On Thursday, April 26, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), the first major Internet-regulation bill Congress has tried to pass since mass protests led to the spectacular collapse of the Stop Online Piracy Act (SOPA) in January. CISPA, while aimed at a much different subject, gained much the same ire as SOPA, given its potential effect on Internet freedom. Although sold as a bill that would strengthen cybersecurity, CISPA would have huge implications for Internet users' privacy both domestically and abroad if the Senate passed it in the coming weeks and it became law.
According to the bill's main author, Rep. Mike Rogers (R-Mich.), CISPA's main purpose is to allow companies and the government to share information to prevent and defend against cyberattacks. But the bill's language is written so broadly that it carves out a giant cybersecurity loophole in all existing privacy laws.
The problem is in the bill's definition of "cyber threat information" and how companies can respond to it. "Cyber threat information" is an overly vague term that can be interpreted to include a wide range of tasks that normally wouldn't be considered cyberthreats -- like encrypting emails or running an anonymization tool such as Tor -- and as a result, a company's options would be so numerous as to allow it to read any user's communications for a host of reasons.
Those communications could then be handed over to the government voluntarily without a warrant or any oversight, nullifying well-established laws like the 1968 Wiretap Act and the 1986 Electronic Communications Privacy Act, which prevent companies from reading your communications except under very specific circumstances and prevent the government from getting users' communications without judicial review.
Once the U.S. government gets hold of such information, the problem intensifies. Private communications can be passed on to intelligences agencies like the National Security Agency (NSA) and the military -- bypassing decades of law barring intelligence agencies from spying on Americans -- and be used for other law enforcement purposes besides cybersecurity. Almost as an afterthought, the bill also increases government secrecy -- already at an all-time high -- by creating a new exception to the Freedom of Information Act for any information the government receives from companies.
It has become clear by now that CISPA is far more than a mere "cybersecurity" bill.
As such, CISPA has enraged civil liberties organizations and a host of other actors, from free market groups to Internet security experts. The bill's flaws are so obvious that Barack Obama's administration -- despite strongly pushing Congress to pass cybersecurity legislation -- issued a veto threat Wednesday, decrying the fact that CISPA "effectively treats domestic cybersecurity as an intelligence activity."
But that hasn't stopped Rogers from continually insisting that he's listening to the concerns of civil liberties groups and ordinary users. The congressman said Tuesday in response to criticism, "[Privacy advocates] have been very good working with us on language to get the bill to a point that helps them protect users and protect their civil liberties." He repeated much of those same claims on the House floor on Thursday, claiming that CISPA is "narrow" and "extremely limited" and that he was trying to accommodate the bill's critics.