House members clockwise from top left: Jared Polis, who warned CISPA would "waive every single privacy law ever enacted"; Adam Schiff; Sheila Jackson Lee; Jan Schakowsky; Mike Rogers; Hank Johnson (Credit: C-SPAN)
The U.S. House of Representatives today approved a controversial Internet surveillance bill, rejecting increasingly vocal arguments from critics that it would do more to endanger Americans' privacy than aid cybersecurity.
By a vote of 248 to 168, a bipartisan majority approved the Cyber Intelligence Sharing and Protection Act, or CISPA (the bill, which would permit Internet companies to hand over confidential customer records and communications to the National Security Agency and other portions of the U.S. government.
CISPA would "waive every single privacy law ever enacted in the name of cybersecurity," said Rep. Jared Polis, a Colorado Democrat, during today's marathon floor debate. "Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on."
Americans' confidential information that could legally provided to the feds would "include health records, it can include firearm registration information, it can include credit card information," warned Polis, a former Web entrepreneur who was a leader in opposing the Stop Online Piracy Act as well.
CISPA wouldn't formally grant the NSA or Homeland Security any additional surveillance authority. (A proposed amendment that would have veered in that direction was withdrawn.)
But it would usher in a new era of information sharing between companies and government agencies -- with limited oversight and privacy safeguards. The House Rules committee yesterday rejected a series of modestly pro-privacy amendments, which led a coalition of civil-liberties groups to complain that "amendments that are imperative won't even be considered" in a letter today.
That prompted some politicians, including House Intelligence Committee member Adam Schiff (D-Calif.), to reluctantly oppose the bill. Schiff said that because his proposed amendments were rejected, he had to vote against CISPA "due to my concerns about civil liberties and the privacy of Americans."
What made CISPA so controversial is a section saying that, "notwithstanding any other provision of law," companies may share information with Homeland Security, the IRS, the NSA, or other agencies. By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state laws, including ones dealing with wiretaps, educational records, medical privacy, and more.
Rep. Mike Rogers (R-Mich.), the chairman of the House Intelligence Committee, had predicted earlier in the week he had the votes. And it turned out he did, despite a last-minute surge of opposition that included Republican presidential candidate Ron Paul warning that "CISPA is Big Brother writ large," a White House veto threat, and 18 Democratic House members saying it "does not include necessary safeguards."
CISPA is "needed to stop the Chinese government from stealing our stuff," Rogers said. They're "stealing the value and prosperity of America."
Rogers' position paper on CISPA said the bill is necessary to deal with threats from China and Russia, and that it "protects privacy by prohibiting the government from requiring private sector entities to provide information." During today's floor debate, Rogers repeatedly referred to the need for the Feds to share attack signatures with the private sector -- but never addressed the privacy criticisms directly, except to say they were invalid.
One of the biggest differences between CISPA and its SOPA predecessor is that the Web blocking bill was defeated by a broad alliance of Internet companies and millions of peeved users. Not CISPA: the House Intelligence committee proudly lists letters of support from Facebook, Microsoft, Oracle, Symantec, Verizon, AT&T, Intel, and trade association CTIA, which counts representatives of T-Mobile, Sybase, Nokia, and Qualcomm as board members.
CISPA's authorization for information sharing extends far beyond Web companies and social networks. It would also apply to Internet service providers, including ones that already have an intimate relationship with Washington officialdom. Large companies including AT&T and Verizon handed billions of customer records to the NSA; only Qwest refused to participate. Verizon turned over customer data to the FBI without court orders. An AT&T whistleblower accused the company of illegally opening its network to the NSA, a practice that the U.S. Congress retroactively made legal in 2008.
The bill now heads to the Senate, where related cybersecurity legislation has been stalled for years, and the threat of a presidential veto makes speedy approval unlikely.
"Once the government gets expansive national security authorities, there's no going back," Michelle Richardson, ACLU legislative counsel, said after the House vote. "We encourage the Senate to let this horrible bill fade into obscurity."
Excerpts from the Cyber Intelligence Sharing and Protection Act:
"Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes -- (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government...
The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself."
About Declan McCullagh
Declan McCullagh is the chief political correspondent for CNET. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.