Updated 3:20 pm EDT, Tuesday, April 24
Lawmakers working to pass a new cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, or CISPA have attempted to silence a growing chorus of critics by introducing two new versions of their legislation, the latest of which was released on Monday night.
The bill’s architects say the third and newest version addresses concerns that CISPA is overly broad and would allow private companies and America’s 17 intelligence agencies to share personally identifiable information about Web users without telling users and without any accountability.
But after conversing with a leading cybersecurity attorney, TPM has learned that the latest version of the bill may still give companies and intelligence agencies like the NSA and the CIA a blank check to share personally identifiable information about users.
“I don’t see any room for a lawsuit in there,” said John Lacey, currently an attorney with the McCormack Firm in Massachusetts and a former assistant district attorney, in a telephone interview with TPM.
“If some FBI agent comes knocking on your door, and half their case comes from information that was collected under this law, invisible to the user, there’s not going to be anything you can do.”
Lacey, who is a graduate of the Secret Service’s National Computer Forensic Institute, also blogs about cyber law on a Massachusetts Data Privacy Law blog.
Speaking to TPM, lacey pointed to section (b)(4) of the bill, which explains liability for those agencies and companies that engage in information sharing.
The section was first changed in a way that made it clear just when companies or the government could be sued for information sharing, but then changed back to the original version of the bill, which doesn’t provide any clear way for someone to sue for improper information sharing.
“Now, there’s no legal justification [for someone to file a lawsuit],” Lacey said. “They’ve taken it completely away.”
In the second major version of the bill, released on Friday, the section was rewritten to address critics’ concerns, giving individuals and other companies the power to sue those companies and agencies who share their information in such a way that constituted “willful misconduct.”
Under that rule, a plaintiff could have sued if they provided evidence that a company or intelligence agency shared their information “intentionally to achieve a wrongful purpose, or knowingly without legal or factual purpose,” Lacey told TPM.
But in the third version of the bill, released Monday night, the section on liability ((b)(3)) has been changed to its original wording, giving companies and intelligence agencies immunity from virtually any lawsuit over improperly or mistakenly sharing a user’s personal information.
The latest version states that agencies and companies that share user information have an “exemption from liability,” and that “no civil or criminal cause of action shall lie or be maintained in Federal or State court,” so long as they acted in “good faith.”
“So you can’t sue them if they’re acting in good faith, you can’t sue them in Federal or State court, that leads me to ask: ‘When can you sue someone?'” Lacey told TPM.
The issue of immunity from lawsuits has been a major sticking point for CISPA’s critics, who argue that the bill provides companies and the government with a “get out of jail free card,” even when they share personal information in violation of a product’s terms of service and existing U.S. laws, such as wiretapping laws.
As Lee Tien, an attorney with the Electronic Frontier Foundation, which staunchly opposes the bill, said in a statement published Monday: “Giving companies carte blanche to bypass federal law does not make us safer – it puts us at more risk.”
But House staffers told TPM that the newest version of the bill doesn’t void current laws or other agreements, and that it does actually allow users to sue for improper sharing of their information.
Staffers pointed to a clause which states that companies and the government can only share information with each other if that sharing is “specifically designated” to users (section (b)(1)(A)(ii)).
According to staffers, this means that a company must inform users of the distinction, either in writing or by another form of contact. A company would likely make it clear that they could share user information in revised terms of service agreements that users must agree to before using a digital product or service. If a company fails to do this and shares a person’s information, staffers say, the user can then sue.
“I don’t know how you could possibly come to that conclusion,” Lacey told TPM. “It may be technically possibly true, but in all likelihood, if you brought that to a judge, he’d throw the case out.”
The newest version of CISPA also seeks to provide accountability with a provision stating that the Inspector General of the Office of the Director of National Intelligence will conduct annual reviews of the information shared with the government, and produce a report pointing out where information was improperly used and what its impact was on civil liberties.
But this proposed report doesn’t detail any repercussions for companies or agencies that violate civil liberties.
Further, it’s unlikely that average users will even be aware of its existence, as Lacey pointed out to TPM.
“Any sharing of information is going to invisible to regular Joes,” Lacey said.
Late update: The latest version of CISPA, introduced April 19, includes a new section offering limited liability against government agencies if they “intentionally or willfully” violate a section outlining that when companies share information with the agencies, the agencies don’t share it with anyone else without the companies’ authorization.
However, the company still provides the broad exemption from liability for companies outlined in the article above.
Correction: This article originally incorrectly referred to Mr. Lacey on several occasions as “McCormack,” the name of his law firm employer. The article also originally misquoted Lacey as saying that he “guaranteed” that a judge would throw out a lawsuit when, in fact, Lacey said, “in all likelihood.” We have since corrected the errors in copy and regret them.
