What is CISPA, and what does it mean for you? FAQ

Summary: Dubbed one of the most privacy-infringing pieces of legislation ever to have hit the Capitol, what exactly is CISPA, and how does it affect you?


Described as "misguided" and "fatally flawed" by the two largest US privacy groups, the Cyber Intelligence Sharing and Protection Act (CISPA) threatens the online privacy of ordinary US residents more so than any other Bill since Congress amended the Foreign Intelligence Surveillance Act in 2008.

CISPA will soon be voted on in the coming few weeks.

A lot of confusion still surrounds what CISPA can do, who it affects, and what it will practically achieve. Here's what you need to know.

What is CISPA?

CISPA, known officially as H.R. 624, is a cybersecurity Bill currently going through the motions in the lower house of Congress, the US House of Representatives. It is designed to help prevent and defend against cyberattacks on critical national infrastructure and against other internet attacks on private firms by obtaining and sharing "cyberthreat information".

Its sole purpose is to allow private sector firms to search personal and sensitive user data of ordinary US residents to identify this so-called "threat information", and to then share that information with each other and the US government — without the need for a warrant.

By citing "cybersecurity", it allows private firms to hand over private user data while circumventing existing privacy laws, such as the Wiretap Act and the Stored Communications Act. This means that CISPA can permit private firms to share your data, such as emails, text messages, and cloud-stored documents and files, with the US government.

It also gives these firms legal protection to hand over such data. There is no judicial oversight.

To make matters worse, because there is little transparency and individual accountability, those who have had their data handed to the US government may not even know about it or be given a chance to challenge it.

Wasn't CISPA put on the backburner after it failed in the Senate?

In April 2012, the US House passed CISPA by a large majority, voting 248 to 168. It passed at a time when the White House threatened to veto the Bill should it pass the desk of President Obama, citing privacy and civil liberty concerns. But once it was handed to the Senate, it failed to gain traction, likely in light of similar legislation being drafted in the upper house at the time.

How is this new CISPA version any different from the old Senate-stalled version?

The current version of CISPA, reintroduced into the House, has the same name and largely the same content. CISPA was brought back to the House in its original format.

Since being debated and amended by the House Intelligence Committee, it has gone through a mark-up process that would tighten up certain language and add definitions. Members decided to conduct this process in secret, despite the controversy surrounding this Bill. While CISPA does not force or require a private firm to share data with the US government, major telecoms providers have illegally shared data with US intelligence agencies before.

During this recent mark-up process, fewer than half of the privacy-restoring amendments passed, and those that did have "only chipped away at the edges of CISPA", according to the Electronic Frontier Foundation (EFF).

These amendments now include:

  • Information for "national security" purposes: One amendment means the US government can only use data collected under CISPA for "cybersecurity purposes", and not for "national security" purposes — a catch-all term that can be and has been used to skirt Fourth Amendment rights. A second amendment imposes the same rule on private firms. However, "cybersecurity" is still loosely defined and could be misinterpreted or abused by private firms.

  • Hacking back: Private firms are limited from acting beyond their own networks to gather "cyberthreat information", such as "hacking the hackers". But the EFF noted that a "huge loophole" exists, which allows a firm to "still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection".

  • Government-related privacy oversight: This amendment requires oversight on how CISPA affects civil liberties and privacy on government activity, but it does not apply to private firms. The EFF is concerned that there is "no assessment of whether companies over-collect or over-share sensitive information".

How does Obama's cybersecurity executive order differ from CISPA?

President Obama signed a cybersecurity executive order at the same time CISPA was reintroduced into the House.

Obama's cybersecurity executive order laid the foundations on which a "framework" can be built between the government and private sector industries, albeit without the vast majority of the privacy complications that CISPA has.

The "framework" will allow intelligence to be gathered from the aftermath of cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks (like gas and electric companies), and the banking industry — so they can better protect themselves and the wider US population.

While the executive order does touch on intelligence sharing between the US government and private firms, it doesn't undo years of privacy law-making work that continues to protect the US population. The White House even garnered support from the American Civil Liberties Union (ACLU) on the order. The order opened a path for wider consultation and discussion, though that could change in due time.

Who supports and opposes CISPA?

Because CISPA gives legal immunity to companies already collecting personal and sensitive user and customer data of ordinary US residents, many major web and technology companies are in favor of the Bill.

Tech companies such as Microsoft, Google, and IBM, and cellular giants AT&T and Verizon, as well as banks and financial firms like the American Bankers Association and the Chamber of Commerce, have all endorsed the current version of CISPA.

While Facebook, Twitter, and other social networks have not endorsed or openly supported the current version of CISPA, they backed previous iterations of the Bill. (Facebook and Microsoft reportedly backed away from CISPA after previously coming out in favor of it. However, Microsoft's membership of the lobbying group TechNet suggests otherwise.)

A full list of CISPA (H.R. 624) supporters can be found here.

As you might expect, a number of major civil liberties groups reject the principles surrounding CISPA. The EFF, the ACLU, and Reporters Without Borders have all expressed their opposition to the Bill. Firefox maker Mozilla has also criticized the Bill, and even Sir Tim Berners-Lee, the inventor of the World Wide Web, opposes CISPA.

