There is a last-minute effort to derail the bipartisan Cyber Intelligence Sharing and Protection Act (CISPA) by playing on people’s fears and stretching facts to the point of breaking. The latest example comes from a blast email from the Electronic Frontier Foundation (EFF) urging people to call House members in opposition to the bipartisan cybersecurity bill. This is from EFF’s suggested script for callers:
CISPA would trample on decades of privacy law, allowing companies to spy on our online communications and pass all kinds of sensitive data to the government. That information could end up in the hands of the NSA, an agency notorious for its lack of public accountability. And that data could also be used for purposes completely unrelated to cybersecurity.
We fully defend people’s First Amendment rights to free speech and to petition the government. But this hyperbole is simply wrong, and it’s purpose is clear: scare people into voicing a position without providing accurate facts.
The bipartisan Rogers-Ruppersberger bill establishes an effective cyber threat information-sharing structure while safeguarding individual privacy. Specifically, under this legislation, all information sharing is voluntary and companies can place tough restrictions on how data can be used and who can use it. And the agreement reached last night between the Center for Democracy and Technology and the bill’s sponsors further cements privacy protections.
In outlining the agreement, CDT points out:
Another improvement in the bill is language specifically stating that the Federal government may not affirmatively search cyber threat information shared with the government except for cybersecurity and national security purposes. This would prevent data mining for law enforcment (sic) purposes of cybersecurity information shared with the government by the private sector.
…
In terms of use of the information, the Committee is supporting an amendment that narrows the use of shared information for law enforcement purposes, allowing use only for cybersecurity crimes, crimes invoving (sic) risk of death or bodily harm, or for the protection of children from child pornography, sexual exploitation or physical harm.
The Committee has agreed to support an amendment requiring the government to notify an ISP or other entity when it is providing information that exceeds the definition of cyber threat information. As a practical matter, once so notified, the private sector entity cannot continue disclosing such extraneous data to the government. The amendment would also make it clear that the government cannot retain or use information for any purpose not authorized by the statute, but the breadth of use permitted is broad, as we explain below.
ITI has worked closely with Chairman Rogers, Ranking Member Ruppersberger, the Center for Democracy and Technology, and others in an effort to bring all sides closer together on the cyber threat information sharing structure. The agreement will result in a structure that better protects people and the systems we rely on from cyber threats. We deeply appreciate all sides’ willingness to work together and support their work. Working together to reach a constructive result will strengthen cybersecurity and protect the American people; hyperbolic distortions of the legislation will result in a more vulnerable system that jeopardizes the integrity of the Internet and the personal information that we all pass through the web each day.
Cybersecurity is personal security. The stronger, faster, and more flexible we can make our cybersecurity defenses, the safer individuals, businesses, and the government will be online. At the same time, the new structure must take into account privacy protections. The updated approach strikes that balance. We look forward to House passage of the cybersecurity bills, and pledge to work with Senators to win approval for cybersecurity legislation in that chamber in the coming weeks.