On Thursday, the House of Representatives handily passed a major cybersecurity measure that tech industry groups have long sought but that critics have labeled a "privacy-eviscerating bill."
By a vote of 288-127, the House approved the Cyber Intelligence Sharing and Protection Act (CISPA), sending it to the Senate in defiance of a threatened White House veto. The bill has been a top priority of tech giants that say it's a necessary tool to combat attacks on their computer networks, though digital rights activists claim it lacks enough protections to ensure personal information isn't compromised in the process.
CISPA would make it easier for private companies and the government to share data with each other about suspected cyberattacks, allowing them to address those attacks more effectively. Huge tech and communications companies — including HP, IBM, Comcast, Verizon, and many others — have thrown their weight behind the bill, seeing it as a way to defend their businesses while ensuring legal protection should users' personal information somehow get out.
From The Economist:
Companies and spooks often remain silent about cyber-threats because they fear that sharing the details might land them in legal hot water. But this makes it much harder to hunt hackers and defend power grids and other infrastructure against online assaults. The bill encourages both groups to be more forthcoming by offering them an exemption from civil and criminal liability when gathering and sharing data about cyber-threats. [The Economist]
CISPA's proponents spent $605 million lobbying Congress from 2011 through last fall, according to the non-profit Sunlight Foundation, 140 times more than the $4.3 million spent by the bill's opponents, who've instead used social media campaigns to protest the legislation. IBM alone sent almost 200 executives to Washington this week to press for final passage of the bill.
The House passed a similar version of CISPA last year, though it flamed out in the Senate over objections that it was ill-defined and fraught with privacy loopholes. The House brought the bill back for discussion this year, adding a few amendments aimed at mollifying the legislation's opponents.
However, critics still contend that the final bill is too weak on the personal protection front, and they fear it would go too far in "creating a backdoor for individuals' data to fall into government hands," as Forbes' Andy Greenberg puts it.
Here's how Mark Jaycox of digital rights group Electronic Frontier Foundation described the bill's problems on a Reddit forum last week:
Companies have new rights to monitor user actions and share data — including potentially sensitive user data — with the government without a warrant.
Cispa overrides existing privacy law, and grants broad immunities to participating companies.
Information provided to the federal government under Cispa would be exempt from the Freedom of Information Act (FOIA) and other state laws that could otherwise require disclosure (unless some law other than Cispa already requires its provision to the government). [Reddit]
A House subcommittee rejected a proposal that would have required companies to honor their privacy contracts with users, leading Jaycox to call the changes that did pass "window dressing." Many others, including the American Civil Liberties Union, a Reddit co-founder, and Mozilla, maker of the open source Firefox browser, have opposed CISPA, citing similar privacy concerns.
So where does the legislation go from here?
The Senate is busy with other weighty measures — gun control and immigration reform foremost among them — so the bill will likely stall for some time. And as CNET's Declan McCullagh notes, Sen. John Rockefeller (D-W.V.), who was deeply involved in last year's cybersecurity talks, has called CISPA's personal protections "insufficient."
Even should a bill emerge from Congress, the White House has already issued a veto threat, as it did last year when CISPA's previous incarnation was debated in Congress.
"The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities," a White House statement reads. "Citizens have a right to know that corporations will be held accountable — and not granted immunity — for failing to safeguard personal information adequately."