Internet activists are sounding the alarms on the Cyber Intelligence Sharing and Protection Act, or CISPA, a bill that’s headed for a vote in the U.S. House of Representatives.
CISPA would give private companies new ways to share information about cyber-threats with the U.S. government, and vice versa. Although its purpose is quite different from SOPA and PIPA–the anti-piracy bills that were protested out of Congressional consideration last January–CISPA has angered many of the same opponents due to its promise of broad new powers for the government. (The use of a catchy acronym probably helps, too.)
But is CISPA really as bad as its detractors are claiming? Read on for a full explanation
The Basics on CISPA
CISPA would allow the U.S. government and private companies to communicate more freely about cyber-security threat information. The intelligence community would be allowed to share threat details with private companies, and companies would be encouraged to share their own knowledge, though doing so would not be mandatory.
Private companies would only be allowed to use information to protect themselves and their customers–not to gain a competitive advantage–and, in doing so, would be protected from lawsuits. The information shared would be exempted from public disclosure.
Arguments Against CISPA
Groups like the Electronic Frontier Foundation and the American Civil Liberties Union argue that CISPA is too broad. By using vague language, the EFF argues that companies could use the bill to filter content, monitor e-mails, and block access to websites. And, although the bill has little to do with SOPA and PIPA, it does define intellectual property theft as a type of cyberattack, raising concerns that content owners could use the bill to censor websites.
Critics also worry that the bill doesn’t limit the type of information that can be shared. “We just want people to know that Congress is on the verge of giving the government incredible new authorities to collect sensitive and personal Internet information and emails,” Michelle Richardson, a legislative counsel for the ACLU, told Politico.
The Sunlight Foundation notes that shared data between the government and businesses would be exempt from the Freedom of Information Act. “The FOIA is, in many ways, the fundamental safeguard for public oversight of government’s activities. CISPA dismisses it entirely, for the core activities of the newly proposed powers under the bill,” The Sunlight Foundation wrote in a blog post
In Defense of CISPA
The bill’s sponsors, Reps. Mike Rogers, R-Michigan and Dutch Ruppersberger, D-Maryland, argue that the government wants to help companies fend off cyberattacks from foreign countries and hackers, but lacks the legal means to do so. CISPA would allow the government and businesses to communicate more freely.
The sponsors insist that the bill protects privacy by requiring that information only be used to address cyberattacks. Companies won’t be required to share any information with the government, either.
Still, in response to criticism, Rogers and Ruppersberger have offered an amendment to the bill, which requires the government to only use its information for cybersecurity and states that companies don’t have to participate. The amendment also says the government can’t make quid-pro-quo deals, where companies only get information if they share back. Another amendment calls for an annual review of information sharing by the Inspector General of the Intelligence Community. These amendments are under consideration.
Who Supports CISPA?
The bill has more than 100 sponsors in Congress, with support from Democrats and Republicans alike. Outside of Congress, CISPA has the support of more than 800 companies–if you count trade groups like the Business Software Alliance and CTIA. Individual sponsors include AT&T, Facebook, Intel, Microsoft, and Verizon.
Facebook’s support, in particular, has drawn the ire of the bill’s critics. In a blog post, Facebook’s Vice President of U.S. Public Policy, Joel Kaplan, defended the company, saying Facebook will continue to safeguard users’ private information and has no intention of sharing users’ sensitive personal information.
TechDirt’s Leigh Beadon countered that a promise not to abuse the bill’s gray areas isn’t good enough, because Facebook can’t control what the government does with shared information. Besides, just because Facebook vows to protect private information doesn’t mean other companies will, Masnick said.
Where CISPA Stands Now
The bill will be up for a vote in the U.S. House of Representatives the week of April 23. Unlike SOPA and PIPA, CISPA has no close relative in the U.S. Senate. Two larger cybersecurity bills, S.2151 and S.2105, have been proposed, but haven’t made it out of committee.