The Cyber Intelligence Sharing and Protection Act (CISPA), aimed at investigating cyber-threats, just passed in the House. Digital-rights activist Mark Jaycox outlines the precise effects of the bill in its current form:
Companies have new rights to monitor user actions and share data – including potentially sensitive user data – with the government without a warrant. Cispa overrides existing privacy law, and grants broad immunities to participating companies.
Andrea Peterson explains the rationale of the bill’s proponents:
[U]nderneath the problems of scope and privacy, the goal of CISPA is to create a functional structure for coordinating information about cybersecurity vulnerabilities and threats so intelligence can be shared. This would allow the government to share information about the tactics of adversaries with victims, or send up a warning flare about an emerging threat. Consider the report released earlier this year by cybersecurity firm Mandiant about a group of hackers engaging in corporate espionage likely affiliated with the Chinese military: It came along with a cache of threat intelligence indicators that could help identify other attacks by the group in the future, such as domain names, IP addresses, encryption certificates, detailed descriptions of over 40 families of malware they use.
The Electronic Frontier Foundation (EFF) is marshalling opposition:
The Fourth Amendment limits the government’s ability to use CISPA powers, but there would still be constitutionally dangerous implications: the government would also be granted broad legal immunity for any “decisions based on” cyber threat information, and CISPA’s “notwithstanding” clause could override government privacy laws like the Privacy Act (which protects personal information in government records) and the Computer Matching and Privacy Protection Act (which limits the use of automated matching of government records).
As it stands, CISPA is dangerously vague, and should not allow for any expansion of government powers through a series of poorly worded definitions. If the drafters intend to give new powers to the government’s already extensive capacity to examine your private information, they should propose clear and specific language so we can have a real debate.
Paul Tassi explains why the Internet hasn’t protested CISPA the same way it did SOPA:
Pitched as a cybersecurity bill and not an anti-piracy measure, most will think it doesn’t affect them the way SOPA could have. Additionally, there’s probably some level of fatigue from the first protest, as there are probably always going to be bills like these floating around, and major websites can’t really black themselves out multiple times a year in protest.
Dana Liebelson adds that big corporations won’t be coming to the rescue either:
The Obama administration last week declared that it “remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities.” But privacy concerns may not be enough to stop the bill. CISPA supporters spent 140 times more money on lobbying for the bill [than] its opponents, according to the Sunlight Foundation. Big-name companies that openly support CISPA include AT&T, Intel, IBM, Time Warner Cable, and Verizon, and other tech giants are quietly on board, including Google and Facebook[.]