On Thursday, the House passed the Cyber Intelligence Sharing and Protection Act (HR 3523) by a 248-168 vote. The bill, commonly known by its acronym, CISPA, aims to make it easier for government agencies and private industry to share information about cyber threats. But all that information-sharing worries privacy advocates and civil libertarians, who say the bill lacks safeguards against abuse. Supporters like Rep. Mike Rogers (R-Mich.), who introduced the bill last November, insist that it is a necessary step in cracking down on illegal hacking and foreign spying, and would not be used to target things like file-sharing sites and free speech on the internet.
Now that the bill has passed the House, the focus shifts to the Senate, which is crafting an alternate version of the bill that could be voted on as early as May. Here are four things to know about CISPA.
1. Those for, those against. The usual suspects on both sides—rights organizations, consumer groups, big business, telecommunications—came out to endorse or condemn the bill. Here are some big names that have issued ringing endorsements of CISPA:
…and some key players that have denounced the bill:
2. The vague language. As with charges leveled at other recent controversial pieces of legislation, much of the debate over CISPA is about what the language in the bill actually means. CISPA would allow and encourage companies and government agencies to share internet users' information with each other without court orders or subpoenas so long as the company or agency can cite a "cybersecurity purpose." Proponents say that this will allow companies facing online attacks to report intrusions to the government and get help promptly without having to worry about unnecessary red tape. Critics, however, say there is a substantial potential for abuse in the vagueness of the phrase "cybersecurity purpose." "Right now, companies can only look at your communications in very specific, very narrow situations," Trevor Timm, a blogger and activist at the Electronic Frontier Foundation, told the Daily Beast on Monday. "The government, if they want to read them, needs some sort of warrant and probable cause. This allows companies to read your communication as long as they can claim a cybersecurity purpose."
It's widely known that many major companies—including Facebook and Time Warner, for instance—already share plenty of user information with federal authorities in the interest of monitoring for national security threats or cyber crime. The concern here is that the bill would allow authorities to disregard the standard practice of subpoenas and court orders in such scenarios. "Essentially, this bill would preempt…other laws related to privacy," Greg Nojeim, a senior counsel at the Center for Democracy and Technology, told Mother Jones.
3. Despite its flaws, the bill is not Zombie SOPA. It's been barely three months since the efforts to pass the Stop Online Piracy Act and the PROTECT IP Act in the House and Senate collapsed after a torrent of public outcry. Thus, it's not surprising that CISPA has undergone some makeovers in recent weeks (here's the latest draft) aimed at forestalling another round of activist and social-media blowback. Although the bill is still being labeled by some as a stealth revival of SOPA, CISPA doesn't focus on punishing violators of intellectual property and copyright laws, as SOPA did. Its focus is information-sharing. In mid-April, a revised draft nixed the lone line pertaining to theft of intellectual property—a phrase previously included in the bill's definition of the kinds of "cybersecurity purpose[s]" for which companies and agencies could legally share information.
The original phrase:
[T]heft or misappropriation of private or government information, intellectual property, or personally identifiable information.
Was changed to:
[E]fforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.
In an attempt to further assuage the fears of various groups, dozens of amendments were sent to the House Rules Committee for consideration, including one proposed by Rep. John Lewis (D-Ga.) that would flat-out prohibit using the law as legal cover to spy on protesters (those dozens were compressed into just a few). Certain groups, including the Center for Democracy and Technology (which helped lead the push against CISPA), applauded the amendments as "important privacy improvements" but added that fundamental flaws remain and that the group will direct its attention towards pushing for a more privacy-friendly version of the bill in the Senate.
Organizations such as the Electronic Frontier Foundation and the ACLU are still unimpressed by the set of privacy amendments. "The amendments also still allow this information to be sent directly to the National Security Agency and other military offices instead of keeping civilians in control of Americans' Internet info," Michelle Richardson, legislative counsel for the ACLU, told The Hill on Wednesday morning. "The use limitations, while amended, still allow the government to use what it collects for undefined 'national security' purposes."
4. Locking down Obama administration support has been…tricky. Earlier this week, Rogers said that he was "pretty confident" that his bill had the votes needed to pass the House and move on to a Senate vote. Lawmakers had scrambled to attach provisions that they believe will help secure the support of the president and key administration officials—essentially, chiseling it down just enough to squeak through Congress.
Even so, the Obama administration has made clear that it opposes CISPA in its current form due to what it sees as weak privacy safeguards. "There is absolutely a need for comprehensive cybersecurity legislation…[but] part of what has been communicated to congressional committees is that we want legislation to come with necessary protections for individuals," Alec Ross, a senior adviser to Secretary of State Hillary Clinton, told the Guardian on Tuesday.
On Wednesday afternoon, the White House Office of Management and Budget issued a veto threat detailing the ways in which the current bill "fails to provide authorities to ensure that the Nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards."