by Constantine von Hoffman

Latest Version of US Info-Sharing and Protection Act Still Tramples Bill of Rights

Apr 16, 2012 | 3 mins
Cybercrime, Data and Information Security, Intrusion Detection Software

A recent rewrite of the Cybersecurity Intelligence Sharing and Protection Act (CISPA) says the U.S. government can’t search through data on cybersecurity threats that it obtains from private firms...unless the feds use the magic phrase, "national security." But you really shouldn't find the changes to the bill reassuring.

The House Intelligence Committee’s new draft of the Cybersecurity Intelligence Sharing and Protection Act (CISPA) includes a definition of what constitutes a “cybersecurity threat” and narrows other problematic language within the bill, but it still leaves more than enough room to trample the Bill of Rights.

If you are new to this legislation, PC World’s Jared Newman has a great summary:

CISPA would give private companies new ways to share information about cyber-threats with the U.S. government, and vice versa. Although its purpose is quite different from SOPA and PIPA–the anti-piracy bills that were protested out of Congressional consideration last January–CISPA has angered many of the same opponents due to its promise of broad new powers for the government. (The use of a catchy acronym probably helps, too.)

One proposed amendment in the new draft narrows the category of information shared under CISPA from “everything you can think of” to “stuff related to breaking and entering into a network.” (For real: Instead of “theft or misappropriate of private or government information, intellectual property, or personally identifiable information” we get “efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.”)

While this is an improvement, the latest version still gives the government the right to use “national security” as justification for doing whatever it wants with information it gets from the private sector. Under the latest version of the bill, the government can’t search any data shared with it by private firms about cybersecurity threats UNLESS the feds close their eyes and say “n——l s——y” three times. Who can complain about that, really? When was the last time the government did evil things to the citizenry under the guise of good ol’ NS? (It helps if you pretend that the Department of Homeland Security [DHS] doesn’t actually exist.)

By the way, you won’t be able to find out what information the government didn’t look through because shared information will be protected from Freedom of Information Act (FOIA) requests.

Another fascinating aspect of CISPA relates to when the government shares threat details with private companies. The companies would be “encouraged” but not required to share their knowledge with each other. If they do, they have to promise to use the info only for security and not to gain a competitive advantage. Oh, and they are protected from lawsuits related to the sharing of this information. While that may protect those companies from lawsuits filed by the general public, it raises the specter of lawsuits between the companies involved if they get info that could give them a boost over rivals.