Fixing CISPA: A guide to the cybersecurity bill’s key amendments

Update: The CDT now firmly opposes CISPA (again) because the House Rules Committee has denied the consideration of every amendment that would fix the problems still inherent with CISPA.

Original text:

Late Tuesday, the wall of opposition to the Cyber Intelligence Sharing and Protection Act, CISPA, began to crumble, as the Center for Democracy & Technology announced that it would no longer strictly oppose the cybersecurity bill’s passage in the House. The CDT’s position change comes as a result of a flurry of proposed amendments, a number of which the CDT says will fix many of the privacy problems included in the bill’s current text (pdf).

Despite the CDT’s vow to not actively block the legislation, the group says that CISPA still contains two major flaws. First, CISPA would still allow the National Security Agency (NSA) to access information shared under the bill. Second, CISPA still allows information to be shared for the extremely broad purpose of protecting “national security.”

“In sum, good progress has been made,” writes the CDT on its website. “The Committee listened to our concerns and has made important privacy improvements and we applaud the Committee for doing so. However, the bill falls short because of the remaining concerns — the flow of Internet data directly to the NSA and the use of information for purposes unrelated to cybersecurity. We support amendments to address these concerns. Recognizing the importance of the cybersecurity issue, in deference to the good faith efforts made by Chairman Rogers and Ranking Member Ruppersberger, and on the understanding that amendments will be considered by the House to address our concerns, we will not oppose the process moving forward in the House. We will focus on the amendments and subsequently on the Senate.”

So, what are these amendments, exactly? Well, for starters, there are a lot of them — more than 40 in total. Let’s take a look at what these amendments are, what they would do, and how they change the nature of CISPA, for better or worse.

Amendments: The first batch

The first five amendments are those promoted by CISPA co-authors Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) during their call with reporters on Tuesday. Below is their description of these amendments:

Minimization, Retention, and Notification Amendment: If approved, this amendment would:

  • Provide clear authority to the Federal Government to undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the government, consistent with the need of the government to protect federal systems and cybersecurity.
  • Prohibit the Federal Government from retaining or using information other than for the purposes specified in the legislation.
  • Require the Federal Government to notify an entity voluntarily sharing cyber threat information with the government if the government determines that the shared information is not in fact cyber threat information.

Use Amendment: This amendment would significantly tighten the bill’s current limitation on the Federal Government’s use of cyber threat information that is voluntarily provided by the private sector. The amendment strictly limits the Federal Government’s use of voluntarily shared cyber threat information to the following five purposes:

  • Cybersecurity purposes;
  • Investigation and prosecution of cybersecurity crimes;
  • Protection of individuals from the danger of death or serious bodily harm, including the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
  • Protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, including the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of a minor, including kidnapping and trafficking, and any crime referred to in 18 USC 2258A(a)(2); and
  • Protection of the national security of the United States.

Definitions Amendment: This amendment would tighten the bill’s definitions to narrow what cyber threat information may be identified, obtained, and shared, as well as the purposes for which such information may be identified, obtained and shared. The new definitions are limited to information that directly pertains to:

  • A vulnerability of a system or network of a government or private entity;
  • A threat to the integrity, confidentiality or availability of such system or network or any information stored on, processed on, or transiting such system or network;
  • Efforts to degrade, disrupt or destroy such system or network; and
  • Efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting such system or network, but not including efforts to gain such unauthorized access solely involving violations of consumer terms of service or consumer licensing agreements.

Amendments to Limit Federal Government Use of Cybersecurity Systems: Two amendments filed Tuesday that would make clear (1) that nothing in this bill would alter existing authorities or provide new authority to any entity to use a federal government owned or operated cybersecurity system on a private sector system or network to protect such system or network; and (2) that the liability provision of the bill extends only to the authorities granted in the legislation. These amendments are designed to clear up any misunderstandings regarding private sector use of cybersecurity systems under the bill.

In short, these amendments greatly limit the way information shared under CISPA may be used, and what information may be shared. The “Minimization, Retention, and Notification Amendment” provides added protections to individuals by requiring the government to notify a private company when it is sharing information that is not for a purpose explicitly defined in CISPA.

