Wednesday, the House Permanent Select Committee on Intelligence marked up the Cyber Intelligence Sharing and Protection Act (CISPA), the misguided “cybersecurity” bill that would create a gaping exception to existing privacy law while doing little to address palpable and pressing online security issues. The markup was held entirely behind closed doors—even though the issues being considered will have serious effects on the liberty of Internet users—and was passed out of the committee.
This means the bill can go to the floor and be voted on at anytime. Please tell your Representative now to vote no on CISPA. We probably have only a few days left before the floor vote.
Here’s our analysis of the amendments and why they don’t go nearly far enough in fixing the serious problems with the bill.
Amendments That Helped—Barely.
The amendments that passed only chipped away at the edges of CISPA, without addressing the core civil liberties concerns. Here’s an overview of some of the most important changes in the bill:
Using Information for "National Security" Purposes
This amendment (PDF) would narrow how information can be used by the government after it is shared by companies. Before, the government could use information collected under CISPA for any "national security" purpose—a catch-all term we've long complained about that could basically mean anything. This amendment stops the government from using the information collected for any "national security" purpose. However, information collected under CISPA can still be used for a wide range of poorly defined purposes, like for a "cybersecurity purpose." Under the current language of the bill, "cybersecurity purpose" is defined extremely broadly—leaving the door wide open for the government to claim that its use of the data, for a wide range of actions, was for that purpose. Another amendment (PDF) imposes the same limits: companies can only use the information they learn under CISPA for a "cybersecurity purpose." But to really address the issue of how information collected under CISPA is used, Congress would need to narrow the definition of "cybersecurity purpose."
Companies "Hacking Back"
Another amendment (PDF) approved by the committee attempts to clarify whether or not a company can "hack back" at a suspected online threat. But just like the previous amendment, its intent is far different from its actual impact.
The amendment limits companies from acting beyond their own computer networks to gather threat information; however, it ignores another section of the bill that allows wide-ranging acts in response to the perceived threat. The immunity section of CISPA covers any "decision made" based on information a company learns, so long as it acts in good faith.
This is a huge loophole. A company could still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection. This section could have been fixed by limiting the broad legal immunity given to companies. But it wasn't. So the amendment still leaves the door open to abuse. A user's only recourse is to prove a company didn't act in "good faith," which is notoriously hard.
New Privacy Reports and Guidelines
The amendment (PDF) by Rep. Thompson requires that the Inspector General and the Privacy and Civil Liberties Oversight Board report on how CISPA impacts privacy and civil liberties in the government. While this is certainly nice, it leaves a big gap: it produces a report on government activity, but doesn’t address the corporate side. There’s no assessment of whether companies over-collect or over-share sensitive information. The potential for companies to improperly share sensitive or personally identifiable information is a fundamental problem with the bill.
Amendments That Didn’t Pass—But Should Have
The most important amendment the committee considered was Rep. Adam Schiff’s amendment (PDF). It created a new requirement that companies take “reasonable efforts” to remove unnecessary personal information of users before passing data to the government. While this wouldn’t fix everything that’s wrong with CISPA, it would do one vital thing: help minimize how much personal information of users actually flowed to the government without a warrant.
In a hearing on CISPA, industry representatives who testified in support of CISPA said it was possible for them to take reasonable efforts to minimize personal user information before sending it to the government. However, the committee voted for an amendment that would only force the government to minimize personal information after the information is already in the government's hands. The amendment doesn't fix the fundamental problem that companies are collecting and then sharing sensitive personal information with the government.
Rep. Schiff's amendment was accompanied by good pro-privacy amendments from Rep. Jan Schakowsky. One of Rep. Schakowsky's amendments sought to tackle the overly broad immunity given to companies who share data with the government. The immunity is yet another major problem in CISPA. It allows companies to bypass privacy laws that prevent companies from inappropriately sharing your private information, including the content of your emails. These laws also expressly allow lawsuits against companies that go too far in divulging your private information. Companies should be held accountable if they break these laws. Rep. Schakowsky's amendment would've narrowed the overly broad immunity granted to companies.
And as we mentioned above, another one of our major complaints with CISPA was that companies can directly give sensitive personal information to the National Security Agency. One proposed amendment (PDF), championed by Rep. Schakowsky (the only Representative to vote against CISPA in committee last year), would have mandated companies only report information about computer and network security threats to civilian agencies. Unfortunately, this amendment was defeated.
CISPA Still Possesses Core Problems
Rep. Rogers has framed the amendments to CISPA as "pro-privacy," but they don't fix core problems with the bill. The government should not need to minimize data because companies should not be freely sharing it in the first place. And the "national security fix" still doesn't solve the problem of users' personal information being collected by private companies and then shared with the government. Lastly, the broad legal immunity leaves users with little privacy protections or recourse if a company improperly shares their data. The immunity could even be used by companies to justify acts against threats outside of their own network. These problems must be fixed.
After the bill passed out of committee, the White House issued a statement that concurred with our privacy and civil liberties concerns. The statement noted:
information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections ... Further, we believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.