Cybersecurity Measure Heads to House Floor Despite Privacy Fears


The House is scheduled as early as Thursday to begin debating cybersecurity legislation that privacy groups warn is a threat to civil liberties.

The Cyber Intelligence Sharing and Protection Act, or CISPA, is sponsored by Reps. Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland). Its stated goal is a more secure internet, but privacy groups fear the measure breaches Americans’ privacy along the way. The White House weighed in on Wednesday, threatening a veto unless there were significant changes to increase consumer privacy.

The measure, which some are decrying as the Son of SOPA, allows internet service providers to share information with the government — the Internal Revenue Service, Department of Homeland Security and the National Security Agency — about cybersecurity threats they detect on the internet. An ISP is not required to shield any personally identifying data of its customers when it believes it has detected threats, which include attack signatures, malicious code, phishing sites or botnets.

In short, the measure seeks to undo privacy laws that generally forbid ISPs from disclosing customer communications to anybody else without a court order.

The proposal immunizes ISPs from privacy lawsuits for voluntarily disclosing customer information thought to be a security threat. Internet companies are also granted anti-trust protection to immunize them against allegations of colluding on cybersecurity issues. And the data handed to the government is not subject to the Freedom of Information Act.

The measure is not solely limited to cybersecurity, and includes the catchall phrase “national security.” CISPA also allows ISPs to bypass privacy laws and share data with fellow ISPs in a bid to promptly extinguish a cyberattack.

The bill’s supporters include Microsoft, Facebook, AT&T, Verizon, Oracle and many others.

Security researcher Dan Kaminsky and Stewart Baker, the former general counsel of the National Security Agency, support it as well. The two objected to the Stop Online Piracy Act because of its proposed method of filtering the internet of copyrighted material. Their concerns were instrumental in forcing Congress to abandon SOPA altogether.

But CISPA is a reasonable measure, the two argue. “Without security, no network offers privacy,” they wrote in a Politico editorial Wednesday.

“Chances are that sometime in the future someone will use our vulnerability not to steal secrets but to cause harm. Maybe they’ll bring down the power grid, maybe they’ll sabotage key military technology or maybe they’ll just wreak havoc in our financial system,” they wrote.

But the American Civil Liberties Union, the Center for Democracy and Technology and the Electronic Frontier Foundation say the measure goes too far. For starters, any information-sharing with the government should not include the NSA, they say.

“The NSA at core is a spy agency. It’s military. It is far less transparent than DHS in terms of knowing how the information is being used, if the program is effective,” Jim Dempsey, a CDT staff attorney, said in a telephone interview. “What can that data be used for? The information should be used and retained only for cybersecurity purposes. The bill says ‘other national security purposes.’ That’s a major problem.”

Rogers said in a statement that the legislation is “designed to help protect American companies from advanced foreign cyber threats, like those posed by the Chinese government. It has always been my desire to do that in a manner that doesn’t sacrifice the privacy and civil liberties of Americans, and I am confident that we have achieved that goal.”

About three dozen amendments to H.R. 3523, many of which the ACLU said “aren’t substantive,” are expected to be debated beginning Thursday on the House floor.

Michelle Richardson, an ACLU staff attorney, agrees with the bill’s goals, but not its language.

She said ISPs could share information on viruses and bad attachments, for example, but withhold personally identifiable information of which accounts they came from. She said under CISPA, an ISP could provide the government with a customer’s internet search history, medical records, e-mail and, among other things, financial records “without warrants or subpoenas or any sort of process.”

In a telephone interview, she said the civil liberties group fears that the government would use CISPA “as an opportunity to expand their powers and go too far.”