The controversial Cyber Intelligence Sharing and Protection Act (CISPA) passed the U.S. House of Representatives last night (April 26) in a 248-168 vote.
The voting was broadly along party lines, although 42 Democrats voted in support of the legislation and 28 Republicans voted against it. The White House has threatened to veto CISPA, citing privacy concerns, and instead supports a rival bill in the Senate, the Cybersecurity Act of 2012.
CISPA's chief sponsors, Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D- Md.), tried to make their bill more palatable to the White House, and the version that ended up being voted on had some significant changes.
"We have nation-states that are literally stealing jobs and our future," Rogers told his colleagues before the vote. "Stand for America! Support this bill!"
CISPA is meant to encourage private companies to share information related to cybersecurity with the government and with each other. Such sharing is currently limited by numerous laws, including privacy legislation, as well as the threat of lawsuits by affected parties. CISPA creates blanket exemptions from such laws and from liability.
Unlike this past winter's Stop Online Piracy Act, which was aimed at foreign websites that pirate American music and movies, CISPA targets foreign cyberspies who have broken into the networks of hundreds of American corporations and government agencies over the past few years.
However, it does not compel private entities to share information with the government. Such cooperation would be entirely voluntary. The Senate's Cybersecurity Act of 2012 does compel companies to cooperate, and sets up a regulatory framework for them to do so.
Closing a loophole, but opening a door?
One amendment that did make it into the final draft of CISPA was an attempt to more clearly define where CISPA would apply.
Sponsored by Reps. Ben Quayle (R-Ariz.), Anna Eshoo (D-Calif.) and Mike Thompson (D-Calif.), it replaced language allowing use of CISPA for "any lawful purpose." Instead, it limits the use of shared information to the areas of cybersecurity, "the protection of individuals from the danger of death or serious bodily harm," child pornography and "the national security of the United States."
The original text of CISPA mentioned neither child pornography nor the protection of individuals, prompting TechDirt writer Leigh Beadon to comment soon after the bill's passage that "this means CISPA can no longer be called a cybersecurity bill at all."
"Basically, the amendment closes a loophole but opens a door," Beadon wrote in a follow-up piece today (April 27). "It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language — as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy."
Whittling it down
Other approved amendments, according to the Congressional Record, included clauses that further define cybersecurity systems, require the government to disclose agencies receiving shared information, forbid new authority to be granted to any federal agency, shield companies that refuse to share information, ensure that regulatory information remains subject to the Freedom of Information Act, forbid the use of privately obtained library records, gun-sales records or tax returns, and finally, put in a "sunset clause" that nullifies the entire CISPA bill five years after enactment, subject to renewal.
It's not clear if these changes are enough to satisfy the White House, which on Wednesday sent a strongly worded letter to the House.
"Cybersecurity and privacy are not mutually exclusive," the letter said. "Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately. ... H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."
Not good enough
Many groups and individuals who agree with CISPA's overall aims nevertheless criticize it as too sweeping, singling out the phrase "notwithstanding any other provision of law."
CNet's Declan McCullagh, a frequent commenter on Internet legislation, said the phrase would "trump all existing federal and state laws, including ones dealing with wiretaps, educational records, medical privacy, and more."
"CISPA goes too far for little reason," the American Civil Liberties Union's Michelle Richardson said. "Cybersecurity does not have to mean abdication of Americans' online privacy. As we've seen repeatedly, once the government gets expansive national security authorities, there's no going back."
"We do have a real cyberthreat in this country, and this bill is an honest attempt to deal with it," Rep. Joe L. Barton (R-Texas), told the New York Times. "But the absence of explicit privacy protections for individuals is, to me, a greater threat to democracy and liberty than the cyberthreats that face America."
"Proponents of CISPA may be well-intentioned, but they unquestionably are leading us toward a national security state rather than a free constitutional republic," said Republican presidential candidate Rep. Ron Paul (R-Texas) on his website. "Imagine having government-approved employees embedded at Facebook, complete with federal security clearances, serving as conduits for secret information about their American customers."