Concerns Mount Over Unresolved Privacy Issues in CISPA
Written by Greg Nojeim
This morning, CBS News reported that “[o]pposition from the Obama administration – which stopped short of a veto threat – could imperil the Cyber Intelligence Sharing and Protection Act,” otherwise known as CISPA.
In a statement to The Hill last night, National Security Council spokeswoman Caitlin Hayden said:
“[W]hile information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation … that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs.”
This is what CDT has been arguing from the start. We see a need for cybersecurity legislation that makes information sharing easier – however, we want to see this legislation enacted in a way that doesn’t imperil Internet users’ privacy rights.
Last Friday, Facebook made the same case. Joel Kaplan, Vice President for U.S. Public Policy for Facebook, wrote:
“[W]e recognize that a number of privacy and civil liberties groups have raised concerns about [CISPA] – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government.
“The overriding goal of any cybersecurity bill should be to protect the security of networks and private data, and we take any concerns about how legislation might negatively impact Internet users’ privacy seriously. As a result, we’ve been engaging directly with key lawmakers as well as industry and consumer groups about potential changes to the bill to help address privacy concerns.”
On Monday, Robert Holleyman, President of the Business Software Alliance (BSA), which represents Apple, Microsoft, and many other companies, made a similar statement:
“Information sharing is a critical step in bolstering cyber readiness. Legislation to promote the kind of sharing we need certainly can be crafted in a way that safeguards people’s civil liberties.
“Today [BSA and CDT] discussed several important elements in the Cyber Intelligence Sharing and Protection Act [CISPA], which has been sponsored in the House by Reps. Mike Rogers and Dutch Ruppersberger. We agreed that the definition of what constitutes cyber threat information could benefit from sharpening.”
On Tuesday, The Hill also reported that Google has been working with CISPA sponsor Rep. Mike Rogers (R-MI) “to find the right language in the bill” to protect consumers’ privacy and prevent Internet regulation.
In the same article, Chairman Rogers said that there has been “huge progress” made in addressing the concerns of the privacy community. We see it differently. Our discussions have been in good faith, and some progress has been made, but it is not “huge.” While the Committee has issued a number of draft amendments to CISPA, none of the major concerns of the privacy community has been fully addressed. Some of our concerns have been rejected outright so far.
Specifically, there are four areas that should be fixed before CISPA goes to a floor vote:
- CISPA has an almost unlimited definition of what user information can be shared with the government. This definition should be narrowed.
- CISPA would allow companies to share Internet users’ information directly with the National Security Agency. Instead, information should go to the Department of Homeland Security, a civilian agency that will provide more accountability to the public for failure or abuse.
- CISPA would allow information shared with the government to be used for purposes unrelated to cybersecurity.
- The bill includes vague language authorizing ISPs and others, “notwithstanding any other provision of law,” to use “cybersecurity systems” to identify and obtain cyberthreat information. We are concerned that this authorizes use of the EINSTEIN system, developed by DHS with NSA help, deep within private networks. We think it is better to state clearly and simply that ISPs and other systems operators are authorized to monitor their own systems to protect their rights and property and those of their customers.
We are still hopeful that these problems will be addressed before CISPA is voted on, but if they aren’t, we will urge Internet users and Congress to oppose the bill.