A bill in the U.S. Congress designed to encourage private companies and government agencies to share cyberthreat information with each other still allows the sharing of vast swaths of private communications, even after sponsors offered to make changes, critics said Tuesday.
The U.S. House of Representatives could vote on the Cyber Intelligence Sharing and Protection Act, or CISPA, next week, but the bill still raises privacy and civil liberties concerns, officials with the Center for Democracy and Technology, the American Civil Liberties Union and the Constitution Project said.
The bill would allow private companies such as Internet service providers to share customer communications with government agencies with few restrictions, the groups said. The bill, sponsored by Representative Mike Rogers, a Michigan Republican, would allow private companies to share the information with any agency, including the U.S. National Security Agency, and allow agencies to use the shared information for a wide range of purposes, as long as there’s also a “significant” cybersecurity or national security purpose for sharing the information, the critics said.
It will be easy for the government to find some cybersecurity or national security reason to request information, said James Robertson, a former judge with the Federal Intelligence Surveillance Court. “The government will then have everything, and your history and mine will be history,” Robertson said during a briefing before congressional staffers.
Although a draft amendment to the bill requires a significant cybersecurity or national security purpose for sharing the information, those requirements would be a “little speed bump” for aggressive government agencies, said Greg Nojeim, senior counsel at CDT.
In recent days, Rogers and co-sponsor C.A. “Dutch” Ruppersberger, a Maryland Democrat, have circulated a draft amendment to the bill that would put some limits on information that can be shared, but the changes still allow private companies to share nearly all private communications if there’s a significant cybersecurity or national security concern attached to the information, representatives of the three civil liberties groups said.
The bill’s sponsors have defended the legislation, saying it does not require private companies to share cyberthreat information with government agencies. The bill allows private companies to better protect themselves by sharing information about malicious code and cyberattacks, Rogers said during a press briefing a week ago.
Rogers has called the bill limited in scope. More than 100 lawmakers have co-sponsored the bill, which also has support from Microsoft, Facebook, the U.S. Chamber of Commerce and trade group TechAmerica.
“Every day U.S. businesses are targeted by nation-state actors like China for cyber exploitation and theft,” Rogers said last month in a statement. “This consistent and extensive cyber looting results in huge losses of valuable intellectual property, sensitive information, and American jobs.”
But the bill remains too broad, representatives of the ACLU, CDT and the Constitution Project said. The bill would allow private companies to share private information with defense and intelligence agencies, including the NSA, with no restrictions on how that information is used once the NSA has it, said Michelle Richardson, legislative counsel with the ACLU.
“It’s an American value that the military does not operate on American soil against Americans,” she said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s e-mail address is grant_gross@idg.com.