by Megha Rajagopalan, ProPublica
The Cyber Intelligence Sharing and Protection Act, up for debate in the House of Representatives today, has privacy activists, tech companies, security wonks and the Obama administration all jousting about what it means — not only for security but Internet privacy and intellectual property. Backers expect CISPA to pass, unlike SOPA, the Stop Online Piracy Act that melted down amid controversy earlier this year.
Here’s a rundown on the debate and what CISPA could mean for Internet users.
What exactly is CISPA?
The act, sponsored Rep. Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., would make it easier for private corporations and U.S. agencies, including military and intelligence, to share information related to “cyber threats.” In theory, this would enable the government and companies to keep up-to-date on security risks and protect themselves more efficiently. CISPA would amend the National Security Act of 1947, which currently contains no reference to cyber security. Companies wouldn’t be required to share any data. They would just be allowed to do so.
Why should I care?
CISPA could enable companies like Facebook and Twitter, as well as Internet service providers, to share your personal information with the National Security Agency and the CIA, as long as that information is deemed to pertain to a cyber threat or to national security.
How does the bill define “cyber threat”?
The most recent version of the bill defines it as information “pertaining to a vulnerability of” a system or network — a definition that opponents have criticized as too broad. Rep. Adam Schiff, D-Calif., has proposed an amendment that narrows the definition. The bill has gained key support with the addition of the amendment.
When can data can be shared?
Rep. Rogers said the amended version of the bill would only enable companies and intelligence agencies to share information related to 1) cyber security purposes; 2) investigation and prosecution of cyber security crimes; 3) protection of individuals from death and bodily harm; 4) child pornography; or 5) protection of the national security of the United States.
Why are privacy activists upset about CISPA?
Privacy activists like the American Civil Liberties Union and the Electronic Frontier Foundation contend CISPA isn’t specific enough about just what constitutes a “cyber threat.” They say it enables Internet companies and service providers to hand over sensitive user information to intelligence agencies without enough oversight from the civilian side of government. Finally, they say it does not explicitly require Internet companies to remove identifying information about users before sharing. Opponents contend, for instance, that Facebook or Twitter could share user messages with the NSA or FBI without redacting the user’s name or personal details.
CISPA also protects the private sector from liability even if they share private user information, as long as that information is deemed to have been shared for cybersecurity or national security purposes. Even though sharing is voluntary and not required under the law, privacy activists say the legal immunity CISPA provides would make it easy for the government to pressure Internet companies to give up user data.