Other important amendments

That’s the first batch. But that’s only a small part of the proposed amendments to CISPA, some of which go much further toward protecting privacy, and increasing transparency on the sharing of information under the bill. The House Rules Committee provides a list of all 41 amendments that have been submitted for consideration. Here are the ones that, by my assessment, are the most notable.

Update: These are the only amendments that the House is considering. Not a single one of the amendments that would fix the primary problems with CISPA is included.

  1. Reps. James Langevin / Daniel Lungren Amendment
  2. Rep. John Conyers Amendment
  3. Rep. Mike Pompeo Amendment #36
  4. Reps. Rogers (MI) / Ruppersberger / Issa / Langevin Amendment
  5. Rep. Sheila Jackson Lee Amendment
  6. Reps. Quayle / Eshoo / Thompson (CA) Amendment
  7. Reps. Amash / Labrador / Paul / Nadler / Polis Amendment
  8. Reps. Mick Mulvaney / Norm Dicks Amendment
  9. Rep. Jeff Flake Amendment
  10. Rep. Laura Richardson Amendment
  11. Rep. Mike Pompeo Amendment #37
  12. Rep. Robert Woodall Amendment
  13. Rep. Bob Goodlatte Amendment
  14. Rep. Michael Turner Amendment
  15. Rep. Mick Mulvaney Amendment
  16. Rep. Erik Paulsen Amendment

Original text (which is now basically meaningless…)

Akin amendment: The provision would prohibit private companies from sharing any personally identifiable information of their users with the federal government, unless they have a court order or expressed written consent to do so. As CISPA is currently written, companies are simply “encouraged” to remove personally identifiable information. If approved, this amendment would go a long way toward protecting user privacy in a meaningful way. Read the full amendment text here: pdf.

Amash/Labrador/Paul/Nadler/Polis amendment: This amendment would prohibit the sharing of “inter alia, library records, firearms sales records, and tax returns,” under CISPA, for any reason. Obviously, the more limited the range of the information that may be shared, the better for privacy. Read the full amendment text here: pdf.

Barton/Markey amendment: This provision would only allow the sharing of personal information (which includes everything from name to Social Security Number to text messages and emails) to “prevent a cyber attack,” but not for any other purpose. This is less limiting than the Akin amendment, but more limiting than the “Use amendment” outlined above, which allows the sharing of personal information for reasons other than just preventing a cyberattack. Read the full amendment text here: pdf.

Conyers amendment: If approved, this amendment will make companies (or other private sector entities) liable under both criminal and civil law for sharing information under CISPA to “ensure that those who negligently cause injury through the use of cybersecurity systems or the sharing of information are not exempt from potential civil liability.” The amendment stipulates that the sharing of information not allowed under CISPA must cause “injury” in order for those who shared the data to be liable. In other words, they cannot be sued simply for sharing the information if it doesn’t actually cause anyone any harm. Read the full amendment text here: pdf.

Flake amendment: This extremely short amendment would require the Inspector General of the Intelligence Community to provide a complete list of all government agencies that receive the information collected under CISPA. At present, the Inspector General is required to provide an annual report on what information was shared, and how it was used. If adopted, this amendment would provide greater transparency about who exactly is gaining access to the CISPA data. Read the full amendment text here: pdf.

Goodlatte amendment: This amendment seeks to more narrowly define what information may be shared with the federal government under CISPA. Specifically, it excludes the sharing of information that pertains strictly to the breach of a website or company’s Terms of Service. Read the full amendment text here: pdf.

Lewis amendment: This one is for the Occupy Wall Street crowd. Under Rep. Lewis’ amendment, information shared under CISPA “may not be used by the Federal Government to monitor, track, or obtain additional information with regard to the legal activities of protesters.” Clearly, this amendment is a win for the First Amendment’s protection of free speech. Read the full amendment text here: pdf.

Lofgren/Paul/Polis/Hastings amendment: This amendment would limit the use of information gathered under CISPA to “cybersecurity purposes,” which is narrower than the current limitations. It would also allow law enforcement to use information gathered under CISPA for other criminal cases, as long as they have probable cause, and receive judicial authority to use the data. Read the full amendment text here: pdf.

