Last month the controversial Cyber Intelligence Sharing and Protection Act (CISPA) was resurrected in the House by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.).
Following a closed-door meeting, the bill was voted out of the House Intelligence Committee Wednesday afternoon by a vote of 18-to-2 and privacy experts are up in arms over the lack of privacy protection that were stripped from the bill. Only two Democrats voted against the bi;;, Rep. Jan Schakowsky (D-IL) and Rep. Adam Schiff (D-CA).
Stopping short of a veto threat, the White House said it was unlikely to support the bill
by Leigh Beadon, Techdirt
Here’s the full text of the statement from {Caitlin Hayden, a National Security Council spokeswoman):
“We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections. The Administration seeks to build upon the productive dialogue with Chairman Rogers and Ranking Member Ruppersberger over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles. Further,
we believe the adopted committee amendments reflect a good faith-effort to incorporate some of the Administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities
.”
Where have we heard this before? FISA? The Patriot Act?
CISPA Amendment Proves Everyone’s Fears Were Justified While Failing To Assuage Them
Just this week, Rep. Rogers flatly stated this is not a surveillance bill. Still, in an attempt to placate the opposition, they backed an amendment (pdf and embedded below) from Rep. Hines replacing that paragraph, which passed in the markup phase. Here’s the new text:
PRIVACY AND CIVIL LIBERTIES.-
(A) POLICIES AND PROCEDURES.-The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with paragraph (1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner-
(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
It seems to me they are hoping that by making the section longer and more complicated, people will miss the fact that very little has changed. But what’s truly astonishing is that this new text reads like a confession that CISPA does involve all the stuff that they’ve been insisting it has nothing to do with.
The big thing, of course, is that this oversight now involves civilian agencies, which is really the only meaningful change – and its impact has been rather minimized. Rather than putting the DHS or another agency in between the public and military agencies like the NSA, they’ve simply given them some input – and it’s hard to say how meaningful that input will be.
The Privacy Risks of CISPA
by Michelle Richardson, Legislative Counsel, ACLU Washington Legislative Office
Reports of significant data breaches make headlines ever more frequently, but lost in the cloak and dagger stories of cyberespionage is the impact proposed cybersecurity programs can have on privacy. The same Internet that terrorists, spies and criminals exploit for nefarious purposes is the same Internet we all use daily for intensely private but totally innocuous purposes.
Unfortunately, in their pursuit to protect America’s critical infrastructure and trade secrets, some lawmakers are pushing a dangerous bill that would threaten Americans’ privacy while immunizing companies from any liability should that cyberinformation-sharing cause harm. [..]
Here’s what needs to happen. First, CISPA needs to be amended to clarify that civilians are in charge of information collection for cybersecurity purposes, period. Anything short of that is a fundamental failure. Second, the bill needs to narrow the definition of what can be shared specifically to say that companies can only share information necessary to address cyberthreats after making reasonable efforts to strip personally identifiable information. Industry witnesses before the House Intelligence and Homeland Security committees testified this year that this is workable, and such information isn’t even necessary to combat cyberthreats. Third, after sharing, CISPA information should be used only by government and corporate actors for cybersecurity purposes. As a corollary to that, there should be strict and aggressive minimization procedures to protect any sensitive data that slips through.
The ACLU and the Electronic Freedom Foundation (EFF) have banded together to Stop CISPA. The petitions with over 100,000 signatures has been delivered to the White House. Now we need to get to the phones.
The White House switchboard is 202-456-1414.
The comments line is 202-456-1111.
Numbers for the Senate are here.
Numbers for the House are here.
The late internet activist Aaron Swartz called CISPA the “The Patriot Act of the Internet”. Call the White House and your representatives to protect your privacy rights.
Recent Comments