Following its failure to pass the Stop Online Piracy Act (SOPA), the second session of the 112th Congress is on track for a repeat performance in internet controversy with a bill called the Cyber Intelligence Sharing and Protection Act (CISPA). The bill just passed the House of Representatives, and a companion bill in the Senate will soon be debated and voted on. Unlike SOPA, which focused on piracy and intellectual property, CISPA was originally intended to guard against "cyber threats" that could harm networks by improving cybersecurity information sharing. The bill has since been expanded to cover "national security" and other purposes, and it gives broad powers and immunity to government and military intelligence agencies to collect and share the private data of individuals from companies without the use of warrants. And like SOPA, it has prompted civil liberty and internet privacy advocates to protest the bill's broad definitions and applications.

The Obama Administration has already threatened to veto the bill, and voiced strong opposition in a recent memorandum, but it's not clear if it will follow through. The White House has signaled that it is open to some form of cybersecurity bill, so it's possible that a compromise version will reach Obama's desk.

Let's take a look at some of the CISPA's most important provisions.

"Cyber Threats:" How CISPA Works

(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the Federal Government.

HR 3523

The goal of the bill is to allow greater information sharing between the government and private companies like, for instance, Google and Facebook ("self-protected entities"). CISPA allows companies to share private data from or about their customers with the government, including US intelligence agencies — and in doing so, the bill overrides all other federal and state privacy laws. It allows companies to share almost any type of content, provided it pertains to a "cyber threat." So what exactly falls under the umbrella of a "cyber threat?"

According to the bill, "cyber threat information" includes data that threatens systems from protection against:

  • efforts to harm public and private systems and networks
  • theft or wrongful possession of public or private data, intellectual property, or personally identifiable information

Thanks to an amendment from Rep. Ben Quayle (R-AZ) that was accepted just prior to the bill's passage, cyber threats are no longer the only purpose for which the government may use your private information under CISPA. As it stands, the bill would allow sharing for the investigation of cyber crimes, for the protection of individuals from "death or serious bodily harm" and related law enforcement needs, for the protection of children, and "to protect the national security of the United States."

The government can use your personal information for a variety of purposes under the proposed law, without liability

(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--

(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;

HR 3523

Despite the broad definition and usage of data permitted in the bill, there are some basic protections. CISPA honors restrictions placed on data by companies, so the government cannot request access to personal information if the company chooses to protect its users by making their information anonymous. And the bill prohibits companies that share under the law from using each other's data to gain an unfair advantage in the market. Since the bill does not require that shared data be stripped of personal information, it's up to private companies to choose how to share your information with the government.

(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the Federal Government.

HR 3523

Finally, CISPA absolves all "self-protected entities" of liability if something goes wrong. In other words, you can't sue them for sharing your information if you're deemed a "cyber threat" — even if a mistake is made.

Going Partisan

Some critics of CISPA say it's more insidious than SOPA, and that it will lead to an unwelcome escalation of government snooping on citizens. An anti-CISPA petition on Avaaz.org has over 770,000 signatures, and major web communities like Reddit have promoted regular discussion of the bill. So why is there no CISPA blackout day on the web's calendar? Despite public discussion, many major tech companies have not backed popular outrage. Currently, the bill's list of supporters include well-funded groups like the CTIA, the US Chamber of Commerce, the Internet Security Alliance, and the National Cable and Telecommunications Association, and large companies like AT&T, Verizon, Facebook, Intel, Oracle, and Microsoft.

"CISPA takes a significant step forward in safeguarding consumers and businesses from cyber attacks."

Supporters of the bill say that it will help safeguard against cyber attacks, and cite innovation and success in industry. The Telecommunications Industry Association says that "the legislation takes a significant step forward in safeguarding consumers and businesses from increasingly aggressive and sophisticated cyber attacks," and that "it establishes a collaborative approach that won't introduce heavy bureaucracy that could harm high tech innovation." The TIA believes that "CISPA gained bipartisan support in the House," and encourages the Senate to "act quickly" to consider the bill.

"CISPA would cut a loophole in all existing privacy laws allowing the government to suck up data on everyday internet users."

Web and civil liberties advocates have condemned the bill. The EFF says that the bill "leaves ample room for abuse," and that it would "cut a loophole in all existing privacy laws." The Center for Democracy and Technology says that the bill is likely to lead to an expansion of the US government's role in monitoring of private communications, to move control of cybersecurity efforts from civilian agencies to the military, and that once the information is shared with the government it could be used for any purpose that's not specifically prohibited.

Outlook

CISPA's vote in the House suggests that it may be be stalled by partisanship as it advances in the Senate. While the bill easily passed in committee by a vote of 17 to 1 last year, its passage yesterday was mostly driven by House Republicans (206 for, 28 against), and opposed by Democrats (42 for, 140 against). Additionally, the White House's threat of veto is likely to influence Democrats who currently control the Senate. We'll continue to track the bill as it makes its way through the other half of Congress.

Nilay Patel contributed to this report.