CISPA sponsors narrow bill

Privacy and civil liberties concerns remain

Co-sponsors of the Cyber Intelligence Sharing and Protection Act have circulated a draft substitute amendment that would place some limitations on the government's ability to use shared cybersecurity data for other purposes and eliminate intellectual property theft from the definition of cyber threat information.

The bill (H.R. 3523), sponsored by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), is more commonly known by its acronym, CISPA, and has garnered increasing opposition from privacy and civil liberties groups. It is one of a slew of bills under active consideration that would foster cyber threat data exchanges between the private and federal sectors and is likely to come up for consideration on the full House floor later this month.

The draft amendment (.pdf) adds language that would permit federal agencies to further distribute information obtained from the private sector for purposes other than cybersecurity so long as the information "is not for a regulatory purpose," and if "at least one significant purpose of the use of such information is…the protection of the national security of the United States."

The original bill, approved by the House Intelligence Committee (of which Rogers and Ruppersberger are the chairman and ranking member, respectively) on Dec. 1, included no such restriction. But, said Greg Nojeim, senior counsel at the Center for Democracy & Technology in Washington, D.C., the draft amendment still "lacks a meaningful use restrictions on recipients of the information shared." 

"The most significant privacy problems with the bill are the same as they were when the bill was introduced, the same as they are after mark up, and the same as they would be under the draft manager's amendment," he said in an April 15 email. Among other things, he said, the draft amendment doesn't address the issue of limiting what information private sector companies share with the government. Currently, companies would be almost unlimited in the information they turn over to the government, he added.

The draft amendment would permit a federal agency to place prohibitions on information sharing with another if the agency that first received it determines that sharing "will undermine the purpose for which such information is shared."

It also removes efforts to steal intellectual property from the definition of information that may be exchanged under the rubric of cybersecurity threat data-sharing.

Inclusion of intellectual property in the bill in particular helped spark online opposition to it since activists perceived it as an attempt to shoehorn in an anti-online piracy measure similar to the recently shelved Stop Online Piracy Act (H.R. 3261) bill.

"The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property," the Electronic Frontier Foundation said in a March 8 statement.

Other substitute amendment changes include a requirement that federal agencies that receive cyber threat information from the public sector automatically share it with the Homeland Security Department and that DHS approve requests to further distribute that information.

The draft substitute amendment also changes the liability protection afforded to private sector participants in cyber threat information exchange. In the original bill, a firm would be covered by the liability exemption if it was "acting in good faith," whereas under the substitute amendment, it could be sued if the plaintiff could demonstrate that the firm was engaging in "willful misconduct in sharing of such information and such willful misconduct proximately causes injury." It also adds language making the federal government subject to civil suit if an agency willfully violates the restrictions on information sharing.

In addition, the draft substitute amendment would add a prohibition against federal agencies requiring private sector firms to share information with the government, or conditioning their sharing of threat information on the receipt of it from a company.

For more:
- download the draft substitute amendment (.pdf)
- go to the THOMAS page for H.R. 3523
