EFF Analyzes Last-Minute Amendments Made to CISPA

Recently the privacy-invading cybersecurity bill CISPA (Cyber Intelligence Sharing and Protection Act) passed the House. In its final version, CISPA still contains many of the same problems as before. An attempt was made to fix core privacy problems in the bill, but it failed to do so. One amendment (PDF) by Rep. Conyers narrowing the overly broad immunity was not even brought to the House floor for a vote. Despite passing, the fight moves to the Senate, which will introduce its own cybersecurity "information sharing" bill. We urge you to tell your Senator now to stand up for privacy in any upcoming cybersecurity legislation.

Information Can Still Be Shared With The NSA

CISPA, as passed, is little better than when it was first introduced. The bill still allows for companies to skirt privacy laws that protect users. It still provides overly broad immunity to a company for "any decision made" to combat a suspected threat. And it still lets a company spy on and share users' sensitive personal information with anyone, including intelligence agencies like the National Security Agency (NSA).

One upshot of the debate during CISPA was the acceptance by politicians that the NSA shouldn't be in charge of our domestic cybersecurity. On the day of the full floor vote a surprise thirteenth amendment was introduced by Rep. McCaul. This amendment was touted as a way to ensure only civilian agencies receive data under CISPA, thereby preventing intelligence agencies like the NSA from receiving data directly. However, we quickly analyzed the bill and found out that the poorly drafted text failed to fix the problem.

With this amendment, CISPA now suggests that companies send information related to threats to the Department of Homeland Security (DHS) and to send information related to "cybercrimes" to the Department of Justice (DOJ). But the amendment does not require the information be shared with the two civilian departments or even that the information stay within them. The nuance is important because the amendment does not change key sections of the bill allowing a company to share information with anyone it chooses, public or private, military or civilian.

Moreover, CISPA still allows companies to limit sharing with civilian agencies. For example, a company could decide to share information only with the NSA, and even tell the NSA that it can't share the information with anyone else. If this becomes commonplace, the NSA could become the de facto leader of domestic online security—the exact opposite intention of the amendment.

Overly Broad Immunity Remains

The ability for companies to share information with the NSA isn't one of the only problems remaining in the bill. CISPA still grants companies overly broad immunity for "any decisions made" to protect against a suspected threat. As we've noted, aggressive companies could interpret this immunity to cover "defensive"—and what some would consider offensive—countermeasures so long as they can say they acted in "good faith." The revised bill expands on the definition of good faith, but not sufficiently to address these concerns.

The amendment (PDF) by Rep. Conyers would've deleted the clause, but the amendment wasn't even allowed to be debated on the floor. A similar action happened to pro-privacy amendments by Rep. Schiff and Rep. Schakowsky at a hearing before the bill went to the floor for a final vote. All of these amendments should've been debated and approved as they would've solved major problems in CISPA.

Companies Do Not Have To Minimize Personal Information

Instead, representatives voted for amendments that sidestep many of CISPA's problems. For instance, instead of requiring companies to minimize personal information unrelated to a threat, the bill only mandates the government establish policies for doing so. Since the bill was introduced, we've noted that a company must be forced to minimize unrelated personal information. Companies should not be in the business of sharing its users' personal information with the government. At a hearing in front of the House Intelligence Committee an industry witness agreed. He told the committee that companies do not need to share personal information to combat threats. Unfortunately for users, CISPA's authors failed to act on the advice.

Other amendments to CISPA added more reporting requirements, barred companies from using the information shared for marketing purposes, and inserted a 5-year expiration date.

CISPA passed the House by large numbers, but it will not go further. Senators like Jay Rockefeller have noted the lack of robust privacy protections in CISPA, while President Obama issued a veto threat over the fact that CISPA doesn't require companies minimize unrelated personal information. CISPA is so bad that the Senate won't consider it or introduce it. Instead, a new bill written by Senators will be drafted. CISPA's faults are many, and the amendments to CISPA failed to fix its core privacy problems.