CISPA, the cyberspying bill, is back in Congress and plagued with many of the same problems as last year—vague definitions and the grim government access loophole to name just a few. The bill also grants broad immunity to companies as long as a company acts in "good faith." One section of the immunity clause even grants immunity for any "decision made" based on information about a perceived threat. The clause opens up a wide door for abuse and is yet another reason why we urge users to stop CISPA.
Immunity Should Not Cover Any Decisions Made
The most dangerous section grants immunity for any "decision" a company makes based on information it learns about a perceived network threat. The clause is yet another example of why the bill must be killed. A company could use this section to act against a perceived threat believing it was immune from any legal liability as long as the decision was based on information about a threat. The immunity could cover decisions to violate other laws, like computer crime laws or privacy laws intended to protect users. Companies should not be given carte blanche immunity to violate long-standing computer crime and privacy law.
The requirement that companies act in good faith is an ineffective check on CISPA power grant. It is notoriously hard to prove that a company acted in bad faith, in the few circumstances where you would actually find out your privacy had been violated.
It also opens the door for government abuse. If the government asks for your information, and only tells the company it's needed for secret cybersecurity reasons, the company could claim to rely, in good faith, on the government’s unverified tale. Voila! Immunity from lawsuits.
This was precisely the problem with the FISA Amendment Act (FAA), which granted retroactive immunity to telecoms for the NSA warrantless wiretapping program. Tragically, the FAA allowed immunity for disclosures just on the government's say-so. Let's not make the same mistake again.
Immunity For Sharing is Unnecessary and Overly Broad
According to its authors, the immunity sections in CISPA are necessary for companies to share information about cyberthreats with the government. But the immunity granted by CISPA is overly broad because it does more than just encourage the sharing of information. Companies don't need immunity to share technical information about threats. As an example, the recent Executive Order encourages such sharing without providing immunity to companies. Further, companies are already openly sharing information to protect against threats. In 2010 Google alerted human rights activists and companies that were targeted and infected by malware. Earlier this month, Facebook shared the signature and forensic data of a recent attack with other companies, and was also willing to speak openly about its sharing activities. And just two weeks ago, Mandiant's report on Chinese hacking included a treasure trove of information about suspected threats, the methods they used, and other technical information. These actions underline just how much information companies and security providers can share in order to protect against threats.
There Should Be No Immunity for Hack Back
CISPA's immunity clause allows companies to use "cybersecurity systems." As discussed in our CISPA FAQ, the definition is critical to the bill yet littered with problems. It appears to be intended to protect a company's automated response to a network attack—a widely used action by network administrators. But the definition a "cybersecurity system" is broad enough to include aggressive countermeasures that some would consider offensive actions.
The immunity for any "decision made" based on a cyber threat when combined with the ambiguously defined "cybersecurity systems" sets the stage for abuse. Companies shouldn't possess such expansive protections. That's why we ask you to email your representative and tell them to stop CISPA.