How The Expansive Immunity Clauses in CISPA Will Facilitate Abuse of User Privacy
Rep. Rogers is adamant that the Cyber Intelligence Sharing and Protection Act (CISPA) is an information “sharing” bill. But despite the bill’s title and Rep. Rogers' assurances, the bill is also a surveillance bill. Its broad definitions allow private companies to monitor network traffic and stored data—including private email—and transfer such private data to the government or others with virtually no oversight or legal accountability. This lack of oversight and accountability stems from the sweeping immunities provided to companies, which bypass long-standing privacy law.
Copious Content and Communications
Under CISPA, private companies may spy on user communications, whether stored or in transit, and freely pass personal information to the government as long as they claim a vague "cybersecurity" exception. In a press call, Rep. Rogers stated that the bill "does not provide any authority for the government to monitor private networks or read private e-mail," yet the bill allows private companies to use vaguely defined “cybersecurity systems” to "identify and obtain" information on any relevant cyber threat and then send the communications (without de-identifying the data) to the government. As long as companies act in "good faith" and the collection is for a "cybersecurity purpose"—a purpose as vague as protecting or securing any network from degradation or disruption—there are no limits on what type of information can be intercepted and shared. In short, surveillance would be outsourced to private companies that are not governed by the Fourth Amendment.
The bill also creates expansive legal immunity that makes companies and the government largely unaccountable to users. The bill provides “good faith” immunity for using “cybersecurity systems” to obtain information, for not acting on information that a company learns, and for making any decisions based on the information it learns. If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, the company cannot be held liable as long as it acted “in good faith” according to CISPA. Companies “acting in good faith” are also excused from all liability for engaging in potential countermeasures, even if those countermeasures hurt innocent parties.
What constitutes “good faith” is unclear on the face of CISPA, given its overall vagueness—which is likely to make any attempt to litigate against companies difficult. CISPA grants surveillance power to private entities “[n]otwithstanding any other provision of law,” which may nullify existing rights to sue under laws such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. Combined with the bill’s broad “good faith” immunity, this scheme attacks our long-held legal traditions that create checks and balances through independent judicial oversight. If CISPA passes, companies lose any legally based incentive to protect user privacy, such as the federal or state privacy laws that stop companies from sharing sensitive personal information like health records and personal financial information.
Another proposed amendment would allow lawsuits against the federal government if it violates some restrictions on the use of data provided by private entities, but in practice this amendment is meaningless. First, the proposed amendment only permits such a lawsuit if it is brought within two years of the date of the violation—not the date of the discovery of the violation. Yet CISPA exempts all data received by the government from private entities from the Freedom of Information Act, and bars disclosure to any non-federal entity without the consent of the sending entity. Most likely, users won’t find out about violations of their privacy for years, if ever, and by then the statute of limitations will have run.
Further, if an individual sues the government, the government could invoke privileges like the state secrets privilege. Litigation involving classified information or the state secrets privilege is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit claiming Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the National Security Agency—a likely recipient of “cyber threat information.” The government's ability to invoke these broad privileges along with the short statute of limitations means weak protections for citizens at best.
The immunity exemptions and weak federal liability combine to create a bill that allows for spying on users who are unable to hold companies and the government accountable. It’s important that you tell Congress to stop this bill. Help us beat back this legislation—send an email to Congress and use our Congressional Twitter handle detection tool to tweet at Congress.