Described as "misguided" and "fatally flawed" by the two largest US privacy groups, the Cyber Intelligence Sharing and Protection Act (CISPA) threatens the online privacy of ordinary US residents more so than any other Bill since Congress amended the Foreign Intelligence Surveillance Act in 2008.
A lot of confusion still surrounds what CISPA can do, who it affects, and what it will practically achieve. Here's what you need to know.
What is CISPA?
CISPA, known officially as H.R. 624, is a cybersecurity Bill currently going through the motions in the lower house of Congress, the US House of Representatives. It is designed to help prevent and defend against cyberattacks on critical national infrastructure and against other internet attacks on private firms by obtaining and sharing "cyberthreat information".
Its sole purpose is to allow private sector firms to search personal and sensitive user data of ordinary US residents to identify this so-called "threat information", and to then share that information with each other and the US government — without the need for a warrant.
By citing "cybersecurity", it allows private firms to hand over private user data while circumventing existing privacy laws, such as the Wiretap Act and the Stored Communications Act. This means that CISPA can permit private firms to share your data, such as emails, text messages, and cloud-stored documents and files, with the US government.
It also gives these firms legal protection to hand over such data. There is no judicial oversight.
To make matters worse, because there is little transparency and individual accountability, those who have had their data handed to the US government may not even know about it or be given a chance to challenge it.
Wasn't CISPA put on the backburner after it failed in the Senate?
In April 2012, the US House passed CISPA by a large majority, voting 248 to 168. It passed at a time when the White House threatened to veto the Bill should it pass the desk of President Obama, citing privacy and civil liberty concerns. But once it was handed to the Senate, it failed to gain traction, likely in light of similar legislation being drafted in the upper house at the time.
How is this new CISPA version any different from the old Senate-stalled version?
The current version of CISPA, reintroduced into the House, has the same name and vastly the same content. CISPA was brought back to the House in its original format.
Since being debated and amended by the House Intelligence committee, it has gone through a mark-up process that would tighten up certain language and add definitions. This process was decided upon by members to be conducted in secret, despite the controversy surrounding this Bill. While CISPA does not force or require a private firm to share data with the US government, major telecoms providers have illegally shared data with the US intelligence agencies before.
During this recent mark-up process, less than half of the privacy re-enabling amendments that passed have "only chipped away at the edges of CISPA", according to the Electronic Frontier Foundation (EFF).
These amendments now include:
Information for "national security" purposes: One amendment means the US government can only use data collected under CISPA for "cybersecurity purposes", and not used for "national security" purposes — a catch-all term that can and has been used to skirt Fourth Amendment rights. The second amendment imposes the same rule on private firms. However, "cybersecurity" is still loosely defined and could be misinterpreted or abused by private firms.
Hacking back: Private firms are limited from acting beyond their own networks to gather "cyberthreat information", such as "hacking the hackers". But the EFF noted that a "huge loophole" exists, which allows a firm to "still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection".
Government-related privacy oversight: This amendment requires oversight on how CISPA affects civil liberties and privacy on government activity, but it does not apply to private firms. The EFF is concerned that there is "no assessment of whether companies over-collect or over-share sensitive information".
How does Obama's cybersecurity executive order differ from CISPA?
President Obama signed into law a cybersecurity executive order at the same time CISPA was reintroduced into the House.
Obama's cybersecurity executive order set up the foundations in which a "framework" can be constructed between the government and private sector industries, albeit without the vast majority of the privacy complications that CISPA has.
The "framework" will allow intelligence to be gathered from the aftermath of cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks (like gas and electric companies), and the banking industry — so they can better protect themselves and the wider US population.
While the executive order does touch on intelligence sharing between the US government and private firms, it doesn't undo years of privacy law-making work that continues to protect the US population. The White House even garnered support from the American Civil Liberties Union (ACLU) on the order. The order opened a path for wider consultation and discussion that could, however, change in due time.
Who supports and opposes CISPA?
Because CISPA gives legal immunity to companies already collecting personal and sensitive user and customer data of ordinary US residents, many major web and technology companies are in favor of the Bill.
Tech companies such as Microsoft, Google, and IBM, and cellular giants AT&T and Verizon, as well as banks and financial firms like the American Bankers Association and the Chamber of Commerce, have all endorsed the current version of CISPA.
While Facebook, Twitter, and other social networks have not endorsed or openly supported the current version of CISPA, they backed previous iterations of the Bill. (Facebook and Microsoft reportedly backed away from CISPA after previously coming out in favor of it. However, Microsoft's membership to lobbying group TechNet suggests otherwise.)
A full list of CISPA (H.R. 624) supporters can be found here.
As you might expect, a number of major civil liberties groups reject the principles surrounding CISPA. The EFF, the ACLU, and Reporters Without Borders have all expressed their opposition to the Bill. Firefox maker Mozilla has also criticized the Bill, and even Sir Tim Berners-Lee, the inventor of the World Wide Web, opposes CISPA.
How does this differ from SOPA or PIPA?
There are two major differences: SOPA and PIPA acted against foreign alleged copyright infringers, while CISPA is a domestically focused cybersecurity Bill.
The House and the Senate introduced the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) respectively. Both primarily targeted non-US websites and networks, allowing the US attorney general to seek a court order that would see such allegedly copyright and intellectual property infringing sites shut down and seemingly disappear from the web.
However, CISPA focuses all but entirely on those within US borders — including US citizens and legal (and illegal) residents — rather than foreign citizens or non-US companies. While the US government cannot collect data from any private firm it likes — the firm must agree to it — CISPA has a greater impact on those within US borders, rather than non-US residents.
Does CISPA affect non-US citizens, such as those who live in the EU?
Potentially, yes, although not directly. Many smaller companies do not have local EU-based datacenters. Microsoft, Google, and Facebook, for instance, do have non-US datacenters for local users, but many do not have the capacity of the funding to do so. This means that non-US resident data may be stored directly by a US company.
What can the US government do with user data acquired under CISPA by private firms?
Anything they like with it, so long as it's lawful and pertains to "cybersecurity purposes", rather than "national security" purposes. But because the language is so ill defined, it could be used for many more reasons than were initially considered.
The data will be handed to a central location within the US Department of Homeland Security (DHS) by the private firm, which can then be disseminated throughout government — including other US law enforcement and intelligence agencies.
Techdirt recently published a list of government agencies that can acquire your data under CISPA, which amounts to around 600 departments.
Does CISPA allow the US government to spy on US residents?
Once it's in the hands of the DHS, it can be sent anywhere and be used against the person. CISPA amends the National Security Act to include provisions to further protect national or homeland security, as well as other "threats to the United States, its people, property, or interests".
According to the EFF, even though the data was passed to the government for "only cybersecurity purposes", it can then be used to investigate other crime, not limited to cybersecurity crime, such as the "criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States".
What can I do if a private firm hands over my data to the US government?
Very little. But also, there's no way of knowing that your data has been handed to the US government by a private firm unless that firm informs you. Frankly, most will have no reason to.
CISPA explicitly prevents those under the scope of CISPA — typically US residents — to sue the US government for collecting or retaining data outside of legal parameters. Freedom of Information (FOI) requests do not apply under CISPA, because the data collected will be exempt from disclosure. CISPA also gives private firms legal protection to pass that data on the US government, so they can't be sued, either.
What are the key upcoming dates, and could CISPA be defeated?
Following a recent closed session which saw CISPA amended, it will go to a vote on the House floor as soon as next week, or late April.
Two things could happen: Either it will pass like it did last year, and will be handed over to the Senate for its consideration — where it could progress or stall as it did the last time; or CISPA could fail in the House at a coming vote.