What Cybersecurity Bill CISPA Really Says

A new cybersecurity bill, the Cyber Intelligence Sharing and Protection Act (CISPA), seeks to give intelligence agencies and Internet companies like Facebook and Google more incentives to share information with one another about cybersecurity threats, such as hackers.

But CISPA, which is scheduled to hit the floor of the House of Representatives for debate and an eventual vote the week of April 23rd, has come under intensified criticism by Web user advocacy groups and writers in recent days.

The bill’s critics contend that CISPA’s terms are too broad, and could be interpreted in a way that removes important legal checks for when and how companies may turn over Web user information to the government.

“It’s a sophisticated scheme of removing legal barriers,” said Lee Tien, the senior staff attorney with the Electronic Frontier Foundation, in a telephone interview with TPM.

Tien and his EFF colleague Rainey Reitman wrote a lengthy critique of the bill in early March, well before it was on the radar of many Web users.

Their piece, like many other critical pieces around the Web, compares CISPA to the reviled copyright protection bill SOPA, or the Stop Online Piracy Act, which Congress abandoned in January, following a massive online protest.

CISPA’s critics hope that by invoking the name of SOPA, they will be able to galvanize similar opposition to CISPA and prevent it from being passed.

But CISPA differs markedly from SOPA in both its goals and its actual language.

SOPA targeted online piracy of music, movies, TV shows, software and other copyrighted material, including pharmaceuticals. Coming in at a hefty 71 pages, SOPA explicitly sought to have U.S. websites and companies sever all ties with foreign webpages accused of piracy. In practice, SOPA could have forced Google to remove, or censor, hundreds of links to other webpages in users’ searches, while YouTube and Reddit and similar websites that rely primarily on user-generated content and posts, could have seen large sections of their websites shut down.

In contrast, CISPA is short at only 11 pages. Its purpose is to allow for easier sharing of “cyber threat intelligence” and “information” between intelligence agencies like the NSA and the CIA and private companies like Google and Facebook, and vice versa.

The bill contains no language about companies taking down webpages or links, and only refers to intellectual property glancingly, using it as an example of a type of “cyber threat intelligence.”

For example, the EFF finds that CISPA contains “language… so broad it could be used as a blunt instrument to attack websites like The Pirate Bay or WikiLeaks,” referring to a section (1104(b)(1)(A)(i)) that reads “…a cybersecurity provider…may, for cybersecurity purposes…use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.”

CISPA also later defines “cyber threat intelligence” as “information…pertaining to the protection of a system or network from…theft or misappropriation of private or government information, intellectual property, or personally identifiable information,” again referencing IP theft as a cybersecurity threat under which information sharing between companies and the government is justifiable and warranted.

But in TPM’s reading of the bill, the language actually appears to be designed to protect online user information (“personally identifiable information”) collected by companies from being hacked.

CISPA defines “cybersecurity systems” as “a system designed or employed to ensure the integrity, confidentiality or availability of, or safeguard, a system or network.” CISPA seems to limit this definition to exactly what the words would suggest — security software.

Further, in TPM’s reading, the key line that prevents this bill from entering into “SOPA” territory states that “cybersecurity providers…may…use cybersecurity systems to identify and obtain cyber threat information” related to the so-called “threats.”

The bill is simply talking about sharing information about perceived threats. It says nothing about taking down websites, obtaining court orders or using the information in any sort of expanded way that hasn’t been available before. It does not give anyone any powers to “attack” a website, but rather seems to be designed to defend websites.

However, Tien told TPM that his chief objection is that the bill contains these provisions, coupled with a few more that allow companies to essentially ignore current laws, including federal wiretapping laws.

Specifically, Tien pointed to a part of CISPA that reads that “notwithstanding any other provision of law, a cybersecurity provider…may” obtain and share “cyber threat information.”

“That’s essentially immunity or exemption from liability,” Tien told TPM. “It nullifies or negates laws that otherwise might restrict them [the government and companies]. Right now, companies can share information, but if they don’t do it the right way, the legal way, you can sue them.”