More than 1.4 million people have signed online petitions for Facebook, Microsoft, IBM, and members of Congress to relinquish their support of the Bill — whether currently or in the past.

How does this differ from SOPA or PIPA?

There are two major differences: SOPA and PIPA acted against foreign alleged copyright infringers, while CISPA is a domestically focused cybersecurity Bill.

The House and the Senate introduced the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) respectively. Both primarily targeted non-US websites and networks, allowing the US attorney general to seek a court order that would see sites allegedly infringing copyright and intellectual property shut down and seemingly disappear from the web.

However, CISPA focuses all but entirely on those within US borders — including US citizens and legal (and illegal) residents — rather than foreign citizens or non-US companies. While the US government cannot collect data from any private firm it likes — the firm must agree to it — CISPA has a greater impact on those within US borders, rather than non-US residents.

Does CISPA affect non-US citizens, such as those who live in the EU?

Potentially, yes, although not directly. Many smaller companies do not have local EU-based datacenters. Microsoft, Google, and Facebook, for instance, do have non-US datacenters for local users, but many companies do not have the capacity or the funding to do so. This means that non-US residents' data may be stored directly by a US company.

What can the US government do with user data acquired under CISPA by private firms?

Anything they like with it, so long as it's lawful and pertains to "cybersecurity purposes", rather than "national security" purposes. But because the language is so ill-defined, it could be used for many more reasons than were initially considered.

The data will be handed to a central location within the US Department of Homeland Security (DHS) by the private firm, which can then be disseminated throughout government — including other US law enforcement and intelligence agencies.

Techdirt recently published a list of government agencies that can acquire your data under CISPA, which amounts to around 600 departments.

Does CISPA allow the US government to spy on US residents?

Once it's in the hands of the DHS, it can be sent anywhere and be used against the person. CISPA amends the National Security Act to include provisions to further protect national or homeland security, as well as other "threats to the United States, its people, property, or interests".

According to the EFF, even though the data was passed to the government for "only cybersecurity purposes", it can then be used to investigate other crime, not limited to cybersecurity crime, such as the "criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States".

What can I do if a private firm hands over my data to the US government?

Very little. But also, there's no way of knowing that your data has been handed to the US government by a private firm unless that firm informs you. Frankly, most will have no reason to.

CISPA explicitly prevents those under the scope of CISPA — typically US residents — from suing the US government for collecting or retaining data outside of legal parameters. Freedom of Information (FOI) requests do not apply under CISPA, because the data collected will be exempt from disclosure. CISPA also gives private firms legal protection to pass that data on to the US government, so they can't be sued, either.

What are the key upcoming dates, and could CISPA be defeated?

Following a recent closed session which saw CISPA amended, it will go to a vote on the House floor as soon as next week, or late April.

Two things could happen: Either it will pass like it did last year, and will be handed over to the Senate for its consideration — where it could progress or stall as it did the last time; or CISPA could fail in the House at a coming vote.

  • Gov't Agents

    What this does is turn 3rd parties into agents of the government, and those agents do not need to abide by Constitutional Protections, such as the right to be free from self-incrimination and unreasonable search and seizure.

    What exactly are the keywords that are going to make you a target? Gun control, pro-weed (which the media refers to as anti-government), any sort of protest, as well as certain religions/beliefs.

    The road to hell is paved with good intentions. I would rather run the risk of a terrorist attack than hand my life over to the coming anti-Christ to determine whether I am worthy to be "saved". The arbiter of life and death will certainly be cruel.
    • Intentions

      Actually there are no good intentions behind this bill. Good intentions are the marketing spin but not the purpose.
      • You don't know that

        It may suit your world view to assume that the intentions of the authors are malicious, but unless you can read minds, it's difficult to impossible to verify that assumption.

        But it's a good bet that a fair number of Representatives voted for it because they saw it as the "pro-business" thing to do, or in an ill conceived effort to vindicate former President George W. Bush, whose administration solicited such disclosures.
        John L. Ries
  • The end game

    Anything you say (or write) can and will be used against you in a court of law. Time to step back from adding information about yourself on the internet.

    I am 75 years old and you young ones do not now and never will know what freedom was like.

    Welcome to Amerika.
    • What freedom?

      I have several German friends, who did student exchange trips to the USA in the late 80s and in the 90s. Germany is often lampooned for being very autocratic and having laws for everything. Whilst this is to a certain extent true, many of those rules actually define freedoms, as opposed to taking them away.

      They were all shocked, once they arrived in the "Land of the Free," to find that many things they took for granted at home (drinking beer at 16, legally buying and smoking cigarettes, having sex at 16 etc.) were suddenly illegal.

      Even going for a walk got one in trouble. His host family wouldn't let him smoke in the house, so he walked around the block whilst he was smoking. The police stopped him, because he was walking, which was suspicious! Nobody walks in Beverly Hills, they said!!
    • The consequences of ignoring history

      What is it that they say? There are no consequences to telling the world your affairs on Facebook and other sites? How could that be, when historically there has always been? Well the cloud is magical, and is above these well known principles of life!

