Congress is seriously considering a bill called the Cyber Intelligence Sharing and Protection Act (CISPA). Intended to allow information sharing both between corporations and between corporations and the government, it presents serious dangers to individual privacy. The most important parts of the proposed act permit corporations to share information about their customers with each other and with the government if they assert that this information sharing is necessary for national security.
While better sharing of information might be necessary in some cases, in its current form CISPA represents a particular danger – a mutually reinforcing combination of public and private threats to privacy. Here are six things you should know about this pending legislation:
1. CISPA would allow companies to share potentially sensitive customer data with each other in ways that would otherwise be inconsistent with current laws that protect consumer privacy, such as the Electronic Communications Privacy Act (ECPA). As the ACLU notes, “Health records, gun records, tax records, census data, educational records – essentially all information now protected under privacy laws carefully considered and passed by Congress over the past decades – would no longer have that protection as cybersecurity information if these bills are to become law.” CISPA would also allow the government to require companies to share customer data without the warrant or subpoena that would be required under current law. The privacy rights of customers may be violated, in other words, without substantial evidence that they pose any kind of security threat.
2. CISPA would also pre-empt state laws that provide more privacy protection than the federal standard. Citizens in some states would face diminished privacy rights both now and in the future.
3. Companies would be broadly immunized from both criminal and civil liability for sharing personal data under CISPA. This is important, because the threat of lawsuits is crucial to ensuring that companies respect the privacy of their customers. Under CISPA, conversely, corporations would have little incentive to err on the side of protecting privacy and would not face legal sanctions for even wholly unjustified invasions of privacy.
4. Private companies would not be required to remove identifying information from data they share with the government. Private information could be shared not only with civilian but with military authorities. Given the deference that courts generally show to invocations of national security interests by entities associated with the military, this makes the risks of privacy invasions even more severe. Any information shared under a new legislative framework should go to a civilian rather than a military agency.
5. The only restriction on the sharing of data is that it be related to “cybersecurity.” The bill makes no serious attempt to specifically define what would qualify, and hence this limitation will do very little to limit privacy violations in practice. As the Electronic Freedom Foundation correctly points out, the bill would apply to “far more than what security experts would reasonably consider to be cybersecurity threat indicators — things like port scans, DDoS traffic, and the like.” Without a more careful definition, the potential for abuse is simply too great.
6. Not only does the language of the bill not provide enough protection before the fact, but it also does too little to protect individual privacy after information is first shared with the government. As Sharon Bradford Franklin explains, “CISPA lacks any meaningful limitations on the ways in which the federal government may use personal information and the content of private communications that it receives from private companies.”
Until more meaningful protections are added to protect individuals against this public-private privacy threat, Congress should reject CISPA, and if it unwisely chooses to pass the legislation, President Obama should veto it. The concerns the White House expressed on Thursday are a good sign, but they need to be steadfast and not rush to sign a bad bill.