Cybersecurity Bill Revised to Ease Privacy Concerns

Supporters of a controversial cybersecurity bill have issued a revised discussion draft of the legislation in an effort to address the concerns raised by privacy advocates and civil liberties groups.

The Cyber Intelligence Sharing and Protection Act, or CISPA, is intended to clear barriers for the government and businesses to share information about critical digital threats, but critics have warned that the language is overly broad and could result in a massive flow of information to secretive government outfits like the National Security Agency under the thin pretense of cybersecurity.

Among those groups’ concerns is the fear that the bill would greatly expand federal agencies’ surveillance powers, enabling them to obtain information from private firms that could be used for a variety of purposes unrelated to cyber threats, including suspected intellectual property violations. In response, groups such as the Center for Democracy and Technology, the Electronic Frontier Foundation and the American Civil Liberties Union have designated this a “week of action,” urging concerned groups and individuals to take to the Web in protest and contact their representatives, recalling a groundswell of online opposition that helped defeat two intellectual property bills earlier this year.

The changes that the bill’s authors, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the ranking member on the panel, unveiled late Monday are positioned as an explicit address of those groups’ objections.

“We have maintained an open door for all interested parties since the drafting of this bill began last year, and we appreciate all the constructive feedback and input we have received,” Rogers said in a statement.

Ruppersberger said that the revisions to the bill “show a good faith effort to continue to work with interested parties to improve the bill.”

The term “intellectual property,” for instance, has been removed from all definitions within the legislation, a move that the bill’s authors explained was meant to narrow its scope and specify that it is only to apply to legitimate cybersecurity threats.

“This change was made to avoid any misunderstanding and to clarify that the bill is intended to defend against efforts to gain unauthorized access to systems or networks, including efforts to gain such unauthorized access to steal private or government information,” read a fact sheet provided by the Intelligence Committee.

In address of the concerns that the bill lacks a meaningful check on the government’s authorities, the bill’s authors have proposed amendments to bring more transparency to the information-sharing framework CISPA would create. One proposed amendment would stipulate that the Department of Homeland Security would be able to review most of the information collected by other government entities under the bill. Privacy advocates have warned that information shared with the NSA and other military agencies that operate under limited oversight too often disappears into a black hole, and that the civilian DHS is the proper agency to take the lead on cybersecurity in the private sector.

Rogers and Ruppersberger have proposed another amendment that would allow individuals who felt that their information collected under the statute was improperly used to sue the government for damages.

The committee also reiterated that the bill does not provide any new authorities to remove content or block websites or online accounts.

Some of the opposition groups have raised the concern that companies like Facebook and Google, under the guise of cybersecurity, could share stores of sensitive information about their users without fear of legal repercussions. Those worries prompted Joel Kaplan, Facebook’s vice president of U.S. public policy, to author a blog post defending the company’s support of CISPA. Regarding the unbridled sharing of user information, Kaplan wrote, “Facebook has no intention of doing this and it is unrelated to the things we liked about [the bill] in the first place — the additional information it would provide us about specific cyber threats to our systems and users.”

The latest changes to CISPA have done little to mollify some critics. Rainey Reitman, activism director at the Electronic Frontier Foundation, argued that the revised legislation would actually expand the liability protections for private companies that share information with federal authorities.

“The amendments introduced don’t address the civil liberties concerns that have been raised around companies monitoring our communications and handing sensitive user data to the government,” Reitman wrote in an email to CIO.com. “It’s disturbing to see this legislation rapidly undergoing changes and yet those changes aren’t responsive to the grave concerns raised about CISPA’s effect on the privacy of everyday Internet users.”

Spokesmen for Center for Democracy and Technology and the ACLU did not immediately respond to requests for comment on the updates to CISPA.

Amid the week of protests that opponents of CISPA are staging, Susan Phalen, a spokeswoman for the majority members of the Intelligence Committee, expressed disappointment that some of the bill’s critics are working to scuttle the measure altogether, rather than engaging further with committee members to address their concerns.

“I think it’s interesting that some of the privacy advocacy groups are zoning in and encouraging a ‘no’ vote on the bill when the bill isn’t even in its final form. It’s still in a discussion draft and we have an open door,” Phalen said.

She confirmed that the House leadership is still planning to bring CISPA to the floor for debate next week, and that the bill’s consideration will be an open process in which members will be invited to submit amendments.

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.