The Cyber Intelligence Sharing and Protection Act (CISPA) is a cybersecurity bill that the House is to vote on next week. CISPA is a different creature than SOPA, the Stop Online Piracy Act that the tech and online community rallied against in January due to how it would have given digital-rights holders far-reaching powers to shut down websites that were deemed to “enable or facilitate” copyright infringement. As Timothy B. Lee writes on Ars Technica, while both bills seek in some way to limit the rights of internet users, their focus is different.
CISPA Is Not SOPA, But…
SOPA was concerned with intellectual property rights, and an early version of CISPA made mention of such. As Will Oremus writes on Slate, the bill’s bipartisan sponsors, Reps. Mike Rogers of Michigan and Dutch Ruppersberger of Maryland, removed that phrase last week. CISPA’s focus is privacy rights: The legislation is intended to protect websites and the government from hackers by giving internet companies the authority to reveal confidential records and other communications. The government and private companies would be able to share information about possible security threats, such as malware attacks.
But as Lee points out,
Network administrators and security researchers at private firms have shared threat information with one another for decades. And the law also allows information sharing between private firms and the government in many circumstances. For example, a private company is already free to notify the FBI if it detects an attempt to hack into its network.
Laws such as the 1986 Electronic Communications Privacy Act do regulate how and when network providers can reveal the contents of users’ electronic communications; other laws protect the privacy of health care records, financial information, educational records, video rentals and more. Lee argues that CISPA remains too broad and not sufficiently precise about what would be regulated as a potential cybersecurity threat. In its current incarnation, CISPA also does not provide for any judicial oversight to ensure that any definition of cybersecurity is followed.
Oremus lists some additional ways in which CISPA is just unclear about what kinds of materials it could authorize the government and companies to collect if they were judged threats to cybersecurity:
The bill’s current language authorizes the sharing of “information pertaining directly to a vulnerability of, or threat to, a system or network of a government or private entity.” Could that information include users’ names, addresses, and credit card numbers? Records of other sites they’ve visited? The bill doesn’t say. How does a company decide whether there’s enough reasonable suspicion to justify sharing a given user’s data? It doesn’t explain that either.
Who Supports CISPA: Some Companies You May Know
Supporters of CISPA include over two dozen trade associations who have lauded the “greater sharing of information” CISPA would provide in a letter to Congress (PDF). Cordell Carter, VP of the Business Roundtable, claims that CISPA enables a “sharing of cybersecurity information between the government and the private sector in a manner that is effective but not overly intrusive” (suggesting that this “sharing” is still somewhat intrusive). While the tech community made a concerted effort to defeat SOPA, the House Intelligence committee has letters of support from the likes of Facebook, Microsoft, Oracle, Symantec, Verizon, AT&T and Intel. In addition, Google has “reportedly been working behind closed doors to make the bill palatable to Silicon Valley,” says Oremus on Slate. Facebook has basically said “trust us” when criticized about its support for the bill.
White House Issues Concerns About CISPA
As of Tuesday, the White House has added its voice to those concerned about how CISPA might infringe on “privacy and civil liberties.” While the Obama administration is not wielding a veto threat, Caitlin Hayden, spokesperson for the National Security Council, said that “information sharing alone” will not be enough to address “nation’s critical infrastructure cyber vulnerabilities.” Moreover, she emphasized that
“…while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs,” she said, without explicitly mentioning CISPA.
A cybersecurity bill by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) has received the White House’s endorsement. According to The Hill, this bill would grant the Homeland Security Department the “power to enforce cybersecurity standards for critical systems” and contains more privacy protections than CISPA: Under the Lieberman-Collins legislation, companies would have to “strip out personally identifiable information from the data they turn over to the government.”
Critics of this bill have said that it will “impose unnecessary and burdensome regulations on businesses” — that is, on many of those who are supporting CISPA, a bill which would grant corporate Silicon Valley, other companies and the government quite a bit more freedom to intrude on the privacy of users.
Photo by Defence Images