Described as "misguided" and "fatally flawed" by the two largest U.S. privacy groups, the Cyber Intelligence Sharing and Protection Act (CISPA) threatens the online privacy of ordinary U.S. residents more so than any other bill since Congress amended the Foreign Intelligence Surveillance Act in 2008.
A lot of confusion still surrounds what CISPA can do, who it affects, and what it will practically achieve. Here's what you need to know.
What is CISPA?
CISPA, known officially as H.R. 624, is a cybersecurity bill currently going through the motions in the lower house of Congress, the U.S. House of Representatives. It is designed to help prevent and defend against cyber-attacks on critical national infrastructure and against other Internet attacks against private firms by obtaining and sharing "cyber threat information."
Its sole purpose is to allow private sector firms to search personal and sensitive user data of ordinary U.S. residents to identify this so-called "threat information," and to then share that information with each other and the U.S. government — without the need for a warrant.
By citing "cybersecurity," it allows private firms to hand over private user data while circumventing existing privacy laws, such as the Wiretap Act and the Stored Communications Act. This means CISPA can permit private firms to share your data, such as emails, text messages, and cloud-stored documents and files, with the U.S. government.
It also gives these firms legal protection to hand over such data. There is no judicial oversight.
To make matters worse, because there is little transparency and individual accountability, those who have had their data handed to the U.S. government may not even know about it or be given a chance to challenge it.
Wasn't CISPA put on the backburner after it failed in the Senate?
In April 2012, the U.S. House passed CISPA by a large majority, voting 248 to 168. It passed at a time when the White House threatened to veto the bill should it pass the desk of President Obama, citing privacy and civil liberty concerns. But once it was handed to the Senate, it failed to gain traction, likely in light of similar legislation being drafted in the upper house at the time.
How is this new CISPA version any different from the old Senate-stalled version?
The current version of CISPA, reintroduced into the House, has the same name and largely the same content. CISPA was brought back to the House in its original format.
Since being debated and amended by the House Intelligence committee, it has gone through a mark-up process that would tighten up certain language and add definitions. This process was decided upon by members to be conducted in secret, despite the controversy surrounding this bill. While CISPA does not force or require a private firm to share data with the U.S. government, major telecoms providers have illegally shared data with the U.S. intelligence agencies before.
During this recent mark-up process, fewer than half of the privacy-restoring amendments passed, and those that did have "only chipped away at the edges of CISPA," according to the Electronic Frontier Foundation (EFF).
These amendments now include:
Information for "national security" purposes: One amendment means the U.S. government can only use data collected under CISPA for "cybersecurity purposes," and not for "national security" purposes — a catch-all term that can be and has been used to skirt Fourth Amendment rights. The second amendment imposes the same rule on private firms. However, "cybersecurity" is still loosely defined and could be misinterpreted or abused by private firms.
Hacking back: Private firms are limited from acting beyond their own networks to gather "cyber threat information," such as 'hacking the hackers'. But the EFF notes a "huge loophole" exists that allows a firm to "still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection."
Government-related privacy oversight: This amendment requires oversight on how CISPA affects civil liberties and privacy on government activity, but it does not apply to private firms. The EFF is concerned that there is "no assessment of whether companies over-collect or over-share sensitive information."
How does Obama's cybersecurity executive order differ from CISPA?
President Obama signed into law a cybersecurity executive order at the same time CISPA was reintroduced into the House.
The "framework" will allow intelligence to be gathered from the aftermath of cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks (like gas and electric companies), and the banking industry — so they can better protect themselves and the wider U.S. population.
While the executive order does touch on intelligence sharing between the U.S. government and private firms, it doesn't undo years of privacy law-making work that continues to protect the U.S. population. The White House even garnered support from the American Civil Liberties Union (ACLU) on the order. The order opened a path for wider consultation and discussion that could, however, change in due time.
Who supports and opposes CISPA?
