After a closed door markup, CISPA emerged from the House Intelligence Committee with some new amendments. Rep. Mike Rogers, the author of the bill, said the amendments would address concerns from civil liberty groups. Those same groups could not be in more disagreement as they are still saying that CISPA needs to be changed, or just ditched altogether.
The Electronic Frontier Foundation alongside 33 other civil liberty groups, including the ACLU and Fight for the Future, have sent an open letter Congress urging members of the House to reject CISPA during its vote this week.
Earlier this year, many of our organizations wrote to state our opposition to H.R. 624, the Cyber Intelligence Sharing and Protection Act of 2013 (CISPA). We write today to express our continued opposition to this bill following its markup by the House Permanent Select Committee on Intelligence (HPSCI). Although some amendments were adopted in markup to improve the bill’s privacy safeguards, these amendments were woefully inadequate to cure the civil liberties threats posed by this bill. In particular, we remain gravely concerned that despite the amendments, this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, including with military agencies.
It's the idea of sharing information with military agencies that has these groups so concerned. They feel that CISPA would be much more effective if any information sharing was narrowly defined as between companies and civilian agencies:
CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA’s information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of emails to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.
Finally, the letter questions the need for CISPA at all after President Obama's cybersecurity executive order, and other laws already on the books, do what CISPA does minus the massive privacy infringement:
Developments over the last year make CISPA’s approach even more questionable than before. First, the President recently signed Executive Order 13636, which will increase information sharing from the government to the private sector. Information sharing in this direction is often cited as a substantial justification for CISPA and will proceed without legislation. Second, the cybersecurity legislation the Senate considered last year, S. 3414, included privacy protections for information sharing that are entirely absent from CISPA, and the Obama administration, including the intelligence community, has confirmed that those protections would not inhibit cybersecurity programs. These included provisions to ensure that private companies send cyber threat information only to civilian agencies, and a requirement that companies make “reasonable efforts” to remove personal information that is unrelated to the cyber threat when sharing data with the government. Finally, witnesses at a hearing before the House Permanent Select Committee on Intelligence confirmed earlier this year that companies can strip out personally identifiably information that is not necessary to address cyber threats, and CISPA omits any requirement that reasonable efforts be undertaken to do so.
These groups represent a pretty formidable opposition, but they have their work cut out for them. TechDirt reported on Monday that IBM will be sending 200 executives to Washington as part of a lobbying effort to see CISPA passed. Why does IBM want to see CISPA passed so badly? The official line is that it wants information sharing between corporations and government to be easier, but the company's president has also flat out admitted that he wants to be able to send personal information to the NSA because the agency "know[s] the most" about cyber threats.
IBM and other companies that are pushing for CISPA could have nothing but admirable intentions, but it's hard to believe that when they're all pushing for a law that would give them complete immunity when sharing your private information with the government.
We'll continue to follow CISPA as it heads to the House floor for a vote later this week. Don't get your hopes up though - it passed the House with flying colors last year. We can only assume that the House will do so again this year.