Members of Congress Oppose CISPA Unless Privacy Problems Are Fixed

Rep. Anna Esoo (D-CA) is one of four House members to write a "Dear Colleague" letter against the current version of CISPA (photo: Rep Eshoo's office)
Silicon Valley Congresswoman  Anna Eshoo (D-CA) is one of four House members to write a “Dear Colleague” letter against the current version of CISPA (photo: Rep Eshoo’s office)

The Cyber Information Sharing and Protection Act (CISPA) “has major shortcomings and would undermine the interests of citizens and their privacy,” a group of House members in a “Dear Colleague” letter.

Even though “the bill has improved from earlier versions,” four House members said that “even with the amendments adopted, CISPA unacceptably and unnecessarily compromises the privacy interests of Americans online. The four Democratic House members are Anna G. Eshoo (CA), Rush Holt (NJ), Janice Schakowsky (IL) and Adam B. Schiff (CA) pointed to three deficiencies in the bill.

The House members are reacting to the version of the bill that was passed by the House Intelligence Committee on April 9th.

Members cite three deficiencies (scroll down for the entire letter)

  • It does not require that companies sharing information under the bill, either with the government or with other private sector entities, make anonymous the data they share by making reasonable efforts to remove unrelated Personally Identifiable Information (PII).
  • The bill would allow information, and potentially PII, to be shared directly by private companies with the National Security Agency.
  • The bill provides a sweeping limitation on liability for sharing information in good faith, and to a wide range of decisions by private firms on the basis of cyber threat information.

The Congress members said that all of these deficiencies are correctable and promised that “amendments will be offered at the Rules Committee to address these issues.”

Why some worry about CISPA

CISPA, which has been backed by a trade group representing several Silicon Valley companies including Yahoo, Google and Microsoft, would allow companies to voluntarily share data related to cyber threats with each other and with government agencies.  There has been a lot of concern that such data could include personally identifiable information of users of those services.  Last year (prior to some amendments), the ACLU wrote that “it empowers the military, including agencies like the NSA, to collect the internet records of Americans’ everyday internet use.

The Obama administration, according to the Los Angeles Times, is also not likely to support the bill in its current form. We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections,” Caitlin Hayden, a National Security Council spokeswoman, said in a statement. “We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration’s important substantive concerns,” National Security Council spokeswoman Caitlin Hayden told the Times, “but we do not believe these changes have addressed some outstanding fundamental priorities.”

Congressional letter

Here is the full-text of the recent “Dear Colleague” letter.

Oppose CISPA Unless Improvements Are Made to Protect Privacy and Civil Liberties

Dear Colleague:

We write to bring to your attention serious concerns regarding legislation the House will consider this week, the Cyber Information Sharing and Protection Act (CISPA). Without further amendments to protect privacy and civil liberties, we cannot support the bill.

As Members who have served multiples terms on the House Intelligence Committee, we understand the importance of cyber security and the degree to which our public and private networks are under constant attack. There is an urgent need to improve cyber security, and facilitating the real time sharing of information about threats is a worthy goal.

However, CISPA has major shortcomings and would undermine the interests of citizens and their privacy. The bill has improved from earlier versions, but even with the amendments adopted, CISPA unacceptably and unnecessarily compromises the privacy interests of Americans online.

There are three significant deficiencies in the bill. The White House, civil liberties and privacy advocates, and Senators who have worked on information sharing legislation share our concerns about these provisions.

First, the bill does not require that companies sharing information under the bill, either with the government or with other private sector entities, make anonymous the data they share by making reasonable efforts to remove unrelated Personally Identifiable Information (PII). Instead, the bill would instruct the government to remove PII only after it has been shared. A government-only minimization makes little sense in those cases when the private party is in the best position to anonymize the data and personal information never need be shared with the government. Most important, this requirement does nothing to protect privacy in the case of private-to-private sharing.

In fact, when the Intelligence Committee held a hearing on CISPA earlier this year, industry witnesses agreed that requiring companies to make “reasonable efforts” to remove unrelated PII was “reasonable” and that, “The provider of the information is in the best position to anonymize it.”

Second, the bill would allow information, and potentially PII, to be shared directly by private companies with the National Security Agency. By allowing the sharing of data on cyber threats that may implicate personal information about Americans directly between Department of Defense agencies and private companies, the bill significantly departs from constitutional principles as well as long-standing efforts to preserve the primacy of civilian agencies in cyber space. We believe a civilian agency like the Department of Homeland Security ought to be the lead agency, even as it may draw on the services of other elements of the intelligence community.

Finally, the bill provides a sweeping limitation on liability for sharing information in good faith, and to a wide range of decisions by private firms on the basis of cyber threat information. The breadth of conduct thus immunized is considerable and may protect companies who take negligent or reckless action in response to a cyber threat or who fail to take any step to remove personal information prior to sharing. Given the wide reach of the legislation, Congress should limit the scope of the liability granted.

All of these concerns are correctable and amendments will be offered at the Rules Committee to address these issues. We urge the Rules Committee to make these important amendments in order. Americans concerned about their privacy and expanded military involvement in cyberspace deserve at the very least a vote by the House of Representatives on amendments to fix the bill.

Without changes to ameliorate these concerns, we intend to oppose the legislation, and urge Members concerned about civil liberties and privacy to do the same.

Sincerely,

 

Adam B. Schiff                                                Janice Schakowsky

 

Anna G. Eshoo                                                  Rush Holt