Because CISPA gives legal immunity to companies already collecting personal and sensitive user and customer data of ordinary U.S. residents, many major Web and technology companies are in favor of the bill.
While Facebook, Twitter, and other social networks have not endorsed or openly supported the current version of CISPA, they backed previous iterations of the bill. (Facebook and Microsoft reportedly backed away from CISPA after previously coming out in favor of it. However, Microsoft's membership in the lobbying group TechNet suggests otherwise.)
As you might expect, a number of major civil liberties groups reject the principles surrounding CISPA. The EFF, the ACLU, and Reporters Without Borders have all expressed their opposition to the bill. Firefox-maker Mozilla has also criticized the bill, and even Sir Tim Berners-Lee, the inventor of the World Wide Web, opposes CISPA.
More than 1.4 million people have signed online petitions calling on Facebook, Microsoft and IBM, and members of Congress, to relinquish their support of the bill — whether currently or in the past.
How does this differ from SOPA, or PIPA (PROTECT-IP)?
There are two major differences: SOPA and PIPA acted against foreign alleged copyright infringers, while CISPA is a domestically focused cybersecurity bill.
The House and the Senate introduced the Stop Online Piracy Act (SOPA) and the PROTECT-IP Act (PIPA) respectively. Both primarily targeted non-U.S. websites and networks, allowing the U.S. attorney general to seek a court order that would see such allegedly copyright and intellectual property infringing sites shut down and seemingly disappear from the Web.
However, CISPA focuses all but entirely on those within U.S. borders — including U.S. citizens and legal (and illegal) residents — rather than foreign citizens or non-U.S. companies. While the U.S. government cannot collect data from any private firm it likes — the firm must agree to it — CISPA has a greater impact on those within U.S. borders rather than non-U.S. residents.
Does CISPA affect non-U.S. citizens, such as those who live in the EU?
Potentially, yes, although not directly. Many smaller companies do not have local EU-based datacenters. Microsoft, Google, and Facebook, for instance, do have non-U.S. datacenters for local users, but many other companies do not have the capacity or the funding to do so. This means that non-U.S. residents' data may be stored directly by a U.S. company.
What can the U.S. government do with user data acquired under CISPA by private firms?
Anything they like with it, so long as it's lawful and pertains to "cybersecurity purposes," rather than "national security" purposes. But because the language is so ill-defined, it could be used for many more reasons than were initially considered.
The data will be handed to a central location within the U.S. Department of Homeland Security (DHS) by the private firm, which can then be disseminated throughout government — including other U.S. law enforcement and intelligence agencies.
Does CISPA allow the U.S. government to spy on U.S. residents?
Once it's in the hands of the DHS, it can be sent anywhere and be used against the person. CISPA amends the National Security Act to include provisions to further protect national or homeland security, as well as other "threats to the United States, its people, property, or interests."
According to the EFF, even though the data was passed to the government for "only cybersecurity purposes," it can then be used to investigate other crime, not limited to cybersecurity crime, such as the "criminal exploitation of minor, protecting individuals from death or serious physical injury, or protecting the national security of the United States."
What can I do if a private firm hands over my data to the U.S. government?
Very little. But also, there's no way of knowing that your data has been handed to the U.S. government by a private firm unless that firm informs you. Frankly, most will have no reason to.
CISPA explicitly prevents those under the scope of CISPA — typically U.S. residents — from suing the U.S. government for collecting or retaining data outside of legal parameters. Freedom of Information (FOI) requests do not apply under CISPA because the data collected will be exempt from disclosure. CISPA also gives private firms legal protection to pass that data on to the U.S. government, so they can't be sued either.
What are the key upcoming dates, and could CISPA be defeated?
Following a recent closed session which saw CISPA amended, it will go to a vote on the House floor as soon as next week, or late April.
Two things could happen: either it will pass like it did last year and it will be handed over to the Senate for its consideration — where it could progress or stall as it did the last time; or CISPA could fail in the House at a coming vote.