      I tell you the truth, the cloud is seductive in the way it makes life simpler. But history is rife with examples of governments and institutions taking over key aspects of our lives, making things initially nicer and simpler, and then abusing it and/or making them worse. As I've said before, individuals and companies must be vigilant about what they store away in the public cloud, and should always strive to keep private information and critical computing resources close to the vest, while outsourcing the rest of their resources, as wisely as they can.
      P. Douglas
    • Exactly

      The Bill of Rights and Constitution were specifically written to protect us from out of control government. That's why our government is destroying those rights one by one. Anyone with a brain fears our own government more than they fear the Chinese or any terrorist organization. Just like Hitler did before WWII, our government has staged or specifically allowed several large atrocities to happen in order to use them as a banner to eliminate more of our Constitutionally-guaranteed rights.

      Perhaps everyone should watch "V for Vendetta" to see where we're headed in this country. Sadly, we have no Guy Fawkes to wake up the masses. "The people should never fear their government. The government should fear the people."
      • agree

        While I agree with your sentiment you need to look up who Guy Fawkes really was, because he wasn't after freedom for the people but a restrictive religious government who would have burned us all at the stake and would have loved this government.
  • Democracy at its best

    We are born in slavery, and we die in slavery!
    Matej Petak
  • Clueless, Irresponsible, Stupid Politics, Again

    Is what CISPA really is and represents
  • Either that...

    ... or it's a mad dash to cover the bottoms of those who have already been grossly violating the privacy of private citizens illegally and doing what they like with the information, since it may some day come to light that they have.
    • Nail on the head

      You got it.
    • Full disclosure is now inevitable

      With Wikileaks and Anonymous and the revelations from ICIJ, they can be certain that they will all be exposed. It would be much wiser for them to come clean now, while clemency is still an option, than to continue in an attempt to legalize their crimes. http://www.icij.org/offshore
  • Ridiculous. This is not protection at all.

    Could someone please tell me, how this law would actually protect our businesses and people from 'cyber attacks' in the first place? Let's see... Chinese hackers... Which means they are from China... I do not think China would extradite a Chinese hacker for prosecution under US law, even if CISPA does pass. In the end, this law simply will give the government legal rights to spy upon its own citizens' online behavior, and not protect our businesses from the actual threats. Let's face it, the majority of cyber attacks would be conducted from countries in which the United States has no jurisdiction or extradition treaty. If anything, they would be coming from people sponsored by the very governments of said countries. The USA is a rather big target for a lot of nations across the world. This law would only screw over our own citizens, it would not 'protect' us or our businesses. The United States and its people seem to forget that their laws only apply to their own country, and the internet is global. There are a lot of countries that do not like the United States. All a hacker has to do, is go into one of those countries to try to hack stuff, and, they are untouchable under any law the USA makes. This law is nothing more than anti-privacy that screws over Americans. Do not buy into the rhetoric that it is for protection.
  • In the old days

    We lost our privacy to fight Communism, now it's to fight Terrorism.
  • The psychopaths in charge want to be able to mess with you 24/7

    What else could be expected from the drooling psychopaths running everything.
    Reality Bites
    • By "psychopaths in charge"

      Do you mean the corporations that monitor us and seek to exchange even more data about our actions than they already do?
  • This is unconstitutional no matter how you look at it

    1. It protects government from liability, thus violating the first amendment "to petition the Government for a redress of grievances."

    2. It violates pretty much the entire fourth amendment:
    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    3. The Fifth amendment states that "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury...nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."

    4. Since this is for the alleged purpose of finding criminals, the sixth amendment may also be relevant: "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him..."

    Is no one else seeing this? The Constitution is not something we should just allow to be ignored--it is our Supreme Law, and all elected officials have taken an oath to uphold it. It's time to make Congress answerable to the people again instead of big business and special interests.

    There is NOTHING that gives the government blanket authority to spy on Americans except our blind acceptance and ignorance.
    Iman Oldgeek
  • Nothing has changed

    I was advised decades ago, "Never put into an email something you wouldn't want to have read back to you in court."

    That policy applies to anything you type into the 'net. You have something you want kept private? Keep it private. Encrypt it. Set up a simple ftp server on your machine and open access to what you want others to have to, well, just those you want to have it. Duh.

    Publish, in any sense -- typing it into the open Internet unencrypted -- and lose it.

    Stop whining about what, in reality, is your incompetence at maintaining your own privacy. That's your job . . . not someone else's.

    While we're on the topic: Cloud providers are outside your circle of control. Start out presuming that to put data into a cloud provider's facility is to release it from your custody and make it vulnerable to any with the appropriate tools -- no matter what that provider promises you.

    The belief that cloud providers' promises ensure that system security failures will never occur . . . get real, y'all.
    • that works great....

      for data that you enter.

      This law makes all the data that others store about you, like the library books you borrow (electronic library cards), food that you buy (customer bonus programs to give you discounts at checkout), credit card usage - just about anything where a computer is used to store data, freely available for the government to use if the company storing it wants to give it to them.

      We shouldn't have to actively work to stay off the grid - the Constitution is 'supposed' to protect us from that.