The definition of insanity is trying the same thing over and over expecting different results. That's a cliche, but politicians often follow the hoariest routes, and attempting to enact change by doing the same thing repeatedly is one of them. When word broke last week that the Cyber Intelligence Sharing and Protection Act, the twice-defeated bill known as CISPA, was being re-revived by Rep. Dutch Ruppersberger (D-Md.), it wasn't clear if the zombie legislation would be updated to address the myriad concerns with previous versions. We combed through the full text of the bill and, nope, it's exactly the same, word for word for overly broad data-scooping power-granting word.
The reintroduced CISPA (HR 234) is identical to HR 624, the CISPA bill that passed the House in 2013 and stalled out in the Senate. Never mind that the Senate already refused to vote on an identical bill. Perhaps there is some unspoken Beetlejuice rule among Congressmen where Ruppersberger is hoping to invoke to a vote by saying the same damn thing three times.
Like the Patriot Act, which conferred massively broad powers in response to security threats, CISPA employs vague language to grant the government an enormous amount of wiggle room when it comes to justifying privacy violations.
To recap it for you, under CISPA, no warrants or subpoenas are required for collecting and sharing personal data, as long as the action falls under the so-broad-as-to-be-essentially-meaningless umbrella of "to protect the national security of the United States." The data siphoned and disseminated by the government would be exempt from the Freedom of Information Act.
CISPA's information-sharing goal is not inherently malicious or anti-privacy. Of course the government wants whatever powers necessary to prevent, assess, and shut down cybersecurity threats. But the bill as it is written is an unambiguous threat to privacy.
The bill only grants powers to share data when a cyber threat is imminent. It defines a cyber threat as either "efforts to degrade, disrupt, or destroy such system or network" or "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." This definition would make any instance of cybercrime an opportunity to collect and disseminate data. And if the NSA's track record is any indication (which, come on, it is) this would make anyone even remotely connected to an instance of cybercrime vulnerable to government and corporate data-siphoning.
One troubling aspect comes from the lack of limitations on how corporations can use the data they receive. CISPA encourages companies to share data with personal identifying information with government agencies, and with other companies if it relates to a threat.
The bill gives companies that are sharing information immunity, as long as they act "in good faith":
No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith
What is "good faith" exactly? The bill defines it by its opposite, "a lack of good faith" which includes "any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility." This sort of language lacks the specificity required to go after companies that abuse their newly-bloomed access to data.
Once that information is shared, federal government agencies are limited in the ways the can use the data (with very vague language). However, the companies on the receiving end are not explicitly barred from repurposing this data.
As the ACLU pointed out, this could be fixed by amending the bill to circumscribe repurposing. That no such amendment was added before the bill hit the floor for the third time is a disturbing indication that this sort of personal information protection is not a priority.
President Obama promised to veto HR 624. That doesn't mean he is opposed to new cybersecurity laws. In the wake of the Sony hack, the White House is keen to introduce legislation to make it easier for private entities and companies to share information about cyber threats with government agencies. That's why Obama announced a legislative proposal about cybersecurity this week that covers much of the same ground as CISPA. There are key differences: The White House proposal insists that companies remove personal identification information from data before they share it with government agencies, a move designed to protect the privacy of the people whose data is part of the perceived threat.
That's a good thing, but it's also likely to become a point of contention with CISPA supporters, who could argue that eliminating personal identifiers would be too difficult to do while racing the clock against a security threat. It's probably not a coincidence that the president announced his proposals on the heels of the new CISPA legislation; it could be a way to divert support from the more-contentious CISPA.
You can read the full text of HR234 below: Picture: Shutterstock