
Talking Points: Why Oppose CISPA?

Brandon McNally

What is CISPA?

Introduced in February, the Cyber Intelligence Sharing and Protection Act (CISPA) is a bill intended to bolster America's security against cyber attacks. It passed the House of Representatives in April by a vote of 288-127, though Senate approval is required before it becomes law. President Barack Obama has stated that he will veto the bill if it passes. CISPA's key provisions authorize the government and private entities to share cyber threat information and cyber threat intelligence with one another. Supporters of the bill assert that such information sharing is necessary to protect the nation against cyber attacks, while opponents argue that the provisions pose threats to individuals' privacy and civil liberties.

Why Oppose CISPA?

1. Because it specifically overrides existing privacy laws: CISPA's information-sharing provisions all begin with the phrase "[n]otwithstanding any other provision of law." This six-word phrase places the information shared pursuant to the Act beyond the coverage of existing privacy laws.

2. Because it exempts private companies from liability arising from their sharing of information: Section 3(a) of CISPA adds Section 1104(b)(3)-which exempts private companies from liability arising from their sharing of information pursuant to CISPA's provisions-to Title XI of the National Security Act of 1947 (NSA). The only exception to this exemption is a lack of good faith-narrowly defined as any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility-on the part of the company. As a result, individuals face a near-insurmountable burden in any legal action they take against companies that have improperly shared information.

3. Because the legal action that it does authorize is difficult-if not impossible-to pursue: Section 3(a) of CISPA also adds Section 1104(d)-which creates a federal cause of action for the recovery of damages, attorneys' fees, and costs arising from the government's improper use or retention of cyber threat information-to the NSA.

However, in their FAQ on CISPA, the Electronic Frontier Foundation (EFF) asks a very important question: How would an individual know that his information has been misused? Proposed Section 1104(b)(2)(D)(i) of the NSA exempts information shared pursuant to CISPA's provisions from the Freedom of Information Act. Also, proposed Section 1104(b)(2)(E) exempts such information from disclosure under state and local public disclosure laws. An individual would thus find it difficult-if not impossible-to gather the information necessary to pursue Section 1104(d)'s cause of action.

4. Because it authorizes the government to use shared information for purposes other than cybersecurity: Finally, Section 3(a) of CISPA adds Section 1104(c)(1)-which governs the use of information shared pursuant to CISPA's provisions-to the NSA. This provision authorizes the government to use shared information for cybersecurity purposes and for the investigation and prosecution of cybersecurity crimes, which is expected for a bill intended to address the nation's security against cyber attacks.

However, proposed Section 1104(c)(1) also authorizes the government to use shared information to investigate and prosecute crimes unrelated to cybersecurity, such as offenses involving...danger of death or serious bodily harm, and offenses related to child pornography. Existing law-specifically, the Stored Communications Act (SCA)-already allows for some sharing of information under these circumstances. While both security advocates and civil libertarians can argue that the SCA is flawed and in need of reform, passage of CISPA-with its language rendering any other provision of law inapplicable-would greatly diminish the impact of any such reform.

5. Because it could potentially be used as a copyright-enforcement tool: As the EFF notes, earlier versions of CISPA contained specific language on intellectual property, raising concerns that the Act could be used as a tool to enforce copyright laws in a manner similar to the much-maligned Stop Online Piracy Act that failed to pass last year after a massive public outcry.

While the current version of CISPA does not include the intellectual property language, the EFF states that the Act's definitions of the terms cyber threat information and confidentiality, taken together, would apply to information directly pertaining to a threat to [a] means for protecting proprietary information. However, the Act does not define the term proprietary information, and it could be read to include copyrighted information. Thus, [l]egitimate security researchers, who routinely [bypass] restrictions on proprietary information in order to research and publish information pertaining to vulnerabilities, risk having their work treated as a cyber threat by intellectual-property owners, and would have little-if any-recourse for the actions that those owners take.

Finally, even without such an interpretation of the Act's terms, nothing prevents a future Congress from amending the Act to once again include specific language on intellectual property.

6. Because even some supporters of the bill acknowledge that it presents significant privacy concerns: Civil libertarians are not the only ones concerned about CISPA's impact on individuals' privacy. In fact, even some supporters of the Act concede that it presents significant privacy concerns.

For example, while David Addington, Group Vice President for Research at the Heritage Foundation, states that CISPA would mark a small step forward on the long path toward achieving the cybersecurity of the United States, he also expresses concern that the interaction of two of the Act's provisions would authorize the government to use personal information-such as firearms sales records and medical records-that the Act specifically forbids the government from using.

Also, Carol Hayes and Jay Kesan of the University of Illinois write that CISPA's "notwithstanding any other provision of law" language is perhaps the most troubling provision of the Act. However, they add that a complete rejection of CISPA would be throwing the baby out with the bathwater.

Sources:

Text of H.R. 624 (CISPA): http://www.gpo.gov/fdsys/pkg/BILLS-113hr624eh/pdf/BILLS-113hr624eh.pdf

Mark Jaycox and Kurt Opsahl, CISPA is Back: FAQ on What it is and Why it's Still Dangerous, Electronic Frontier Foundation: https://www.eff.org/cybersecurity-bill-faq

David Addington, House Cybersecurity Legislation: A Small Step, but Flaws Need Correction, Heritage Foundation: http://www.heritage.org/research/reports/2013/04/cybersecurity-legislation-cyberintelligence-sharing-and-protection-act

Carol Hayes and Jay Kesan, At War Over CISPA: Towards a Reasonable Balance Between Privacy and Security, University of Illinois College of Law: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2135618