Nadler amendment: This amendment would expand the statute of limitations to allow private parties to bring civil suits against the federal government for the misuse of information up to two years after they discover, or “should have” discovered, the violation. (Currently, CISPA allows a statute of limitations two years after “the date of the violation.”) In addition, this amendment would allow civil action due to “negligence” (not just intentional or willful action). Finally, it would allow a person affected by government violation to seek injunctive relief. Read the full amendment text here: pdf.

Quigley amendment: This amendment would add far greater transparency to the information shared under CISPA by only allowing data shared with the federal government to be exempt from the Freedom of Information Act (FOIA) if the Director of National Intelligence specifically determines, in writing, that disclosing the material under FOIA would outweigh the public interest in doing so. At present, CISPA could be interpreted to exempt all information shared under the bill from FOIA disclosure. Read the full amendment text here: pdf.

Sanchez/Loretta amendment: This amendment provides guidelines for the search of electronic devices by border security. The guidelines are quite thorough and expansive, and mainly attempt to limit the possibility of abuse. I highly recommend reading this amendment in full to grasp the limitations it places on the use of CISPA at U.S. borders. Read the full amendment text here: pdf.

Schakowsky/Thompson/Bennie/Sanchez/Loretta amendment: This amendment would require “reasonable efforts” to remove personally identifiable information shared under CISPA. It is not nearly as strict as the Akin amendment (mentioned above), but a small step in the right direction. Read the full amendment text here: pdf.

Schakowsky/Sanchez/Loretta amendment: This one is key. If adopted, this amendment would mandate that information shared under CISPA only be made available to civilian organizations within the federal government. As it is currently written, CISPA would allow the NSA or other military organizations (which have little to no public oversight) to have access to the information. This is a big problem for privacy and civil liberty advocates, and one that this amendment would solve. Read the full amendment text here: pdf.

Schiff/Schakowsky/Hastings/Alcee amendment: Similar to other amendments listed above, this provision would “minimize” the amount of personal information shared under CISPA, provide further restrictions on the government’s use of the data, more narrowly define “cyber threat information” and “cyber security information,” and add additional civilian oversight of cybersecurity. Read the full amendment text here: pdf.

Thompson/Bennie/Paul/Sanchez/Loretta/Amash amendment: This amendment would establish greater review of the actions taken under CISPA, and require “reasonable efforts” from the government to strip collected data of personally identifiable information. Read the full amendment text here: pdf.

Thompson/Bennie/Langevin/Sanchez/Loretta/Hastings/Alcee amendment: This entirely Democratic amendment would define which infrastructure sectors are critical to the nation, and establish a framework to allow existing regulatory agencies to better protect those critical infrastructure sectors from cyberattacks. This is an interesting amendment, as it does not impose new regulatory powers on the federal government (something the Republicans are staunchly against), but would satisfy President Obama’s demand that cybersecurity legislation include protections for critical infrastructure. Read the full amendment text here: pdf.

Woodall amendment: As with the Nadler amendment, this provision would make the federal government liable if it violates the “disclosure, use, and protection of information” portions of CISPA due to negligence (as opposed to “intentional” or “willful” action). Read the full amendment text here: pdf.

Whew! Still with me? Ok, good. So, these are many (but not all) of the amendments that will be proposed on Thursday (and possibly Friday), when CISPA takes to the House floor. The House will open its session at 12pm ET on Thursday, and at 9pm ET on Friday.

At present, CISPA has a good chance of passing the House — the bill’s authors say that they already have the votes — but its ultimate future depends greatly on which amendments make it into the bill before it goes to the Senate. Earlier today, the Obama administration threatened to veto CISPA if it does not include greater privacy protections, and explicit protections for critical infrastructure. Some of these amendments above would go far to mollify the president’s concerns. Still, there is absolutely no guarantee that CISPA will become law, or even pass the House. But if you’re interested in the legislative process (which, if you made it this far, you obviously are), these are the amendments to watch.

Image via kropic1/Shutterstock