CISPA: Cybersecurity or internet privacy killer?

Tech companies support Uncle Sam's personal data grab


Recent cyber-attacks on large U.S. companies have brought the issue of cybersecurity back into the House of Representatives.

The Cyber Intelligence Sharing and Protection Act (CISPA) was reintroduced in February. CISPA's aim is to help American businesses better protect their computer networks and corporate trade secrets from cyber attacks.

The Act attempts to achieve that by making it easier for businesses to share cybersecurity information -- including personal consumer data -- with the government.

It has become quite a controversial bill, one that's drawing a lot of attention from privacy advocates.

Controversy with the bill

Supporters of the bill -- AT&T, Comcast, IBM and other major tech companies -- claim that information sharing is necessary, and that cybersecurity threats require the cooperation of the entire Internet ecosystem.

Opponents say that the bill is an invasion of privacy, allowing companies to identify potential cyber threats by looking at private consumer information -- like email records and internet history -- and sharing it with the government.

"The concern with CISPA," says Michelle Richardson, Legislative Counsel for the American Civil Liberties Union, "is that it's incredibly broad." 

Currently, well-established laws provide judicial oversight and privacy protections that prevent companies from sharing private consumer information. 

CISPA would override those privacy laws.

 "Companies can share cyber security information with each other or with the government, and they are not affirmatively required to take efforts to remove personally identifiable information," she says.

One of the biggest concerns of the ACLU is that this information will go to military agencies like the NSA or DOD.

The ACLU prefers that personal information go to a civilian-controlled agency, according to Richardson.

"We have a long history of not allowing the military to operate against its own citizens in the United States, and that should continue in the cybersecurity realm," says Richardson. 

How it will affect individuals  

If CISPA is passed, once guarded personal data will be fair game for companies to share if they deem it as cybersecurity information.

"The concern is that companies will broadly share electronic information with the government and that it will be repurposed," says Richardson.

What can be done with the information once it's shared?  

As the bill stands, information shared with the government may be used for five purposes:

  • Cybersecurity
  • Investigation and prosecution of cybersecurity crimes
  • Protection of individuals from the danger of death or serious bodily harm -- and the investigation and prosecution of crimes involved in such danger, death or serious bodily harm
  • Crimes against minors
  • Protection of the national security of the United States

Theoretically, the information couldn't be used to enforce taxes, immigration, or any of the many other things the government does on our behalf, notes Richardson. 

But the ACLU still thinks it's too broad.

The term "national security" is an undefined generic term, says Richardson.

"This is a cybersecurity bill. It should only be used for cybersecurity purposes," she says.   

Passing the bill

CISPA passed through the House last year, but it never got to the Senate.  

The Obama Administration threatened to veto the bill.

Chances are that it won't pass through the Senate this year.

In fact, Richardson flat out says, "The Senate will not take up CISPA."

"They've taken a more targeted approach, and through their process last year, they've actually moved in the opposite direction," she says. 

Last year Senators unveiled significant privacy amendments to be incorporated into the Cybersecurity Act, which narrowed the bill to contain more privacy protections.

The bill is still in the works, but Richardson says it will be a better alternative to CISPA in terms of privacy.

"We're continuing to lobby Congress so that if they choose to go down this path, they only pass legislation that is narrow, clearly defined and makes sure that companies are only sharing very targeted threat information," says Richardson.