The privacy risks of CISPA

The author says several changes need to be implemented on CISPA.

Reports of significant data breaches make headlines ever more frequently, but lost in the cloak and dagger stories of cyberespionage is the impact proposed cybersecurity programs can have on privacy. The same Internet that terrorists, spies and criminals exploit for nefarious purposes is the same Internet we all use daily for intensely private but totally innocuous purposes.

Unfortunately, in their pursuit to protect America’s critical infrastructure and trade secrets, some lawmakers are pushing a dangerous bill that would threaten Americans’ privacy while immunizing companies from any liability should that cyberinformation-sharing cause harm.

This week, the House Intelligence Committee will mark up the Cyber Intelligence Sharing and Protection Act, a bill that creates an exception to all privacy laws on the books so that companies holding our private and sensitive information can share it with each other and the government for cybersecurity purposes. This could include the content of chats and emails and people’s online browsing histories. There is no requirement that companies even attempt to remove personally identifiable information before sharing cyberthreat data nor any requirement that the government minimize and protect that data when it is collected. CISPA grants companies liability protection not only for sharing the information but also for using it however they see fit, including aggressive countermeasures, like hacking into an adversary’s computer. It’s an unmitigated and unaccountable mess for Internet users’ private data.

Perhaps most alarming is that the information — even when it reflects the sensitive and revealing Internet activities of Americans in the United States — can be given directly to the National Security Agency and other military agencies. Even the director of the NSA himself has clearly said that this sort of information sharing is a domestic program and thus, needs to be run by civilians. It’s not clear why the Intelligence Committee insists on empowering the military when even the military and intelligence community oppose it. Some surmise it is a jurisdictional battle among House committees, and if true, there couldn’t be a less compelling argument for turning the military loose on our civilian Internet.

The good news is that the administration and the Senate have incorporated some meaningful privacy protections into their cybersecurity proposals over the past year of policy development, and those can easily be incorporated into CISPA. The House bill does not have to remain an outlier when it comes to privacy; everyone else’s thinking has progressed on privacy over the past year, and there’s no reason the House’s shouldn’t, too.

Here’s what needs to happen. First, CISPA needs to be amended to clarify that civilians are in charge of information collection for cybersecurity purposes, period. Anything short of that is a fundamental failure. Second, the bill needs to narrow the definition of what can be shared specifically to say that companies can only share information necessary to address cyberthreats after making reasonable efforts to strip personally identifiable information. Industry witnesses before the House Intelligence and Homeland Security committees testified this year that this is workable, and such information isn’t even necessary to combat cyberthreats. Third, after sharing, CISPA information should be used only by government and corporate actors for cybersecurity purposes. As a corollary to that, there should be strict and aggressive minimization procedures to protect any sensitive data that slips through.

If this proposal sounds modest, that’s because it is. All of these limitations and protections exist in current cyberprograms at the Department of Homeland Security or in surveillance statutes like the Foreign Intelligence Surveillance Act. What makes CISPA so extraordinary is that it eschews such tried-and-true methods that have been made feasible in national and homeland security programs over the past several decades. The bill’s sponsors claim these types of protections are too laborious, but there’s nothing in them that prevents the real-time sharing or automated processes that they claim are necessary.

If these changes aren’t incorporated into CISPA, members should just vote no. After all, there are many approaches to cybersecurity, and in fact, the House will be voting on several bills during the cyberweek planned starting April 15. Taking such an overbroad and unaccountable approach is wholly unnecessary, even for members who want to advance our cybersecurity.

Michelle Richardson is a legislative counsel at the American Civil Liberties Union, a nonresidential fellow at Stanford University Law School’s Center for Internet and Society and a member of the American Bar Association’s Cybersecurity Taskforce.