The Cyber Intelligence Sharing and Protection Act (CISPA) may have easily passed the House of Representatives last week, but it appears that support for the controversial cybersecurity bill is beginning to crumble. Over the weekend, Microsoft, long considered a CISPA supporter, told CNet that it now has concerns about the bill regarding personal privacy.
As Declan McCullagh reports:
In response to queries from CNET, Microsoft, which has long been viewed as a supporter of the Cyber Intelligence Sharing and Protection Act, said this evening that any law must allow “us to honor the privacy and security promises we make to our customers.”
Microsoft added that it wants to “ensure the final legislation helps to tackle the real threat of cybercrime while protecting consumer privacy.”
While this is far from an outright condemnation of the bill, it is clear that Microsoft shares some of the concerns about CISPA that privacy advocates have been expressing for months. It is also a significant change in Microsoft’s position (pdf), which was that it “applauded” the bill’s leadership for drafting the legislation.
Depending on who you talk to, the primary complaints about CISPA, which allows the government and businesses to more easily share “cyber threat intelligence” with each other, are as follows:
First, CISPA removes any liability from companies that share information with the federal government, as long as the data is somehow related to a number of categories, including “cybersecurity” or “national security.” Both of these categories remain overly broad, for some critics.
Second, CISPA allows the National Security Agency, and other government organizations that lack clear public oversight, to access the information, which remains one of two primary complaints of the Center for Democracy & Technology, a leader in the fight against CISPA.
Now, it is important to note that CISPA does not require anyone to sharing anything. Microsoft could simply say, “We are never going to turn any cyber threat intelligence over to the government,” and in doing so maintain users’ privacy expectations. It could even strip all of the data it shares of any personally identifiable details, like name, IP address, or anything else it fears might cause customers to rebel. It could — but it wouldn’t be legally required to do so, and therein lies the problem: CISPA removes current protections for individual privacy while failing to replace them with anything equally robust.
Another problem is that CISPA has overwhelming support from the business community. Given Microsoft’s high profile, it’s possible that other companies will back off as well. (Though there’s no evidence that they have done so yet.) But if they don’t, the pro-CISPA camp will remain vast and powerful.
Regardless, it is encouraging to see Microsoft moving in this direction. And I hope other companies will follow suit. As I’ve mentioned before, it is highly unlikely that CISPA will make it through the Senate without undergoing some serious changes. And the provision in CISPA that allows companies to ignore all existing laws could possibly be stripped from the legislation.
All that said, CISPA remains highly problematic for a number of reasons, as mentioned above. But the bill’s passage by the House appears to have only incited more opposition to the bill, not less — and none of it has to do with Microsoft, at least not yet.
CISPA is expected to go before the Senate sometime in May.