A computer forensic examiner looks for evidence on hard drives at the Department of Defense Cyber Crime Center in Linthicum, Md., on Aug. 11, 2011. (AP/Cliff Owen)
This explainer was originally published on ProPublica.
The Cyber Intelligence Sharing and Protection Act, up for debate in the House of Representatives today, has privacy activists, tech companies, security wonks and the Obama administration all jousting about what it means — not only for security but Internet privacy and intellectual property. Backers expect CISPA to pass, unlike SOPA, the Stop Online Piracy Act that melted down amid controversy earlier this year.
Here’s a rundown on the debate and what CISPA could mean for Internet users.
What exactly is CISPA?
The act, sponsored Rep. Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., would make it easier for private corporations and U.S. agencies, including military and intelligence, to share information related to “cyber threats.” In theory, this would enable the government and companies to keep up-to-date on security risks and protect themselves more efficiently. CISPA would amend the National Security Act of 1947, which currently contains no reference to cyber security. Companies wouldn’t be required to share any data. They would just be allowed to do so.
Why should I care?
CISPA could enable companies like Facebook and Twitter, as well as Internet service providers, to share your personal information with the National Security Agency and the CIA, as long as that information is deemed to pertain to a cyber threat or to national security.
How does the bill define “cyber threat”?
The bill itself defines it as information “pertaining to a vulnerability of” a system or network a definition that opponents have criticized as too broad. The bill gained support after sponsors agreed to allow votes on several amendments they said would make concessions to privacy activists; one aims to narrow the definition of “cyber threat.”
When can data be shared?
Rogers said the amended version of the bill would only enable companies and intelligence agencies to share information related to 1) cyber security purposes; 2) investigation and prosecution of cyber security crimes; 3) protection of individuals from death and bodily harm; 4) child pornography; or 5) protection of the national security of the United States.
Why are privacy activists upset about CISPA?
Privacy activists like the American Civil Liberties Union and the Electronic Frontier Foundation contend CISPA isn’t specific enough about just what constitutes a “cyber threat.” They say it enables Internet companies and service providers to hand over sensitive user information to intelligence agencies without enough oversight from the civilian side of government. Finally, they say it does not explicitly require Internet companies to remove identifying information about users before sharing. Opponents contend, for instance, that Facebook or Twitter could share user messages with the NSA or FBI without redacting the user’s name or personal details.
CISPA also protects the private sector from liability even if they share private user information, as long as that information is deemed to have been shared for cybersecurity or national security purposes. Even though sharing is voluntary and not required under the law, privacy activists say the legal immunity CISPA provides would make it easy for the government to pressure Internet companies to give up user data.
What kind of information can be shared?
Private companies and government agencies can share any information that pertains to a “cyber threat” or that would endanger national security. That could include user information, emails, and direct messages. Companies would be allowed to share with each other as well as the government. The government is not allowed to proactively search company-provided information for purposes unrelated to cyber security, but opponents say this would be tough to enforce. The bill does not place any explicit limit on how long that information can be kept. Several proposed amendments would limit the amount and kinds of information that can be shared, but it remains to be seen which — if any — will be adopted.
Is CISPA basically SOPA 2.0?
No, it’s very different.
SOPA was about intellectual property; CISPA is about cyber security, but opponents believe both bills have the potential to trample constitutional rights. The comparisons to SOPA stem from language in an earlier version of CISPA that referenced intellectual property. That wording was removed early on in response to mounting criticism. SOPA would have strengthened copyright laws, barring search engines and other websites from linking to sites that violated intellectual property regulations. That prompted a First Amendment concern from critics that it would give government the power to block websites wholesale, trampling free speech. CISPA’s liability shield, on the other hand, has sparked a concern based on the Fourth Amendment, which protects against unreasonable search and seizure. Opponents contend the law would make it too easy for private companies and the intelligence community to spy on users in the name of cyber security.
Why are some of the tech companies that protested SOPA, like Facebook and Microsoft, now supporting this bill?
CISPA gives Internet companies the ability to share threat information with intelligence agencies and receive information back from them, an ability they say would enable them to deal with cyber threats more effectively. It does not compel them to protect users’ privacy (though a variety of proposed amendments aim to add more stringent privacy protections). Companies could not be held liable for divulging a user’s identity or data to the government if the information relates to a “cyber threat.”
What’s the Obama administration’s take?
The White House is backing a Senate bill proposed by Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman, I-Conn., and has threatened to veto CISPA. Officials cite a lack of personal privacy protections. They say CISPA would enable military and intelligence agencies to take on a policing role on the internet, which the administration points out is a civilian sphere.
What is CISPA’s path forward in Congress?
A vote is set for Friday. CISPA has accumulated more than 100 cosponsors and will most likely pass the House. “This isn’t about scrambling to meet 218 votes, we are well past that,” co-sponsor Rogers said during a conference call with reporters. But the Senate is a different story — there, it must compete with the Lieberman cyber security bill and one from Sen. John McCain, R-Ariz.
Would CISPA really make us more secure?
It’s unclear.
Some cyber security specialists note that neither CISPA nor other cyber security bills in Congress would compel companies to update software, hire outside specialists or take other measures to preemptively secure themselves against hackers and other threats. CISPA’s backers respond that the bill would forestall a “digital Pearl Harbor,” allowing a freer flow of information for a quicker and more effective response to hackers by both the government and the private sector.
