CISPA Amendment Proves Everyone's Fears Were Justified While Failing To Assuage Them
from the the-more-things-change dept
The single biggest criticism of CISPA is that it could be used by the federal government in a way that infringes on people’s privacy, allowing government agencies, including the NSA, to sift through the private data of American citizens with little to no oversight. It’s pretty obvious why that fear exists — just look at the relevant paragraph in what, until the recent and final round of markup, was the text of the bill:
(7) PROTECTION OF INDIVIDUAL INFORMATION—The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.
So, um, the feds may worry about privacy, if they want to and as long as it doesn’t hinder their cybersecurity efforts. It’s disconcerting that this even needed to be spelled out, and it certainly doesn’t count as a safeguard. The response to criticism from the bill’s authors has been the same since last year: they deny that this bill has anything to do with spying on people, and insist it’s just about sharing technical threat data. Just this week, Rep. Rogers flatly stated this is not a surveillance bill. Still, in an attempt to placate the opposition, they backed an amendment (pdf and embedded below) from Rep. Himes replacing that paragraph, which passed in the markup phase. Here’s the new text:
PRIVACY AND CIVIL LIBERTIES.—
(A) POLICIES AND PROCEDURES.—The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government in accordance with paragraph (1). Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner—
(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
It seems to me they are hoping that by making the section longer and more complicated, people will miss the fact that very little has changed. But what’s truly astonishing is that this new text reads like a confession that CISPA does involve all the stuff that they’ve been insisting it has nothing to do with.
The big thing, of course, is that this oversight now involves civilian agencies, which is really the only meaningful change — and its impact has been rather minimized. Rather than putting the DHS or another agency in between the public and military agencies like the NSA, they’ve simply given them some input — and it’s hard to say how meaningful that input will be. The provisions are bookended by escape clauses: first we’re told that they only count when “consistent with the need to protect systems and networks from cyber threats”, and then at the end we’re reminded that they must “not delay or impede the flow of cyber threat information”. That alone renders the rest of the text virtually moot, and it also seems to be acknowledging that the type of information sharing they want to do does threaten privacy.
If that weren’t clear enough, there’s a third out hiding in clause (ii), where we’re reminded that personal information will only be limited if it’s “not necessary to protect systems or networks from cyber threats”. If this bill is really just about getting technical threat data, why would personal information ever be necessary? Once again, it serves as both an escape clause and a tacit admission that they do plan on doing the things that they have denied so vocally, or at least that they want to keep the option open.
But you can bet that the next time Rep. Rogers or Ruppersberger is questioned about it, they’ll insist that CISPA has nothing to do with personal information and couldn’t possibly threaten anyone’s privacy. They’ll insist that they addressed any concerns with this amendment, when in fact all they did was confirm just how warranted those concerns are. Nothing has changed: CISPA is still a dangerous bill, perhaps more explicitly so now than ever.