April 24, 2012 | By Lee Tien

How The Expansive Immunity Clauses in CISPA Will Facilitate Abuse of User Privacy

Rep. Rogers is adamant that the Cyber Intelligence Sharing and Protection Act (CISPA) is an "information sharing" bill. But despite the bill's title and Rep. Rogers' assurances, the bill is also a surveillance bill. Its broad definitions allow private companies to monitor network traffic and stored data, including private email, and transfer such private data to the government or others with virtually no oversight or legal accountability. This lack of oversight and accountability stems from the sweeping immunities provided to companies, which bypass long-standing privacy law.

Copious Content and Communications

Under CISPA, private companies may spy on user communications, whether stored or in transit, and freely pass personal information to the government as long as they claim a vague "cybersecurity" exception. In a press call, Rep. Rogers stated that the bill "does not provide any authority for the government to monitor private networks or read private email," yet the bill allows private companies to use vaguely defined "cybersecurity systems" to "identify and obtain" information on any relevant cyber threat and then send the communications (without de-identifying the data) to the government. As long as companies act in "good faith" and the collection is for a "cybersecurity purpose" (a purpose as vague as protecting or securing any network from degradation or disruption), there are no limits on what type of information can be intercepted and shared. In short, surveillance would be outsourced to private companies that are not governed by the Fourth Amendment.

The bill also creates expansive legal immunity that makes companies and the government largely unaccountable to users. The bill provides "good faith" immunity for using "cybersecurity systems" to obtain information, for not acting on information that a company learns, and for making any decisions based on the information it learns. If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, the company cannot be held liable as long as it acted "in good faith" according to CISPA. Companies "acting in good faith" are also excused from all liability for engaging in potential countermeasures, even if those countermeasures hurt innocent parties.

What constitutes "good faith" is unclear on the face of CISPA, given its overall vagueness, which is likely to make any attempt at litigating against companies difficult. CISPA grants surveillance power to private entities "[n]otwithstanding any other provision of law," which may nullify existing rights to sue under laws such as the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. Combined with the bill's broad "good faith" immunity, this scheme attacks our long-held legal traditions that create checks and balances through independent judicial oversight. If CISPA passes, companies lose any legally based incentive to protect user privacy, such as the federal or state privacy laws that stop companies from sharing sensitive personal information like health records and personal financial information.

Government Liability?

Another proposed amendment would allow lawsuits against the federal government if it violates some restrictions on the use of data provided by private entities, but in practice this amendment is meaningless. First, the proposed amendment only permits such a lawsuit if it is brought within two years of the date of the violation, not the date of the discovery of the violation. Yet CISPA exempts all data received by the government from private entities from the Freedom of Information Act, and bars disclosure to any non-federal entity without the consent of the sending entity. Most likely, users won't find out about violations of their privacy for years (if ever), and by then it will be too late given the statute of limitations.

Further, if an individual sues the government, the government could invoke privileges like the state secrets privilege. Litigation involving classified information or the state secrets privilege is difficult, expensive, and time consuming. EFF has been involved for years in a lawsuit claiming Fourth Amendment and statutory violations stemming from the warrantless wiretapping program run by the National Security Agency, a likely recipient of "cyber threat information." The government's ability to invoke these broad privileges, along with the short statute of limitations, means weak protections for citizens at best.

The immunity exemptions and weak federal liability combine to create a bill that allows for spying on users who are unable to hold companies and the government accountable. It's important that you tell Congress to stop this bill. Help us beat back this legislation: send an email to Congress and use our Congressional Twitter handle detection tool to tweet at Congress.
