Despite cries of protest, the House of Representatives approved the Cyber Intelligence Sharing and Protection Act (CISPA) in a rush vote on Thursday. The cybersecurity bill, which makes it easier for the government and businesses to share information, passed easily, with a vote of 248 to 168, following the adoption of a number of amendments. Though CISPA may have crossed one key hurdle, the battle against the legislation is far from over. Here, a concise rundown of everything you need to know about CISPA now.
Problems before House vote
Even before CISPA debate began yesterday, things had already gone awry for privacy advocates. The House Rules Committee on Wednesday whittled down the number of amendments allowed to go up for consideration from 43 to just 16, cutting out provisions that would have made CISPA far less dangerous, from a civil liberties standpoint. Some of those included requiring businesses to strip all data of personally identifiable information, and one amendment that would have prohibited the shared data from landing in the hands of military and spying agencies, like the National Security Agency.
On Tuesday, the Center for Democracy & Technology said they would not oppose CISPA’s passage in the House. But after the exclusion of key amendments — specifically, amendments that would have blocked the flow of information directly to the NSA, and the prohibition of using shared data for national security issues unrelated to cybersecurity — the CDT once again came out in opposition to the bill, saying that the bill’s leaders (House Intelligence Committee Chairman Rep. Mike Rogers and Ranking Member Rep. Dutch Ruppersberger) had reneged on their promise to meet certain privacy demands by blocking the amendments.
What happened in the House
During hours of debate, the House approved 11 amendments to CISPA. You can see the full list here (2 through 12 were approved; 1, 13, and 14 were not). Of these, perhaps the most important amendment is the one proposed by Rep. Bob Goodlatte (R-VA), which limits the way information shared under CISPA to that which is “directly pertaining to” threats, vulnerabilities, or unauthorized access to a system or network. The Goodlatte amendment (pdf) also makes it explicitly clear that information pertaining to the violation of businesses’ Terms of Service do not qualify as “cyber threat intelligence” under CISPA, and thus may not be shared.
Another notable amendment is a sunset provision (pdf) submitted by Rep. Mick Mulvaney (R-SC), which limits the life of CISPA to five years after the date of enactment. After that time, the bill must be re-approved by Congress.
The most controversial amendment approved is the Quayle amendment, which says that information shared under CISPA may “only” be used for the following five purposes:
- investigation and prosecution of cybersecurity crimes;
- protection of individuals from the danger of death or physical injury;
- protection of minors from physical or psychological harm; and
- protection of the national security of the United States
Prior to the adoption of this amendment, CISPA allowed information to be shared for “cybersecurity” or “national security” purposes, but did not outline any specific ways law enforcement may use the data, as it does now. Because the language did not lay out any specific uses, privacy advocates feared the government could justifiably use the data to investigate and prosecute other crimes, even if they had had nothing to do with cybersecurity or national security.
Some privacy advocates believe that the Quayle amendment is a bad one because it explicitly expands the ways with which the government may use CISPA data to include things that have nothing to do with cybersecurity or national security. The CDT, however, sees the Quayle amendment as an improvement, since it limits the non-cybersecurity or national security uses to “protection of individuals from the danger of death or physical injury” and “protection of minors from physical or psychological harm.” Of course, given that many things on the Internet could be construed as potentially causing children psychological harm, this may not be much of a reassurance. But it definitely seems better than giving the federal government a more-or-less blank slate.
So, in short, CISPA has gone through some necessary changes, from a privacy and civil liberties standpoint, but there is still quite a lot of work to be done for it to be a “good” piece of legislation.
What happens next
CISPA now heads to the Senate, where a number of other cybersecurity bills have wallowed in legislative limbo for years. Chances are good that CISPA will face greater resistance in the Democrat-controlled Senate than it did in the House. And it may change significantly, or merge with other cybersecurity bills altogether. This is increasingly likely, given the fact that President Obama has indicated that he will veto CISPA if it does not provide adequate privacy protections and explicit protections for critical infrastructure. (An amendment that would have satisfied the latter complaint was shot down in the House as well.)
Regardless, Senate Majority Leader Harry Reid (D-NV) has indicated that he plans to move with cybersecurity legislation of some kind in May, though he has not spoken publicly about CISPA specifically. So CISPA’s fate in Congress remains uncertain for now, but we will likely see some further movement on it in the coming weeks.
In the mean time, the fight over CISPA will surely continue, with privacy and civil liberties groups, including the CDT and the Electronic Frontier Foundation (EFF), committed to fighting the bill as it moves to the Senate.
“Hundreds of thousands of Internet users spoke out against this bill, and their numbers will only grow as we move this debate to the Senate,” said Rainey Reitman, EFF Activism Director, in a statement. “We will not stand idly by as the basic freedoms to read and speak online without the shadow of government surveillance are endangered by such overbroad legislative proposals.”