Last week, the House passed the Cyber Intelligence Sharing and Protection Act (CISPA) by a measure of 248 to 168. The controversial bill was first modified before being passed.
The changes to the bill include allowing for more types of private sector information to be shared with government agencies. The information that could be shared goes beyond national security issues and includes the investigation of an ambiguous category of cyber security crimes, “protection of individuals from the danger of death or serious bodily harm,” and protection of minors from exploitation.
An example of how the law would work is that if Company A discovers a threat that also might have an impact on Company B, Company A could share user information with Company B, without having to worry about legal barriers to privacy. Company A would also be allowed to pass that information on to the federal government and vice-versa.
“The legislation has drawn the ire of legislators, civil liberties groups, security practitioners and professors, and hundreds of thousands of petitioners, who say the bill tramples over users’ privacy rights as it allows Web firms like Google and Facebook to give private users’ information to government agencies irrespective of other laws that protect users’ privacy. “It’s basically a privacy nightmare,” says Trevor Timm, a lawyer and activist with the Electronic Frontier Foundation. ‘CISPA would allow companies to hand over private data to the government without a warrant, without anonymity, with no judicial review.'”
Privacy advocates and civil liberties groups argue that CISPA would enable businesses to provide the federal government, including the intel community, with users’ private data and other sensitive personal information. According to Mashable:
“The two parts of CISPA these groups consider most offensive are a national security clause and a liability clause. The first, they say, would allow CISPA to be used in any case where national security is deemed at risk — a potentially broad category. The second would protect any business that shares cybersecurity information from lawsuits — including suits from users who think their private information may have been shared without justification.”
One company that initially supported the measure, Microsoft, has now declined its support of the bill.
So, now CISPA moves on to the Senate. The Senate can either pass it as is or further amend it. Should the amendment option prevail, the House and Senate would need to pass a bill that reconciles the differences between the two. Then, the bill would be sent to Obama who would either sign it into law or veto it.
Currently, The White House stands in opposition to CISPA and has threatened to veto it, saying that “cyber security and privacy are not mutually exclusive.” The White House statement also included the assertion that CISPA is an intelligence bill and not a security bill and one which would be detrimental to civilians’ privacy. However, as Forbes points out, the president’s advisers also recommended that he veto the National Defense Authorization Act, which he decided to sign into law instead.
Opposition to CISPA has not yet to escalated to SOPA levels, but it is starting to increase.