Compliance Management, Network Security, Privacy

CISPA moves forward, but rejected amendments frustrate privacy advocates

Several privacy-bolstering amendments were left out of a contentious information-sharing bill that was approved Wednesday by the U.S. House Intelligence Committee.

The proposed Cyber Intelligence Sharing and Protection Act (CISPA), which supporters say will help the private sector share information about cyber threats with the government without fear of legal consequences, was revived earlier this year by Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., after being approved by the House last April. It was never taken up by the Senate.

Six amendments were approved and four were rejected in the new, marked-up version of CISPA. The approved amendments include one that calls on the law to "reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner."

But critics believe the law in its current form doesn't go far enough to defend users' privacy.

Among the rejected suggestions for CISPA were three amendments offered by Rep. Jan Schakowsky, D-Ill., one of which would have exempted the Department of Defense, the National Security Agency, and all military branches from directly receiving cyber threat intelligence data from private companies.

Another failed amendment from the congresswoman would have given consumers the ability to legally hold companies accountable for misusing their private information. And Schakowsky also wanted the president to select an officer who would establish policies and procedures on the government's “retention, use and disclosure” of shared data.  

Rep. Adam Schiff, D-Calif., also proposed an amendment that was shot down. He wanted companies to “make reasonable efforts” to remove any PII before it was shared with the government. While an amendment was passed to minimize the amount of PII stored and used by the government under CISPA, Schiff's more inclusive suggestion was voted against.

On Thursday, Michelle Richardson, a legislative counsel with the American Civil Liberties Union (ACLU), told SCMagazine.com that from a privacy standpoint, the rejected Schiff amendment was “one of the most important.”

“They [should] strip out the PII when that's possible – when it's not directly necessary to understand the threat, so that companies don't get lazy and over share,” Richardson said." 

In an email to SCMagazine.com, Mark Jaycox, a policy analyst and legislative assistant for the Electronic Frontier Foundation, criticized how the CISPA vote was conducted.

“Holding the hearing in secret and behind closed doors is a detriment to the American public,” Jaycox said Wednesday evening. “Laws should not be made in secret. They should be influenced and informed by a debate that's open to the public to watch.”

Meanwhile, Alexis Ohanian, the co-founder of social news site Reddit, published a video urging Google, Facebook and Twitter to protest CISPA's disregard for citizens' privacy.

“I'm hoping that all of these tech companies take a stand that their privacy policies matter, their users' privacy matters, and no legislation like CISPA should take that away,” Ohanian said.

So far, Facebook, once on board with CISPA, reportedly has withdrawn its support of the bill now that contentious points of the legislation were overlooked in the latest vote.

Those continuing to support the passage of CISPA have argued that the bill is essential to protecting the government from trade secret theft and critical infrastructure from potentially crippling attacks. Recent allegations that the Chinese government has conducted cyber spying against American businesses, as detailed in a February report by security firm Mandiant, have hastened calls for legislation.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.