government agencies, such as the Department of Homeland Security or National Security Agency, all under the authority of the Director of National Intelligence.

Specifically, the bill allows “elements of the intelligence community to share cyber threat information with private-sector entities and to encourage the sharing of such intelligence.” Private entities can be “certified” and receive privacy clearance to allow them to receive such information. They can also share that information with other certified entities. One particularly concerning facet of the bill is that it:

allows companies to choose which government agency to share the information with, including the National Security Agency or other element of the Department of Defense.

These are military agencies that do not normally operate on US soil. What would perhaps be shocking to most people is that all of this can happen without regard for any privacy agreements or terms of service that a user may have seen. That’s because the law also provides immunity from lawsuits and criminal prosecution for so-called “good faith” use of:

cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section or … for decisions made based on cyber threat information identified, obtained, or shared under this section.

In addition to broad concerns about the ever-growing surveillance state, this type of information sharing raises major concerns about consumer privacy, as emphasized by groups like the Entertainment Consumers Association. While CISPA does contain some limits on the use of cyberthreat information by the government, it provides only that the information:

may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information.

That language means that entities can use the information they receive for reasons completely unrelated to cybersecurity, including commercial purposes, as long as they are not doing it to the detriment of the entity that shared the information.

To make matters worse, the law also erodes transparency. It contains a blanket Freedom of Information Act (FOIA) exemption, meaning any information shared with the federal government would be exempt from disclosure under FOIA, even if it contained no personally identifying information or did not fall under any other exemption.

Fortunately, these provisions are not yet law. CISPA may have been briefly revived, but advocates are hard at work opposing it. Contact your representative today to share any concerns you have about CISPA.

Originally appeared on the Bill of Rights Defense Committee's People's Blog for the Constitution.